You Can Only Detect Something as Malicious if It’s Malicious at the Time You Are Looking at It
I don’t intend to be a purveyor of the obvious, but I keep overhearing discussions where “email threats” and “web threats” and “email security” and “web security” are discussed as if they were separate concepts. It’s a habit of speech rooted in a legacy mindset that doesn’t make much sense in today’s threat context, where multi-step execution of threats across such traditional boundaries is the rule. Some taxonomies of “cross-vector” threats also discuss endpoints, firewalls, user deception (“social engineering”), et al., but for the moment let’s just consider email-to-web crossover.
When pressed, most people seem to get that email security and web security aren’t really separate domains anymore, if they ever really were. However, many don’t seem to talk and deploy security in a manner consistent with that view. This “silo-izing” of solutions by threat vector continues to influence how many people think about their security, to the detriment of that security. Ninety percent of breaches may begin with an email, but today most of the action happens well after an inbound email has been scanned and delivered. To be effective in stopping such threats requires a holistic view of all elements at each step along the threat’s path, including being able to associate data which may have occurred in the “email” phase with the “web” phase.
Security industry segments conversation
I believe many continue to be induced to think and talk this way by a good part of the security industry. While everybody owns up to the importance of layered security, Miles’ Law applies: Where you stand depends on where you sit. Different segments of the security industry still tend to narrow the conversation, with anti-virus companies talking about file-based malware as an end in itself, anti-spam vendors talking about the virtues of scanning at the time of delivery, email and web gateway providers pushing an email-centric or web-centric view, etc. What’s frequently missing is the recognition that they are all really talking about the same problem, and that problem doesn’t respect these separate fiefdoms.
All threats are cross-vector threats
Let’s recognize that, today, nearly all threats with any chance of success are cross-vector threats. That’s what any dialog needs to contemplate, and what security defenses need to focus on. As a case in point, consider that scanning emails as they arrive may have once seemed adequate, but you can only detect something as malicious if it’s malicious at the time you are looking at it. A standard evasive tactic today switches embedded URLs from a benign to a malicious destination well after delivery. The email security industry has created the concept of “time-of-click” protection, which is a way of saying that email security without an integrated and robust web security capability is a failed concept. In its ideal form such a defensive capability would equate to robust web protection that is fundamentally a continuation of the analysis begun by the “email security.” Emails which may be carrying some form of ill-intentioned attachment also cross over frequently and quickly into a complex series of Web and internet communications.
Necurs’ latest spam
Examples abound of this crossover. I’ve been looking at the Necurs botnet’s most recent email activity, and they fit the mold. One large campaign is sending emails with a business focus using the tried-but-true “Unpaid invoice” subject line and an Excel Web Query (.iqy) attachment, which when opened in Excel downloads a PowerShell script, which in turn downloads another script, which then downloads what appears to be an Excel file, which then downloads an encrypted binary, which converts to the remote access trojan FlawedAmmyy. Similar to what I pointed to above, the basic intention is to appear as benign as possible at the moment of the email security scan, and what ensues is more “web” than email.