Attacks delivered over e-mail are becoming more targeted and personalized. Cybercriminals no longer lure people with generic topics but with trending ones that are sure to pique the target's interest. With all the panic circulating around the novel coronavirus, COVID-19 is the new bait.
E-mails themed around COVID-19 are being sent in an attempt to get recipients to open them and click on malicious links that do not appear malicious. In this latest campaign, the mails are disguised as coming from the Centers for Disease Control and Prevention, announcing emergency information about the virus. This is a move to exploit people's fear of the virus.
While the underlying premise is not new, the problem arises because the mails contain new words that get past the existing filters, and because there have been no predictable patterns from which new rules could be written to stop them. Further, there is also a mismatch between the actual links and the text displayed for them, which also leads to false positives and allows these mails to pass.
Currently, most organizations use Secure Email Gateways to analyze and identify threats in the e-mails received by their e-mail providers. These also serve as spam detection engines, where harmful e-mails are identified and controlled. However, they fail at this identification when the e-mails use personalized attacks, or even when they deviate only slightly from previously seen patterns. In this campaign, most of the e-mails have passed through the defenses of Mimecast, Proofpoint, Microsoft's ATP and others.
Secure Email Gateways, or SEGs, only work in retrospect: they can only learn from e-mails after those e-mails have been delivered. In other words, SEGs work from a list of IP addresses that are already known to be bad. For more advanced anomaly-detection or machine-learning techniques to kick in, a significant volume of similar e-mails must already have been sent. This becomes an issue because these e-mails are sent from a mix of domains precisely to avoid forming any pattern, rendering useless the SEGs' ability to add IPs to their 'bad' list.
To counter these shortcomings, an SEG may rely on sandboxing, which creates an isolated environment in which suspicious links are tested and attachments are verified. However, even this falls short, because the threats use evasion tactics such as an activation delay, whereby the payload only 'activates' after a set period, allowing it to slip past the defenses in place.
There is, however, a different approach. Cyber AI relies on business context and understands how the corporation operates, instead of focusing on e-mails in isolation. It does this by building a sense of 'self' for the organization, against which abnormal activity that could pose a threat is detected. This also helps the AI understand behavior beyond the network, giving it a corporate-level understanding and preparing it for new attacks that might emerge.