Why does email need a zero-trust security model?

 It has been 20 years since sender identity fraud moved into the email world and became known as phishing. In the early days, email threats were primarily content-centric and often contained malicious links or attachments to lure users into a trap. But in the last five years in particular, phishing has matured: now, 89 percent of all attacks use impersonation to launch social engineering attacks.




  If you have ever received a fake email from your CEO asking you to rush out and buy a large number of gift cards, or an email that tricks you into thinking the CFO is asking you to supply a full bank account number by email, then you have been the target of a targeted social engineering attack.


  In fact, the vast majority (90 percent) of today's phishing emails do not contain malware (malicious files or attachments) that could cause a content scan alert. These emails easily bypass most of the latest email defenses due to their lack of identifiable malicious content. Instead, they are designed to establish a trust relationship with you (the recipient). Once this relationship is established, an attacker can use it to cause you to act against your own interests.


  Persistent Threats


  Unfortunately, the problem of email threats remains widespread, and the lack of identifiable malicious code makes it harder to address. Since the start of the COVID-19 pandemic, email security vendors have reported a surge in pandemic-themed phishing attacks. These scams take advantage of people working from home, in an environment where they are easily distracted and where computer hardware and networks are less secure.


  Whether working from home or not, phishers are continuing to deploy attacks whenever they can, with phishing campaigns lasting an average of just 12 minutes. Google says they intercept more than 100 million phishing emails a day, 68 percent of which are new and never-before-seen scams. This is done by criminals using automated phishing to avoid detection through incremental changes from one scam to another.


  The changing landscape necessitates an updated classification of phishing attacks.


  Types of Identity-Based Email Attacks


  Identity-based email attacks are divided into three types. Each exploits a specific vulnerability in content-centric email defenses.


  ● Exact domain attacks, also known as domain spoofing, are emails that directly emulate a trusted sender by using their domain in the "From" field of the email. Example: "<boss> @ <your company>.com".


  ● Domain emulation attacks, also known as untrusted domain attacks, are emails from slightly modified "similar" or "cousin" domains. For example: "<yourboss> @ fedexx.com".


  ● Open registration attacks, also known as user impersonation or display-name attacks, show a legitimate sender's name in the "friendly from" (display name) field, the part of the header that usually shows a person's full name. However, these emails come from an account created on a free online email service such as Yahoo or Gmail. e.g.: "Your friend's name <randomaccount1234567@gmail.com>".
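As an added illustration (not from the original article), the Python below classifies a From: header into the three attack types above by comparing it against a constructed trusted-sender directory; the names, domains, free-mail list and the `authenticated` flag (whether the receiving gateway's SPF/DKIM/DMARC checks passed) are all assumptions.

```python
# Added example, not from the original article: detect the three identity-based
# attack types (exact domain, lookalike domain, open registration) from a From: header.
import re
from email.utils import parseaddr

# Constructed trusted-sender directory (hypothetical names and domains).
TRUSTED_PEOPLE = {"Jane Boss": "jane.boss@example.com"}
TRUSTED_DOMAINS = {"example.com", "fedex.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}


def edit_distance(a, b):
    """Levenshtein distance; small values flag 'cousin' domains such as fedexx.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name):
    return re.sub(r"\s+", " ", name).strip().casefold()


def classify_sender(from_header, authenticated):
    """Return 'legitimate', 'exact-domain', 'lookalike-domain',
    'open-registration' or 'unknown'. `authenticated` is assumed to come from
    the gateway's SPF/DKIM/DMARC evaluation of this message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].casefold()
    trusted_person = next(
        (p for p in TRUSTED_PEOPLE if normalize_name(p) == normalize_name(name)), None)
    if domain in TRUSTED_DOMAINS:
        # Uses one of our trusted domains directly: only authentication separates
        # a real message from a domain-spoofing attack.
        return "legitimate" if authenticated else "exact-domain"
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            return "lookalike-domain"   # e.g. fedexx.com imitating fedex.com
    if trusted_person and domain in FREE_MAIL_DOMAINS:
        return "open-registration"      # known person's name, free-mail account
    return "unknown"
```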


  Why pattern matching does not work in modern attacks


  Most anti-phishing solutions on the market today rely on identifying and responding to specific patterns. They scan emails for suspicious content, such as links, attachments, phrases or keywords, and apply machine learning to identify bad actors.


  Unfortunately, while these solutions do a good job with email content, they do not provide actionable, reliable information about the identity of the sender. When phishing emails come from domain spoofing attacks and use carefully crafted messages, they are virtually indistinguishable from legitimate messages in form and content. In this case, the content appears legitimate, the sender appears legitimate, and the anti-phishing system is fooled into treating it as a legitimate message. Even crude fakes can cause significant damage, such as the recent Iranian spoofing attack against Democratic voters in the United States.


  In addition, phishers conduct automated attacks, using machines to constantly make slight modifications to their messages in an attempt to stay ahead of the filters. In this game, criminals make incremental changes, and then email filtering algorithms respond with incremental changes in a never-ending and expensive defense process. Attacks are easier than ever to deploy because the cost of doing so has dropped dramatically, machines have become faster, and automated bots can be rented. There is no end to this iterative process, as the combination of misspellings, wording variations and deceptions is infinite. Worse, the attacker only needs to "win" once, while the defender needs to be right every time - a highly asymmetrical scenario. Meanwhile, businesses continue to be duped by illicit emails, and with each news cycle, criminals are further incentivized to continue the deception.


  A different approach is needed to address this asymmetry. It is much easier to define and enforce legitimate communication behavior than to evolve, predict and add to the list of all patterns that will describe all possible undesirable behavior. In other words, it is easier to define a limited set of good behaviors than it is to define a set of bad behaviors.


  Understanding the legitimacy of behavior in a communication application starts with identity and attributes, and the best way to determine the identity of a communication participant is to enforce authentication at the beginning of the communication.


  Enter the Zero Trust Approach


  Content-centric solutions evaluate each message by how malicious its content appears, which leaves a gap through which identity-based email attacks can escape. A zero-trust email security model is critical to closing this gap.


  Zero trust can also be described as zero assumptions. To eliminate the areas of ambiguity that criminals' evasion tactics exploit, you should assume nothing and authenticate everything. This principle is the basis for most digital interactions, such as payments, logging into websites, authenticating employees, and so on. However, for historical reasons, the basic approach in email has been "allow everything through and block bad behavior."


  Instead, a zero-trust approach redefines email security: an email is trusted only if it can be proven to be worthy of entering the inbox. Such a model does not allow messages to reach the inbox unless they come from an authenticated sender who has been granted explicit permission to send the message to a specific inbox.


  A zero-trust solution puts the focus on identifying trusted senders. Anything not on the trusted-sender list can then be automatically flagged, blocked or sent to spam. Users do not need to worry about regularly finding, analyzing or evaluating the myriad of possible malicious senders that have previously entered their inbox.


  To better understand this, consider a traditional login system. It positively identifies known and trusted users without making you worry about analyzing countless possible false logins to determine if each one is suspicious. Similarly, a zero-trust email security system can positively identify known and trusted senders while eliminating the worry of finding malicious senders. Thanks to open standards and support from email providers, a zero-trust approach is now not only realistic, but is considered a fundamental part of effective email security.


  In short: If you only allow communications from a list of known good senders, there is no need to spend time searching for all bad senders.
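The "authenticate first, then filter" admission decision, as an added example that is not from the original article: it reads the Authentication-Results header (RFC 8601) that a receiving mail server adds, requires a DMARC pass, and then requires the sender to be on an explicit allow-list before the message may reach the inbox. The authserv-id, the allow-lists and the sample header values are constructed.

```python
# Added example, not from the original article: zero-trust inbox admission
# ("no authentication, no access" plus an explicit trusted-sender list).
import re
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.com"          # hypothetical id of our own verifying MX
ALLOWED_SENDERS = {"billing@fedex.com"}  # constructed allow-list of individual senders
ALLOWED_DOMAINS = {"example.com"}        # constructed allow-list of whole domains


def parse_auth_results(header_value):
    """Return {method: result} from an Authentication-Results value we produced.
    Headers claiming another authserv-id are ignored, since a sender could have
    added them; the result is then 'no authentication at all'."""
    authserv, _, rest = header_value.partition(";")
    tokens = authserv.split()
    if not tokens or tokens[0] != AUTHSERV_ID:
        return {}
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def admit(from_header, auth_results_value):
    """Zero-trust decision: 'inbox' only for a sender that both authenticated
    (DMARC pass) and was explicitly permitted; everything else is 'quarantine'.
    Messages admitted to the inbox would still go through the content filter."""
    results = parse_auth_results(auth_results_value)
    if results.get("dmarc") != "pass":
        return "quarantine"              # no authentication, no access
    _, addr = parseaddr(from_header)
    addr = addr.casefold()
    domain = addr.rpartition("@")[2]
    if addr in ALLOWED_SENDERS or domain in ALLOWED_DOMAINS:
        return "inbox"                   # authenticated and on the trusted list
    return "quarantine"                  # authenticated, but never granted permission
```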


  The perfect email solution does not exist


  Perfection is somewhat subjective, but true security is not. When evaluating any of the solutions or companies to entrust your organization with email security, ask the following questions.


  1. What open standards does the solution support? DMARC, DKIM, SPF and BIMI are recognized authentication standards that help push email toward the fundamental principle of zero trust, known among email insiders as "no authentication, no access." While these standards are not mandatory today, they are best practices and may one day be required.


  2. What level of control will you have? If you need to approve certain senders that are typically marked as "bad", will the solution allow you to do so? Or will it be so paternalistic that it stops you from making your own decisions?


  3. How often does it verify your emails? Instantly? Or once a day, leaving a window during which similar bad actors can get into the inbox?


  4. How much time will you need to spend managing the solution? It is important to have a simple, straightforward interface that allows you to perform the desired action and then move on to other tasks. Unnecessary complexity is the enemy. Calculate the steps required to perform common administrative actions and find the solution that allows you to make the most informed decisions while requiring the fewest clicks.


  We must evolve to stop email fraud


  Businesses and organizations must secure their email to avoid falling victim to phishing attacks. The cost of phishing is already too high, and it's only getting worse. We must adopt a new "zero trust first" framework - the current approach is simply not keeping pace with the attacks. The most reliable foundation for email security is the "zero trust first" approach: let senders prove they deserve access before they actually get to your inbox. Then, add a filtering solution on top of this reliable zero-trust foundation to catch any missed content, such as messages sent from compromised accounts.


  In other words, first authenticate, then filter. Only through this zero-trust approach to email security can we create a world where email can be truly trusted.

