In Part 1 of this series, Ransomware Disruption Overview, George discussed how ransomware campaigns work and gave an overview of some prevention solutions. Part 2 went into preventing ransomware by leveraging a secure access service edge (SASE) architecture. Part 3 of the series takes it further by protecting DNS, a common threat vector. In Part 4, we’ll focus on two more areas of security that are well-known yet often under attack: email security and Next-Generation Firewalls (NGFW). While these technologies may seem standard practice for security, they have evolved with modern software and features over the years as threats have become more sophisticated.
One of the most common attack surfaces for malicious threat actors is through email. It’s a very effective method for several reasons, but the human element is typically at the forefront. Humans are inherently vulnerable because we are both curious and conditioned to want to trust. Email also remains one of the most common forms of communication for business and personal use. Given how pervasive it is as a means of communication, organizations must allow email to be accessed directly by their users. When we think of email security, historically, it’s been to prevent viruses and spam from reaching our inboxes. As defenses improve, threat actors are changing their tactics to get around those protections through social engineering.
How often have you received a gift card or cash offer in your email that piqued your interest? It’s tempting, but if it sounds too good to be true, it usually is. Such messages typically carry either a malicious attachment you are meant to open or a hyperlink you are meant to click that takes you somewhere you didn’t intend. These links force a malware download, chain through a series of webpage redirects to a malicious site, or trick you into entering your username and password. These are examples of phishing, which is very easy to set up and also very effective.
There are a few approaches to phishing, used with varying levels of sophistication. As in the example above, the gift card method casts a wide net over a large audience. It may be faster and easier for attackers, but it is less effective. Spear phishing is a more targeted approach in which the attacker goes after a specific individual, company, or industry. Attackers spend more time on reconnaissance, but it allows them to craft a more compelling, customized message. They often research their potential victims to find out with whom they work and what their interests are, and to determine the best way to get the target to interact. These emails are convincing because they typically contain details that make them believable, such as appearing to come from leadership or an authority figure. Plus, there is usually a sense of urgency attached to the message so that the potential victim reacts quickly without taking time to think.
Secure Email Gateways and Integrated Cloud Email Security
Clicking on that link or opening that attachment allows attackers to execute a ransomware attack, but good defenses are available to protect organizations. While there are native tools in email solutions that may be good enough for security, they often fall short of what dedicated email security solutions can offer.
Typically, we see two offerings: secure email gateways (SEG) and integrated cloud email security (ICES). SEGs have been around for a while and can be deployed on-premises or in the cloud. They sit between the internet and the email servers to provide inbound and outbound protection; organizations point their public-facing mail exchange (MX) records in the domain name system (DNS) at the gateway so that inbound email flows through it. ICES is newer and takes a different approach, given the popularity of hosting email in the cloud. ICES leverages application programming interface (API) integrations with the mail platform to provide security features instead of sitting inline like the traditional SEG solutions. This allows faster and simpler deployments while still leveraging advanced threat detection. Each approach has advantages, but combining SEG and ICES provides a comprehensive email security solution.
Modern email security solutions provide behavioral analysis and malware prevention. They can perform dynamic classification, where machine learning analyzes the content and sender reputation and looks for email address manipulation such as lookalike domains and spoofed display names. Controlling outbound email is just as important. We can now automatically encrypt authorized sensitive information and leverage data loss prevention (DLP) to disallow the unauthorized sending of specific files and data. We can also improve response times by feeding automated threat response capabilities through APIs into security orchestration, automation, and response (SOAR) platforms. Many email security solutions are bundled with security awareness training because email is still a top threat vector.
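To make the "email address manipulation" check concrete, here is an added example (not Nexum's code or any vendor's product logic) of the kind of rule a classifier runs over a message's From and Reply-To headers: executive display name on an external address, a lookalike of the organization's own domain, and a Reply-To that diverts replies elsewhere. The domain, executive names, and sample headers are all constructed for illustration.

```python
# Added example: sender-header checks of the kind an SEG/ICES classifier applies.
# INTERNAL_DOMAIN, EXECUTIVES and SAMPLES are constructed, not real data.
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumed: the protected organization's domain
EXECUTIVES = {"jane doe", "john smith"}  # assumed: display names attackers impersonate

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(headers: dict) -> list:
    """Return a list of findings for one message's From / Reply-To headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. An executive's display name, but the address is not on our own domain.
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        findings.append("display-name impersonation")
    # 2. Sender domain is a near-miss of our domain (typosquat / lookalike).
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike domain")
    # 3. Reply-To points at a different domain than From, so replies (and any
    #    credentials or invoices sent in them) are routed to a third party.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply-to mismatch")
    return findings

# Constructed sample headers (not captured from real mail).
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>"},
    "ceo_spoof": {"From": "Jane Doe <ceo.urgent@gmail.example>",
                  "Reply-To": "payments@attacker.example"},
    "lookalike": {"From": "IT Support <helpdesk@examp1e.com>"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_sender(hdrs) or "clean")
```

A production classifier would combine such findings with sender reputation, authentication results (SPF/DKIM/DMARC), and content analysis rather than act on any single rule.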
Over a decade ago, there was a shift from port- and protocol-based firewalls to what is now known as the NGFW. Traditional features like packet filtering, network address translation (NAT), stateful packet inspection, and virtual private networks (VPNs) were no longer sufficient to prevent advanced threats. In the beginning, the NGFW took those features and layered in additional services like intrusion detection/prevention systems (IDS/IPS), malware protection, and URL/web filtering. The NGFW became application-aware because many threats masked themselves as well-known and trusted protocols. For example, DNS is widely used and trusted for domain name resolution, but if malicious traffic disguised itself as DNS and exhibited suspicious behavior, an NGFW would catch and block the threat. Much like email security has evolved over the years, so have the features of the NGFW.
Over time, threat actors caught on to businesses leveraging NGFWs to protect their assets. The increased visibility provided excellent protection, but what if the threats were hidden inside encryption? Secure sockets layer (SSL) communication between two systems created a visibility problem for an application-aware firewall. NGFW manufacturers responded by adding SSL decryption capabilities, which solved the visibility problem. However, SSL decryption is resource-intensive, and earlier NGFW platforms didn’t have the processing power to decrypt without taking a considerable throughput penalty. Organizations were forced to choose between performance and security. Fortunately, as the newer generation of hardware platforms came onto the market, performance increased significantly through dedicated hardware for processing SSL traffic.
Innovations in software features continue to be layered into the modern NGFW. We’re able to prevent attackers from exploiting internal systems with known vulnerabilities. New and unknown malware variants can be detonated in a sandbox environment to inspect their behavior, all before users can open the file. If new malware is discovered, all NGFWs in an enterprise can be updated in real time to prevent it from spreading. NGFWs dynamically update their access lists to block communication based on reputation sources and threat intelligence feeds. Ransomware often exhibits a distinctive pattern of behavior, and NGFWs now understand these indicators of compromise (IOCs) and update their block lists dynamically.
In our previous Ransomware Series blogs, we covered effective ransomware defense solutions such as DNS protection and SASE. SASE includes services such as a cloud access security broker (CASB) for SaaS applications, a full web proxy, also known as a secure web gateway (SWG), and DLP. Historically, these have been separate products with separately managed systems. Today we’re seeing them added to the NGFW as a software and subscription update. Many organizations are challenged with lean staff and tool sprawl. Bringing all of these features into a single NGFW solution can help simplify operations and speed up threat response to attacks like ransomware.
Next Steps with Nexum
Email security and NGFW may seem like older technologies, but they continue to evolve as threats continue to grow. They are still crucial elements to defend against the likes of ransomware. We understand the importance of patching software and systems to protect against exploited vulnerabilities. Humans are often the most vulnerable layer in an attack. We can’t be patched like software, but we can become less vulnerable through awareness training. An educated user is the first and last line of defense in cybersecurity.
The Nexum solutions team has extensive experience with email security and NGFW solutions. We can also ensure that your investments in ransomware defense technologies are adequately tuned and sized for your organization. If you are not leveraging the full potential of these solutions, require assistance with their configuration and deployment, or are perhaps unsatisfied with the current toolsets, Nexum can help. If you are just starting on your journey, Nexum can assist with architecting and planning.
Jump to –
- Ransomware Disruption Overview: Ransomware Series Part 1
- Prevent Ransomware with SASE: Ransomware Series Part 2
- Ransomware “Does Not Succeed” with DNS: Ransomware Part 3
- Let’s Play a Game (of Deception): Ransomware Series Part 5