Adaptable email defenses at Rebellion Defense

Peace of mind in incident response is a rare thing. When we catch glimpses of it, it’s worth taking note. We sat down with Daniel Elice, Cybersecurity Engineer at Rebellion Defense, for a lively discussion about email and data security across Google Workspace, and how Material helps him and his team keep the company safe from phishing attacks and sensitive data exfiltration.

What it takes to defend the defenders

Rebellion Defense is a high-growth technology company providing advanced security solutions for government agencies to stay ahead of national security threats. When your business is focused on nation state adversaries, internal security is paramount. Daniel and his team are responsible for securing their cloud infrastructure, the workforce, and their software products. 

Rebellion leverages Google Workspace as their productivity suite. With high-profile targets within the organization, high-stakes customer engagements, and high-value IP, two critical focus areas for Daniel are stopping sophisticated email attacks and preventing unwanted data exposure. Recognizing that the attack landscape is ever-changing, and the attack surface is wider than what traditional email blockers cover, Rebellion turned to Material Security for more holistic coverage.

“Where I see additional layers needed on top of Google are threat intelligence that drives what we're concerned about in terms of emails," said Daniel.

Securing the productivity suite with Material

Sophisticated threat actors continue to evolve their phishing and pretexting tactics and techniques to evade defenses. Social engineering attacks are harder to catch using basic detections, which shifts much of the responsibility onto users to report. While an important line of defense, it’s dangerous to rely on users to identify malicious emails, and it’s a burden on the incident response teams that have to investigate each one manually. Since rolling out Material, Daniel has experienced a notable improvement in what gets stopped in its tracks, and what gets surfaced for investigation.

Staying ahead of the threat landscape is a concerted effort day in, day out. As the email attacks change, so must the defenses. Daniel appreciates the balance that Material provides – enabling flexibility and customization across how layered detections are deployed without having to maintain the underlying logic engine yourself. Using our out-of-the-box detections and reports, and working with the Material team to fine-tune custom detections, Daniel is able to monitor attack trends, and customize the response automation. He even gained such confidence in Material’s VIP impersonation detection that he set the default remediation option to delete messages on sight.

Email is the primary way into the productivity suite for attackers, but once-in, there’s a treasure trove of sensitive data accessible through an email account. It’s not only malicious activities you have to watch out for, insider risk is a major consideration when there’s so much confidential data across employee mailboxes and shared file repositories. Daniel was one of the first Material customers to jump at the opportunity to apply protections to Google Drive, and was an early design partner for the product. He knew that traditional DLP approaches that only inspect outgoing traffic have a tendency to get it wrong a lot, generating high volumes of false positive alerts while missing true positive sends. The Material approach is to enforce protections to data where it lives. Being able to apply access controls to email messages and revoke external sharing of files using a single product has significantly helped Daniel prevent unwanted data exposure in a more consistent manner.

Full Session Transcript

As a security team inside of a security organization, how do you treat corporate security as it relates to cloud, product and compliance?

I'll break it down into a few different aspects. Risk assessments are going to be a big one – constantly looking at different vulnerabilities, new threats as they're being published, or threat actors. We're also leveraging many frameworks – the NIST framework specifically for government compliance, to implement various security controls there. Aside from the technical written policy processes in place, to help drive the technical implementation and build that cross functional collaboration amongst teams. 

 You use Google Workspace as your primary email productivity suite. Describe your general approach to Google Workspace security – what are some of the more important risk areas and how do you prioritize, what areas to protect? 

 When I think about Google Workspace, I think phishing and then data loss prevention. Phishing… obviously I'm concerned about external threats. So looking at different attachments, hashes, links, the content in the email – basically those external attack vectors.

And then when I think about data loss prevention, I'm thinking about insider threats. Whether it's intentional or unintentional, Rebellion’s sensitive data being exported out of the network through email. 

 I'm glad you mentioned looking at it from different angles. A lot of people, when you think about email security, you might just stop at the phishing, but it's also important to think about the data that exists and what are some of the exfiltration paths.

Where do you see the greatest need for additional layers of either visibility or defenses atop Google Workspace? 

 Where I see additional layers needed on top of Google are threat intelligence that drives what we're concerned about in terms of emails. What TTPs are threat actors using? Is there anything new? Malicious attachments, different hashes… so threat intelligence I see as a big one on top of Google Workspace.

Behavioral analytics in terms of machine learning to identify anomalous patterns that Google might not pick up. And really just that deeper content analysis that can look at those embedded attachments, embedded images… some of those more in depth, deeper phishing protections.

 And the threat landscape has evolved. You mentioned the various TTPs you're trying to keep up with. In terms of email security, in what ways have you seen email security evolve over the years, both from an attacker perspective and a defender perspective? 

 Over the years, I've seen more sophisticated threats still using phishing, spear phishing – those high level tactics and techniques. But they're getting to be more sophisticated where regular scanners are not necessarily going to pick up on them.

With Material, one thing it picked up on was a fake thread… and luckily our users caught it, but it baffled me. It looked very real asking for money information. The threats are definitely becoming more sophisticated and harder to flag. 

And then I think on top of that cloud services are becoming adapted across organizations. So obviously cloud services like Google Workspace have built in security features, but it opens new attack vectors and vulnerabilities as well. 

And then on the contrary to attacks, I think detections have also improved as well, right? There's been advancements in security technologies, such as Material Security that uses machine learning/AI to enable organizations to better detect and prevent those email-based threats in real time.  

I'd love to understand what you're seeing come in – what's being picked up by Material and then what's being picked up by user reports?

We’re a small company, less than 100 employees, but I'd say on an average week, we definitely get a handful of cases created – 99, if not 100 percent are going to be Material flagged, which is fantastic… Material’s getting them before it gets to the users. 

And then we have the remediations in place to automatically move those emails to spam or delete the email or a speedbump saying, “hey, somebody else flagged this as malicious, are you sure you want to click the link?” So that reduces my response time significantly and really prevents it from reaching the user.

 The speed bump feature in Material is also great just for educating user awareness as well. On top of proactive defense, I think educating users is a huge aspect of that speed bump feature.

 Are the different categories that you see more than others in terms of attack types?

 Yeah, out of all the out of all the detections that I'm seeing in Material, VIP impersonation is definitely one of the top ones. Thanks to Material we're able to input VIPs' personal emails with them so that Material is able to look out if this is somebody trying to impersonate a VIP/somebody in the C suite. 

And then payroll solicitation has been another one as well that we've been saying, can you change this bank account to route here? And Material has been picking up on those. It doesn't need user interaction Material’s flagging it before the user even sees that email, which has been great. 

 You were so confident in our VIP detection that you were comfortable making the default remediation to delete the emails. What gives you that confidence for that specific detection? 

The VIP impersonation has been flagged over the past several months. And every time an email was flagged for VIP impersonation, it was legitimate, it was a true positive. So now, instead of just moving it to spam, why keep it in the inbox? We can just delete it, and a user won't even have any opportunity to interact with that email. And that frees up my time as well. If I know  the mail is being deleted right away, I don't have to worry about a user clicking or me responding to it.

Over time, I've definitely noticed that there's been less user reports and more Material detections. From a security perspective, I sleep better at night knowing that Material’s picking up on it and it's not getting to the user, or it's getting remediated before the user has a chance to see it. That helps with incident response, and it reduces the reliance on user vigilance of these emails as well. Users are what malicious actors are targeting, and knowing that Material’s flagging them before it gets to the user is huge. 

With email security – everyone knows about phishing. Are there other facets of email risk that you think deserve more attention than what the market typically thinks about today? 

I'd say on top of phishing, insider threat is big. And again, insider threat might not be malicious in nature, it might be unintentional. But humans are definitely a vector that attackers are using, and accessing sensitive Rebellion data or company data in general is definitely a factor that I'm concerned about. 

You mentioned a vector – we say that email is a method, a vector, and a target. So a method of delivery would be phishing, a vector would be getting elevated access to systems and apps, and then a target would be the sensitive data that sits in the mailbox.

I'd love to hear how you're using Material protections on the vector side of the house for identity protection. Are there specific user risks or events that you're looking for that might indicate something insider risk oriented or potentially even account takeover scenarios? 

In terms of Identity Protection it's very helpful with sign on, it's going to have the user authenticate, make sure it's actually them before clicking on like an account saying, “Hey, is this you?” We have material to do that.

And then for Data Protection there's a lot of, whether it's financial statements or just contract statements, we're working with government partners. So just sensitive data that we wouldn't necessarily want out there. So that Data Protection helps lock the email after a certain period of time.

And then a user has to say, “Hey, this is me trying to authenticate to it.” 

I know you use our API and event subscriptions a lot – I'd love to hear which events in Material are most interesting to you. And then where are those firing off that you can go look at? 

I use a lot of Material’s events and API features here to help automate my tasks. And the primary one I use is really case creation – any time a case gets created, it's going to fire off an event and get sent to Slack where I have my security alerts going and I have it populating with the user who it's from to headers all that stuff. So it triggers right to Slack and allows me some easy integration. If I'm eating dinner, I can just check my phone and kind of have all that information in front of me that Material provides. 

Is there anything around email forwarding, whether to personal accounts or high risk nations that you're using Material to stay on top of?

Yes. So Material has been great – I've worked with the product team and technical support, and they've helped us build out detections for high risk nations. So any email that gets forwarded to say, China, Russia, higher risk nations will get flagged and a Material in a case created. 

So with Material, we set up alerts that are on a flag on emails sent from Rebellion Defense dot com to freeware accounts – Gmail, Yahoo, Hotmail. And that just gives us visibility. If there's an attachment that gets sent to somebody's personal Gmail, just to look over it.

And we're able to flag specific keywords thanks to Material where we can look for any sensitive information or PII, anything that we wouldn't necessarily want exported outside of the Rebellion network.

What type of historical investigations have you used Material to do more in depth inspection for?

 With Material’s search capability, it allows super easy searching for emails based on really any criteria – to, from, a subject, attachment name, you name it. And it really helps with user offboarding is one use case – looking at specific users and seeing what their email interactions look like over the past, say, 30 days. But then also if there is some type of incident that we flag, we can also look at any users affected in the Material console and search for emails or hashes, attachments that may be related to the incident that was flagged as well. 

And the great thing about Material is the case matching is also great – if there's a similar email that matches to an existing case, Material’s automatically going to flag that, which has increased that visibility and correlation for us as well.

 Correlation is the magic word – definitely looking at how we can pull in a bunch of different signals looking at context. We have such in depth visibility into email accounts and account behaviors that the more we can correlate the better it is for folks like you who are trying to triage these things coming in.

I'd love to  touch on some of the risk reports and other areas of the product – when you look at our risk reports, what are some of the actions you took with that new information? 

The risk reports are great in Material. Just looking at case creations, you can look at how many cases were created of specific affected accounts that were affected during the cases. And you can really just look at trends there as well as user reports. And then in terms of Posture Management within Material Security as well – this helps us flag various mail forwarding accounts that might not have MFA enable their MFA bypasses. So it gives us a lot of visibility into our configurations as well related to email and Google Workspace accounts. 

So these reports help a lot with looking at our holistic footprint that we have related to email security and data security. 

We see the risk areas as a combination of a lot of wrangling efforts – there’s definitely a lot of attack wrangling, but there's also all the configuration wrangling, and then of course there's data wrangling. We're glad that we're able to correlate some of those things for you.  

If you didn't have Material, what would you do to protect the content inside of email? 

 If I did not have Material, I don't think I would sleep at night. I would be up responding to phishing emails all night. 

I'd say some of Material’s most unique capabilities compared to what I've seen in the market is that advanced machine learning/AI based threat detections – VIP impersonation, payroll solicitation, fake message threads – those are some of the top 3 categories that get flagged on Rebellion’s network, and working with the Material team constantly building out new detectors and asking for feedback and implementing them. 

And then the reporting and analytics has been great, too, right? We can monitor the number of cases, accounts that are targeted, user reported versus Material cases as well. So it helps present to leadership. “Hey, this is what we're doing.” And it helps me as well – seeing if specific accounts are being targeted or specific methods, tactics, and techniques are targeting our network as well.  

My experience working with the Material team has been fantastic. Since I onboarded, they took the time to show me around the Material console. And we have a monthly cadence sync just to talk about new  features that have been deployed, and if I have feedback or want a new feature, we can talk through it and  if I have any questions, I would reach out and usually receive a reply within the hour if I was trying to work on something. So the Material support team has been fantastic.

We put a lot of pride into our white glove treatment with customers like you. And speaking of that, you were a design partner for our new product, Data Protection for Google Drive. I'd love to hear how that experience has been for you… working with us so early in product development and helping us evolve the product. 

 I sat down with the product development team at Material and talked through some Google Drive use cases on what I was concerned with and how I think Material Security can help with those. 

The search feature is tremendous within Material Security – I'm able to search specifically for criteria that I'm interested in looking at, whether it's users or specific documents that have been shared externally, or with specific users… and it saves me tons of time. I know Material just rolled out custom detections based on criteria – if we want custom categories or if a user shares a file externally. So different use cases, I'm now able to build out those custom detections, and then send them to a webhook or SIEM. And I'm very excited to start using that feature as well to help flag things in real time. 

 When I first joined Rebellion about a year ago, I was concerned that there were very loose policies on external file sharing, and malicious or non malicious employees may have been sharing files externally. So Google Drive protection, just monitoring that quote unquote insider threat again, maybe not malicious, but that kind of insider threat there keeping Rebellion’s sensitive data within our Rebellion network, as opposed to being shared with, say, a personal Gmail account or that we had no visibility over. 

 It's very easy for data in Google Drive to become this messy sprawl of loosely shared data – it's nobody's fault, it’s the way the product was designed, it was literally designed to share documents. So it is good that you saw that and then addressed it. 

 Since we've rolled out our Google Drive protections with Material, the user offboarding process has been much easier. I'm able to go to Material’s Google Drive search and search for that user and look at past Google Drive activity over the past X days. I plan to build out some detections based on the new features that Material just rolled out to flag in real time.

Google Drive has been a huge help doing audits as well, looking at different files, I'm able to just see, “Hey, any sensitive file, show me this.” And if it's shared externally, I could loop them both together and just see it all in one pane and export those results or click a single button and say, “Hey, remote external access.” I'm able to do everything from the Material console, which saves me a lot of time and heartache.

I'd love to hear how you see the value of email and file protection under a single product line? 

 High. I think that these are both two ways that actors or employees can potentially exfiltrate data. And I think having them both under that same product is a good way to monitor that data, that sensitive data that companies care about .