Tell me if you’ve heard this one before – email attacks are on the rise in volume and sophistication. In this article, I'll argue that the typical approach to email threat detection & response is missing a critical element — containment.
BEC from the outside in. ATO from the inside out.
Email-based attacks encompass a range of objectives from financial exploitation to data exfiltration. What’s common among them is the urgent pressure to spot and stop them. Two prevalent techniques that continue to make headlines and plague security teams are Business Email Compromise (BEC) and Account Takeover (ATO).
BEC attacks often utilize spoofed emails or compromised accounts to deceive recipients into conducting financial transactions. ATO scenarios originate from stolen credentials or active sessions, and are often aimed at gaining elevated access to systems and data – or to facilitate a BEC attack as the sender. Both flavors of attacks are difficult to detect as they appear legitimate – either by looking like a request coming from a trusted source, or by looking like a user performing authorized actions.
Regardless of the primary attack goal, the consequences of a successful attack are severe – there are financial losses, reputational damage, operational downtime, competitive setbacks, and even legal ramifications in play. When assessing risk and planning for defenses, it’s important to consider the full attack lifecycle – where email isn’t just one, but *each* of the following:
Attack Method: e.g. a phishing email intended to convince the target user to take action
Attack Vector: e.g. an email account that can be leveraged for elevated access to systems
Attack Target: e.g. the accessible systems and data from within a compromised email account
The status quo is effective until it isn’t
Despite widespread recognition that perimeter defenses are insufficient for the cloud as Zero Trust architectures become the norm, email security is still behind the times. The primary approach is limited to inspecting incoming and outgoing email traffic via Secure Email Gateways (SEG) and Data Loss Prevention (DLP) tools respectively, hoping inline detections catch everything (which they won’t).
Markets evolve quickly, and we’re noticing a trend among organizations to adopt a cloud operating model for email security – recognizing the limitations of perimeter-based SEG and DLP solutions. To begin with, the built-in capabilities of the major cloud email providers – Microsoft 365 and Google Workspace – have improved as the first line of defense for the bulk of high-volume spam and phishing emails. Furthermore, to provide enhanced protections against sophisticated attacks such as BEC and ATO, API-based solutions that utilize advanced AI/ML detection methods such as Material are favored.
While detections are vital to thwart high volumes of spam and phishing emails, they're not the only means of defense against email threats. As attackers are always looking for more effective, yet less obvious ways to bypass defenses, the sophistication with these types of attacks comes from convincing impersonation attempts and legitimate behaviors obscured from even the most advanced detection engines.
This isn’t purely defense-in-depth reasoning – there’s a notable coverage gap that must also be addressed. When compromised, email accounts have full access to the contents of the inbox, respective file repositories, and downstream systems – contents that often lack additional access controls because the generally accepted thinking is that account protection via multifactor authentication (MFA) is good enough. While strong authentication on email accounts acts as an important line of defense, account-level MFA doesn't address resource-level access controls. Therein lies the gap.
Conventional wisdom would say to implement a Privileged Access Management (PAM) product around your sensitive resources and accounts. For teams with the necessary resources, this is advisable, albeit often costly and complex. However, advances in email-based attacks warrant a modern solution dedicated to email security.
If we review the last 5 years of incidents across multiple industries, both sophisticated and widespread attacks started with a successful intrusion through phishing. Material gives us an extra layer of protection when it matters most—and accelerates our detection and response time by delivering a strong workflow. - NICO WAISMAN, CISO | LYFT
Email threat detection, containment, and response
Let’s look at this through the lens of incident response across the lifecycle of an email-based attack. First, we have to acknowledge that incident response teams are buried in challenging issues every day across many critical systems, where the severity is only truly known after an investigation.
In its simplest form — the function of ‘good’ detection technologies is to catch all the things they're supposed to catch, and then provide actionable context for any necessary response procedures. The function of a ‘good’ response workflow is to effectively remediate the issue given the context provided. But this handoff is rarely as clean as it appears:
No detection engine will catch all the right things every time: Attacks will invariably slip through, and false positives will trigger. Close to 100% coverage is the target, but 100% coverage is unattainable.
There are more issues created than procedures to address them all: Any combination of people, process, and technology will have limitations and bottlenecks. Alert zero is as unlikely and fleeting as inbox zero.
Context is often limited and there are always blind spots: Detection engines won’t always have the full picture, especially those that only exist at the perimeter. It takes security teams with advanced skills and deep domain knowledge to understand everything.
This realistic scenario adds up to time and effort – stressful time and expensive effort. There’s a strong desire among security leaders and practitioners alike to measure and minimize Mean Time to Remediate (MTTR) given all the things that can go wrong in between detection and response.
While there’s no silver bullet, a containment strategy is an effective complement to threat detection & response workflows. In this context, containment means applying right-sized access controls around resources that would otherwise be accessible from a compromised account. This includes, but is not limited to, email contents, file repositories, chat systems, source code repositories, servers and databases, and third-party SaaS applications. The practice relieves pressure on incident response teams by protecting sensitive data and preventing lateral movement.
At Material, we’ve pioneered a clever approach to containment by applying message-level access controls around emails that are detected or reported as suspicious. We’re integrated with your Microsoft 365 or Google Workspace environment via API, and are continuously syncing its contents and events. Our detection engine includes logic for identifying sensitive data that requires protection (PII, PHI, PCI, etc.) and logic for identifying user behaviors that indicate compromise (forwarding rules, password resets, etc.). The contents of these emails are then redacted and the message itself is wrapped with a layer of authentication.
Slowing down the attacker gives me more time to respond. Those speed bumps are the things that allow us to breathe at night. - JJ AGHA, CISO | COMPASS
Detect, contain, and respond with Material
At Material, we take a holistic approach to safeguarding cloud environments, understanding that protecting against email-based attacks requires viewing email as more than just a means of attack. Treating email threat detection, containment, and response as a single workflow does a better job of connecting the dots between stopping attacks and reducing risk than wrangling the problems in isolation.
Detect: Intelligent defenses that identify ongoing email threats, indicators of account compromise, and sensitive data exposure. Early detections across all of these behaviors are critical to spotting an attack in progress. Material has in-depth visibility into email traffic, message contents, and user behaviors to catch and alert on suspicious activity.
Contain: Right-sized controls on accounts and data to prevent lateral movement and data exfiltration events. In an account compromise scenario, it’s critical to slow down the attacker and limit their spread within the environment. Material applies message-level access controls to emails that contain sensitive information or could be used for lateral movement, protecting data and apps behind a layer of authentication.
Respond: Effective issue-handling workflows to remediate compromised accounts and audit data exposure. A timely and efficient response is critical to avoiding any material impacts, whether financial loss, reputational damage, or operational setbacks. Material includes a built-in case triage experience designed for phishing attacks, and integrates with your downstream SIEM and SOAR platforms.
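As an added illustration of the detect-and-contain flow described in the Material containment paragraph above and in the Detect/Contain/Respond summary, the following Python is not Material's code and assumes a simplified message and audit-event shape: it tags messages holding PII or PCI data, redacts them and marks them as requiring step-up authentication to open, and flags new inbox rules that forward mail outside the organisation's domain. The message bodies, event records and addresses are constructed samples.

```python
import re

# Constructed sample data (not real mailbox contents or audit logs).
# The event field names are a simplified assumption, not a provider's real schema.
INTERNAL_DOMAIN = "example.com"
MESSAGES = [
    {"id": "m1", "subject": "W-2 copies",
     "body": "SSN 123-45-6789 attached, card 4111 1111 1111 1111"},
    {"id": "m2", "subject": "Lunch", "body": "Pizza at noon?"},
]
EVENTS = [
    {"user": "alice@example.com", "action": "New-InboxRule",
     "forward_to": "drop@attacker-mail.example"},
    {"user": "bob@example.com", "action": "New-InboxRule",
     "forward_to": "bob.archive@example.com"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN shape
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # card-number candidates

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(msg: dict) -> set:
    """Return the sensitive-data labels (PII, PCI) found in a message body."""
    labels = set()
    if SSN_RE.search(msg["body"]):
        labels.add("PII")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(msg["body"])):
        labels.add("PCI")
    return labels

def contain(msg: dict) -> dict:
    """Redact detected values and mark the message as needing step-up auth to open."""
    labels = classify(msg)
    body = SSN_RE.sub("[REDACTED-SSN]", msg["body"])
    body = CARD_RE.sub(lambda m: "[REDACTED-CARD]"
                       if luhn_ok(re.sub(r"\D", "", m.group())) else m.group(), body)
    return {**msg, "body": body, "labels": sorted(labels), "requires_auth": bool(labels)}

def suspicious_forwarding(events: list) -> list:
    """Flag new inbox rules that forward mail to an address outside the org domain."""
    return [e for e in events if e["action"] == "New-InboxRule"
            and not e["forward_to"].lower().endswith("@" + INTERNAL_DOMAIN)]
```

In a real deployment the redacted message would be what the mailbox shows, with the original released only after the user re-authenticates, and the flagged rule would open a case for the response workflow.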