For months we have been reading about increasingly sophisticated attacks on companies. With every new wave, we are amazed to discover that a particular virus or trojan is especially dangerous and clever. The programmer of the malware may even award himself or herself a medal if the German BSI issues a report or a news report mentions the attack.
The vast majority of viruses use emails as a launching pad into the company. Only then are further spreading measures taken that would not have been possible before. Why is this so? The answer is quite simple: at the transition from the Internet to the corporate network there is a firewall. Every firewall admin who does his job properly has the famous Any-Any-Drop rule at the end of his rule set. In other words, anything that has not been explicitly permitted is rejected. This means that all open doors to the Internet are known, hopefully well documented and thus controllable. This is all the more true if the firewall also runs a well-maintained IPS rule set such as Snort.
Smart whitelisting as the first step towards increased email security
What about email security? For fear of losing an important contract, many companies are taking a very high risk by setting up at best half-hearted rules in the area of attachment management. Statements such as “I don’t even know what our partners are sending us. Better to accept first.” are often used as an excuse not to implement important basic security measures. This includes, for example, a solid whitelist procedure in which all emails with attachments that are not explicitly permitted are rejected. Usually only the usual suspects such as executable files or screen savers are blacklisted. Personally, I haven’t heard about viruses that spread via an SCR file for a long time.
Emotet poses a big risk
What firewall admins have been practicing for a long time should finally be adopted by email security admins. Both the financial risk of a total IT failure and the risk of reputational damage have skyrocketed to dizzying heights because of Emotet. No contract can be so important that it justifies exposing your company to such a risk. Especially since large orders are usually preceded by a certain amount of preliminary sales work, and by that point both parties have an interest in processing the order properly.
SPF, DKIM, DMARC and S/MIME verify sender’s authenticity
However, a whitelist for attachments is only the first step towards proper attachment management. The advantage of email is that we can measure sender reputation in different ways. Standards such as SPF, DKIM and DMARC, but also an S/MIME signed email give an indication of the authenticity of the sender. The prerequisite for the S/MIME signature is of course a certificate from a trustworthy certification authority. In its recommendation for the defense against Emotet, the BSI even recommends the rejection of emails in which the sender address in the so-called envelope of the email differs from the sender address in the header. Unfortunately, it goes unmentioned that some newsletters may get lost. But it shows the explosive nature of the matter.
Content Disarm and Reconstruction eliminates dangerous email attachments
Knowledge of the communication relationship as such should have a further influence on the sender’s reputation. A reliable email security gateway knows whether there is already contact with the sender or not. This knowledge must be used consistently. A DOC file from an unknown sender is simply not allowed to end up in a mailbox anymore. Information from the BSI that attachments should only be opened with the greatest care is not really helpful. Either the user opens the file, or he doesn’t. “Just open a bit to take a look” doesn’t work.
In such cases, technologies like CDR (Content Disarm and Reconstruction) have to protect the user as best as possible. In the CDR approach, for example, a DOC file is converted into a harmless PDF file at the gateway, similar to an X-ray image taken by a doctor. In this way, the recipient of the file can see the contents of the original file without having to start the malware.
Even the well-intentioned advice of the BSI to regularly check whether the patterns of the virus scanners are up to date is not an effective defense against Emotet. On average, a new variant of the malware appears every 45 minutes and is therefore invisible to most pattern-based scanners.
NoSpamProxy, a high-performance email firewall
With NoSpamProxy, Net at Work offers a powerful email firewall. Enterprises can easily create a whitelist for attachments and reject emails whose attachments are not on it. Required attachment formats can then be handled using a variety of actions. Probably the most important action is the CDR procedure. It can be applied to all Word, Excel and PDF files, although it is recommended not to accept Office files with macros in the first place. With the Level of Trust system, it is also possible to treat attachments from known communication partners differently from attachments from unknown senders. The range of possible actions extends from “Reject” and “Quarantine” to “CDR” and the “Sandbox procedure”.
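The checks described above (the envelope-versus-header sender comparison recommended by the BSI, an attachment whitelist that depends on whether the sender is a known communication partner, and the rejection of macro-enabled Office files) combined into one small gateway policy, as an added illustration that is not NoSpamProxy's code. The partner list, the two whitelists and the sample mails are constructed for the example.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed policy tables (hypothetical, not NoSpamProxy's own configuration)
KNOWN_PARTNERS = {"partner.example"}            # "Level of Trust": established contacts
ALLOWED_KNOWN = {"pdf", "docx", "xlsx", "txt"}  # whitelist for known senders
ALLOWED_UNKNOWN = {"pdf"}                       # strangers: PDF only, and only via CDR

def has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project lives in vbaProject.bin."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def decide(envelope_from: str, raw: bytes) -> list[str]:
    msg = message_from_bytes(raw, policy=policy.default)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    env_dom, hdr_dom = (a.rpartition("@")[2].lower() for a in (envelope_from, header_from))
    if env_dom != hdr_dom:  # BSI recommendation: envelope and header sender must agree
        return ["Reject: envelope sender domain differs from header From"]
    known = hdr_dom in KNOWN_PARTNERS
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext, data = name.rpartition(".")[2].lower(), part.get_payload(decode=True) or b""
        if ext in {"docm", "xlsm"} or has_macros(data):
            verdicts.append(f"Reject {name}: Office macros")  # never accepted at all
        elif ext not in (ALLOWED_KNOWN if known else ALLOWED_UNKNOWN):
            verdicts.append(f"Reject {name}: extension not on whitelist")
        else:  # disarm Office files and anything from a stranger; deliver the rest
            action = "CDR" if ext in {"docx", "xlsx"} or not known else "Deliver"
            verdicts.append(f"{action} {name}")
    return verdicts or ["Deliver: no attachments"]

def build_message(from_hdr: str, filename: str, data: bytes) -> bytes:  # constructed sample mail
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_hdr, "inbox@corp.example", "Invoice"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def fake_docx(*members: str) -> bytes:  # minimal zip mimicking a .docx with the given entries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"x")
    return buf.getvalue()
```

In a real gateway the envelope sender comes from the SMTP MAIL FROM of the session; here it is passed in as a string for the example.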
Sender reputation procedures such as SPF, DKIM and DMARC play an important role in the assessment of emails. Within the scope of the checking procedure, other characteristics of the sender information are also examined more closely.
In this article we have explained two methods that NoSpamProxy customers can use. Neither of them relies on patterns or other time-delayed procedures. Convince yourself of the qualities of an email firewall made in Germany during a trial.