BitDam Study Exposes High Miss Rates of Leading Email Security Systems
Imagine receiving an email from US VP Mike Pence’s official email account asking for help because he has been stranded in the Philippines.
Actually, you don’t have to. This actually happened.
Pence’s email was hacked when he was still the governor of Indiana, and his account was used to attempt to defraud several people. How did this happen? Is it similar to how the DNC server was hacked?
Email hacking is one of the most widespread cyber threats at present. It is estimated that around 8 out of 10 people who use the internet have received some form of phishing attack through their emails. Additionally, according to Avanan’s 2019 Global Phish Report, 1 in 99 emails is a phishing attack.
BitDam is aware of how critical emails are in modern communication. BitDam published a new study on the email threat detection weaknesses of the leading players in email security, and the findings command attention. The research team discovered how Microsoft’s Office365 ATP and Google’s G Suite are allegedly critically weak when dealing with unknown threats. Also, their time-to-detect (TTD) can take up to two days since their first encounter with unknown attacks.
How Leading Security Systems Prevent Attacks
Email security systems address cyber threats by scanning links and attachments to determine if they are safe or not.
They can then automatically block links and prevent download or execution of file attachments. In most cases, to identify threats, security systems compare the scanned files or links to a database of threat signatures. They employ reputation services or a threat hunting protocol that monitors possible attacks based on threat data from various sources.
Links or attachments that are deemed safe on the initial scan are not always safe, though. There are many instances when security systems fail to filter threats because they have not updated their threat databases yet. Because of this, gaps in detection exist. There can be up to three detection gaps in a typical security system. These gaps represent vulnerabilities or opportunities for email attacks to penetrate.
There are security systems that take advantage of artificial intelligence to make threat learning and detection automatic and more efficient. They use data from previous attacks and the corresponding actions of the network administration or computer owner to come up with better judgments for the succeeding incidents.
High First Encounter Miss Rates and TTD: Current Email Security’s Inadequacy
Despite all of the advancements in email security, flaws still exist. As mentioned earlier, leading email security systems Office365 ATP and G Suite lose their detection effectiveness when faced with unknown threats. Based on BitDam’s test results, Office365 has an average first encounter miss rate of 23% while G Suite has 35.5%. They also have notably long TTDs after the first encounter. TTD for Office365 and G Suite were recorded at 48 hours and 26.4 hours, respectively.
To clarify, unknown threats are threats that security systems encounter for the first time–those that are not yet in their signature databases. The obscurity is relative, though. Threats that are unidentified to one system may not be unknown to others.
That’s why there’s a significant difference in the miss rates of Office365 and G Suite. Regardless, these unknown threats appear to be the Achilles Heel of current email security in general. They seem unimportant because they are like a temporary weakness that gets corrected over time, but they open a critical window for attack penetration.
It’s also worth noting that unknown threats are not necessarily completely new malware or forms of attacks. According to the BitDam research, they can be mere variants of existing threats rapidly churned out with the help of artificial intelligence. This means that they are extremely easy to produce, presenting an exponentially growing problem to security systems that have difficulties detecting unknown threats.
In BitDam’s tests, new threats, along with their modified versions, were used to test the detection effectiveness of leading security systems. Most of the modified threats were perceived as unidentified/unknown even though their “source” threats were already recorded in the threat signature database.
For an email security system to be regarded as reliable, it can’t continue to have this flaw of having high first encounter detection miss rates.
The Challenges in Fighting Email Hacking
For an email attack to succeed, persistent attacks paired with at least one of the following elements are needed.
- Weak passwords
- Cybersecurity illiterate email users who fall for social engineering attacks
- The absence of a reliable email security system
One of the primary methods used to hack emails is password guessing. With simple and educated (collecting details about the victim) guesswork, hackers persistently enter passwords until they stumble upon the one that works. Many may think that this tactic is too crude to make sense, but there are many instances when email accounts are compromised easily because the account owners use simple and predictable passwords.
Social engineering is about tricking victims into doing things that make them unwittingly reveal supposedly secret information or give away things they otherwise wouldn’t. Phishing is arguably the most common form of social engineering—unsuspecting victims enter their username and password or provide information on a website that looks legit but is actually stealing information.
The modus operandi starts with the attacker sending to the victim an email that requires urgent action. It could be a notification for the victim to change their online banking password after a “breach” has been discovered or a congratulatory message that comes with a link that takes the victim to an online form they have to fill out so they can claim their prize.
Email security may also be breached through malware-laced attachments. Clicking on anomalous email attachments can result in the unintentional installation of spyware or keyloggers, which can obtain passwords and other critical data from infected computers. Some malware may also be designed to simulate forms through a pop-up or modal windows, deceiving victims into entering their login details.
The leading security systems at present cannot protect accounts with weak or predictable passwords. They also can’t guarantee protection against social engineering. They are only expected to focus on blocking malware-infected file attachments and links. Unfortunately, even when it comes to this aspect, they have serious weaknesses. As stated earlier, they have high first encounter miss rates and need time to learn how to block unknown threats.
The Recommended Security Augmentation
BitDam suggests an improvement in the way leading email security systems work: the introduction of a threat-agnostic layer of protection. BitDam’s tests show that a model-based detection approach boosted first encounter detection rates significantly. It even brought TTD down to zero. The malware that Office365 and G Suite failed to detect were effectively identified using BitDam’s model-driven method.
So how does this model-based approach work?
Essentially, it takes away the focus on comparing scanned files to data on existing threats. Instead, it looks at how applications behave when interfacing with certain files. It generates a model (hence the “model-driven” description) of what a “clean” flow of application execution looks like.
Applications behave differently when they are processing files laced with unwanted codes or malware. If apps don’t behave smoothly when dealing with a file, the only logical verdict is that the file is anomalous, malicious, or harmful. As such, it has to be blocked.
This model-driven strategy does not seek to supplant data-driven methods. It is meant to serve as a supplement. It can also have false-positives, so it would be better to use it in conjunction with threat data comparison to ascertain that the blocked perceived threats are indeed harmful.
BitDam’s Study Methodology
BitDam started the study in October 2019, collecting thousands of “fresh” malicious file samples from various sources. It focused on Office365 ATP and G Suite, but ProofPoint TAP is set to be added as the continuing study proceeds.
The process can be summarized as follows:
- Collection — The researchers obtain numerous malicious file samples. Most of which is Office and PDF files.
- Qualification — After collecting the samples, the researchers ascertain that they are indeed malicious/harmful. Only actually harmful files are used for the tests.
- Modification — The verified malicious files are then modified so they can be viewed as new threats by the security systems. BitDam’s researchers employed two methods for this modification. One method was by changing the hash of the file with the addition of benign data to it. The other method entailed the modification of the static signature of a macro.
- Sending — The recently collected malicious files and their variants (modified copies) are then sent to mailboxes considered to have decent protection. For G Suite Enterprise mailboxes, the advanced options are activated, including sandbox in pre-delivery mode.
- Monitoring and Measuring — The mailboxes are then tracked, and the threat detection efficiency measured. Files that get past threat detection are re-sent to the mailboxes every 30 minutes during the first four hours (after the file was sent). For the next 20 hours, the re-sending frequency is reduced to once every six hours. Re-sending frequency is further reduced to once per six hours for the next seven days.
- Data Collection and Analysis — All details produced by the tests are then compiled and examined.
Modifying the collected malicious files is an essential part of the process since BitDam does not have access to the latest malware that has not been entered into Microsoft and Google’s threat registries yet. Take note that the files were to be sent via email (Outlook and Gmail). Microsoft and Google’s security systems would have immediately blocked the attachment of malicious files during the composition of the test emails.
The researchers successfully devised ways to modify the threats for Google and Microsoft to regard them as entirely new and unknown. Hence, the ability of security systems to block the attachment was reduced considerably.
There was the option to use email services like SendGrid, which don’t perform malware scanning. However, the researchers found out that the accounts they used ended up freezing in less than 24 hours.
Again, BitDam does not claim to have collected malware that was not yet in the threat signature databases of Microsoft and Google. Some challenges had to be cleared for BitDam to complete the tests and come up with the bold conclusion that a paradigm shift is in order.
The fact that the researchers managed to add malware attachments to the emails they sent for the test proves that minimal modifications are enough for security systems to see derivative threats as unknowns. Their detection effectiveness is then disrupted, thus suffering from high first encounter miss rates.
Unknown attacks pose serious risks, mainly because of the data-driven nature of most email security solutions. There’s a need to augment security systems with a model-based strategy, so detection does not rely solely on threat signature updates.
Additionally, it’s important to continue educating people about cybersecurity. Email security systems don’t provide blanket protection. They are notably is incapable of stopping attack penetration made possible by the use of predictable passwords and gullibility (easily falling prey to phishing or social engineering).