FireEye gears up email security for emerging threats

In response to changes in real-world incidents, FireEye is updating its email security server to meet the challenges of the increasing popularity of business email compromise (BEC) among cyber attackers.

BEC, which is often cited as the most common way for cyber criminals to infiltrate corporate networks, is a type of scam that targets email accounts of high-level employees related to finance or working with wire transfer payments, either spoofing or compromising them through keyloggers or phishing attacks.

The fraudulent emails typically manipulated employees into transferring funds, clicking a malicious link or taking some other action to aid attackers in the mistaken belief that they are acting in accordance with instructions from a senior manager whose email account has been compromised.

“As adversaries develop new techniques for bypassing detection technologies, we’re on the front lines, with our incident response experts building new techniques for detecting attacks and attempts to bypass defences,” said Ken Bagnall, vice-president of email security at FireEye.

“The speed and flexibility with which an email security solution adapts separates the good from the best.”

The intelligence-led security firm is focusing on detection bypass methods such as executive impersonation, which accounts for 19% of malwareless BEC attacks, FireEye research shows.

This type of BEC attack continues to grow in popularity because adversaries have found that people are more likely to react to an email when it appears to be from an executive.

“The speed and flexibility with which an email security solution adapts separates the good from the best”

“While executive impersonation protection has become a commonplace feature within cloud-based email security solutions, this has not been the case on-premises,” said Bagnall.

“We’ve added executive impersonation protection to FireEye Email Security – Server Edition as a direct response to customer feedback that they are seeing more impersonation emails getting through their existing security services. This update is designed to catch what other security solutions are missing.”

Executive names are commonly used as display names in fraudulent emails to trick employees into taking action. FireEye’s impersonation protection is designed to prevent display name and header spoofing. Inbound mail headers are analysed and cross-referenced with a policy created by the administrator, and headers that do not align with the policy and/or show signs of impersonation activity can be flagged.

In addition to the executive impersonation protection capabilities, FireEye has added several new features designed to combat emerging threats.

These include adding its MalwareGuard machine learning capability to identify malware automatically to help defend against emerging and new threats that often bypass traditional security solutions; adding full URL rewrite capability to protect end users from malicious links by rewriting all URLs contained in an email; and adding the capability to analyse passwords embedded as images within emails.

In 2018, the FBI estimated that scams resulting from business email compromise, such as fake invoices and wire fraud, had cost businesses $12bn globally since 2013.

While phishing is a common means of attack for tricking targeted people into revealing credentials for their email accounts, research by threat intelligence firm Digital Shadows revealed in October 2018 that criminals were resorting to a wide variety of other methods to gain to access to business email accounts, including specialised email hacking services.

Another factor helping to drive BEC, Digital Shadows found, was that companies are making it easy for attackers to do by leaving entire company email inboxes exposed.

According to Digital Shadows, its researcher found more than 12 million email archive files (.eml, .msg, .pst, .ost, .mbox) publicly available across misconfigured FTP, SMB, Amazon S3 buckets, rsync and network-attached storage (NAS) drives, exposing sensitive, personal and financial information.