JRB - Fotolia

Corvid secures email, takes users out of firing line

Email is insecure, yet it is still the main means of business communication, with many companies relying on employees as the first line of defence, but that is unfair, says Corvid

Making business applications such as email inherently safe to use is better than relying on end-users to take security decisions – that is the philosophy of Corvid, the security services division of the Ultra Electronics Group of 26 defence engineering companies.

In line with this approach to security, Corvid has developed a cloud-based email defence system to stop threats before they reach the user, thereby taking them out of the firing line and virtually eliminating the need for email security training.

“Our ultimate objective is that no user ever has to worry or ever has to make a decision when they receive an email as to whether or not it is bad,” said Andrew Nanson, Corvid’s chief technology officer.

“Our starting point was fraud and phishing attacks, which a lot of user awareness training programmes attempt to train people to spot, but that can be extremely difficult,” he told Computer Weekly.

If IT systems are vulnerable to attack, there is nothing users can do about it, said Nanson. “It is up to technology people to come up with the solutions so that users can use IT systems safely. Our aim [at Corvid] is to make security as good as it can be, to make it accessible to as many organisations as possible, and to take the pain away from users and administrators.”

Corvid’s response to fraudulent emails and other email-related threats was to develop a set of algorithms to identify emails pretending to come from legitimate domains by using almost imperceptible variations of the expected domain names or punycode domain names that most users would not detect.

“Every time attackers use these new techniques, users should not need a refresher course,” said Nanson, adding that if users are the first line of defence, it suggests that the organisation’s cyber defences are not very good to begin with.

Relying on users is also extremely risky, he said, because a user only has to get it wrong once to have a massive impact on his or her organisation. “If anti-malware software is unable to detect if something is malicious, then end-users will have absolutely no chance,” he said.

Nanson believes end-users should not be expected to do the right thing every time and to do something exactly the same way every time.

“That’s what computers are for, so we came up with a set of modules to deal with all the different ways attackers use to impersonate organisations and a system to inform users whether the sender could be trusted and if there was any malicious content, using red, amber and green warnings,” he said.

“Most users would struggle to identify a suspicious internet header in an email address, but if you can describe what that looks like to a computer system, it will detect it every single time, and that is the advantage of getting a computer to address these things.”

Read more about phishing

The system, which has since been turned into a product called Pernix Email Protection, was first activated for a customer site with 1,000 email users for beta testing.

Over a three-month period, the Corvid system identified and blocked or warned users about 139,136 impersonation attempts, including phishing and spearphising, 80,148 samples of malware, and 1.4 million spam emails.

According to Nanson, this proves email is still a popular means for attacking individuals and organisations because, in many cases, attackers are still able to read and even modify business communications sent via unsecured email systems.

A cloud-based email checking system is an effective way to improve email security, he said, because it can be activated within seconds and can be continually updated and improved as new impersonation or attack techniques are discovered, without having to retrain users on yet another thing to look out for.

“One of the latest updates to the system, for example, is a URL Parsing mechanism so that users never have to decide if a link is malicious or not because if it is malicious or could become malicious, they simply will not receive it,” said Nanson.

Corvid has developed a range of heuristic detection mechanisms that include static and dynamic analysis and supervised machine learning to identify potentially malicious links, attachments, macros and dynamic scripting, so that users are not faced with making such decisions.

This approach guards against a relatively new technique in which attackers are sending out benign links that do not go anywhere to get past email filtering systems, but are subsequently weaponising it, so that if users click on the link once it has reached their inbox, it will link to malicious content.

If, however, a user is expecting a link that is incorrectly identified as potentially malicious or need to enable a macro, the Pernix system notifies users of blocked content in a regular report and enables them to be released through the system’s management console.

“To a large extent, users can manage their own email using one-time passwords [OTPs], because administrators generally hate administering emails, but if something is confirmed as malicious, users will still have to request an admin to release it to them,” said Nanson.

Read more about CEO fraud

Although the aim is to shield users from as much as possible, the Pernix system adds a banner to every email that enables users to report any email they believe to be suspicious, as well as to manage their email, which triggers an OTP to be sent automatically.  

“Essentially, we are aiming at making email safer to use because it remains one of the biggest attack vectors in the form of phishing, spear phishing, fraud and CEO fraud [also known as business email compromise and whaling],” said Nanson.

In typical fraud scenarios, cyber criminals send plausible emails to companies changing suppliers’ payment details to channel payments into accounts controlled by the criminals, while in CEO fraud, criminals typically hijack a senior executive’s email account to manipulate someone in the finance department to make money transfers to accounts controlled by the criminals.

“This was our starting point [for Pernix] because we believe users should never be in a situation where they are presented with information that is not from the source that it claims to be from,” said Nanson.

The system helps protect against CEO fraud by alerting email recipients that an email that claims to be from a supplier, for example, has come from a source that is not associated with that known supplier, giving an immediate visual warning of a potential impersonation attack.

However, he admits it is still necessary to teach users to be cynical. “We were hoping we would eliminate the need to train users, but they still need to be cynical because we have had some attacks that are so poor that the system does not identify them as an attempted attack,” he said.

In the case of CEO fraud attacks, Nanson advised organisations to implement policies that require any payments or changes to be verified before they are carried out, and if anything should slip past the Pernix detection systems, the system enables users to report any suspicious emails, he pointed out.  

But as the beta site has demonstrated, Pernix takes care of the vast majority of impersonation attacks and other email-related threats, said Nanson. 

“I can’t understand why any organisation would not want a system that blocks most email threats and choose instead to rely on end-users, even though many email-borne attacks are virtually undetectable to the untrained eye without close and careful scrutiny,” he said.

Technologies for the end-user

Corvid is one of a growing number of security suppliers, including Glasswall Solutions and Bromium, that are developing technologies with the end-user in mind.

Glasswall’s software, for example, is designed to strip out malicious documents and links before they ever reach employees by breaking documents down to byte level and passing on only the “known good” as defined by manufacturers’ file format standards.

Bromium has a similar philosophy, but uses micro-virtualisation technology to ensure that whatever a user clicks on launches only within its own virtual machine or micro-VM. This means that any malicious code is not passed on to the main IT environment and can be analysed safely within the micro-VM.

In line with its philosophy that something has to be done if users are suffering, Corvid is currently developing a system aimed at enabling users to recover from ransomware attacks.

The project recognises that it is not always possible to identify how attackers operate because they are continually evolving their attack methods and designing them to avoid detection.

“We have assumed that users will be hit by ransomware, so we are working on a way to make it really easy for them to recover that we have found works with WannaCry samples and we are currently testing it further in a Windows environment,” said Nanson, adding that a Linux agent is still under development.  

“We tried to address the user pain because users should not have pain just because they are being attacked, and that is what we have done,” he said, adding that it will be some months before the system is commercially available.

Next Steps

Ransomware DR: Is your company ready to recover?

Read more on Hackers and cybercrime prevention