Using Policy and Tools to Protect Email: A Conversation with AppRiver

We talked to Scottie Cole and Troy Gill of AppRiver about ways to protect networks from email-borne attacks. The conversation is a useful starting point in understanding how policies and tools can come together to protect email and improve security posture.

Hugh                                      How did AppRiver come into existence?

Troy/Scottie                        We launched in 2002, with spam and virus filtering as our flagship service. We’ve has since added web malware protection, email encryption, secure archiving and email continuity to its suite of security services. We are also among the world’s top providers of Office 365 and Secure Hosted Exchange mailboxes. All of this is backed with our award-winning 24/7 Phenomenal Care.

Hugh                                     What do you see as the most serious email-based threats?

Troy Gill                                                The most common threat that we currently see—and it has been this way for probably 16 or so months—mainly has been the Locky ransomware. But, there’s many different variants of ransomware. There’s a botnet called Necurs, which is a massive botnet. It spews out millions and millions of ransomware attacks per day. The Necurs traffic is not necessarily all from the same group of actors. There’s a whole underground economy of malware for sale. The barriers to entry that used to be there years ago, when you really had to know how to hack to be a hacker, aren’t there anymore. Almost anyone can be a hacker. You just have to get on the dark web and be willing to spend a thousand bucks, and you can buy yourself a nice cyber crime pack. Once you have acquired your hacker starter pack, you can then rent time on botnets and launch attacks. There are definitely some large groups doing these attacks because we can see the commonalities among the messages. At the same time, there’s a bunch of other small actors that are jumping on board just as an opportunity to make money.

Troy Gill of AppRiver

The ransomware threat we’ve seen that make some big impacts, though not catastrophic is the one involving the San Francisco Bay Area Transit [BART] system. They system was shut down for a day because they got ransomware on their system.

The WannaCry and Petya/NotPetya attacks, also were  huge stories and rightfully so. Again, ransomware. In that case it may have been more masquerading as a ransomware and actually be intended to be a wiper. A lot of people have speculated it was committed by North Korea. You saw that having a very real impact in the physical world. A lot of hospitals were affected by that lack of access to health records and access to vital systems, which can be a problem. In certain cases it could be detrimental to someone’s health.

Hugh Taylor:                       It sounds like you are seeing some nation state actors or suspicious suspected of being … Entities suspected of being nation state actors.

TroyGill                                 Yeah definitely. There’s a huge gray area where a nation state could easily just leverage a group that’s committing cyber crime that’s not an official government branch but they’re kind of following out a directive from a nation state. We’re in sort of a Cold War arm’s race situation where we’re building up vulnerabilities and testing networks and intruding networks and not actually doing anything in most cases, but just looking around and seeing what can be done. That’s happening on both sides. The main thing preventing that is the threat of retaliation, mutually assured destruction kind of thing.

Hugh Taylor:                       It seems like the United States is being humiliated on a regular basis. I don’t see any picture of Vladimir Putin’s underwear online. It seems like we either can’t or won’t retaliate against attacks.

Scottie Cole                         Maybe we do, and they just don’t report. A lot of those are third world countries where they have heavy censorship on what’s portrayed in the media. We don’t know what they’re actually reporting and what they’re not reporting.  In Putins case, I think any news site reporting anything embarrassing to him would certainly think twice for fear of retribution.

Hugh Taylor:                       When these botnets attack, how are they getting through the firewall?

Scottie Cole                         A lot of times it’s just social engineering. Social engineering is the easiest way to get through. Whether that be an email, somebody clicking on an infected link. It takes them over to a malware site. Most of your actual infections getting past a firewall or internal people not knowing that they’re actually getting compromised.

Hugh Taylor:                       What kind of policies do you think can mitigate that risk? How do you protect email from malicious actors?

Scottie Cole

Scottie Cole                         Obviously the main thing is you want to train your people. If they’re doing anything that’s connecting to the Internet or using a computer, they need some sort of cyber security training. At least at a base level of saying, “Hey. Don’t click suspicious links. Don’t open attachments that you don’t recognize. Contact your help desk if you think you’re compromised.” Training could be the main thing that stops a lot of these attacks because most of these attacks are not sophisticated. They’re just tricking somebody into clicking a link or downloading an attachment that’s infected.

Hugh Taylor:                       Can we walk through how that works? Let’s say somebody is tricked into clicking on a malware link. What happens then? They’re downloading the malware onto their machine?

Troy Gill                                More or less. Some attacks have several phases to them, but typically, yeah. It’s going to end in an infection. There’s one interesting attack that we’re seeing currently. We wote about it in the recent Global Security Report. I dubbed it a CHA, conversation hijacking attack. What they’re doing is the hackers have phished a user’s credentials – their email credentials. That’s the first phase of the attack, collect email credentials. Then they’re taking those credentials and they’re using the OWA or some sort of web access to that email and they’re logging in to the person’s email account. Then they’re finding an ongoing conversation they’re having with a legitimate contact of theirs. So these two people have been having a back- and-forth conversation and all of a sudden, the attacker is in this person’s email and they’re sending a reply to that message along with an attachment saying, “Hey. Oh yeah, here’s the document I need you to check out.” Who’s not going to open that document, right?

Hugh Taylor:                       Right.

Troy Gill                                I was just talking with this guy. We’re conducting business. Of course. But yes, and that leads to a payload. Usually the payloads embedded in most of the ones we’ve seen have been embedded in the attachment. Occasionally they go out to the web. So then you go to the web and you get infected there. Then from there, the attacker has a foothold in the network. They can look for other connected devices, machines, and they can pivot within the network. Then eventually escalate themselves up to what they’re looking for – whether it’s the data or the infrastructure or whatever.

Hugh Taylor:                       Okay. I mean, that makes sense. From a user’s device, are they using the key logging or something to learn credentials to databases? It would be interesting for me to understand how you go from infecting a device to going and locking up a corporate database.

Scottie Cole                         Yeah. Key logging is one of the things they’ll use for sure. A lot of people store their passwords on plain text on their machines, . so hackers will start looking for those password files, things of that nature. But definitely a key logger can grab credentials right and left.

Troy Gill                                They’ve added so much functionality to each piece of malware. They can almost do it all. There’s samples that we look at where they can log key strokes. They can take pictures with the camera. They search the entire machine for any stored credentials, whether it’s email or web browser related or internal app related. Then they can do things like attempt to mine BitCoin from or steal BitCoin out of wallets that may be stored on the desktop or mine BitCoin from the machine. All within the one malware infection. In the case of ransomware, they basically get the ability to run the encryption algorithm. They lock your files. They put a file on your desktop that has instructions on how to pay. That’s all they have to do.

Why that’s become so popular is that it’s just a really quick way to monetize the infection. Whereas, stealing credentials and then eventually maybe using somebody’s credit card fraudulently or wire transfers, stuff like that takes a lot more work. In certain cases it takes working with money mules and making fake cards and all of that. In this case, it’s just boom, lock up their files, give them instructions. Here’s how to go pay me. It’s done through the dark web, through TOR, so it’s very, very difficult for anyone to trace. That quick monetization I think is obviously what’s made ransomware so popular. But yes, there’s different functionalities and different malware, but a lot of them have just a ton of different functions.

Hugh Taylor:                       Let’s come back to mitigating the risk. One of the things you’re saying is training and then obviously using filtering software like yours. What else can be done? Let’s say that the President of the United States calls you up and says, “I want to offer you unlimited money and absolute power to solve this problem.” What are you going … What do you do?

Scottie Cole                           First thing I’d do is hire a bunch of trained professionals or experts in the field because there’s not enough cyber security experts out there right now. So if they give me unlimited funding, I would start education programs, which they’re starting to do more and more, but I’d definitely start training the next generation that’s coming up. Hire a bunch of cyber security experts, and the best thing is just security in layers. Not one solution fixes everything. So you need intrusion prevention systems that can block inbound and outbound traffic. Say someone gets a malware infection on their machine, tries to call out, that IPS might block that. Whereas, maybe the antivirus doesn’t see that because it’s not a known signature that’s been infected before. Also, you need firewalls. Again, the training.

It’s just security in layers. Like I said, not one solution fixes everything. You need as many as you can that doesn’t make it too cumbersome on the users to actually still be able to function though.

Hugh Taylor:                       Right. My impression talking to people is that you need some kind of like device segregation. Like bring your own device seems like it’s kind of a cool policy but it seems like you’re asking for a lot of problems with that.

Scottie Cole                         Yeah. Definitely. Like here at AppRiver, no one’s allowed to bring in their device and connect it to our network. We’re notified if they try to attempt that. But we do have wireless available for people to put their cellphones on, but that wireless network is not associated with our main corporate network. So if there’s a threat on that network, it doesn’t compromise our other stuff. When you were talking about segregation of systems, you also want to keep critical systems. You don’t want them on the edge of the Internet. You want them back behind the layers of security where only devices that need to talk to those can talk to them. Whether that be databases, industrial control systems, things of that nature. So the more critical the system is the less exposed you want it to be to the Internet. Some of the systems that people run, their databases don’t connect to the Internet at all but it will connect to internal applications. If there’s someone inside the network, they can just pivot from there. But it does less in the risk of that server being compromised or that system being compromised.

Hugh Taylor:                       If you were advising the world, the government of the world on how to make themselves more secure, do you have anything else to offer? I’m trying to get policy ideas.

Troy Gill                                Municipalities are not following the NIST security standards. A handful of states said, “Yes, we are following these standards,” and a lot of them said, “No,” and the rest said, “Well, we don’t know.” That’s a scary thing. So there’s this really highly agreed upon set of security standards that’s readily available to everyone, yet they don’t know if they’re following it or not. So to me that’s just a basic let’s get everyone up to date on this. Let’s at least do this.

Then another one that comes to mind is better patch management. Old exploits, like the Internal Blue exploit that was used in WannaCry was something that had been patched. A lot of these networks that were affected could have easily been prevented with a solid patch management process.

Let’s start with the basics. You can buy the big fancy devices and then in a lot of cases you probably should, but you also need to do the basic stuff or you’re kind of making those a moot point.

Hugh Taylor:                       My issue with the NIST framework is that it’s too open ended. You can sort of do some of it, all of it, part of it. There’s no real enforcement there. It’s a recommendation.

Troy Gill                                It should be a requirement if you’re talking legislation. Some of it’s somewhat difficult to interpret, but if people are making their best effort, as you can see a clear effort to adhere to this, that would go a really long way.