Brian Krebs: Ask Me Anything

Question: What is the most difficult threat to tackle for Cloud Email Security?

Probably the most difficult threat is the person behind the keyboard. The human element has always been and always will be the most confounding part of securing anything, email or otherwise.

On a more technical level, email security gets harder when the threats leverage features or aspects of the cloud email technology itself to succeed. These same-origin attacks are especially dangerous because you never really fully leave the provider's service, and so you assume that as long as you're there and logged in to the right place you're fine.

So, for example, a phishing page that takes you to Microsoft's real O365 login page but includes a redirect in the link that if you're not looking closely enough will add a malicious app to your account profile. Or a link sent in Slack that downloads a malicious update for the Slack application itself. We actually saw an example of this Slack attack earlier this year.

Question: How can a company prepare for the threats of the post-covid work environment?

I don't think the threats have changed much in the sense of what and whom they're attacking, but they certainly have changed in intensity and frequency and persistence.

But there are a few big challenges that crop up in any work environment where pretty much everyone is working remotely. Probably the biggest is the blurring of the lines between work and personal devices. This was already being blurred somewhat pre-covid with the whole bring-your-own-device reality where employees introduce all kinds of devices into an employer's network. But covid I think has intensified that, and you now have a huge number of employees doing personal stuff on work computers and vice versa, which can make securing remote access requirements fairly tricky for a lot of companies.

Another big challenge for companies is securing their VPN access. We've seen a crazy number of very serious security zero-days for VPN appliances of almost every kind surface in the past year, and attackers have been quick to seize on these for obvious reasons. We've also seen attackers start targeting employees individually by calling them on the phone and posing as someone from IT, trying to get them to log in to a fake version of their employee portal. These types of attacks are very convincing, and oftentimes the bad guys will use fake LinkedIn profiles and say they're a new guy in IT, and they need to update your VPN profile or software. And they just keep calling different employees until they get someone to bite.

And that's another big challenge for companies: Keeping all these devices and the software that runs on top of them up to date. And that's a lot harder to do when all your employee systems are no longer in one place.

Question: How much protection does end-to-end email encryption confer (if any)?

It's important for all data being transmitted over the web to be encrypted, because most traffic goes through multiple hops before reaching its destination, and any of those hops can potentially have visibility into those communications if the information is unencrypted.

Now, compromising major ISPs isn't the easiest thing to do, so the bad guys tend to set their sights a little lower and focus on accessing email communications by either phishing the end user or getting malware on their system that allows them to do whatever the victim can on that machine. So while end-to-end encryption for email is necessary, it's not sufficient to guarantee privacy and security.

Question: Should employers allow staff to check company email on personal, unmanaged devices?

Probably not, but I think that ship sailed a long time ago, and as long as companies continue to expect employees to be reachable and working at all hours -- and more and more employees are finding out each day how much fun it is to work remotely in this regard -- it's hard to see how companies could enforce that unless they were to start handing out device-specific certificates or something, which some companies actually do enforce. Certificates are an under-used security precaution, and while they do help they're obviously not a panacea. Access control is an area where they can help.

Question: What process do you take when explaining cloud security to a client who has no knowledge of the technology? And what would you recommend starting out?

I would probably break it down at its most basic using the shared trust or shared responsibility model. You can start with explaining the way many company data centers typically work, which is there's a facility or network of facilities that house lots of servers which are very expensive to maintain, and those servers are responsible for keeping the technology lifeblood of your organization pumping and flowing. And you're responsible for making sure that organism continues to work 24/7, because any downtime in that physical technology -- regardless of the cause -- is going to cost your organization dearly in terms of lost productivity, sales, opportunity costs, however you want to measure it.

On top of that, you have to secure all that infrastructure, and secure access to it. If someone pops your database or breaks into your data center, that's obviously a big deal.

In the cloud environment, the responsibility for building and maintaining all of that physical infrastructure becomes the job of the cloud provider, whether it be Amazon or Microsoft or Google or Rackspace or whoever.

But you the customer of that cloud service are still fully 100 percent responsible for securing access to any data that is stored in the cloud. And this is a tricky area that a lot of companies take for granted at their own peril. Doing cloud security right is hard, and it's very easy to screw things up.

Also, a lot of the stuff you might want from a cloud provider in terms of security is not baked into the product, but is rather sold as a-la-carte add-ons.

And a lot of organizations kind of say well, do we really need to pay extra every month for the ability to have a system that alerts us each time some piece of our data goes to a place on the internet nobody has ever seen before, or do we really need this extra service that alerts us if a particular user has too many access rights for their role, or when huge amounts of data leave our cloud environment in a short period of time? Maybe you don't need these a-la-carte services, but if you're not buying them from the cloud vendor, you probably do need to roll your own approach, because this kind of intelligence may just save your bacon. And I think we don't need to look that far back in time for examples of this. Last year's breach at Capital One is a good example of where that kind of visibility, or controls in place to act on that intelligence, were missing.
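Two of the three "roll your own" alerts described above (data going to a never-before-seen destination, and a large volume leaving in a short window) as an added example in Python. This is not code from the AMA or from any cloud vendor; the log format, the baseline of known destinations, the 10-minute window and the 2 GiB threshold are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound-transfer records: timestamp, user, destination, bytes.
# In practice these would be parsed from the provider's flow or storage-access logs.
SAMPLE_LOG = """\
2020-11-02T09:00:00 alice backup.corp.example 52428800
2020-11-02T09:05:00 bob   backup.corp.example 1048576
2020-11-02T13:10:00 carol 203.0.113.77 734003200
2020-11-02T13:12:00 carol 203.0.113.77 838860800
2020-11-02T13:14:00 carol 203.0.113.77 943718400
"""

KNOWN_DESTINATIONS = {"backup.corp.example"}   # constructed baseline of places data has gone before
WINDOW = timedelta(minutes=10)                  # assumed sliding window
EGRESS_LIMIT = 2 * 1024 ** 3                    # assumed threshold: 2 GiB per user per window


def parse(line):
    ts, user, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), user, dest, int(nbytes)


def detect(log_text, known=KNOWN_DESTINATIONS):
    """Return (kind, user, destination, timestamp) alerts for the two conditions."""
    alerts = []
    seen = set(known)
    recent = defaultdict(deque)     # user -> (timestamp, bytes) records inside the window
    totals = defaultdict(int)       # user -> bytes sent inside the window
    for line in log_text.splitlines():
        ts, user, dest, nbytes = parse(line)
        if dest not in seen:
            alerts.append(("new-destination", user, dest, ts))
            seen.add(dest)          # alert once per destination; after that it is "seen"
        q = recent[user]
        q.append((ts, nbytes))
        totals[user] += nbytes
        while q and ts - q[0][0] > WINDOW:      # drop records that fell out of the window
            totals[user] -= q.popleft()[1]
        if totals[user] > EGRESS_LIMIT:
            alerts.append(("bulk-egress", user, dest, ts))
            q.clear()
            totals[user] = 0        # reset so one burst produces one alert, not one per record
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```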

Question: What do you feel is the easiest "low hanging fruit" to protect our users in cloud email -- longer passwords, MFA, etc.? I always wonder if I've missed something...

Probably enforcing the use of password managers for specific accounts. Beyond that, testing your own users' passwords to make sure they are sufficiently strong and unique. The biggest threat to account security is password re-use and password recycling. Recycling is where you use a different variation on the same password at lots of sites. So like instead of monkey123, you capitalize the M in Monkey or the O or add an exclamation at the end. This is horrible security and the bad guys long ago got wise to this. But recycling is still a big problem.

Password re-use is dangerous because all kinds of sites and services online are constantly getting hacked, and when they do their database of usernames or email addresses and passwords gets uploaded to the dark web and to services that let you look up these passwords. Basically, you just fund your account, enter an email address, and the service will show you every stinkin' password it's ever seen associated with that email address in a previous breach. And this is remarkably effective for targeted email account takeovers.

Fortunately, companies can and should test their own users' work and email passwords against these same lists, and there are companies out there that can help with this, although it's not hard to cobble together your own operation to do this. Also, I think Firefox is trying to do this at the browser level, and I know Google does this if you try to pick a password you've used at another site. It would be nice if banks enforced this as well, but I'm not aware of any of them seriously considering this.
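The "cobble together your own operation" idea from the answer above, as an added example in Python that is not Krebs's own tooling: it checks a password against a breach corpus using the 5-character SHA-1 prefix scheme that breach-lookup services use (so only the prefix would ever leave the client), and separately flags the "recycling" variants he describes (monkey123 vs. Monkey123!). The leaked-password sample is constructed; real corpora ship as hashes only.

```python
import hashlib
import re

# Constructed sample standing in for a leaked-credential corpus.
LEAKED_SAMPLE = ["monkey123", "password1", "letmein", "Monkey123!", "qwerty", "p@ssw0rd"]
LEET = str.maketrans("@$013", "asoie")   # common substitutions undone for comparison


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def canonical(password):
    """Collapse recycling variants onto one base word: case changes, digits or
    punctuation tacked onto either end, and leet spellings inside the word."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # strip decoration at the edges first
    return p.translate(LEET)                   # then undo leet inside what remains


def build_index(passwords):
    """Index hashes by 5-hex-char SHA-1 prefix, and keep the set of canonical forms."""
    by_prefix, canon = {}, set()
    for pw in passwords:
        h = sha1_hex(pw)
        by_prefix.setdefault(h[:5], set()).add(h[5:])
        canon.add(canonical(pw))
    return by_prefix, canon


def is_breached(password, by_prefix):
    """Exact match: look up the suffix under the password's 5-char prefix bucket."""
    h = sha1_hex(password)
    return h[5:] in by_prefix.get(h[:5], set())


def audit(password, by_prefix, canon):
    if is_breached(password, by_prefix):
        return "breached"          # seen verbatim in a breach: re-use
    if canonical(password) in canon:
        return "recycled"          # a trivial variant of a breached password
    return "ok"


BY_PREFIX, CANON = build_index(LEAKED_SAMPLE)

if __name__ == "__main__":
    for pw in ["monkey123", "Monkey1234!", "P@ssw0rd!!", "correct horse battery staple"]:
        print(f"{pw!r}: {audit(pw, BY_PREFIX, CANON)}")
```

The canonical() heuristic is deliberately aggressive; in a real audit the "recycled" bucket is a prompt to require a change, not proof of compromise.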

Multi-factor is great, provided that one of the factors allowed isn't text messages. SMS is horrible for 2factor because it's super easy for bad guys to use SIM-swapping attacks that trick your mobile provider into sending all your texts and phone calls to a device they control. And from there they can then reset the password on any account that uses links sent via SMS. Any robust 2factor approach needs to start with app-based one-time codes as a minimum. But the absolute best 2factor approach involves physical security keys, which can't be phished in any way.

Question: What are the steps to take to defend against ransomware?

This is a tough question because the answer is less of a defense technique than it is an organizational mindset and a shift in leadership.

The best defense against ransomware is to be always looking for intrusions, and to be always responding as quickly as possible to any and all security incidents. Most ransomware attacks take days or weeks from the initial intrusion to the full-on data encryption. That's because it takes time for them to go from that initial foothold to hacking admin accounts, hacking the domain controllers, disabling any security and backup systems, and exfiltrating any data they would like to steal or ransom as well. That takes time. But it also means that there's a window of opportunity for all victims to nip it in the bud. But they have to be looking for and expecting intrusions. And a lot of companies unfortunately still don't expect that employees will do stupid things all the time, which of course they do.

But to have this ability to respond quickly means you have the people needed to do this daily blocking and tackling, which is time consuming and expensive. And that requires buy-in from the very top of the organization, and a real recognition that without the technology infrastructure being secure, the whole organization grinds to a halt. Unfortunately, a ton of businesses continue to view their technology infrastructure as somehow separate and apart from what their real business happens to be, whether it's making widgets or building cars or doing someone's taxes or helping people with legal problems. And it's no accident that companies in these industries -- legal, accounting, manufacturing, and a few others -- continue to be among the favorite targets for ransomware purveyors.

Question: What are you using for your email and why?

I use Gmail. I get a lot of flak from security and privacy enthusiasts for this, but honestly I don't care if Google's AI systems want to extract keywords from my emails to better serve me ads. That doesn't bother me. My main concern with the use of email is security, and Gmail as far as I know has invested more than probably any other provider in terms of making sure that even if they have a breach on their end, it is extremely unlikely that will result in someone reading my email.

Also, they offer the largest number of security options for my account. I happen to take advantage of the most extreme security option they offer, which is called Advanced Protection, and as far as I know nobody else offers this. But basically, to log into my account you not only need to know my password but you also have to have my physical security key. On top of that, if Google detects a login from a new IP or machine, it requires additional security.

Question: What are some web tools you suggest we use to help us know where IPs coming from when we get phishing emails? Should domains and IPs be blocked when we get phishing emails?

There are a number of IP and domain blocklists out there (the term blacklist has kind of fallen out of favor). But basically, services like SURBL or Spamhaus or Invaluement can really go a long way toward helping out there.

The caveat here is that an ever-increasing amount of spam is again that same-origin problem, so Google-to-Google spam, Microsoft-to-Microsoft, etc. And good luck blocking that. Also, over the past few years we've seen a lot of interest in the bad-guy and spammer space in sending spam from compromised accounts at the major email service providers, mainly because messages sent from those systems are whitelisted by a ridiculous number of companies out there because these ESPs send mail on behalf of a large number of legitimate companies.

I wrote recently about a spike in malicious emails coming through hacked SendGrid accounts, and these are especially dangerous because any links included in emails forwarded by the ESPs are obfuscated for tracking and deliverability reasons, which means the person clicking doesn't have any easy way to know where on the internet they will be taken when they click one of these links. But I think Invaluement actually now has a special block list specifically for hacked SendGrid accounts, that's how bad the problem has gotten there, and I expect they and other block lists probably have specialty lists for the other ESPs as well.

Question: Have you come across any reliable figures on how many people among the general public actually click on mass phishing emails?

Not really. There are too many variables. For example, a lot depends on how tailored the list of recipients is and how you define success as a phisher. For example, if I send an email to all 80,000 employees at a company, I may only need one person to click, right? Well that's only a .00001 percent success rate, but it's totally fine for the attacker.

For several years, I had access to the daily communications of Evil Corp, a Russian cybercriminal gang that used email-based malware to steal more than $100 million from small to mid-sized businesses. I remember at one point they had an internal conversation about conversion rates, and I think it was around 1-3 percent. I suspect that is on the low side as a representative number of overall phishing scam success rates, but again to keep things in perspective, they were sending millions of emails at one go, so even a 1 percent success rate is a lot of potential victims.

Question: What is your suggestion for the cybersecurity world to move away from "blacklist" and "whitelist" terminologies? Welcome List and Block List?

I like those. Good list, bad list would probably work fine, too, although those are a little boring.

Question: What is the most advanced spear phishing email you have experienced, and what automation would have helped to mitigate it (if any) in your opinion?

The best spear phishing email I've seen is one that appears to have been sent by a law firm, telling you that you're being sued. Of course, the attached document is a malware-laced file. But I'd wager this lure has a significant success rate, just purely based on the curiosity factor of knowing by whom and what for.

Honestly, though, some of the better and more common email scams are done by bad guys in N. Africa every day. They either register an email address that is one or two characters off from the person they want to spoof, or they actually take over the inbox of the person. And the messages often start as a forwarding of another email that was already in the victim's inbox, with a brief message that basically requires the receiver -- usually a subordinate in the organization -- to respond in some way. From there, they know you already believe you are talking to the boss, and they ask for what they want then, usually to send money somewhere to pay an imaginary invoice.
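A mail-gateway check for the two sender tricks in the answer above (a domain one or two characters off from the real one, and a trusted person's display name on an address that isn't theirs), as an added Python example that is not from the AMA. The trusted domains, the executive directory and the edit-distance threshold of 2 are constructed assumptions; the lookalike test ignores the TLD so a swapped suffix (.co for .com) is caught too.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}                 # constructed: the organization's own domains
EXECUTIVES = {"pat quinn": "pat@example-corp.com"}     # constructed: display name -> real address
MAX_DISTANCE = 2                                        # assumed: "one or two characters off"


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent chars,
    so 'exmaple' is 1 away from 'example' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_part(domain):
    """Drop the final label so the comparison is on the brand, not the TLD."""
    return domain.rsplit(".", 1)[0]


def classify_sender(header_from):
    """Return 'trusted', 'lookalike', 'impersonated-name' or 'external' for a From: header."""
    name, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(registrable_part(domain), registrable_part(trusted)) <= MAX_DISTANCE:
            return "lookalike"
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and real_addr.lower() != addr.lower():
        return "impersonated-name"    # the boss's name on a webmail or other outside address
    return "external"


if __name__ == "__main__":
    for hdr in ["Pat Quinn <pat@example-corp.com>", "Pat Quinn <pat@examp1e-corp.com>",
                "Pat Quinn <pat.quinn@webmail.example>", "Vendor News <news@vendor.example>"]:
        print(f"{hdr}: {classify_sender(hdr)}")
```

Very short brand names will collide with this threshold; in practice the lookalike rule is tuned per domain and combined with a quarantine rather than an outright reject.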

Question: How do you feel about the API approach to email security that is allowing the email into your inbox prior to scanning the email?

I'm not familiar with this, but it is concerning, given the number of times each year Microsoft patches a vulnerability in Office 365 that could be used to deploy malware just by previewing the message in the preview pane. In fact, they just fixed one of those bugs last month if I recall correctly.

Question: How do we defend against malicious actors using valid SharePoint and OneDrive links?

Well, I know Microsoft has some decent defenses in place when it gets reports about threats that abuse its infrastructure, so my first thought would be to report such links as quickly as possible.

Question: How do you feel about companies punishing users for clicking on the wrong thing?

This is almost always counterproductive. I did a story last year after running into a guy at a conference who said his employer had actually fired people for failing phishing tests. Granted, he worked at a nuclear facility so maybe they play by a different set of rules.

Playing "gotcha" with employees doesn't teach them to be more diligent. If anything, it probably creates tension and distrust between employees and the company's security team, which is the opposite of what you want.

It can create an environment of animosity for the security team because they suddenly become viewed as working for Human Resources instead of trying to improve security. Threatening people usually backfires, and they end up becoming more defiant and uncooperative.

I happen to believe making a game out of phishing training is probably the best outcome. That might include having certain employees or teams that perform the best in anti-phishing tests and who report phishing emails consistently get some kind of prize or incentive.

Question: Do you believe email security is more important to secure than any other vector of your infrastructure? If so why or why not?

When my book, Spam Nation, was published in 2014, I never thought we'd still be dealing with so much spam. But honestly, malicious spam has only gotten worse, more targeted, more believable, and overall way more professional because there's a heckofa lot more money involved with things like ransomware.

To my mind, email remains the single biggest threat to the security of most organizations. It is the most frequent vector for phishing and malware attacks, although phishing seems to make up a majority of this. And that's a consequence of everything moving to the cloud.

Back in the day, it used to be that most cybercrime was parasitical, in that what the bad guys wanted most was to leech off your mail server to send spam, or to lurk in your browser to steal your banking details and passwords. There's still a great deal of that going on, of course, but by and large much of the development and energy we've seen over the past few years has transitioned from being parasitical to predatory, in the form of high-payout crimes like ransomware. It makes sense, too, because you can siphon credit card details all day long for weeks or months, and you still probably won't make as much off that as a criminal than you could ransoming some poor company.

The other big threat from ransomware has nothing to do with email at all. It's Remote Desktop Protocol accounts protected by lame passwords.