We know anecdotally that many companies use MITRE’s ATT&CK Framework as the basis for their scenario development and exercise planning. Most select a small subset of the attacks that most directly correspond to their own concerns about their own environment in the context of the threat of the moment. A growing number of vendors, recognizing the trend, have created product features for this use case and blogged about them. We have so far seen only a few public examples of metrics based on ATT&CK, examples below.

McAfee and UC Berkley looked at ATT&CK specifically for cloud and surveyed companies that used it. [1]

Key findings from the report include:

• Adversary techniques are executed against nearly all enterprises in the cloud: 81% of organizations experience adversary techniques found in the ATT&CK Matrix for Enterprise covering cloud-based techniques (Cloud Matrix); 58% of all enterprises experience the “Initial Access” phase of an attack on a monthly basis.
• Enterprises use the ATT&CK framework to determine gaps in currently deployed security products and for other important tasks: Fifty-seven percent of global respondents believe the ATT&CK framework is helpful for determining gaps in currently deployed security tools. Fifty-five percent recommend the framework for security policy implementation, and 54% find the framework useful for threat modeling.
• The ATT&CK for Cloud matrix is widely adopted: Sixty-three percent of large- and medium-sized enterprises we surveyed use both the Cloud Matrix and Enterprise Matrix (Windows/Mac/Linux) in their security operations centers.
• Large- and medium-sized enterprises are not fully confident that their security products detect all techniques in the ATT&CK matrices: Only about 49% of respondents feel highly confident in the ability of their security products to detect the adversary tactics and techniques in each of the ATT&CK matrices.
• The biggest challenge with ATT&CK framework implementation is its lack of interoperability with security products: 45% of global survey respondents identify the lack of interoperability with their security products as the biggest challenge with the ATT&CK framework, and 43% cite the challenge of mapping event data to tactics and techniques.
• A large percentage of enterprises do not correlate events from the cloud, networks, and endpoints to investigate threats: Only 39% of enterprises incorporate events from all three environments (cloud, network, and endpoints) when investigating threats.
• The ATT&CK framework can increase confidence in cloud security and adoption: Eighty-seven percent of survey respondents agree that adopting the ATT&CK for Cloud matrix will improve cloud security in their organizations. Seventy-nine percent say it would also make them more comfortable with cloud adoption, and 69% agree that they would be more comfortable with outsourcing their security operations center to a third-party provider that uses the ATT&CK framework.

An Israeli startup is making a lot of press out of a study they did that shows companies’ SIEMs do not cover ATT&CK well enough, on average 16% – but I could not find their study online:

[1] https://cltc.berkeley.edu/wp-content/uploads/2020/10/MITRE_ATTCK_Framework_Report.pdf

[2] https://www.scmagazine.com/news/security-news/network-security/siem-rules-ignore-bulk-of-mitre-attck-framework-placing-risk-burden-on-users

[3] https://thecybersecurity.news/general-cyber-security-news/siem-rules-ignore-bulk-of-mitre-attck-framework-placing-risk-burden-on-users-6249/

Bad actors had a banner year engineering cyberattacks. Their creativity exposed the limitations of those playing defense. Mark Fabro thinks that one obstacle is the tendency of C-Suite executives to stick with the basics, even when they aren’t working. He advocates a different approach.

Fabro is an unusual player in the cybersecurity space. He’s the president and chief security scientist at Lofty Perch, based in Toronto. Founded in 2005, the company works to help a country’s critical infrastructure assess risks associated with operational technology. That alone sets him apart. But his ideas are not limited to what will work in one niche.

Most of Lofty Perch’s 15 employees are engineers, but not Fabro. “A lot of my family members were engineers,” he said, almost apologetically. “I took the pure approach,” he continued. “My schooling was actually in applied physics and mathematics, peppered with an awful lot of independent computer security research.”

When we spoke, the subject that came up most often wasn’t physics or math. It was psychology. It can be challenging, he said, to get clients to consider new security solutions. Even though he believes the onslaught of novel attacks invites—even demands—considering fresh strategies to counter them.

From a wide-ranging Zoom interview, we pulled four short video highlights that will give you a sense of his approach to problem-solving. He talks about the ways firms that are prepared for ransomware attacks fare better than those that aren’t. He discusses innovative uses of blockchain technology to back up data. Finally, Fabro speaks passionately about empowering engineers—giving them a seat at the table when executives are considering their security options.

If you’re intrigued, you may want to read the article in which he talks about all this in depth.

The Psychology Conversation (1:58)

Blockchain Backups (2:43)

Prepared for Ransomware (1:22)

The Engineers (2:00)

1 BACKGROUND

The cyber security community understands fully the importance of email in offensive attack strategies by adversaries. The use of email vulnerabilities such as malware-laden attachments or phishing links to malicious sites remains an important component in attacks such as advanced persistent threats (APTs) initiated by offensive actors such as nation-states. For this reason, email security has emerged as a foundational component in the field of cyber security.

As a result, it is both educationally instructive and practically useful to understand the evolution of the email security threat from the perspective of both the offensive attacker and the defensive practitioner. This evolution spans the time starting with the first emails being sent in the 1970’s over Arpanet to the present era, where email serves as the backbone for most business and even personal communications [1].

The evolution is presented in three phases, starting with first generation use of computer viruses as payloads in emails sent from hackers to unsuspecting recipients. This is followed by a second-generation era in which gateways were used to filter and mitigate these viruses and other threats with varying levels of success. The present third generation of email security is shown to be characterized by advanced analytics that can intelligently secure email services.

2 FIRST GENERATION: VIRUS FILTERING

First generation email security emerged well-into the initial use of email as a personal and business platform. At the outset, it was unclear which threat models would drive users of email toward protection. Industry icon Bruce Schneier, for example, penned an early book on email security that focused on the use of public key infrastructure (PKI) for secrecy [2]. This encryption method never caught on and remains largely unused across email infrastructure.

Eventually, in the 90’s and early 00’s, the industry determined that viruses could be transported via email as a convenient mechanism for attack propagation. This required that two condition be met: First, the virus would have to execute in the targeted environment – and this was soon a non-problem as Microsoft Windows came to dominate the PC ecosystem for both business users and most home and family users.

But second, the virus attachment would need to be clicked on for download and execution. This requirement led to what we would now refer to as social engineering and phishing attacks. These were much simpler in the early days when users held the view that inbound email should be trusted. Recent advances in user awareness training have made phishing tougher, but still quite successful with many innocent and unsuspecting email recipients.

Figure 1. First Generation Email Virus Attacks

The most common solution implemented during this first generation of email security attacks involved using anti-virus software to secure the PC. The method relied heavily on the use of attack signatures to detect viruses. While this worked initially, variants were quickly developed to sidestep the detection [3]. Modern PC security tools use behavioral analytics and machine learning to detect the presence of unwanted malware more accurately.

Nevertheless, such methods presume the existence of viruses and focus on their detection and removal. This is a valuable strategy, especially when one assumes that exploits are mostly inevitable, and the cyber security industry has developed many solutions with this emphasis. Popular tools and platform that are postpend referenced with the detection-response (DR) designation involve “shifting right” to address an on-going threat.

3 SECOND GENERATION: GATEWAY PROCESSING

The second generation of email security involved attempts to be more proactive about these viruses and malware-leading URL links that would arrive in a recipient’s inbox. The observation was made that if such threats come in through the usual series of store-and-forward nodes that characterize email transport, that one or more of these intermediate processing steps could be used for security inspection.

This is the origin of the well-known secure email gateway (SEG) platform, which has become almost ubiquitous with any enterprise business or government agency email system. The SEG was expected to be an extremely effective solution because control existed for how inbound email was handed. That is, the SEG could be placed in paths (via redirection) that would provide high levels of coverage for email being sent and received.

The good news during the 00’s and early 10’s was that this type of coverage, combined with processing methods that improved on early signature models, did offer (and continue to offer today) considerable risk reductions for inbound email attacks. This helps to explain why so many organizations continue to use a commercial SEG, and why this protection method is unlikely to disappear from enterprise architectures in the near term.

Figure 2. Second Generation SEG Filtering

Additional good news during this second generation was that standards teams developed new schemes for authenticating email sender identities. The open DMARC standard (Domain-based Message Authentication, Reporting, and Conformance) was the dominant contribution, and it allowed for senders of email to bind their originating IP address to any email carrying their domain [4]. This was designed to be done via DNS records which would allow recipients to enforce polices for handling mismarked email.

Sadly, two problems quickly emerged for DMARC during this second generation. First, many enterprise teams had trouble configuring records, especially in enforcement mode. The use of DNS TXT records for DMARC continues to make it tough for non-experts to navigate the difficult syntax and error-probe editing process required to properly set-up DMARC on DNS without causing unwanted negative side-effects.

Second, the DMARC standard has some awkward constraints that make it hard to use with cloud services. For example, there is a domain limit of ten rule sets in the Sender Policy Framework (SPF) portion of DMARC [5]. Since the whitelisting of public clouds will require several rule sets per service, many organizations will be forced to specify certain cloud sender security information by IP address – and this is neither convenient nor easy.

4 THIRD GENERATION: CLOUD-BASED ANALYTICS

The third and present generation of email security benefits from the pros and cons of anti-virus filtering, SEG processing, DMARC controls, and other capabilities used to reduce risk. This includes years of working with employees and users to help them make better decisions regarding security. This aspect of conventional email security is particularly important because it highlights the synergy that can exist between systems and people at the human layer.

State-of-the-art platforms for email security today have precisely this attribute – namely that they can take full advantage of the things that software systems do best (e.g., process data) combined with things that humans do best (e.g., recognize patterns). The result is an analytics-based security approach natively tied to cloud infrastructure that has the strong potential to bend the risk curve downward for email infrastructure.

Elements of this third-generation email security solution include the following key protection features and risk controls:

Behavioral Analytics – Behavioral analytics involve ingest of relevant factors, processing based on correlation and related strategies, and reporting in a variety of different means including via application programming interfaces (APIs) to other security tools. Automated Learning – With recent advances in machine learning algorithms, email security can improve continually based on patterns detected in test traffic or in live email traffic (e.g., for deep learning systems). Personalized Protections – Tailoring email security to match the preferences and usage patterns of individual users allows for more accurate handling and security. Some users might view an email as Spam, whereas another might view the same email as fine. Cloud-Native Controls – The use of cloud infrastructure has emerged as particularly useful for email security since it offers ubiquitous access for both ingest of threat intelligence, as well as for access to email systems. Quantitative Risk Profiling – Quantifying risk allows for effective reporting of email security posture, which can be helpful when stipulating minimum security levels or in measuring the benefits of a given security protection.

Figure 3. Third-Generation Analytics, Learning, and Advanced Controls

As each generation of email security progresses forward, the good news is that state-of-the-art solutions can incorporate the best practices and demonstrably useful elements of prior generation techniques. Nevertheless, even in the present generation of advanced analytic usage, business email compromise (BEC) and phishing attacks continue to occur, especially when combined with social engineering methods [6].

The goal for email security will never be to reduce cyber risks to zero, but rather to address vulnerabilities sufficiently that email usage becomes a much lower concern for enterprise security teams as well as citizen users. It is an open question whether more intense attention to existing controls will be sufficient to achieve this objective, or if totally new security solutions will be required. The next section offers some views on this future state.

5 EVALUATION FRAMEWORK

To demonstrate how successive generations of email security have provided better handling and protection, it is helpful to introduce a simple evaluation framework. The objective is to identify the relevant aspects of email security that have changed over the years. These include the following attributes:

Email Threat Protection – The purpose of email security obviously is to prevent, detect, or respond to threats – presumably with prevention as the ultimate objective. The good news is that successive generations of email protection introduce stepwise more effective security controls. The reason the problem remains however is that malicious activity has also increased and improved during the same period. Transparency to Users – An objective in any IT security control is transparency for users. This is especially true for email, since it is such a pervasive tool. During successive generations of email security, the obligations for users has increased, as evidenced by the extensive user awareness training typically required. Removal of such user friction should be an objective for future generation methods. Lifecycle Costs to Organizations – While license costs for email security tools have likely increased for most organizations, the corresponding costs for incident response have typically been reduced. This is true when suitable investments and good tooling have been put in place. The case to be avoided in the present generation involves high-cost email security tools without commensurate reduction in lifecycle costs.

Figure 4. Effectiveness for Three Generations of Email Security

It is reasonable to conclude that great progress is being made in email security, as depicted informally in Figure 4 with the progression from red status (weak) to yellow status (improving) to green status (effective). While phishing and business email compromise (BEC) are still problems, they usually stem from inadequate application of available tools and poorly conceived architectures – both of which will also improve in the coming years.

6 FUTURE GENERATION EMAIL SECURITY

The use of virus filtering, secure email gateway (SEG) processing, and cloud-based analytics has thus obviously reduced email security risk considerably. Such advances have been balanced, however, by malicious actors improving their own methods for targeting users. Automation has allowed for increased coverage in phishing attacks, even ones using individualized spear phishing methods. This has expanded the attack surface for email.

Based on the progression through three generations of email security and observations about trends in public cloud, SaaS, and networking, three observations can be made with respect to future generation email security. These observations should be viewed less as “predictions” and more as general “extrapolations” of on-going trends in how email security is likely to be handled in the next few years, post 2022.

Embedded Protections – Email security protections should become more integrated natively into services provided by Microsoft, Google, and others. This does not imply that innovative technology companies working email security will cease to thrive and grow, but rather that the buying habits of end-users will demand that these new controls come pre-integrated and embedded into existing services. Expended Intelligence – Continued advances in artificial intelligence will lead to even more powerful controls for email security. Deep learning methods and computer vision, for example, will more than likely introduce new means for using live email streams as the basis for improving the accuracy and quality of the artificial intelligence models that serve as basis for the protections. Increased Autonomy – With the introduction of more autonomous computing methods (as evidenced in the trucking and automobile industries) will come greater confidence for user to rely on autonomous email assistants. Such assistants will reduce the monotony of handling routine email but will also come with advanced cybersecurity controls to avoid human errors.

The offense is also likely to improve its malicious techniques, and they should be expected to also rely on advances in artificial intelligence and autonomous computing to build more powerful attack tools. One would hope that the defense would be more aggressive in making progress and the shift toward intelligent autonomy should be particularly useful in reducing human errors, which have always been such an easily exploitable weakness.

[1] Ray Tomlinson, “The First Network Email,” (openmap.bbn.com).

[2] Bruce Schneier, E-Mail Security, John Wiley & Sons, 1995.

[3] Timeline of Computer Viruses and Worms, Wikipedia.

[4] DMARC Website

[5] DMARC Wiki

[6] Jade Hill, “Inside the Business Email Compromise Problem,” July 2021