Q. What problem does Iconix address?
A. We address the problem of bad guys using email to deceive email recipients.
Q. Is email deception a big deal?
A. Yes. The most common way that data processing systems are “hacked” is deceptive emails. Deceptive emails are commonly called “phishing,” “spearphishing,” and “whaling.” The distinction between these types of deceptive emails is the degree of targeting. Deception which targets many users (e.g., all Wells Fargo Bank customers) is phishing. Email which is more precisely targeted (e.g., a group of employees at a company) is spearphishing. Deception that is targeted to a very small number of people (e.g., the CFO of a business) is whaling.
Q. Why is email deception used by bad guys?
A. When bad guys want to access internal resources of a target, they must get past the perimeter defenses. Inside EVERY perimeter are the employees. It is easy to communicate with the employees, who are inside the perimeter, using email. And there is even more goodness for the bad guys because users have system privileges. By using email to communicate with employees, the attacker can deceive the employees into misuse of system privileges for the benefit of the attacker. Employees can be tricked into downloading malware, executing system commands such as powershell, compromising passwords, and entering incorrect data.
Q. What about implementing a “Zero Trust Network Architecture?”
A. Zero Trust Network Architecture is not the same thing as zero user rights. For example, accounting personnel must be able to pay bills and maintain vendor data records. By tricking accounting personnel into using incorrect accounting information, bad guys use deception to subvert user privileges — compromising the system without malware and without creating any data processing discrepancies. Misuse of system commands, such as powershell, can be hard to detect. Zero day exploits inadvertently installed by employees can be hard to detect.
Q. How hard is it to detect system compromises?
A. According to Verizon, over 90% of breaches are discovered by 3rd parties after the breach has occurred and the damage has been done.
Q. Isn’t this really a problem of stupid users?
A. No. The problem is that attackers know how to deceive using email. Professor Arun Vishwanath, the leading email deception researcher, says, “It’s not a people problem, it’s an understanding of people problem.” Seen from this viewpoint, the attackers are winning because they understand people better than the defenders understand people.
Q. What about training users?
A. Users should be trained to avoid deceptive emails as one element of a cybersecurity program. The problem with well-crafted deceptive emails is that deception is a more powerful force than training. This is because of the psychology of email processing.
Q. What is the psychology of email processing?
A. The psychology of email is the way the human mind interacts with email to make email decisions. A team of psychologists headed by Professor Arun Vishwanath determined that email decisions are based on three factors. These three factors are habit, urgency clues and perceived relevance. By lying, an attacker can easily create an email that will trigger a habitual email response. For example, an email that claims to be from FedEx about a package delivery will trigger an email open response. It takes remarkably little imagination to craft effective deceptive emails once lying is added to the toolkit.
Q. Why don’t email filters solve this problem?
A. Because bad guys know how filters work. Bad guys also know how these systems work:
- next generation firewalls (NGFW)
- intrusion detection systems (IDS)
- data loss prevention systems work (DLP)
- antivirus (AV)
- system logging
- operating systems
- user applications
- security event incident monitoring (SEIM)
- threat intelligence
Bad guys take their knowledge of defensive systems and manipulate the factors used by these systems to accomplish their objectives.
Q. What can I do to fight deceptive emails?
A. The first step is to realize that the root cause is not inside the data processing system — the root cause is that data processing systems enable bad guys to use deceptive email to turn users into agents of the attacker. The next step is to address the root cause with a tool that unmasks deceptive emails. The tool that unmasks deceptive emails is SP Guard.
A. How hard is it to implement SP Guard?
A. It is easy to implement SP Guard. SP Guard is deployed as an add-on to a Microsoft Outlook desktop client. Use our contact form to reach us to learn about installing SP Guard in your environment.