Foiling content-borne attacks against a remote workforce
Opening a single email with a malicious URL or attachment can threaten your organization. In this interview, Liron Barak, CEO at BitDam, discusses the cybersecurity issues related to remote work, the inadequate security of collaboration tools, and more.
Working remotely is now a reality for most global organizations. What cybersecurity issues do you expect companies to encounter in the months ahead due to this change?
There are many security issues in working remotely. In addition to the technical risks associated with working from a location other than the organization’s facilities (perhaps not using their corporate computer or not using a proper VPN), organizations nowadays face a new challenge – the enormous increase in the use of IM and collaboration tools such as MS Teams, Zoom, Google Hangouts and others as well as cloud drives like Box, Google Drive or OneDrive which are not as secure as one may think.
This dramatic growth in the usage of such tools in general is a fertile ground for cyberattacks. Bad actors use these platforms to send malicious files or links and use this for phishing too. Employees are not always deeply familiar with all business collaboration tools and may be fooled, especially since these tools are typically not secured by Advanced Threat Protection (ATP).
In addition to that, we see a general increase in hackers’ activity around the COVID-19 crisis. Attackers take advantage of the fact that people are less focused, and mainly scared about anything related to this new reality that all of us experience. They send malicious or phishing emails, impersonating official bodies or someone who is trying to help, gain the victims’ trust and thus lure them to click something or provide their personal details.
How can the inadequate security of some collaboration tools impact an organization? What can they do about it?
This can have a devastating effect on organizations. The data breaches that we occasionally hear about, huge ransomware incidents, phishing attacks and other types of cyberattacks usually start with some kind of content-based malware. Or in other words, a malicious file or a link, sent to an innocent employee who opens it. It doesn’t really matter how this malware is sent. It could be through email, in a file shared on Google Drive, sent as a link on Zoom or delivered as an attachment using MS Teams. For the attacker, this really doesn’t make any difference.
As someone who used to be at “the other side of the fence”, I can spend hours talking about hackers’ strategies in how to deliver malware. To make it short, I will just say that they normally choose either the weakest link in the chain as the delivery method, or attack vector, if you will. Or, they will select the most common channel, and spray the attack assuming that if they send it to a large number of people, someone will be fooled. The latter is the reason that 92% of malware is sent via email.
However, attackers are agile and they are likely to take advantage of the current situation (in fact, they have already started doing so). Since suddenly, a much larger number of people use VC and IM platforms, and since these tools are known for their lack of security (and for sure being less secure than email), it’s just a matter of time until we all hear about the cyberattacks that started in platforms like Zoom or Teams.
Organizations should be proactive about this and deploy security solutions that are dedicated for these collaboration platforms. It was ok not to focus the organization’s security strategy on these channels in the past, but now, things are different. As traffic on these channels grows – and we see it every day at our customers’ environments – security leaders should refer to these platforms as potential penetration points and secure them accordingly.
What advice would you give to the security team of an organization that finds hundreds of its employees suddenly working remotely?
In a normal situation, I would say “combine training and education with technological tools to protect the business as well as your employees”. But let’s be fair. In this crazy crisis and level of uncertainty, we can’t really expect employees that struggle to keep working as expected to focus on IT security training. Therefore, I would advise security teams to act quickly, and adopt a security solution that would protect against malware across the collaboration tools used by their organization.
This doesn’t have to be a hassle and doesn’t necessarily involve a long deployment or overhead to IT teams. There are cloud-based solutions that can be deployed within a few clicks. Some of them are even offered for a discount or free these days, as vendors are trying to support the global problem.
Email is still widely used in the corporate environment. Unfortunately, we see malicious files regularly bypass leading email security products. What can explain the shortcoming of these products?
As I mentioned, email is still the preferred attack vector for hackers. Why? Because it is working for them. It is true that most organizations have some kind of Secure Email Gateway, and many of them even have advanced security layers for their emails such as Office ATP or Proofpoint TAP. Unfortunately, a recent study shows that some attacks penetrate even those advanced security solutions. In fact, on average, between 25% and 35% of the unknown threats that emerge every day bypass them. The reason is quite simple. All these solutions are data-driven, meaning that they rely on knowledge of cyberattacks that they’ve encountered in the past in order to detect new attacks, which are similar to the old ones in one way or another.
The problem is that cyber attackers are sophisticated and they have found ways to bypass this mechanism easily. They do so by using automation to generate large numbers of variants of the same attacks very quickly. The variants are slightly different from each other. Different enough to go under the radar of the security solutions. By the time the email security solution identifies a new variant as a threat (which takes hours or even days), there is a newer variant in place.
As long as email security continues to be based on data, this problem will remain. A different approach is needed in order to detect attacks at first encounter.
BitDam’s Advanced Threat Protection (ATP) is threat-agnostic. Can you tell us more about its features and how it integrates with an existing security infrastructure?
BitDam is focused on protecting organizations from content-borne attacks, or in other words, ensuring that all content – any file or link – that reaches the employees will be safe. BitDam’s ATP solution is not data-driven and thus is threat-agnostic. We don’t collect data about threats. Therefore we are able to automatically protect against new variants of known threats when we first encounter them.
Instead of focusing on the malicious behavior and our familiarity with the threat, we focus on the legitimate behavior of business applications such as MS Word, PowerPoint, Safari and Adobe Reader, which attackers use to deliver their attack to end-users. We use a whitelisting approach on these applications, allowing us to detect malicious activities of any type.
This scanning is done before the end-user gets the file or link, no matter which collaboration tool they use. BitDam ATP is cloud-based and available for O365 and G-Suite users, allowing security teams to secure enterprise email as well as other collaboration channels such as cloud drives (OneDrive, Google Drive, Dropbox, Box), IM (Teams, Slack) and VC (Zoom, Teams, Skype) within a few clicks.
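To illustrate the two detection models contrasted in the answers above (a data-driven blocklist that misses a cosmetically changed variant, versus an allowlist of the actions a document reader legitimately performs), here is a small added Python example; it is not BitDam's code, and the document bytes, action traces, allowlist and the documentation-range IP address are constructed for illustration.

```python
import hashlib

# Constructed allowlist: actions a document reader is expected to perform while
# opening ordinary business content (an illustrative profile, not a vendor's list).
LEGIT_READER_ACTIONS = {"open_file", "parse_structure", "render_page",
                        "load_font", "load_image", "print", "save_file"}

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def make_variant(blob: bytes, n: int) -> bytes:
    # Cosmetic change only: a trailing comment line the reader ignores, so the
    # document behaves identically but its hash is brand new.
    return blob + b"\n% variant " + str(n).encode()

def blocklist_verdict(blob: bytes, blocklist: set) -> bool:
    """Data-driven check: flags only hashes already known to be bad."""
    return sha256_hex(blob) in blocklist

def allowlist_findings(actions) -> list:
    """Behaviour check: report anything outside the reader's legitimate profile."""
    return [a for a in actions if a not in LEGIT_READER_ACTIONS]

# Constructed samples: (document bytes, actions observed when the reader opens it).
BENIGN_DOC = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj"
BENIGN_ACTIONS = ["open_file", "parse_structure", "render_page", "load_font"]
KNOWN_BAD_DOC = b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj"
BAD_ACTIONS = ["open_file", "parse_structure", "render_page",
               "spawn_process:powershell.exe", "network_connect:203.0.113.5:443"]

def evaluate(blocklist: set) -> dict:
    """Return, per sample, the verdict of each approach."""
    samples = {
        "benign":  (BENIGN_DOC, BENIGN_ACTIONS),
        "known":   (KNOWN_BAD_DOC, BAD_ACTIONS),
        "variant": (make_variant(KNOWN_BAD_DOC, 1), BAD_ACTIONS),
    }
    return {name: {"hash_blocked": blocklist_verdict(blob, blocklist),
                   "unexpected_actions": allowlist_findings(acts)}
            for name, (blob, acts) in samples.items()}

if __name__ == "__main__":
    blocklist = {sha256_hex(KNOWN_BAD_DOC)}   # what a data-driven product "learned"
    for name, v in evaluate(blocklist).items():
        print(f"{name:8s} hash_blocked={v['hash_blocked']!s:5s} "
              f"unexpected={v['unexpected_actions']}")
```

The variant has an identical action trace and an unseen hash, so the hash check misses it while the allowlist check flags it exactly as it flags the original.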