5 efficient email security techniques for advanced persistent threats

by DuoCircle

 

An advanced persistent threat (APT) is a sophisticated, prolonged cyberattack in which a malicious actor gains access to a network and remains undetected for an extended period. This type of cyberattack is often motivated by political, financial, or strategic interests and aims to steal sensitive data, disrupt operations, or conduct espionage

Some infamous APT groups are APT28 (Fancy Bear), APT41 (Double Dragon), and APT33. 

These malicious groups often dupe people and organizations by exploiting email infrastructures to extract data or even operate hosts’ servers. Data leakage can have serious repercussions, leading to financial, reputational, and legal potholes. 

Here are five techniques you should use to protect your email conversations and, eventually, your business. 

 

data leak

 

Email encryption

In email encryption, email content is disguised as unreadable gibberish, making it difficult for unauthorized people to read it despite getting access. This is done using different kinds of encryption techniques, which ensure confidential and important data is not compromised at any point in transit. End-to-end email encryption safeguards data even when at rest. Only the intended recipient gets the private key that decrypts the email, making it readable again.

The entire process works on the basis of advanced computerized algorithms that encrypt and decrypt email content. SSL, TLS, PGP, and S/MIME are widely followed email encryption techniques.

Here are the points you should be mindful of-

  • Encrypt all emails- both sent and received.
  • Connect with your email service provider to determine which encryption technique is suitable for your organization’s setup.
  • Check for email encryption indicators whenever you send or receive an email.
  • While encryption is responsible for protection against unauthorized access, it’s important to be cautious with email content and attachments.

 

 email encryption

 

 

Email filtering

Email filtering involves screening incoming and outgoing emails based on predefined criteria, such as sender address, subject line, content keywords, attachment type, recipient address, geographic location, header information, etc. An email filter identifies potentially malicious emails and moves them to separate folders where users can release, block, or permit them.

Although all major email service providers have basic filtering capabilities by default, these are not fully effective against new-aged, sophisticated email attacks. That’s why it’s important to deploy a dedicated email filtering tool. The latest email filtering tools and services leverage behavioral analytics driven by artificial intelligence and machine learning—the two-dimensional facets of the evolving digital landscape. Such tools are efficient in assessing normal patterns of human behavior, which helps them spot anomalies that might bypass the standard security filters. 

Email filters are for both inbound and outbound emails. In inbound filtering, emails are scanned to protect users or for lawful interception of the content. Outbound filtering checks emails from local users before they’re sent to prevent harmful content. Internet providers often use transparent SMTP proxies for outbound filtering, while businesses use email servers with data leak prevention to stop sensitive information from being shared.

 

email filtering

 

Email authentication

Email authentication is the process of verifying if the email sender is actually who they are claiming to be. It primarily involves three authentication protocols, namely Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Together, these protocols help identify the sender’s legitimacy and confirm that email content was not altered within transit

 

SPF

SPF prevents APTs by verifying if an email was sent from an authorized server. It works by using a DNS record, in which a domain owner mentions all the IP addresses and mail servers they allow to be used to send emails using their domain. The domain owner has to generate and publish an SPF record in their DNS so that a recipient’s server can retrieve it to check if the sender’s IP address belongs to the list of authorized servers in the SPF record

If the IP matches, the email is considered authentic. If the IP doesn’t match, the email is flagged as suspicious and may be rejected, marked as spam, or delivered with a warning.

 

marked as spam

 

DKIM

DKIM is deployed by the sending domain’s owner to help the receiving mail servers verify that the emails’ contents were not altered during transit and that they were sent by authorized senders.

The sender’s email server adds a cryptographic signature to the email header using a private key. Then, the sender publishes a DKIM record in their domain’s DNS, containing the public key. When the email is received, the recipient’s mail server retrieves the public key from the sender’s DNS. The server uses the public key to verify the signature. If it matches and the email hasn’t been altered, it is authenticated.

 

DMARC

DMARC builds on SPF and DKIM results. It basically instructs the receiving servers how to deal with emails sent from your domain that didn’t pass SPF and/or DKIM checks. Domain owners have the choice of subjecting failed emails to one of the policies—none, quarantine, or reject

  • The none policy: By applying this policy, domain owners instruct receiving servers to take no action against unauthorized emails sent from their domains. It’s basically used for monitoring and reporting DMARC results without impacting email delivery.
  • The quarantine policy: The quarantine policy allows domain owners to tell the receiving mailboxes to simply flag unauthorized emails sent from their domains as suspicious and move them to junk or spam folders
  • The reject policy: It’s the strictest policy that instructs the recipients’ mailboxes to block and prevent the delivery of emails failing DMARC authentication checks.

 

authentication check

 

Email backup

Email backup isn’t a new practice, and you must already know about it. However, not many companies diligently perform it. By definition, email backup means creating a secure and clean copy of all email data (messages, attachments, and metadata) so that you can restore them in case someone disrupts your email infrastructure. It’s also helpful in case of data loss and corruption.

Services like Microsoft 365 or Google Workspace automatically back up emails to secure cloud storage. Alternatively, you can export emails to formats like .PST or .MBOX for manual storage. Other options include backup servers or software that stores email data locally or on external storage devices

 

Email monitoring

Email monitoring involves tracking your email system’s activity and performance to spot and fix issues. It helps detect and respond to threats like APTs that could harm your email security. Monitoring also identifies weak spots in your email system that could make it vulnerable to attacks. Using a reliable email monitoring tool ensures you get alerts about suspicious activities and helpful advice to strengthen security.

Pin It on Pinterest

Share This