No Time Like the Present for Detecting Data Breaches
Jun 16, 2011 5:00 AM PT
The email industry is under a prolonged and targeted attack. Going back almost a year now, service providers and their clients have been the focus of so-called spear-phishing (targeted phishing) and other intrusions that have resulted in large-scale direct and indirect data breaches. It's scary stuff, and the worst of it is far from over.
Largely, these breaches have come in two flavors: system intrusion with direct compromise of data (Return Path, Silverpop, and others); and client credential compromise (CheetahMail), whereby a bad actor gains control of a valid and trusted user account at an email service provider (ESP) and uses it to send malicious content.
The case of a compromised client system (penetrated from the outside or perpetrated from within) is a particularly vexing one for service providers. You'll hear a lot of the discussion about what companies should do to prevent system and account credential compromise -- from better role-based access control and bidirectional client/service provider agreements to multifactor authentication and external penetration testing. This article isn't about those things. It's about what to do when your best laid plans for how to prevent a compromise fail, as they inevitably will.
The hard reality is that regardless of the steps taken to prevent it, a compromise will eventually happen if you've got the customer data a motivated bad actor wants. There are simply too many human, business process and technical points of vulnerability to prevent it. Given this reality, organizations need to invest not only in trying to prevent compromises, but also in detecting them when they happen -- and in the strong remediation steps to mitigate the damage when they do.
This is the core of the "defense in depth" concept: All systems should have multiple layers of protection in place, so that when one inevitably fails, there are backups further down the stack to prevent or limit the damage.
Why is all this important? If not having your breaches broadcast on Twitter and headlined in The Wall Street Journal aren't motivation enough, it's that allowing compromised accounts to run rampant in your infrastructure fundamentally damages your business, the trust your clients put in you, and the reputation you've worked hard to establish with end-users and mail providers. We have a duty and obligation to protect our clients from themselves and those around them, and we have a fundamental responsibility for the quality of any messaging that comes from our systems.
So what can be done? One of the common techniques that is implemented today (or at least recommended) is to automatically pre-scan a campaign with a content scanner, such as SpamAssassin, before it's sent out. This technique suffers from a number of shortcomings:
- High false positive rate, since marketers are always pushing the envelope on content, and SpamAssassin makes heavy use of heuristic content-based detection.
- Timing issues, especially when catching so-called zero-hour attacks. If your system is the origination point for a new piece of malware or a new phishing URL, a feedback-based system won't have yet seen the attack to build the rule to catch it.
- Clever use of dynamic content can make a test sample message appear completely benign while the live campaign contains the malicious content.
Because content and reputation can change in real time, the only truly effective way to monitor a live system is by monitoring both behavior heuristics and the live stream of mail that you're deploying in real time.
From a behavior heuristics standpoint, there are a number of things that can be monitored in real time:
- Feedback Loop (FBL) complaint rates -- particularly sudden spikes and deviations from the norm
- An unexpected jump in "invalid recipient" bounces or other undeliverable messages
- A spike in messages to domains that haven't been sent to previously
The critical point here is that you need to track these factors in real time and make your decisions in real time -- like suspending a client's mailing and dispatching your security team to investigate.
While heuristic methods are great, there's no substitute for direct observational techniques. You can and should monitor your live outbound mail stream itself and make decisions based on that. You can spot abuse in your mail stream by looking for the presence of the following:
- Spam, phishing or malicious URLs in a message, based off a lookup against one or more of the SURBL lists or another URIBL.
- Malicious or abusive content, based off the verdict of a commercial or noncommercial antispam/antivirus scanner.
Timing Is Everything
While the cost overhead (in terms of licensing costs and/or processing overhead) for scanning all of your mail with these techniques can be high, they don't need to be applied with a global simple on/off.
For messages that support completely unique, user-supplied content, scanning every message is the only way to be reasonably safe. (Examples are a forward-to-a-friend service where an end-user can supply content for the message, or a jobs site where an end-user can send a resume through your mail system.) These are well known and commonly abused vectors, and can be sending out malicious content even when no compromise has occurred.
For campaign-based mailings, though, you can take an approach similar to many network security systems and employ stratified random sampling to continuously monitor a portion of every unique campaign that leaves your system. This technique ensures that every campaign gets monitored and real-time reputation data can be effectively used, while limiting your license and overhead costs.
Once you've identified a suspicious mail stream or campaign, there is a plethora of things you can do with that information. One already mentioned is to suspend that campaign (or all of a client's campaigns) and alert your security experts. Of course, you can also push this information directly to a contact at your client company for investigation on its side.
However you choose to handle what you find, everything starts with your ability to detect a compromise in the first place. Again, real-time detection that facilitates real-time decision-making is the key. Things are happening too fast and the potential damage is too great for any other solution to suffice. So find the right combination of technologies and applications that will ensure a safe and secure messaging environment for you, your clients and their customers' data. Do everything you can to harden your defenses to prevent a breach, but be prepared for the inevitable breach when it occurs.