Harden Email Gateway Configurations with BAS

By Dor Sarig

If anything is certain in cybersecurity, it's that email is still the #1 advanced threat vector: more than 90% of targeted attacks start with email[1]. Someone, somewhere in your organization is going to click on something malicious. Here's how to keep that click from turning into a full-blown breach.


Reduce the Email Attack Surface

Configuring email gateways and other email protection solutions correctly is the first step toward reducing the email attack surface. Settings should be reviewed regularly to ensure they haven't drifted due to rapid IT change, policy upgrades, new product deployments, oversight, or even benign neglect.

You can further harden defenses by enabling attachment scanning and the other inspection capabilities of your email gateway. In addition, block the file types adversaries rely on for code execution: they use them to bypass defenses, conduct reconnaissance, deliver payloads, and exfiltrate data. Match on the detected file type as well as the extension, and unpack archives before applying the rule, because attackers rename payloads and nest them inside ZIP files to slip past a name-only filter. Reduce your organization's email attack surface by blocking attachments with commonly abused Windows extensions, such as[2]:

  • .exe: A Windows executable; an .exe arriving by email should instantly raise a red flag
  • .msi: A Microsoft Installer package, used to carry a malicious payload bundled into what appears to be a legitimate software install
  • .jar: A Java archive that runs on any installed Java runtime; attackers use it as a downloader for further malware, with no runtime vulnerability required
  • .bat: A batch file, a list of commands run by the Windows Command Prompt
  • .cmd: A batch file in the same format as .bat, introduced with Windows NT's cmd.exe
  • .js: A JavaScript file; outside the browser, Windows runs a double-clicked .js with Windows Script Host (wscript.exe) under the user's full privileges and with no sandbox
  • .vb/.vbs: A Visual Basic Script file, also run by Windows Script Host, that executes whatever embedded script code it carries
  • .ps1: A PowerShell script executed on a Windows machine (.ps on its own is a PostScript document, not PowerShell)
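The attachment policy described above, as an added example that is not part of the original post and not Cymulate's or any gateway vendor's code. It walks a raw RFC 822 message, applies the extension blocklist from the list above, inspects content as well as file name (a renamed PE still starts with the bytes "MZ"), and recurses into ZIP containers so the nested-payload case mentioned later in this post (an executable inside an archive inside an archive) is caught too. The sample message it scans is constructed inline; the blocklist, depth limit and size limit are assumptions to adapt to your own policy.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article recommends blocking; extend to match your own policy.
BLOCKED_EXTENSIONS = {".exe", ".msi", ".jar", ".bat", ".cmd", ".js", ".vb", ".vbs", ".ps1"}

# Content signatures checked regardless of the claimed file name.
PE_MAGIC = b"MZ"            # Windows PE executables (.exe, .dll, .scr, ...)
ZIP_MAGIC = b"PK\x03\x04"   # ZIP containers (.zip, .jar, .docx, ...)

MAX_DEPTH = 3                          # how many archive levels to unpack (assumed limit)
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate oversized members (zip-bomb guard)


def check_blob(name, data, findings, depth=0):
    """Apply the policy to one attachment or archive member; recurse into ZIPs."""
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        findings.append((name, f"blocked extension {ext}"))
    elif data.startswith(PE_MAGIC):
        # invoice.exe renamed to invoice.txt must not get past the filter.
        findings.append((name, f"PE executable disguised as '{ext or 'no extension'}'"))
    if not data.startswith(ZIP_MAGIC):
        return
    if depth >= MAX_DEPTH:
        findings.append((name, "archive nested too deeply to inspect"))
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:
                    # Password-protected members cannot be scanned; that is itself a finding.
                    findings.append((member, "encrypted archive member, cannot inspect"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    # Declared size can lie, but it stops the obvious decompression bomb.
                    findings.append((member, "archive member exceeds size limit"))
                else:
                    check_blob(member, zf.read(info), findings, depth + 1)
    except zipfile.BadZipFile:
        findings.append((name, "malformed ZIP container"))


def scan_message(raw):
    """Return ('accept' | 'reject', findings) for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        check_blob(name, part.get_payload(decode=True) or b"", findings)
    return ("reject" if findings else "accept"), findings


def build_sample_message():
    """Constructed test message (not a real capture): a benign PDF, a PE renamed
    to .txt, and a ZIP that carries a second ZIP holding an .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 64)   # fake PE header, not a real binary
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.zip", inner.getvalue())
        zf.writestr("readme.txt", b"see attached")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 64, maintype="application", subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, hits = scan_message(build_sample_message())
    print(verdict)
    for name, reason in hits:
        print(f"  {name}: {reason}")
```

On the sample message the scanner rejects: notes.txt is flagged as a disguised PE and invoice.zip/docs.zip/invoice.exe as a blocked extension, while report.pdf passes. Encrypted archives are reported rather than silently accepted, since a password-protected ZIP is exactly how a filter-aware attacker ships the .exe.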


Block the Junk

Many email gateway solutions have functionality designed to block spam, suspicious attachments, and malicious URLs. Spammers obtain email addresses from compromised accounts, and they use bots to harvest addresses from common sources such as free email domains, web forums, and online chat rooms. Spammers often send through third-party services with a good reputation, because mail from a “good,” known IP address has a higher chance of bypassing junk and spam filters. They also spoof the sender's email address so the message appears to come from a legitimate sender. Block the IP addresses (or ranges) spammers use to send junk mail by adding them to the blocklists on your email security controls, and keep in mind that IP blocking alone does nothing against mail relayed through a reputable provider or carrying a spoofed sender; checking SPF, DKIM and DMARC on inbound mail closes that gap.


Simulate Email Threats to Evaluate Email Defenses

Although email product vendors can help you perform basic testing of their solution, they don't provide an integrated, comprehensive assessment of your overall email security posture, nor do they test in real time against the threats currently seen in the wild. The best way to know whether your email gateways and other email security solutions are working as expected is to throw the latest threats at them, safely, of course. Breach and Attack Simulation (BAS) makes it easy to test your email defenses safely, whether on premises or in the cloud.

  • Check everything: BAS can check detection and response tools, content disarm and reconstruction (CDR) tools, and sandboxes. BAS also can simulate threats in nested files—such as an executable inside a Word file inside a zip file—which are difficult to detect.
  • Test against latest threats: Simulations test in real time against immediate threats seen in the wild, with continuous threat updates.
  • Test against a standard: BAS is mapped to the MITRE ATT&CK matrix, enabling you to measure and assess risk against known benchmarks.
  • Customize attacks: Evaluate defenses against high-volume broad attacks and then drill down to test against specific attack techniques, payloads, and attacker behavior.
  • Test anytime: Launch ad hoc simulations whenever you need them, without the cost and disruption of a full penetration test, and schedule regular assessments to meet specific compliance requirements.
  • Automate simulations: Run simulations automatically, triggered on a schedule (daily, monthly, etc.) or whenever a new threat is added.

Get immediate insight into email-based attacks that represent the greatest threat. Risk metrics, such as scores and penetration ratios, and breakdowns of specific attack types give you real-time data for making more informed decisions about remediation priorities, product upgrades, or new technology additions.

Finally, reduce exposure using actionable insights. BAS lists the specific file types to check for and recommends remediation steps. You might block executables and other potentially malicious file types that are not used in your environment. You can make spoofing of your own domain harder by publishing SPF, DKIM and DMARC records and verifying them on inbound mail; DMARC builds on SPF or DKIM, and it only blocks anything once its policy is set to quarantine or reject rather than none. Consider implementing a CDR solution that strips potentially malicious active content (macros, scripts, embedded objects) from attachments. However you choose to respond, you can do it with real data and confidence. Email-based attacks don't have to catch you, or your users, unaware.
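A check for the DMARC and SPF records mentioned above, added here as an example that is not part of the original post and not Cymulate's code. It lints a DMARC record for the settings that leave it monitor-only (p=none, partial pct, no reporting address) and an SPF record for a permissive terminator or too many DNS lookups, and shows a weak record next to a hardened one. No DNS queries are made: the records are constructed for illustration (example.com and 203.0.113.0/24 are reserved documentation names), and in production you would feed in the TXT records fetched for _dmarc.<domain> and <domain>.

```python
# DNS-querying SPF mechanisms and modifiers; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict with lower-cased tags."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty means it is enforcing)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        issues.append(f"p={p or 'missing'}: spoofed mail is still delivered (monitor-only)")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={tags.get('pct')}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return issues


def lint_spf(record):
    """Return a list of weaknesses in an SPF record (empty means it is tight)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        issues.append(f"'{last}' authorises every host on the internet")
    elif last == "?all":
        issues.append("'?all' is neutral: receivers treat it as no SPF policy")
    # Count only this record's own lookup terms; each include: pulls in more.
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of {SPF_LOOKUP_LIMIT}; "
                      "receivers return permerror and SPF silently stops protecting you")
    return issues


# Constructed records for illustration (not fetched from DNS).
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc-reports@example.com")
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
HARDENED_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for label, record, lint in (("weak DMARC", WEAK_DMARC, lint_dmarc),
                                ("hardened DMARC", HARDENED_DMARC, lint_dmarc),
                                ("weak SPF", WEAK_SPF, lint_spf),
                                ("hardened SPF", HARDENED_SPF, lint_spf)):
        print(f"{label}: {lint(record) or 'ok'}")
```

The weak DMARC record yields three findings (monitor-only policy, half-applied pct, no reporting address) and the weak SPF record one (+all); both hardened records come back clean. A soft-fail ~all is deliberately not flagged, because DMARC with p=reject already treats an SPF softfail as a failure.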

Cymulate’s Email Gateway simulation vector is designed to evaluate your organization’s email security and potential exposure to a number of malicious payloads sent by email. Try it out for yourself with a 14-day free trial.


[1] Multiple sources support this: Proofpoint, Cisco, Verizon, etc.
[2] Multiple sources include SolarWinds, Symantec, How to Geek.
