Threat Spotlight: Organizations Training Their Users To Witness 73% Improvement In Accuracy Of User-Reported Email; Reports Barracuda Researchers - GADGET-INNOVATIONS







Malicious emails spend 83 hours in users’ inboxes before they are removed




A malicious email that evades an organization’s security measures and lands in a user’s inbox needs as much attention as blocking threats in the first place. Researchers at Barracuda, a trusted partner and leading provider of cloud-enabled security solutions, recently looked at approximately 3,500 organizations globally to better understand threat patterns and response practices. They identified that an average organization with 1,100 users will experience around 15 email security incidents per month, and on average 10 employees will be impacted by each phishing attack that manages to get through. The researchers also found that 3% of employees tend to click on a link in a malicious email, exposing the entire organization to hackers looking to conduct a successful attack.




An effective incident response following a security breach and the threats that arise post-delivery can quickly stop the spread of the attack and minimize any potential damage. There are multiple ways that organizations can identify email threats for post-delivery remediation. Users can report them, IT teams can initiate internal threat hunting, or they can also rely on a community of other organizations that remediate attacks.




Barracuda researchers found that the majority of incidents were discovered through internal threat hunting investigations launched by the IT Team. The investigations were initiated through common practices like searching through message logs or running keyword or sender searches of already delivered mail. Meanwhile, some of the incidents were created from user-reported emails, while the rest were discovered using community-sourced threat intelligence, or through other sources such as automated or previously remediated incidents.




Organizations should always encourage end users to report suspicious emails, but an influx of user-reported emails can be burdensome for resource-strapped IT Teams. A good way to increase the accuracy of user reports is to provide consistent security awareness training. Barracuda researchers found that organizations that train their users will see a 73% improvement in the accuracy of user-reported email after only two training campaigns.




Email remediation can be a lengthy and time-consuming process. During the study, the researchers found that on average, malicious emails spend 83 hours in users’ inboxes before they are discovered by a security team or reported by end users and finally remediated. This time can be considerably shortened with focused security training that improves the accuracy of user-reported attacks, and with the deployment of automated remediation tools that can automatically identify and remediate attacks, freeing up time for security personnel.




Security teams can also utilize threat insights from remediated incidents to update their security policies and prevent future attacks. For instance, organizations can regularly update their block lists to block messages from specific senders or geographies. They can also update their web security to block access to malicious sites for entire organizations.




To prevent the devastating effects of a successful email attack and improve their response to email threats post-delivery, organizations can give their users access to continuous security awareness training to ensure that security best practices stay top of mind and the volume of reported attacks is improved.




Related and sometimes identical email threats will affect more than one organization since hackers frequently leverage the same attack techniques across multiple targets. Organizations should ensure that their incident response solution can access and leverage intelligence data that other organizations gather rather than only using the data gathered through their individual network, for effective threat hunting and potential incident alerts. Organizations should also deploy threat hunting tools that give them visibility into mail post-delivery and ensure faster investigation of attacks.



Having automated incident response systems in place can significantly reduce the time it takes to identify suspicious emails, remove them from all affected users’ inboxes, and automate processes that bolster defenses against future threats. Besides that, organizations would also need to integrate their incident response with email and web security to prevent further attacks. Intelligence gathered from the incident response can also be used to enable automatic remediation and help identify related threats.