Mimecast CEO: Internal Email, Supply Chain Attacks On Rise

Mimecast CEO Peter Bauer says cyberprotection must extend beyond the email gateway to address what attackers are trying to accomplish both inside and outside the victim organization via impersonation.


Cyberdefense must focus on preventing adversaries from achieving their desired outcome rather than simply blocking bad emails from getting in, said Mimecast CEO Peter Bauer.

Protection must extend beyond the email gateway to address what the attacker is trying to accomplish inside the victim company as well as what the adversary is doing outside the user’s environment, Bauer told attendees of Midsize Enterprise Summit+, hosted by CRN parent The Channel Company. Businesses today must be concerned with more than just spam, viruses, spear phishing and malware, Bauer said.

“These are sentient attackers playing a chess game against you,” said Bauer during a sponsored keynote session. “And it‘s a game you cannot ever win but certainly a game you cannot afford to lose, and you have no choice but to play it.”

Sponsored post

[Related: Mimecast Acquires Email Security Startup MessageControl]

Adversaries have turned to blended attacks to increase their likelihood of success, Bauer said, combining techniques like impersonation via look-alike domains and websites with non-email-based communication. This can span the gamut from messages on LinkedIn or fake login pages to using web hosted content repositories like Dropbox or OneDrive to host malware, according to Bauer.

“The unfortunate reality is that attackers can be ferociously successful with these after a little thought and planning because people are susceptible, technology is imperfect and adversaries are organized and persistent,” Bauer said.

Email security should therefore no longer be seen as a goal unto itself since a gateway perimeter defense strategy working in isolation cannot necessarily by itself stop an attacker who seeks war, Bauer said. Businesses must approach cyberdefense in a holistic and integrated fashion to increase their odds of denying adversaries the outcome they seek, according to Bauer.

Bauer recommended organizations think about protection in three dimensions, the first of which remains the email gateway. Email gateways are still a crucial pillar in a cyberdefense strategy since every person at an organization typically has an email address, making it a direct pathway into the machine and mind of all of a company’s employees, according to Bauer.

The second dimension revolves around what the adversary is trying to accomplish inside the victim organization, which Bauer said often involves compromising the credentials of employees to send internal emails. Businesses used to trust that internal email was safer than external email, but Bauer said the time has probably come for businesses to take a zero-trust approach for internal emails as well.

As a result, Bauer said businesses should interrogate their internal, east-west email traffic with the same robust set of technologies they use for inbound, north-south emails from the outside. If something bad is discovered in internal emails, Bauer said organizations must have the ability to respond and remediate the issue quickly by essentially extracting the bad messages from their environment.

And if the way a mailbox is behaving suggests a compromised account where an attacker may have taken a user’s credentials, Bauer said organizations must be able to shut that down rapidly as well. Security awareness training and phishing simulation are vital in denying adversaries their goals, and gamification can play a key role in helping companies identify their riskier employees, Bauer said.

In fact, Bauer said Lexington, Mass.-based Mimecast has seen a 5.2X reduction in the propensity of its user base to click on a bad link after engaging with the company’s security awareness training module. Converting employees from a weak link to close allies of the organization’s security program will help stymie attackers, he said.

Finally, Bauer said the third attack dimension involves adversaries working on the outside and taking a businesses’ hard-earned brand, reputation or identity and imitating them to infiltrate and compromise others in the company’s supply chain. It’s quite easy to set up a fake domain that looks like a business or one of its key partners or build a web page that allows adversaries to impersonate a victim organization.

Once that’s been done, Bauer said adversaries can pass themselves off as the victim organization and either communicate with trusted partners to steal information or get inside the payment process for a transaction. LinkedIn accounts can also play a major role in impersonation attacks, according to Bauer.

Businesses must for starters set up DMARC correctly to protect against abuse of their actual domain, Bauer said. Beyond that, Bauer said companies must also proactively hunt for and detect domains and web content that are in the process of being established to harm, and then immediately apply countermeasures to protect the organization in question, its customers and its supply chain partners.

“The faster you can detect and respond, the better,” Bauer said.

Solution providers need to question requests that seem outside the norm and pick up the phone to call the person who allegedly sent a request for gift cards or a purchase order for laptops to be shipped to an unusual location, according to Jack Kaiser, senior vice president of sales and marketing at Waltham, Mass.-based Aqueduct Technologies, No. 288 on the 2020 CRN Solution Provider 500.

Aqueduct Technologies has long seen impersonation attacks where employees receive an email from someone purporting to be the CEO but the top executive’s name is slightly misspelled, Kaiser said. But since the onset of the coronavirus pandemic, Kaiser said Aqueduct has seen far more supply chain-type impersonation attack where adversaries are attempting to get supplies shipped to an unusual location.

As a result, Kaiser said Aqueduct has implemented a new process where anyone asking to have items shipped to a new location gets a call from the company to verify the request was made by the actual customer. And since all new customers are being recruited virtually during COVID-19, Kaiser said someone from operations will call the contact provided to verify that it’s a real person.

“We are definitely seeing more impersonation attempts from various sources,” Kaiser told CRN. “Mimecast has been huge in stopping the vast majority, and the awareness training is helpful in catching the rest.”