Using Zero Trust to battle email impersonation attacks


The Zero Trust model is founded on a simple concept: “trust no one and nothing.” Forrester notes that Zero Trust “centers on the belief that trust is a vulnerability, and security must be designed with the strategy, ‘Never trust, always verify.’”

In practical terms, organizations that adopt the Zero Trust model put policies in place to verify everyone and everything, regardless of whether they are internal or external.

Though the Zero Trust approach has been around for more than a decade – first coined in 2009 by then Forrester Analyst John Kindervag – it hasn’t seen widespread adoption until very recently. 


Zero Trust has picked up steam and modernized many aspects of IT security. For example, while traditional VPNs certainly still provide fundamental protections when remotely connecting from a home to a corporate network, Zero Trust networks have taken telecommuter security to the next level – specifically addressing expanding and modern environments, such as cloud infrastructure, mobile devices and the internet of things (IoT).

Similarly, the Zero Trust concept has transformed email security. Legacy email security solutions only focus on traditional types of attacks, such as spam or suspicious content within a message body – an approach that no longer holds up against today’s advanced threat actors. A Zero Trust approach to email security, on the other hand, gives organizations the extra layer of protection required to defend against even the most complex email-borne threats, such as phishing, social engineering and business email compromise (BEC) attacks.  

Because email remains the number one attack vector and email-based threats are growing in variety, velocity and sophistication, it is critical that organizations apply the Zero Trust model to their email security strategy. 

Making authentication the core of email security 

Email-based threats have evolved beyond simple spam messages to highly sophisticated email impersonation attacks, including lookalike domains, display name spoofing, unauthorized owned domains and social engineering. 

These attacks use impersonation techniques to trick the end user into believing that the sender and the message are legitimate – usually by posing as another employee, a business partner or a brand the user knows and trusts. The goal is to get employees to transfer money, download malware or divulge sensitive information. 

Taking a Zero Trust approach to email can help organizations defend against email impersonation attacks by placing a primary focus on authentication – ensuring that emails entering the corporate environment or landing in end users’ inboxes are from legitimate individuals, brands and domains. 

The most effective way for organizations to do this is to implement security policies that ensure no email is trusted and delivered unless it passes several authentication checks, including:

SPF – Sender Policy Framework (SPF) records allow a domain owner to specify which host names and/or IP addresses are allowed to send emails on behalf of the domain. 

DKIM – DomainKeys Identified Mail (DKIM) lets domain owners apply a secure digital signature to emails. 

DMARC – Domain-based Message Authentication, Reporting & Conformance (DMARC) policies can prevent anyone other than specifically authorized senders from sending mail using an organization’s domain. It blocks phishing emails and domain-spoofing impersonation attempts that appear to come from trusted brands. By publishing a DMARC record in its domain’s DNS, a business can find out who is impersonating its brand in email messages and prevent those messages from reaching users.  

To use DMARC, organizations must already have SPF and DKIM in place. DMARC lets companies set policies that rely on SPF and DKIM results to tell recipients’ mail servers what to do when they receive fake emails that spoof the domain. The options are to report such emails but take no action, move them to a spam folder (quarantine), or reject them altogether. Finally, for organizations looking to deploy DMARC, there are numerous resources available to help them get started. 
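As an added illustration of how the three checks above fit together (this is example code written for this article, not a Mimecast product or any mail server's implementation), the function below parses a DMARC record and applies its policy to the SPF and DKIM results for a message. It assumes the SPF and DKIM verdicts and the domains they were evaluated against are supplied by the caller, and it simplifies the "organizational domain" to the last two DNS labels rather than consulting the Public Suffix List.

```python
# Simplified DMARC policy evaluation: SPF/DKIM results + alignment -> disposition.
# Constructed example; ignores the sp=, pct= and rua= tags for brevity.

def parse_dmarc(record: str) -> dict:
    """Turn a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and a p= tag)")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the sender's policy verdict: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    # DMARC passes if EITHER SPF or DKIM passes AND that identifier aligns with the From: domain.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"].lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


if __name__ == "__main__":
    # A spoofed message: SPF passes for the attacker's own bounce domain, no DKIM for the brand.
    print(dmarc_disposition("v=DMARC1; p=reject", "brand.example",
                            True, "bulk-sender.example", False, ""))  # reject
```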

In addition to authenticating email senders, it’s also important to apply Zero Trust principles to email users. They, too, must be authenticated, and multi-factor authentication (MFA) is one of the most common and effective ways to accomplish this.  

Zero Trust has zero chance without employee buy-in 

While taking a Zero Trust approach to email security can greatly reduce an organization’s risk of becoming a victim of email-based threats, the model alone is not 100 percent effective. Employees also must do their part. 

Ultimately, the time, effort and budget invested in the Zero Trust model will be undermined if employees don’t also adopt a Zero Trust mentality toward everything they do in the office and at home (which today is often one and the same). This is why ongoing cybersecurity awareness training is crucial to defending against today’s advanced threats.

For example, recent research from Mimecast detected a 3x increase in “bad clicks” among remote workers at the onset of the COVID-19 pandemic, when remote work (and relaxed cyber hygiene) became the norm. Yet the same research found that only one-in-five organizations provide ongoing end-user cyber awareness training.

Organizations should take the time to ensure their employees are trained on how to detect and report suspicious emails. Educate them on the tell-tale signs of email impersonation attacks, such as suspect URLs and attachments, spelling errors and tones of misplaced urgency. And make sure that, if they do question an email’s legitimacy, they have a direct and easy way to report it. 

The concept of Zero Trust may be simple, but implementing it can prove to be far more difficult. With a focus on authentication and employee cybersecurity awareness training, you’ll be well on your way to defending against even the most sophisticated email impersonation attacks – and strengthening your organization’s overall security posture in the process. 

 Jeremy Ventura is a senior security strategist at Mimecast, where he helps organizations understand their cyber risks and benchmark their security posture.