How Do You Protect Users from Themselves?

As they seek to distribute ransomware and other malware, or to gain access to sensitive information and systems, cyber criminals have long been able to count on a huge community of allies: unwitting users. Despite the well-known risks associated with weaponized emails, some percentage of users will inevitably click on unfamiliar URLs in email messages or open email attachments that they shouldn’t.

Moreover, these users often click on suspicious links hidden within attachments, which look harmless, but open up phishing pages or websites hosting malware. Attackers use these complex threats to bypass detection, since many traditional email security solutions fail to stop them.

To counter these user-enabled email threats, Symantec developed our Email Threat Isolation (ETI) technology. Initially designed to protect users who inadvertently clicked on malicious links, we’re excited to announce that our ETI solution can now protect users from potentially malware-laden email attachments. This expanded protection is proving critical because attackers have started to favor email attachments as an infection vehicle, and while Symantec already blocks malicious attachments, there can be malicious content or links within attachments that evade detection.

This shift isn’t surprising, given that dangerous attachments can be relatively hard to identify. Rather than distributing easy-to-spot executables, attackers can hide scripts and other malware within innocuous files. To this end, attackers are increasingly inserting malware within Microsoft Office files, with the malware activated when users enable macros or open PDFs.

In fact, Microsoft Office files accounted for nearly half (48%) of all malicious email attachments in 2018, up from just 5% of all such attachments in 2017. No surprise then that our telemetry shows Microsoft Office users are the most at risk of falling victim to email-based malware.

To protect users and their organizations from risky email attachments, our ETI technology renders these attachments in web sessions, which are executed in a secure and disposable container. This is essentially the same approach that we use when dealing with embedded URLs – by virtualizing browsers in a container where we can safely execute links or attachments. This isolation approach allows us to identify and block any dangerous content, passing along only safely rendered content to users.

In addition, ETI technology isolates all suspicious links hidden in email attachments, since these documents are executed in a secure web container that contains all malicious activity. As a result, embedded links that lead to phishing sites or webpages hosting malware cannot trick users into handing over their credentials or accidentally downloading ransomware.

At the same time, ETI technology doesn’t impact users, as opening up attachments and clicking on links within this environment is performed seamlessly. All of this is done without blocking the entire email or making any modifications to the original attachment. Thus, Symantec is the first and only vendor in the email security industry to prevent suspicious links within email attachments without compromising the user experience.

Broad deployment of our ETI technology could all but eliminate the risks associated with malicious links and attachments. That would have a huge impact across the cyber security landscape because of cyber criminals’ heavy reliance on email to distribute malicious payloads of all types.

This is certainly true for ransomware attacks. According to the Symantec's 2019 Internet Security Threat Report, email campaigns that used spear phishing and other methods to ensnare victims became the primary method of distributing ransomware last year.

Identifying and countering these ransomware attacks has become particularly important for enterprises. While overall ransomware infections were down 20% in 2018 compared to 2017, enterprise infections were up by 12% and accounted for 81% of all ransomware infections last year.

When examining the success of email-based exploits – ransomware or other – it isn’t fair to simply blame unthinking and careless users. Cyber criminals now use sophisticated social engineering techniques and other methods that can sometimes fool even cautious recipients into believing that malicious emails are safe and legitimate.

That’s why it’s so important to go beyond simply educating users about safe email practices. It’s also necessary to implement defenses against the inevitable slips. To that end, we’ve made it simple for organizations to deploy our ETI technology, offering it as either an add-on to the Symantec Email Security solution or as a standalone service, to add a critical layer of protection to third-party email security solutions.

However it’s deployed, our enhanced ETI offering now serves as a critical component of the comprehensive Symantec Integrated Cyber Defense platform. It complements our Web Isolation technology, our Mirror Gateway, and our full portfolio of industry-leading cyber defense products and services.

To learn more, read our Email Threat Isolation Solution Brief or contact your local Symantec sales representative.