Teaching an Organization to Phish: Email Security Tactics


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

In this episode of The CyberPHIx, 25-year data security veteran Dan Reither explores email security strategies ranging from technical solutions and data loss prevention to widespread education of your workforce regarding social engineering threats. Dan is the Manager of Information Security for Health Partners Plans and Vice President of the ISC2 Philadelphia Chapter.

In a recent HIMSS study, 59 percent of organizations reported that email phishing was the initial point of data compromise, and 69 percent reported email as the source of incidents at hospitals. Dan provides valuable insight to healthcare security managers in “deputizing” the workforce and vendor network to prevent email security threats.

Listen as Dan and Brian Selfridge, ITRM Partner at Meditology Services discuss email security trends and best practices including:

  • A look at the evolution of email attacks from basic phishing to more sophisticated social engineering campaigns. As email security has gotten stronger, there is a shift from taking advantage of technical inefficiencies to more targeted social engineering.
  • A discussion of best practices for securing email platforms and incident response approaches to reduce damaging email attacks.
  • An evaluation of technical solutions to handle spam, including antivirus and data loss prevention tools. A primary technical solution includes email security and a phishing solution.
  • Acknowledgement of the success that malicious actors are having with email-based attacks.
  • Talking to vendors and employees and underscoring the importance of identifying and properly handling suspicious email activity.
  • Deputizing all employees as security team members on the front line in detecting and handling email attacks.

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:16] Welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. Each episode, we will be bringing you pertinent information from thought leaders in healthcare information security and privacy. In this episode, we are speaking with Dan Reither. Dan has over 25 years of healthcare information security experience in implementing security and technology solutions for provider and payer environments. Dan has a wide range of technical depth from security operations, architecture, threat intelligence, vulnerability management and much more. Dan currently serves as a manager of information security for Health Partners Plans and also as the vice president of the ISC Squared Philadelphia chapter. We're excited to speak to Dan today about securing against email-based cyber attacks ranging from malware to phishing and much more. We'll be getting Dan's input on some of the types of email attacks we have seen both past and present and then get into protection solutions and incident response approaches, specifically for email-based attacks. We would also like to hear from you. So if you have a specific topic or thought leader that you would like to hear from, just drop us a note at [email protected]; that's [email protected]. Now let's get to our interview.

Brian Selfridge: [00:01:43] This is Brian Selfridge, host of the CyberPHIx, the industry's leading podcast for information security and privacy, specifically for the healthcare industry. I'd like to welcome my guest, Dan Reither, who has over 25 years of healthcare information security experience in implementing security and technology solutions for provider and payer environments. And Dan currently serves as a manager of Information Security for Health Partners Plans and also is the vice president of the ISC Squared Philadelphia chapter. We will talk about how email attacks have evolved over the past several decades, as well as the current state of effective approaches for protecting against and responding to email-based attacks. Dan, thank you so much for joining us. Really excited to have you on the CyberPHIx.

Dan Reither: [00:02:22] Thank you, Brian. I'm glad to be here. Very much appreciate it.

Brian Selfridge: [00:02:25] Great. Well, we're going to talk all about email today, particularly securing email. And we'll start with some of the attacks that we're seeing and have seen in the past. And then we'll get into some ways to protect against those and respond to them. But email attacks, email cyber threats, have been around as long as email has in a lot of ways. Right. So let's talk a little bit about the history of email attacks. Either malware-based stuff or other sorts of phishing or other types of attacks. How have you seen email threats change over time? What did they look like in the past? And are we seeing the same attacks or have things changed and evolved from what you've seen?

Dan Reither: [00:03:02] Well, we're definitely seeing things change from taking advantage of technical inefficiencies to more of a social engineering, because we know that the technical controls have gotten better, although those hackers and malicious actors are definitely adjusting their techniques. We know that they are not only inefficient in some of their areas, they're also looking for the shortest avenue to get to their results. So they're preying on people's desires to help others and benefit themselves. We know that social engineering has been a big deal in the last decade or so. Back in, you know, 10, 15 years ago, it was all a matter of let me attach an anti or a malware or things like that to an email and deliver it, because the technical tools at that time were not as adept as they are now at catching all the different techniques.

Brian Selfridge: [00:03:53] So what type of protection mechanisms were we using back in the day when we were just getting those attachments, and the attacks were perhaps a little more consistent in their way of going about it? What types of protection mechanisms did we have then, and do those still work today?

Dan Reither: [00:04:13] Well, back in the day, it was primarily the email entry point, the end point or the workstation had AV on it, and it looked for what was an attachment base. Even the gateways had some limited functionality, which has gotten much better over the years, and it was still more of an attachment based. We see that the difference today, it's more of impersonation protection. URL based where malicious actors are sending you URLs that tie back to download, drive by, clicks, links and things like that for malicious software. And then also you still have attachments, but they're using them differently. So they're not using them to attach malicious software. What they're doing is they're using those to go out just like the URLs to pull down malicious software.

Brian Selfridge: [00:05:04] What are the latest flavors of attacks? I remember years ago it was like we would get an influx of you received a parking ticket, click here to open it or there was the your email inbox is full and click here to log in to fix it. Is it still the same types of attacks? What are the hot flavors of nasty emails today? 

Dan Reither: [00:05:27] Typically today they're still targeting some aspects of getting a benefit for doing very little reward, but much more of it is targeted. So instead of having a sense of the whole organization, it's targeted to a few areas where the reward, if they do click on the link or if they respond to it, are going to be more beneficial. So we see CEO and CFO and the financial areas that are very much targeted. But we also see some individuals in areas that are administrators targeted because if they're compromised, their accounts become compromised. It's an entryway for hackers to get into organizations.

Brian Selfridge: [00:06:06] Are we still seeing the Nigerian Prince conglomerates active? There's a surprising amount of those. There used to be a lot of Nigerian Princes and now they seem to have disappeared, or at least I haven't seen them much. Are those still out there, those attacks or anything like it? Wire me some money; I'm lost somewhere, those types of attacks.

Dan Reither: [00:06:26] They still happen, but they're very infrequent. Again, the majority of them are very targeted. The blanket ones that are like that are individuals who are new in the field. They may be testing what kind of response they're getting. A lot of the cases you will also see emails that are coming through with no subjects or a subject and no message body, because what they're doing is testing to see if accounts are active, to see if they get any kind of response back. So they may use a targeted spam slash campaign in that regard.

Brian Selfridge: [00:06:57] Let's talk about spam a little bit. Years ago, oh, gosh, almost 20 years ago, I used to work for the attorney general's office out of Pennsylvania tracking down spammers. And it was a big topic. We had the CAN-SPAM Act; California had just come out. Pennsylvania did its own version of that. And spam was sort of a dominant part of personal and professional life, unfortunately. Are we still not worried by spam anymore? I mean, is the traditional sort of marketing version of spam still effective, or is, quote unquote, spam email really just used as an attack vector more than anything these days versus marketing? What are you seeing in the world of spam today compared to where it used to be?

Dan Reither: [00:07:37] I definitely see a shift in spam maybe more targeted towards an older generation or a less technical group. And it is still out there. There are people still selling Viagra and other knock offs and things like that. But we realize that technical controls have really helped with spam. It would be nice if they helped with the phone calls. But within the email regard, we know that the technical gateways and things like that have definitely stepped up their capabilities. Spam doesn't trouble us a whole lot, because although we know that we haven't defeated it, it's still out there, there's still some that get through, the different vendors that have the products are constantly tweaking based on the volume. I can tell you, for instance, we have close to 50 percent of our emails that are spam based, and they're automatically dropped, so our employees don't even get a chance to see those.

Brian Selfridge: [00:08:30] You mentioned the generational attack target of perhaps those spam techniques are a little more effective to certain generational demographics. Has the workforce evolved in their level of awareness, either generationally or just in terms of all the awareness and training that's been done? Have you seen the general workforce improving the resiliency and decreasing the likelihood of clicking on stuff just again compared to where we were 10, 15 years ago? Is that part of it getting better from what you've seen, or is it just about the same? We hire new people and then all of a sudden they fall for it, and it's a vicious cycle all over again. 

Dan Reither: [00:09:10] Well, we have seen a change in the responses for email. Even when we go through and do our own phishing campaigns, we see that older individuals still have that desire to trust or think of things as not a serious threat. Through the campaigns and things like that and on our constant feedback, we've educated them. We see definitely a decline over our campaigns where individuals are more cautious. And I think newer individuals or younger workforce members are used to it. They're used to it; if something doesn't seem right, they're going to just delete it in most cases. What we've encouraged them to do is to report it, so that way we can also make sure that our controls are effective or make adjustments where we need to. So there are outliers in both areas as far as an older and younger generation, individuals that are technically savvy that have been around a long time, or individuals that are just getting into the workforce. In some cases we're seeing them to be more susceptible to a spam or an attempt at a phish. So those are the things that we keep in mind with our training program. Not only do we train individuals and do phishing campaigns on a routine basis, but we're also looking at the outliers. When individuals are new, how do we test them as early as possible to make sure that not only are they adept at identifying, but they're also reporting, they're also making sure that the feedback goes back into their practices. One of the things we also preach, primarily I've said it numerous times, is make it the same at home as it is in the office. And what will happen is you'll have a better employee overall, because they're going to be less affected personally and also professionally. We can see that that intelligence of what they're up against, so to speak, is definitely improved. And they're benefiting from it. They truly appreciate it.

Brian Selfridge: [00:11:04] Let's talk about phishing a little bit, and how that's changed and evolved. The frank fraudulent emails of the latter day were pretty straightforward. Click here, enter your credentials type stuff, impersonating common retailers and things like that. And then we've evolved into spearphishing, which is the base of the very targeted, very personalized fake email. How have you seen phishing attacks change over the years? And how have the bad guys learned to be more effective with that particular attack, as it seems to be a really prominent one. It seems like they're getting better at it, rather than it sort of going away? Is that what you're seeing or how have you seen it evolve? 

Dan Reither: [00:11:51] Well, typically, as individuals are growing up and going to school, there's not a whole lot of individuals who like doing the homework. But we were finding in the way of phishing campaigns, individuals definitely are doing their homework. They are doing the, as you said, spearphishing. They're doing whaling. They're looking for very big targets. And they're also making sure that the information that they provide in their emails and any of their campaigns is very specific. We see the H.R. type of phishing campaigns. Somebody needs something adjusted very quickly. We've seen financial, where they needed to have money moved or requested to have money moved to different areas. And the important part, again, is going back to the training of your employees. If it doesn't seem right, go with your gut as far as questioning it, not go with your gut and start processing it if it doesn't seem right. It's a matter of the phishing campaigns, the individuals that are doing the attacks, they're not blanketing. Like I said before, they're not blanketing everyone in most cases. They're actually targeting specific areas, and they've gotten really good at doing their homework, not only using places like Facebook and LinkedIn, but also using other areas with pictures and different aspects of family life. We're seeing it, in some cases, even more with the personal, where they're trying to not only attack the person at work, but also at home, where they're looking for an in into that person's life with some what may seem private details that may have been shared.

Brian Selfridge: [00:13:23] So the cybersecurity market of security solutions is certainly well aware of the prominence of email attacks, malware attacks, phishing attacks and the rest, and as a result, of course, you know, like every other cyber security area we have, there's just loads of potential technical approaches, solutions, tools, products out there on the market, all of which say they will slice your bread for you and make your life wonderful. For our listeners trying to navigate how to prioritize their limited time and budget, which is probably everybody, can you help us hone in on what types of solutions, what types of software security tools and products and processes actually work? What have you found the most bang for the buck? 

Dan Reither: [00:14:13] Well, it's interesting that you say that because some will promise not only to slice your bread, but also toast it and then butter it. So it's important to make sure you validate what the controls are that are being recommended. Secure e-mail gateways have a lot of different capabilities, definitely looking at the offerings of what it provides. You can't just go out and have a dictionary set up. It becomes more than that. Or their impersonation, is it close to matching of a domain name? Not just the technical aspects, again, of a URL, you know, was it stood up recently, but also when you're getting into the DLP portions of it, it can be very challenging because you have a lot of false positives. You have got to spend the time out there. And I think it is a multilayered solution. We talk about defense in depth in security. You still need to validate who you're sending information to. You still need to make sure that there are technical controls to encrypt the emails in transit. But you also need to make sure that your staff keeps in mind, well, what are they sending? Is it PHI? Is it PII? Is it PCI related? So if you have your healthcare-related, your personal information or your financial related emails, are they taking the controls into consideration? So instead of letting the technical do it, they may need to put a word in the subject to have that encrypted. We also see the importance of trying to limit the number of tools you have, although it's great to have endpoint protection, advanced threat protection on your endpoint. You still need something in the gateway area as far as your emails that are coming in. Phishing is interesting in the sense that it's not always easily detected by a technical tool. So it has to do with the human portion of it. So the better that the tools get, we're not going to say that individuals have to think less because we still want them truly engaged.

Brian Selfridge: [00:16:08] So I'm going to put you on the spot. Let's say you've got a very small budget, hypothetically, and you can only buy one solution this year or you can only upgrade to the next latest and greatest, maybe that's a better way to put it. So you're either going to go out and get the new Gateway product, or you're going to get the new DLP thing or the new phishing tool and awareness or new endpoint protection. What's the one thing you think that really gets you the most value if you had to choose sort of one layer in the onion to fortify? 

Dan Reither: [00:16:40] Well, I'd definitely say it's going to be on the Gateway side of it, although I like to have faith in people, I look at the technical aspect of it, and it probably has a little bit more of a safeguard to it. Phishing is ideal. If you can get a tool that would have the technical safeguard in the Gateway and then also do the phishing aspect for campaigns and educate people, that would be ideal. But if you had to pick one or the other, there's always a new scam coming up. There's always a new way to fool a human. Computers, it takes a little bit more level of detail or level of experience to be able to get past the technical, although we have a lot of threat actors that are out there and some of them are very clever. There's also a lot of individuals that are just doing the social engineering aspect, and they don't always have to be right every single time. Keep in mind, they only have to be right once.

Brian Selfridge: [00:17:32] How about data loss prevention? So same deal, email has been around forever, email attacks have been around forever, as have attachments with sensitive patient information and other data sort of going out the door and flittering out. I know years ago, we had tools that were sort of keyword based, looking for patient identifiers, diagnoses, Social Security numbers, credit card numbers, those types of things, and just trying to flag those and block those. What's the email data loss space look like now? Is it the same types of protections? Have they gotten better, or are there different types of algorithms out there that are trying to keep data from leaving the network? What's that look like these days?

Dan Reither: [00:18:14] Well, some of the old controls are still in there. You still have data dictionaries that are looking for keywords, but you also have the capability of end users selecting areas for tools. So, for example, they have large files that they're sending. There's tools that are out there to make sure that they're encrypting them, that the person on the opposite end that's receiving it still has to go through some kind of validation that may be very basic or could be very detailed. So it is important where you can to have encryption, but by default forced, but we realize that the user still needs to be involved. There still needs to be some accountability, especially when you're dealing with a new party that's external. You're dealing with a party that you've dealt with before. You know what kind of information is going back and forth. And you can trust to a level, but you still have to validate that what you're sending is securely protected.

Dan Reither: [00:19:09] DLP is also interesting because it's not just data being sent out by end users that we look at. It's a matter of exfiltration of data. Some of the better or newer tools we'll say, like, for example, the cloud access security brokers, the CASBs, do have the capability of doing exact matching for PII based or PHI based. And there's concerns about, well, what about my data being out for that solution, especially if it's cloud based. And what they're doing today is they're actually hashing that data locally and then storing the hash in the cloud solution. So what will end up happening is, as that information is being transmitted by, say, a workforce member, they're sending PHI or PII out, the tool actually hashes that data before it fully makes it out of the organization, out of its control, and it'll compare it. And if it has a pattern match, what we would traditionally think is pattern match, in this case, it's a true exact match. I see more tools going that route in the future, not just for email, but definitely for areas of web access, file transfers and things like that.

Brian Selfridge: [00:20:23] You bring up a great point about the cloud solutions sort of bringing DLP to the table, inclusive of other functionality that they're providing. I know Microsoft, Office 365 now is baking in some data loss prevention functionality sort of with the email product itself. And it no longer seems to be you need a point solution that just does email DLP. That's sort of what I observed with a handful of products, are you seeing that being sort of a trend where the DLP, or maybe security more broadly, becomes baked into core products rather than something that the security person needs to go buy and bolt on and wrap around? Are you seeing that type of consolidation happening as well? 

Dan Reither: [00:21:09] Absolutely. Without a doubt. Microsoft. I mean, the Azure Sentinel move for the SIEM side of things. There's functionality that can be utilized for DLP. Of course, after the horse is out of the gate, it's way too late to go through or do the preventative side of it. There's a follow up aspect of it. So it's much better to have a DLP function in whatever the tool is or whatever the technique that you're utilizing that's sending data from internal and external. But I definitely see it being integrated. The challenge for DLP really is how do you set up consistent policies across all of your tools? Because they're not all on a level set where they all have the same functionality. So it's, again, a matter of knowing what information's in your organization, and where it's going to and how it should go there securely, and what mechanisms are out there. How is it being transmitted? Do those tools have DLP functionality? Are you mapping out the functionality and then trying to level set against the rules or what your expectations are for blocking data loss or identifying it?

Brian Selfridge: [00:22:22] What does the process flow look like for the security team in terms of, are you monitoring email DLP-based events and having to look for anomalies and, oops, somebody sent 5000 records out in an attachment somewhere? Do you have those types of manual processes of somebody following up and chasing things to ground? Or is it more just the tools can do their thing and encrypt where necessary, and you can have the faith that they're going to catch what needs to be caught?

Dan Reither: [00:22:53] You definitely need a level of engagement beyond just setting up the tools and letting it go, because not every single scenario is going to be caught by a set of rules that you have in place. And things do need to be followed up, because you definitely get false positives. And you could also get items that are happening in the environment that you're not aware of until you do the research. So we have eyes on what's going on, both internal to external, external to internal, and then also laterally. We're looking to see what type of data is being transmitted, so that not only do we have a sense of awareness of what's going on, but we also have an action plan that's set up if there's something that needs to be investigated further or followed up on, and how it would need to be handled in a case where it needs to be escalated.

Brian Selfridge: [00:23:42] So we've talked about the phishing attacks and the phishing, the whaling, the all these creative ways that the attacks are coming in. Do you see any particular types of tools and solutions on the technical side working better than others in terms of not only blocking, phishing attacks at the gateway level, but the sort of education, awareness and training aspect of that? What types of products do you see? You can name names or not, it doesn't matter, but what types of solutions do you find to be particularly impactful with actually detecting, preventing, responding to phishing attacks? 

Dan Reither: [00:24:20] In most cases, the phishing tools I'm thinking of when you were mentioning this are more in the way of doing your own campaign and your employee education. We talk about hacking the human concept and looking for areas where they are susceptible. We'll run campaigns based on what's currently going on in the organization because that's what's on people's minds. We may have done one not too long ago or sometime in the past regarding fire drills because we had a fire drill, and if you update the plan after a fire drill, people might think, well, they're taking an active response regarding the fire plan, we need to go through it and look at that. But they also need to look at the indicators of what's going on in the email. Is that typically coming from the same area where the other communications are coming from or are there anomalies that they should be looking at? So, again, the tools are great. The Wombats and the PhishMe and all those different solutions, they're all striving for the same area of market. And I think it's a lot of times neck and neck. There's some areas where one might capitalize better than another. So if individuals are doing their diligence, they're going to look at all of them. They're going to look and see what fits in their environment.

Dan Reither: [00:25:35] But again, the human aspect is what we're targeting. So the human aspect has to come into it in what they're planning on. Is it fitting to your environment? Is it fitting to what is being heard in the news? And how are you providing feedback? Because it's not just testing your employees, it's not just doing a phishing campaign, it's a matter of what kind of feedback you're getting. If they report something and it's an attempt, not just your phishing campaign, are you providing them the details of, hey, great job of reporting this? Or if it's something where they're reporting it and they're not sure why, are you giving them the additional comfort that although, yes, you think it was a phish, here's the reason why it's a phish. Because, again, you can give a man a fish and feed him for the day. You can teach him how to fish. So in this case, we're teaching him how to anti-phish.

Brian Selfridge: [00:26:25] I was going to say, don't teach him how to phish. That's always the security thing is, I'm teaching you this, but don't do it.  

Dan Reither: [00:26:34] We're teaching our internal security individuals how to phish, but we're teaching our employees how to be on guard against the phish.

Brian Selfridge: [00:26:44] So in what ways are you teaching the organization? Is it through a combination of onboarding, annual education, you mentioned phishing simulations and some of that on-the-spot type education? Do you hit it on all fronts or do you really focus on just using the tool, the simulation tool, as your primary educational mechanism? How do you get the word out? 

Dan Reither: [00:27:06] So the answer is yes, it's going to be what works best in each company's environment. Sometimes you've got to go outside of what's expected. So we definitely do it for onboarding. We do it for annual training. We do it for individuals who have been here for long periods of time. They're all included in how we do our phishing simulations. We do monthly campaigns. We'll actually go through and also do an annual security-based overall for Security Awareness Month. But what we'll do is we'll actually have special setups so that way when individuals come through, they look at all the other security things we're educating them on. We're pointing out certain things, we're asking them for what's their experience, have they been caught by a phish from our organization or phishing campaign, or have they been caught externally? And it ties into other areas of cybersecurity. You talk to individuals personally about how they've been educated about credit card theft. But, what's going on definitely heightens an individual's senses. So you have to take advantage of it.

Dan Reither: [00:28:16] And we'll also get games out of it. Individuals who are reporting the true phishes that come in, because not everything catches every single phish that comes in. When they're reporting it, what we're doing is we're providing also a leaderboard, the fact that individuals are being engaged. We'll also give them some swag. So that way they have the option of picking something, and it also is a reminder to them and they may mention it to other individuals. It may be a small trinket, but it might also be something that they can definitely utilize. One other area, before I forget, some of the training needs to be more pointed or higher impact. So I definitely believe in the stick and the carrot. I would prefer to go with the carrot side of things and the positive feedback. But there are times if individuals are having a challenge with it, you might have to limit your liability. We've already gone through and limited individuals' internet access based on them being susceptible to phishing campaigns. We realize that it's important to the organization. It needs to be important to the employee. And sometimes, it requires a one-on-one session for education and driving home the points of when in doubt, report it. It's always your best answer if you're not sure.

Brian Selfridge: [00:29:39] I've got small kids, this reminds me of like if you can't use it responsibly, I'm taking it away. That's an interesting gray area or at least a more in-between compared to what I've seen culturally out of organizations. It's either, we're going to educate, educate, educate, even for repeat offenders, and we're never going to fire anybody. That's for a lot of healthcare organizations. Or some that say two strikes and you're out, you fall for the phish, and you're out of here. I think it's nice to hear there's some in-between there.

Dan Reither: [00:30:11] Yeah. I'm not an extremist. I don't believe in the extreme either way because people are different and techniques are different. But is it important to have that engagement?

Brian Selfridge: [00:30:22] So let's talk a little bit about what happens after the phish has been successful. So as much as we've done everything we can, we put tools, we put gateways, we put alerts. We've educated. But there still seems to be that person that clicks and provides and goes through the process. It's like you get to these like 98 percent success rates in anti-phishing campaigns. There's still that two percent, right, which sometimes for organizations, that can be quite a few people. Can you tell us a little bit about how you then engage incident response? What does it look like to then go forward? What are some of the steps you take to put out the fire, so to speak?

Dan Reither: [00:31:03] Well, responding to an email-based attack is very similar to if somebody is doing a browsing to a website, and they're clicking on a link and it's trying to download malicious software. So typically your identification is from the endpoint, it may be from the user if things are not working the way they should be, things going awry. It also could be from a technical tool that says, hey, there's something trying to execute on this workstation that could be from our threat intelligence, from our firewall or even could individuals will say seem as dead. But the reality of it is it's definitely alive and healthy. It's tying back into individual's editors. So the importance of it is keeping your ear to the ground, making sure that you have an open forum for individuals to communicate when there's something happening, and being diligent about following up. Because if an item is reported, it may seem benign, but in many cases that's how it starts. We talk about people being groomed over time, where there's an email that has nothing out there in the way of a threat, but it might be the first part of the attack where they're trying to get recon. So, again, when you find that there's something that's happening, when it seems like there may be smoke, it's the importance of having your engagement too. An area of it is not just your security team, not just your helpdesk, but your engineers, your networking individuals, your server individuals. They ought to be cognizant of what may be going on and loop the other teams in. So most companies will have even a loose-based incident response team. They still need to communicate. It's not a matter of back in the days where people could be siloed and do their job and communicate very little with other areas. So we see it's very important to have that communication and be very prompt in taking action.

Brian Selfridge: [00:33:01] How about large-scale attacks where it's not just one email's gotten through to one individual and then clicked it, and you're going to chase that down? Have you had situations where you've had just large volumes of the same attack getting through the gateway, getting down to end-users? Do you ever have to go to the route of doing sort of organization-wide communication and on the spot to say, hey, we've got this attack, heads up? Do you see that much anymore, or is it more still onesie-twosies type stuff?

Dan Reither: [00:33:30] I think it's still more targeted. We've had communication areas where we definitely need to make sure all members of the team were aware. We've also gone through and seen that threat intelligence is vital because we see campaigns in other sectors or other organizations, and we need to be cognizant of it. So we'll go back and do the research to make sure that those IPs where the emails were sourced, or those domains, was there anything sent to our environment? So it may not be an indicator that we have had something happen. It's more of a validation that we haven't and making sure that the blocking does occur so that we're limiting the potential risk. And we know that those things change daily, if not hourly, where individuals are using different domains. In many cases, they're compromising publicly well-known organizations, utilizing their email to be able to send off their campaigns. In most cases, it's a matter of being, again, proactive, being diligent in making sure individuals are educated.

Dan Reither: [00:34:33] There are certain things that you do because you know it's good practice, and TLS is good practice. Again, we talked a little bit about the engagement of the employees as far as if you're sending files that have those kinds of details, making sure that that information is encrypted. They may use TLS, they may use another format, it all depends on what's being sent, who it's being sent to, why it's being sent. Keep in mind, I mean, what are the primaries of some of the standards of your encryption, not only when it's being transmitted, but also when it's being used and when it's at rest. In use is very difficult, but at rest and in transmission, those are definitely areas that need to be capitalized on.

Brian Selfridge: [00:35:19] Dan, I have really appreciated your insights here. Do you have any closing words of wisdom or points that you think our listeners should be aware of as they're building their email protection schemes going forward over the next several years? Are there any technologies to watch out for or any sort of kernels of wisdom that you think we should have on our radar?  

Dan Reither: [00:35:39] Just the reminder, business email compromise is huge, and the reason why is because it's successful. Be diligent about the technical controls. If you're not sure, verify. Make sure that you talk to the vendors, make sure that you talk to individuals about the functionality. But also, have the engagement of your employees. We've talked about it over the years that individuals that are not in security should be deputized by security. What that means is that they have a security mindset, not just when they're in the office, but when they're at home. The easier it is for them to do it throughout their whole day, throughout their whole life, whether it's at home or at work, those are the things that they're going to make it easier for them to do at work. They're going to see the value of it. So make sure that you're engaged, you're reciprocating. When there's feedback coming from them, you're listening and you're taking action. We're all trying to get our jobs done and trying to get the work done. But we're also looking at it from the perspective of we need to secure the information. We know that there's many malicious actors, whether they're lone wolves or state actors, we realize that there are different levels of complexity, but the more diligent we are, the more we can limit or mitigate the risk that's to our environment through business email compromise.

Brian Selfridge: [00:37:01] Well put and well said. Well, Dan, thank you so much for taking the time to join us today. It's been a fantastic conversation. We learned a ton. I learned a ton, at least anyway, and hopefully our listeners have as well. I really appreciate you taking the time out of your busy schedule to join us and sharing these great insights with us. 

Dan Reither: [00:37:16] Thank you, Brian. It's been a pleasure. Very much appreciated.

Brian Selfridge: [00:37:28] Again, I would like to thank our guest, Dan Reither. I very much appreciated Dan's insights on getting a handle on email-based attacks and protection mechanisms. These attacks have evolved quite a bit over the years, but the industry seems to be reacting well with coming up with some novel ways of educating, preventing, and responding to email-based threats.

Brian Selfridge: [00:37:45] As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you would like to hear about or a thought leader you'd like to hear from. Our email address is CyberPHI[email protected]. I would also like to send a quick thanks to the band Steady State for providing our new CyberPHIx theme music. You can check them out at www.steadystateband.com. Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for the next session coming up soon.