The Audit - Cybersecurity Podcast

Inside Email Security: Phishing, Hackers, and Harmony Checkpoint

IT Audit Labs Season 1 Episode 87


Most organizations think they're protected. They're not. Microsoft Defender sounds solid on paper — but in the real world, it's letting phishing, malware, and business email compromise walk right through the door. In this episode of The Audit, the crew pulls back the curtain on one of the most exploited attack surfaces in any organization: email. 

Co-hosts Joshua Schmidt, Eric Brown, and Nick Mellem are joined by IT Audit Labs' own Cameron Birkland — fresh off three first-place CTF wins in Vegas — for a live walkthrough of Check Point Harmony Email, a tool that plugs directly into your Microsoft 365 environment and shows you exactly what your current setup is missing. 

🎯 What you'll learn in this episode: 

  • Why out-of-the-box Microsoft Defender consistently fails against advanced phishing and BEC attacks — and what "good" email security actually looks like 
  • How Check Point Harmony uses machine learning and contextual AI analysis (not just signature matching) to catch threats that bypass traditional filters 
  • How threat actors silently set up forwarding rules and inbox monitoring to loot data for weeks — without triggering a single alert 
  • IT Audit Labs' new "14 plus one" email security assessment — a 14-day live scan of your Microsoft 365 environment with a full debrief, no disruption required 
  • A live demo of the Harmony dashboard: phishing reports, geo-anomaly detection, OneDrive malware scanning, and DLP for exposed sharing links 

Whether you're securing a 50-person company or advising a 5,000-user enterprise, this episode gives you the practitioner-level insight to finally close the gap in your email defenses. 

Don't wait until your organization is the next headline. Subscribe for weekly cybersecurity insights from the practitioners actually doing the work. Like, share, and leave us a review on Apple Podcasts if this episode hit home. 

#emailsecurity #cybersecurity #phishing #businessemailcompromise #Microsoft365 #infosec #checkpoint #harmonyemail 

Cold Open On Hidden Risk

Nick Mellem

To most of these people that are using it, they're blind to it, right? Because they don't, I wouldn't think they would know what a good offering is. Let's say that, right? Like they get something in the door, they don't know what they're missing.

Joshua Schmidt

You're listening to The Audit, presented by IT Audit Labs. I'm your host, co-host, Joshua Schmidt. And today we're joined by Cameron Birkland, IT Audit Labs member, and the usual suspects, Nick Mellem and Eric Brown. How are you gents doing today? Good. Great. We're hanging in there. Coming off of a win streak here. Yeah, I heard you did well down in Vegas at the CTF.

Cameron Birkland

Yeah, as part of the conference. They do a few capture the flags throughout the day, every day, and I made sure to hit every single one of them, at least every one that I could. And yeah, managed to snag a few first place wins. I know.

Nick Mellem

Cam, give yourself a little more credit. Was it three or four?

Cameron Birkland

It was, so I did go four times. I got three first place wins. Then he got paid too.

Joshua Schmidt

He got some paper out of that. Yeah, did you go to the craps table after that? Did Eric talk you into spending that money? If only they gave me cash.

Cameron Birkland

No, it was... heard you were Kenny Rogers down there. Yeah, you know, I managed to play a little bit here and there. I mean, when you're in Las Vegas, you gotta try a little at least.

Eric Brown

They say that when you're in Las Vegas, stuff stays in Las Vegas. Not on this podcast. Not on this podcast. I was just gonna... we're changing the icebreaker. Cam, you know, I don't want to call him out, but I will. He had a little outing after his winnings. He had a little outing to an adult-themed venue. I don't want to say that.

Cameron Birkland

If I know what you're talking about, you were there too.

Why Email Is Still Exposed

Eric Brown

Okay. All right. You know, to clear the air, Josh, the place that Cam and I frequented, one we went to once, it's called Tap and Ash, and it is a cigar lounge.

Joshua Schmidt

Well, speaking about risk, you know, we got people out there that don't know much about one of the biggest risk vectors in any organization. It's one of the most exploited attack surfaces. We're here today to talk about email security. And Cameron, we roped him in because he deals a lot with that. We also have some things in the works here at IT Audit Labs. Maybe, Eric, could you share what we have going on here, what you're comfortable sharing today?

Eric Brown

Sure. Yeah, this one has been really the bane of our existence for quite some time as we work with a variety of organizations. It seems that email security is really problematic and it just becomes more so. And unfortunately, many organizations are underprotected because they're using the default out-of-the-box security that comes with Microsoft, and the product is just awful, and it lets through a ton of phishing and malware and business email compromise. So we've been hard at work here with a variety of solutions. Two that we really like are Proofpoint and Abnormal, but those are really, they're kind of stuck in the enterprise space for 250 users or larger from a price point perspective. They have not figured out a way to come in at a lower market. Recently, Proofpoint bought a company called Hornet Security in an attempt to enter into the low market space, but we tested that product out a couple of weeks ago and it was terrible. So I certainly couldn't... they slapped their name on it real quick. And we were working with an organization that was trialing it, and they're like, yeah, we got Proofpoint. It's like, oh, you only have 60 users. How are you getting Proofpoint? And it turns out that they were using this Hornet Security. And so we did a side-by-side comparison with a product that we're gonna talk about here today, and we're gonna show you some live examples of it. But yeah, it was letting through quite a bit of things. So unfortunately, I think, hopefully Proofpoint will clean it up, but as it is right now, not good.

Nick Mellem

To add to what Eric was already saying, you know, he squeezed the tomato pretty good. But I think there was always this space in the market because we would always struggle, like Eric said, with smaller organizations, doesn't matter the size, that there was never really a good offering, right? And to most of these people that are using it, they're blind to it, right? Because they don't, I wouldn't think they would know what a good offering is. Let's say that, right? Like they get something in the door, they don't know what they're missing, right? So maybe we come in, we show them Check Point here that we're gonna see, and you put them together, you know, with something else that's not as good, right? And you see how much more this is catching. So I think the market's probably hungry for something like this, that, let's say, the smaller business is the more common, right? Most people, or organizations, unless you're very big, can't afford Proofpoint, right? It's an expensive tool. Is it the best? Probably, right? Is it worth it? Yeah, probably. No doubt about that. But you know, I think you'll see here in this, let's say, demo how good this is, especially for the price, right? And I think it probably exceeds its value in the price. Yeah. But I'll leave it at that and we'll get into more as we go.

Eric Brown

And I'll just jump in and say that this product works in conjunction with Office 365. Now, you don't have to have... if you're an Office 365 user and you have an E35 license, it comes with some form of email security. And you can see how the product performs in conjunction with it. As you'll see here when we show it, it's showing the ones that are stopped by Office 365 and then the ones that make it through that it stops. And there's no product that's perfect, right? You know, we talk about Proofpoint, we talk about Abnormal. And I've been in environments before where they are both running. Running Proofpoint has a SEG, or a secure email gateway. So think of it as an email firewall, and then it passes through that firewall into the Office 365 repository, so to speak, and it's filtered there by Office 365, and you can use another tool like Abnormal or Check Point Harmony. The way these tools work is it plugs into that repository and it's looking at email at the same time that it's being delivered to the user's inbox, which is an interesting concept. And the nice thing about it is it only takes a couple of minutes to set up, where with an email gateway, you've got to change the way in which email is delivered and flows into your organization, so it hits that email firewall first. With what we're talking about here today, it essentially plugs into your email data store and is looking at the email in real time and making a decision on whether or not to quarantine it, deliver it, or just mark it as spam, or what have you.

Joshua Schmidt

Great. Well, Cameron, you spend a lot of time in organizational inboxes. What do you see as maybe one of the biggest misconceptions these organizations have about email security?

Cameron Birkland

Yeah. Well, one of the biggest actually is that they have email security, right? Microsoft offers email security out of the box. They have Defender. It sounds pretty good, it sounds pretty cool, but the product is not all there. Microsoft isn't incentivized to make a good email security product, right? They would want you to pay more for a better product. The way that I've seen it is, what Microsoft does is they get you on the platform and then they sell security to you. Right. In order to be the most secure, you have to bump up your license, you have to pay for the E5, you have to pay for the Exchange add-on, this and that. That's kind of their operation. So what you get out of the box with Defender security is pretty basic. It'll stop the most obvious business email compromise and phishing attacks. But anything that's even slightly advanced gets right through.

Joshua Schmidt

And Harmony isn't just scanning email, correct? It's connecting to other parts of your organization as well.

The 14 Plus One Demo Offer

Cameron Birkland

That's correct. Because phishing and malware can happen in many different areas of your Office 365 environment. And Harmony is, I would call it, a comprehensive security solution across your email, OneDrive, SharePoint, Teams, you know, collaborating through Teams. Harmony offers phishing, malware, data loss prevention for all these different products across the Office 365 ecosystem.

Eric Brown

So, Josh, we're coming out with a new offering here for the month of May. We're calling it 14 plus one. The idea is that we can run this as a demo in your environment. It takes about 15 minutes to hook up because it's just plugging into the email store and looking at email from a read-only perspective and making decisions on the email. It runs for 14 days, and at the end of that, we'll get a report to walk through with the organization to show them what it caught, what it didn't catch. And the 14 plus one is, it runs for 14 days. The plus one is an hour: about 30 minutes to set up, about 30 minutes to show you the report. So it takes about an hour of the organization's time with their IT administrator to get it hooked up. It runs for 14 days, and at the end of it, you'll get a better idea of email security in your environment. Hopefully, whatever tool you have is doing great. It's probably not, unless you're using this tool or the other two that we talked about. It's probably going to find some things. And the other thing that I like that we'll show too is if you've exposed links inadvertently in your organization, or maybe you did it intentionally, there could be times where the link doesn't have an expiration. So you share a file, right? Like I share a file with Nick and I didn't set an expiration on that file. Well, that file just remains exposed in perpetuity until it's deleted or the permissions are changed on it. So we typically recommend, if you're going to share files, to set an expiration on them so they're not just lingering out there forever, and that you don't expose them to the general public, right? You wouldn't want it to be open so that anybody with the link can view the file.
You'd want to have named users, or if you're sharing to your organization, at least anyone who has your organization's email, but just anyone who gets the link could access that and view the file if you don't get more restrictive with the permissions. And where you get restrictive with those permissions is when you're sending the file; you have choices to make when you send that out. Email checkup, the DLP piece that Cam was talking about, the data loss prevention, will show that when we go through the reporting. But Cam, it looks like you've got it up here on the screen.

Cameron Birkland

Yeah. So we've got our, let's just call it a sample environment here, with a little bit of data to look through. So this is the Harmony dashboard, right? This is kind of your at-a-glance look at what Harmony's doing, what it's seeing. One of the interesting things that Harmony does that we haven't mentioned yet is business email compromise. That's part of this login events map here. You'll notice that we see some logins from some interesting areas, the other side of the world. We'd have some questions about why people are logging in from there, right? If most of our users are based in the United States. And when Harmony observes that, it can shut that account down, right? Like it uses machine learning to kind of get a baseline of what looks normal. And then if it sees something like this, like this little icon in red here, like that looks off, it'll shut down that account until somebody can take action.

Joshua Schmidt

Do you find a lot of organizations that even have email security in place are missing things?

Cameron Birkland

Yeah, many of them won't. Because from an outsider's perspective, the built-in email security seems fine. Right? Like if it's doing what it's supposed to do, it's email security. Most people would think, yeah, that's, you know, it's email security, it'll do what it does. But what Harmony does is it works alongside it. It has an API connection into your Microsoft tenant, it scans through your incoming emails, and without taking action on anything, so it's not going to actually break anything when it first goes in there, it'll be able to say: if Harmony was active, it would have identified this message as phishing, for example. Or it would have caught this malware in your OneDrive, or it would have taken action on this sensitive file that has an anonymous sharing link. These are all the things that it can say it would have done if it was active. So over those 14 days we get a pretty good view into what is being missed in the environment across Office 365.

Joshua Schmidt

And how does that show up in there? And then what do you do with that information?

Cameron Birkland

So I don't have all of the items on this dashboard here, but let's take, for example, the malware piece. There were five malware events and three are pending. When Harmony is in a sort of detect mode, events that it sees will show up as pending. If I click on there, we can go in there. These are malware detected in OneDrive.

unknown

Right?

Cameron Birkland

So if I click on the event here, it's actually in my OneDrive. The reason is because this is a template for a phishing email, so it makes sense that this would have caught it. So Check Point was scanning through here and it saw this template. It's obviously phishing, right? Like it's an attempt to get somebody to click on a link. So it's saying it's a pending event because Microsoft wouldn't have done anything about it, but if Check Point was on, it would have quarantined this file. Right. And the same goes for emails.

Eric Brown

And the way the modern tools like Harmony here work is that they're actually looking at some of the context in the email. It used to just be all signature-based, where, oh, did the hash match a malicious hash? Okay, it's, you know, it's like a signature-based antivirus. Oh, it's okay, okay, it's bad. But nowadays it's actually looking at the context in the email, of what the body of the email is trying to achieve. And you might get some emails that are deemed phishing or business email compromise that don't actually have a payload in them, but they are trying to socially engineer the user to do something. So as they get more sophisticated, the defensive tools like Harmony here have to change the way in which they work in order to stay on top of it.

Joshua Schmidt

Should we dive back into some of the functionality here, Cameron?

Cameron Birkland

Yeah. Yeah, I think we want to talk a little more about business email compromise. That's kind of the, let's say, post-exploitation component to email security. So what most threat actors are intending to do is compromise your user accounts, right? What we see a lot these days is a threat actor will purchase a phishing kit that they can use to compromise an organization, then they'll use a legitimate mailbox within that organization to send out emails to another, and it's kind of an ongoing chain where they're hopping from one organization to the next, looking for valuable data, grabbing whatever they can, and just kind of running amok. In fact, this week alone, we've seen probably over a hundred phishing emails come in from compromised third parties. And this is because those third parties probably didn't have visibility into the situation. They may not have had proper email security in place. Ultimately, what it comes down to is they were compromised. And those phishing emails coming in from a legitimate mailbox add an air of legitimacy as far as the end user is concerned. When somebody gets an email from somebody they may have emailed a few months ago and they say, hey, I have an invoice for you, they'll be like, okay. And they open it up, click through, they've got to download this file, double-click on it, they're compromised. So that's where this business email compromise component comes in. As we said earlier, no tool is perfect. I believe that Harmony can stop a lot of attacks, but in the event that it lets one through, the business email compromise protection helps you identify that. Take for example, we see unusual geo activity, right? This user logged in for the first time from the United Kingdom. If this user were usually logging in from the United States and they had no known travel, that would be a situation where Harmony would shut that down right away. Same for China, right? Like we had a user log in from China for the first time. That's an indicator that maybe the account is compromised, and Harmony would shut that down.

Eric Brown

How would it know, Cam, if the threat actor was using a VPN, say, and they were connecting in from a point of presence in the US through the VPN? Would it still detect that it was potentially a business email compromise?

Cameron Birkland

I think it's also based on geolocation, but yeah, I would say that for VPNs, they are a little hard to trace because VPN providers are in the business of not having their IP addresses known to other parties, right? So there are organizations, there's companies out there that collect known VPN IP addresses so that you can see when, you know, if you see a login from a certain IP address, well, it's on this list, so you know it's a low-cost VPN provider, and that's a sign that the account might be compromised.

Eric Brown

When they take over the accounts, and I think we've all seen these firsthand, the threat actor will compromise the account, and then they will quickly set up, or try to set up, rules that prevent detection. So it might be something where the rules would delete any emails that might be going to a certain user or coming from a certain user, to really try to hide and obfuscate what they're doing. Sometimes, once they establish a foothold, they set up a forwarding rule that forwards any email that comes into the box to an outside email account, or any email that comes in from a certain user, it forwards it to an outside email account. And you know, typically when we go in and take a look at these things, we'll recommend putting a policy in place that would not allow forwarding to third-party email providers. But sometimes an organization may have a specific business use case where they need to do that. But you can get pretty granular in how you set those things up and what you're watching for. But out of the box, by default, Microsoft is not going to... or it will allow the users to set up those forwarding rules to outside accounts. So that's another thing to look out for. And Cam, I don't know if we're doing any sort of analysis on mailbox rules as part of the 14 plus one. Maybe that's 14 plus two if we were going to do that.

Phishing Reports And Admin Workflows

Cameron Birkland

Yeah. Yeah. And actually, as part of the 14 plus one, we can. Right. So as part of that 14 plus one, we're able to take pretty much any piece of security-related information out of the tenant and analyze that. So yeah, absolutely.

Joshua Schmidt

So, you know, I know you guys are passionate about cybersecurity culture, and not just implementing these tools, but also implementing a culture of security within an organization as well. So, you know, you're still encouraging people to click on that "this is a phishing email" warning, or put things in their spam folder, and use MFA and all that. But what does it look like on your end, Cameron, when someone reports a phishing email through Harmony?

Cameron Birkland

Yeah. So this is another great piece of Harmony, especially for administrators. It is able to collect up phishing reports for you. And it looks like we don't have any in our organization right now.

Joshua Schmidt

How does that benefit you? Is it because, like, before you'd have to claw through raw data and logs and things like that?

Managed Support And Ongoing Tuning

Cameron Birkland

Yeah. So especially when you're, let's just say, a medium organization, you're gonna get multiple phishing reports per day. Typically, what that will look like is you get a copy of the email sent to an inbox. And from there, you'll open up the email, analyze the metadata, check the URLs. It's kind of a long process, actually. You could spend, and in fact, I actually did one time spend basically a whole summer just handling phishing reports for an organization of just under 5,000 users. So it can take up a lot of your time. What Harmony does is it makes your phishing process smart and it makes an easy spot for you to review them. Right? So what Harmony has is called workflows. You can choose how aggressive you want it to be. You can do it all manual if you'd like to, see every one. You can do it semi-automatic, so that'll say if it's high confidence, it'll remove it from their mailbox. If it's low confidence, it'll send it back to them. If it's medium confidence, it'll have you review it. Automatic, it'll just take action every time, where you don't have to review phishing emails at all. Right? But when you do get a phishing report, they'll show up in this console. And I wish I had a great example for this moment, but I'll pull up a security event so we can see what it looks like. When somebody reports a phishing email, it lets you kind of scan through all the details of the email without having to open it. This is kind of what it looks like on my screen here. So it'll say, you know, Microsoft: high confidence phishing; Check Point thinks it's phishing. Here's who it's from, here's the URLs, all the little details that you'd want to know about a phishing email to be able to make a determination.
What the AI models think about it, whether there's been any communication with this person in the past, whether it passes SPF and other email security measures, where it came from, like this one came from Europe, for example, and that's a little weird. How these links scan through Check Point systems as well as VirusTotal. The link in here is a little odd, as you can see. Something definitely seems off about that. And then finally, whether anybody else has received the email. So these are all things that would take, you know, probably 30 minutes plus for each email for you to do. And it brings it all into one dashboard.

Eric Brown

So if people are interested, after the 14 plus one, in procuring the product, we're able to offer that to them. And would we provide the continued reporting, or what would our involvement be? Sure.

What Happens Without Email Security

Cameron Birkland

So, to a certain extent, if somebody wanted to, we could run this product for them, right? We can review all the phishing reports in here, we can tune it, make sure it stays up and running to best practices. Because Harmony works so well at what it does, it doesn't require a ton of time to use every day, right? So when we take care of the environment, we will go through and set all the settings to best practices as far as possible, and then we can do the ongoing maintenance of the product as well and keep up with phishing reports and make sure that everything's being caught and there's no pending events and things like that. And on the other hand, because this is such an easy product to use, if there's somebody at the organization that would want to do that, that's an option as well.

Joshua Schmidt

So let's say we have a medium-sized or small-sized business, and they don't have any email security solution in place. What does it look like from phishing email to damage to aftermath? Walk us through that real quickly.

Cameron Birkland

Yeah, for an organization without email, without a dedicated email security product.

Joshua Schmidt

Yeah.

Cameron Birkland

Yeah. So the main thing is there's just a lack of visibility. With just what comes with the default, you're not gonna be able to see any of this happen. You can go and dig for it and find those logs and find that data, but there's going to be no alerts to bring it to your attention. And there's not going to be anything stopping it.

Eric Brown

So what'll be... I was just, sorry, Cam. No, I was gonna say that if you don't have email security, you're probably already breached.

Cameron Birkland

Yeah. Yeah. And that's kind of coming back to what we've just been seeing this week alone. We've seen a couple of different variations of, you know, both computer and email compromise that have caught, I would say, probably smaller to medium organizations without all of those protections in place, right? I could talk in more detail about those, but that would take a look at it.

Joshua Schmidt

We'll do a little role-playing here. I'll be the new business owner that has no idea what we're talking about. And I'm gonna say, but I have Gmail and I've never had a problem with my credit card, I started this business five years ago, and I don't think I'm compromised. I don't have a problem with my email, so why should I have to pay for something like this? Or why should I even pay attention to this? It seems like a waste of time in my business, right?

Cameron Birkland

Yeah. Well, the first thing is threat actors aren't in the business of letting you know that they're there right away.

Joshua Schmidt

They could be in my environment already, even though nothing's happened yet? Exactly. Nothing will look off. It's not like a flashing thing like "you've been hacked," or like identity theft happening right away. So what are they doing in there? Right.

Cameron Birkland

So they can take a number of different routes once they're in your system. But the main thing they'll do is start going through files and data and start watching your inbox. Ultimately, they're looking for something that is valuable to them, right? Like social security numbers. Yeah. Social security numbers, protected information, company secrets, things like that. And from that point on, they can choose to maybe hold your data for ransom. And that would be after they've gotten all of the data out of your environment.

Joshua Schmidt

Well, thanks so much for joining us today, Cameron. It's been enlightening. And we've got to get a sneak peek at this tool that we're starting to work with here with our partners and clients at IT Audit Labs. So we gave you a deep dive look behind the scenes and a little bit more in-depth coverage on what email security looks like from a practitioner's standpoint. Anything you want to add, Nick, before we wrap up today?

Nick Mellem

I think next time we need to have a Carvata session for the DLP portion. I was kind of licking my chops, waiting to get there. We'll have to do another one.

Cameron Birkland

Yeah, I think we could dig quite a bit deeper into how Harmony works and what it does if we wanted to.

Joshua Schmidt

Well, we will certainly do that in the future. Until then, you've been joined by Nick Mellem, Eric Brown, and Cameron Birkland from IT Audit Labs. I am Joshua Schmidt, your co-host and producer. You've been listening to The Audit. Please like, share, subscribe, and source us wherever you get your podcast content, and leave us a review on Apple Podcasts if you get a chance, and subscribe to our YouTube channel. We also have SIP Cyber, presented by Jen Lotsi, and lots of webinars and resources on our website at ITAuditLabs.com. Thanks so much for listening and watching, and we'll see you in the next one.

Eric Brown

You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, and our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials, and subscribing to this podcast on Apple, Spotify, or wherever you source your security content.