By: Trend Micro June 04, 2024 Read time: 3 min (709 words)
In its ninth year, the annual SANS Threat Hunting Survey delves into global organizational practices in threat hunting, shedding light on the challenges and adaptations in the landscape over the past year.
The 2024 survey highlights a growing maturity in threat-hunting methodologies, with a significant increase in organizations adopting formal processes.
This marks a shift towards a more standardized approach in cybersecurity strategies despite challenges such as skill shortages and tool limitations. Additionally, the survey reveals evolving practices in sourcing intelligence and an increase in outsourcing threat hunting, raising questions about the efficiency and alignment with organizational goals. This summary encapsulates the essential findings and trends, emphasizing the critical role of threat hunting in contemporary cybersecurity frameworks.
Participants
Figure 1: Survey demographics
This year’s survey attracted participants from a wide array of industries, with cybersecurity leading at 15% and 9% of respondents from the manufacturing sector, which has recently faced significant challenges from ransomware attacks. The survey participants varied in organization size, too, ranging from those working in small entities with less than 100 employees (24%) to large corporations with over 100,000 employees (9%).
The respondents play diverse roles within their organizations, highlighting the multidisciplinary nature of threat hunting. Twenty-two percent are security administrators or analysts, while 11% hold business manager positions, showcasing a balance between technical, financial, and personnel perspectives in threat-hunting practices.
However, the survey does note a geographical bias, with 65% of participants coming from organizations based in the United States, which could influence the findings related to staffing and organizational practices, though it’s believed not to affect the technical aspects of threat hunting.
Significant findings and implications
The survey examines the dynamic landscape of cyber threats and the strategies deployed by threat hunters to identify and counteract these risks. Notably, it sheds light on the prevalent types of attacks encountered:
Business email compromise (BEC): BEC emerges as the foremost concern, with approximately 68% of respondents reporting its detection. BEC involves malicious actors infiltrating legitimate email accounts to coerce individuals into transferring funds through social engineering tactics.
Ransomware: Following closely behind is ransomware, detected by 64% of participants. Ransomware operations encrypt data and demand payment for decryption, constituting a significant threat in the cybersecurity landscape.
Tactics, techniques, and procedures (TTPs): The survey found that TTPS are employed in different attack scenarios. In ransomware incidents, threat actors often deploy custom malware, target specific data for exfiltration, utilize off-the-shelf tools like Cobalt Strike, attempt to delete traces, and sometimes resort to physical intrusion into target companies.
Evolving threat-hunting practices
SANS also found that organizations have significantly evolved their threat-hunting practices, with changes in methodologies occurring as needed, monthly, quarterly, or annually.
Outsourced threat hunting is now used by 37% of organizations, and over half have adopted clearly defined methodologies for threat hunting, marking a notable advancement.
Additionally, 64% of organizations formally evaluate the effectiveness of their threat-hunting efforts, showing a decrease in those without formal methodologies from 7% to 2%. The selection of methods is increasingly influenced by available human resources, recognized by 47% of organizations.
The chief information security officer (CISO) plays a key role in developing threat-hunting methodologies, with significant involvement in 40% of cases.
Benefits of better threat-hunting efforts
Significant benefits from threat hunting include improved attack surface and endpoint security, more accurate detections with fewer false positives, and reduced remediation resources.
About 30% of organizations use vendor information as supplemental threat intelligence, with 14% depending solely on it. Incident response teams’ involvement in developing threat-hunting methodologies rose to 33% in 2024, indicating better integration within security functions.
Challenges such as data quality and standardization issues are increasing, underscoring the complexities of managing expanding cybersecurity data.
Final thoughts
The SANS 2024 Threat Hunting Survey highlights the cybersecurity industry’s evolution and focuses on improving cyber defense capabilities. Organizations aim to enhance threat hunting with better contextual awareness and data tools, with 51% looking to improve response to nuanced threats.
Nearly half (47%) plan to implement AI and ML to tackle the increasing complexity and volume of threats. There’s a significant planned investment in both staff and tools, with some organizations intending to increase their investment by over 10% or even 25% in the next 24 months, emphasizing threat hunting’s strategic importance.
However, a small minority anticipate reducing their investment, hinting at a potential shift in security strategy.
By: Trend Micro June 18, 2024 Read time: 4 min (1135 words)
The latest MITRE Engenuity ATT&CK Evaluations pitted leading managed detection and response (MDR) services against threats modeled on the menuPass and BlackCat/AlphV adversary groups. Trend Micro achieved 100% detection across all 15 major attack steps with an 86% actionable rate for those steps— balancing detections and business priorities including operational continuity and minimized disruption.
Trend took part in the MITRE Engenuity ATT&CK Evaluations for managed detection and response (MDR) services—building on a history of strong performance in other MITRE Engenuity tests. Key to that ongoing success is our platform approach, which provides high-fidelity detection of early- and mid-chain tactics, techniques, and procedures (TTPs) enabling quick and decisive counteractions before exfiltration or encryption can occur. Of course, we know real-world outcomes matter more than lab results. That’s why we’re proud to support thousands of customers worldwide with MDR that brings the most native extended detection and response (XDR) telemetry, leading threat intelligence from Trend™ Research and our Trend Micro™ Zero-Day Initiative™ (ZDI) under a single service to bridge real-time threat protection and cyber risk management.
The evaluation focused on our Trend Service One™ offering, powered by Trend Vision One, which included XDR, endpoint and network security capabilities. The results proved Trend Micro MDR is a great alternative to managed services that rely on open XDR platforms or managed SIEM platforms.
Our detection of adversarial activity early in the attack chain combined with our platform’s deeply integrated native response capabilities enables rapid mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR). At the same time, comprehensive visibility and protection gives security teams greater confidence.
Full detection across all major steps
This most recent MITRE Engenuity ATT&CK Evaluations for Managed Services featured attacks modeled on the real-world adversaries menuPass and BlackCat/AlphV. These took the form of advanced persistent threats (APTs) designed to dwell in the network post-breach and execute harmful activity over time.
Trend MDR achieved full detection coverage, reflecting and reinforcing our achievements in cybersecurity:
100% across all major attack steps
100% for enriched detail on TTPs
86% actionable rate for major steps
How Trend MDR delivers
To put its MDR evaluation in context, MITRE Engenuity conducted a survey prior to testing, gaining insights into market perceptions and expectations of managed cybersecurity services. More than half (58%) of respondents said they rely on managed services either to complement their in-house SOC or as their main line of defense. For companies with fewer than 5,000 employees, that tally increased to 68%.
Our MDR service at Trend helps meet those needs by combining AI techniques with human threat expertise and analysis. We correlate data and detect threats that might otherwise slip by as lower severity alerts. Our experts prioritize threats by severity, determine the root cause of attacks, and develop detailed response plans.
XDR is a key technology to achieve these security outcomes, extending visibility beyond endpoints to other parts of the environment where threats can otherwise go undetected: servers, email, identities, mobile devices, cloud workloads, networks, and operational technologies (OT).
Integrated with native XDR insights is deep, global threat intelligence. Native telemetry enables high-fidelity detections, strong correlations and rich context; global threat intelligence brings highly relevant context to detect threats faster and more precisely. Combined with a broad third-party integration ecosystem and response automation across vectors, Trend Vision One introduces a full-spectrum SOC platform for security teams to speed up investigations and frees up time to focus on high-value, proactive security work including threat hunting and detection engineering. In some cases, smaller teams rely on our MDR service completely for their security operations.
With Trend Vision One, teams have access to a continuously updated and growing library of detection models—with the ability to build custom detection models to fit their unique threat models.
Proven strength in delivering higher-confidence alerts
Security and security operations center (SOC) teams are inundated with detection alerts and noise. Our visibility and analytics performance achieves a finely tuned balance between providing early alerts of critical adversarial tactics and techniques and managing alert fatigue to improve the analyst experience. Our MDR operations team takes advantage of the platform advantage and knows only to alert customers when critical.
In each simulation during the MITRE Engenuity ATT&CK Evaluations, there was no scenario where menuPass and BlackCat/AlphV attack attempts successfully breached the environment without being detected or disrupted.
It’s important to note that MITRE Engenuity doesn’t rank products or solutions. It provides objective measures but no scores. Instead, since every service and solution functions differently, the evaluation reveals areas of strength and opportunities for improvement within each offering.
About the attacks
The menuPass threat group has been active since at least 2006. Some of its members have been associated with the Tianjin State Security Bureau of the Chinese Ministry of State Security and with the Huaying Haitai Science and Technology Development Company. It has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government targets—and in 2016–17 went after managed IT service providers. BlackCat is Rust-based ransomware offered as a service and first observed in November 2021. It has been used to target organizations across Africa, the Americas, Asia, Australia, and Europe in a range of sectors.
Putting our service to the test
In cybersecurity, actions speak louder than words. Our significant investment in research and development extend to our MDR service offering to support thousands of enterprises around the world.
We’re dedicated to continuous iteration and improvement to equip security teams with cutting-edge solutions to keep their organizations safe. As we evolve our solutions, MITRE Engenuity continues to evolve its evaluation approach as well. The category of “actionability” was new in this evaluation, determining if each alert provided enough context for the security analyst to act on. The actionability testing category is an area we’re investing in heavily from a process and technology standpoint to ensure contextual awareness, prioritization, and intelligent guidance are included while maintaining manageable communication cadences and minimizing false positive alerts.
Overall, areas for improvement surfaced through the test scenarios have been resourced with dedicated engineering and development efforts to match the high standard we hold ourselves to-and that our users expect. We are pleased to see our MDR service demonstrated a strong balance of detection capabilities across the entire attack chain, both within the service itself and embedded in the underlying Trend Vision One platform.
We invite all our MDR customers to take a look at the MITRE Engenuity ATT&CK Evaluations for Managed Services to better understand the strength of their defensive posture, and to come to us with any questions or thoughts.
Next steps
For more on Trend MDR, XDR, and other related topics, check out these additional resources:
At Trend, we are dedicated to continuous iteration and improvement to equip security teams with cutting-edge solutions to keep their organizations safe. These relevant areas of improvement surfaced through the scenarios have been resourced with dedicated engineering and development efforts to match the high standard we hold ourselves to and which our users expect.
There’s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats.
As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard, you’re only as secure as your weakest link. There’s still one group that can inadvertently open the gates to unwanted threat actors—your own people.
Security must be second nature for your first line of defense #
For your organization to thrive, you need capable employees. After all, they’re your source for great ideas, innovation, and ingenuity. However, they’re also human. And humans are fallible. Hackers understand no one is perfect, and that’s precisely what they seek to exploit.
This is why your people must become your first line of defense against cyber threats. But to do so, they need to learn how to defend themselves against the treachery of hackers. That’s where security awareness training (SAT) comes in.
The overall objective of an SAT program is to keep your employees and organization secure. The underlying benefit, however, is demonstrating compliance. While content may differ from program to program, most are generally similar, requiring your employees to watch scripted videos, study generic presentations, and take tests on cyber “hygiene.” At their core, SAT programs are designed to help you:
Educate your employees on recognizing cybersecurity risks such as phishing and ransomware
Minimize your organization’s exposure to cyber threats
Maintain regulatory compliance with cyber insurance stipulations
These are all worthwhile goals in helping your organization thrive amidst ever-evolving cyber threats. However, attaining these outcomes can feel like a pipe dream. That’s because of one unfortunate truth about most SAT programs: they don’t work.
If you oversee cybersecurity for an organization, then you’re likely familiar with the pain that comes with implementing one, managing it, and encouraging its usage. Given their complexities, traditional SAT solutions practically force non-technical employees to become full-on technologists.
Challenges for Administrators
Challenges for Employees
Challenges for Your Organization
Complex, ongoing management is frustrating. Plus, through it all they just find poor results.
They’re bored. Unengaging content is detrimental, as it doesn’t lead to knowledge retention. Boring, unengaging content doesn’t help with knowledge retention.
Most SATs aren’t effective because they’re created by generalists, not real cybersecurity experts And many are designed with little reporting capabilities, leading to limited visibility into success rates
Because most SAT programs are complex to manage, they’re usually dismissed as a means to an end. Just check a box for compliance and move on. But when done right, SAT can be a potent tool to help your employees make more intelligent, more instinctive, security-conscious decisions.
Ask the Right Questions Before Choosing Your SAT Solution#
When it comes to choosing the right solution for your organization, there are some questions you should first ask yourself. By assessing the following, you’ll be better equipped to select the option that best fits your specific needs.
Learning-Based Questions
Are the topics covered in this SAT relevant to my organization’s security and compliance concerns?
Are episodes updated regularly to reflect current threats and scenarios?
Does this SAT engage users in a unique, meaningful manner?
Is this SAT built and supported by cybersecurity practitioners?
Is the teaching methodology proven to increase knowledge retention?
Management-Based Questions
Can someone outside of my organization manage the SAT for me?
Can it be deployed quickly?
Does it automatically enroll new users and automate management?
Is it smart enough to skip non-human identities so I don’t assign training to, say, our copy machine?
Is it simple and intuitive enough for anyone across my organization to use?
Your ideal SAT will allow you to answer a resounding “Yes” to all of the above.
A SAT solution that’s easy to deploy, manage, and use can have a substantial positive impact. That’s because a solution that delivers “ease” has considered all of your organization’s cybersecurity needs in advance. In other words, an effective SAT does all the heavy lifting on your behalf, as it features:
Relevant topics …based on real threats you might encounter.
What to look for:
To avoid canned, outdated training, choose a SAT solution that’s backed by experts. Cybersecurity practitioners should be the ones regularly creating and updating episodes based on the latest trends they see hackers leveraging in the wild. Additionally, every episode should cover a unique cybersecurity topic that reflects the most recent real-world tradecraft.
Full management by real experts …so you don’t have to waste time creating, managing, and assigning training.
What to look for:
Ideally, you want a SAT solution that can manage all necessary tasks for you. Seek a SAT solution that’s backed by real cybersecurity experts who can create, curate, and deploy your learning programs and phishing scenarios on your behalf.
Memorable episodes …with fun, story-driven lessons that are relatable and easy to comprehend.
What to look for:
Strive for a SAT solution that features character-based narratives. This indicates the SAT is carefully designed to engage learners of all attention spans. Remember, if the episodes are intentionally entertaining and whimsical, you’re more likely to find your employees conversing about inside jokes, recurring characters, and, of course, what they’ve learned. As a result, these ongoing discussions only serve to fortify your culture of security.
Continual enhancements …so episodes are updated regularly in response to real-world threats.
What to look for: Seek out a SAT solution that provides monthly episodes, as this will keep your learners up to date. Regular encounters with simulated cybersecurity scenarios can help enhance their abilities to spot and defend against risks, such as phishing attempts. These simulations should also be dispersed at unpredictable time intervals (i.e. morning, night, weekends, early in the month, later in the month, etc.), keeping learners on their toes and allowing them to put their security knowledge into practice.
Minimal time commitment …so you don’t have to invest countless hours managing it all.
What to look for: For your learners, choose a SAT solution that doesn’t feel like an arduous chore. Look for solutions that specialize in engaging episodes that are designed to be completed in shorter periods of time. For your own administrative needs, select a SAT that can sync regularly with your most popular platforms, such as Microsoft 365, Google, Okta, or Slack. It should also sync your employee directories with ease, so whenever you activate or deactivate users, it’ll automatically update the information. Finally, make sure it’s intelligent enough to decipher between human and non-human identities, so you’re only charged for accounts linked to real individuals.
Real results …through episodes that instill meaningful security-focused behaviors and habits.
What to look for: An impactful SAT should deliver monthly training that’s rooted in science-backed teaching methodologies proven to help your employees internalize and retain lessons better. Your SAT should feature engaging videos, text, and short quizzes that showcase realistic cyber threats you and your employees are likely to encounter in the wild, such as:PhishingSocial engineeringPhysical device securityand more
Measurable data …with easy-to-read reports on usage and success rates.
What to look for: An impactful SAT program should provide robust reporting. Comprehensible summaries should highlight those learners who haven’t taken their training or those whom a phishing simulation has compromised. Additionally, detailed reports should give you all the data you need to help prove business, insurance, and regulatory compliance.
Easy adoption ….that makes it easy to deploy and easy to scale with your organization.
What to look for: Choose a SAT solution that’s specially built to accommodate organizations with limited time and resources. A solution that’s easy to implement can be deployed across your organization in a matter of minutes.
Compliance …with a range of standards and regulations
What to look for: While compliance is the bare minimum of what a SAT should offer your organization, it shouldn’t be understated. Whether to meet insurance check boxes or critical industry regulations, every business has its own compliance demands. At the very least, your SAT solution should cover the requirements of: Health Insurance Portability and Accountability Act (HIPAA)Payment Card Industry Data Security Standard (PCI)Service Organization Control Type 2 (SOC 2)EU General Data Protection Regulation (GDPR)
The Threat Landscape is Changing. Your SAT Should Change With It. #
Cybercriminals think they’re smart, maliciously targeting individuals across organizations like yours. That’s why you need to ensure your employees are smarter. If they’re aware of the ever-changing tactics hackers employ, they can stand as your first line of defense. But first, you need to deploy a training solution you can trust, backed by real cybersecurity experts who understand emerging real-world threats.
Minimize time-consuming maintenance and management tasks
Improve knowledge retention through neuroscience-based learning principles
Update you and your employees on the current threat landscape
Establish a culture that values cybersecurity
Inspire meaningful behavioral habits to improve security awareness
Engage you and your employees in a creative, impactful manner
Assure regulatory compliance
Keep cyber criminals out of your organization
Discover how a fully managed SAT can free up your time and resources, all while empowering your employees with smarter habits that better protect your organization from cyber threats.
Say goodbye to ineffective, outdated training. Say hello to Huntress SAT.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
In 2007, there was a study from the University of Maryland proving that internet-connected systems were attacked every 39 seconds on average. Today, that number has grown more than 60%. Cisco sees 64 attempts to connect to ransomware infrastructure every second. The world is becoming digitized, and hybrid, which creates an environment that criminals target with increasing sophistication. It’s too much for human-scale, and so a hybrid world requires a hybrid approach that sits between humans and machines.
Envision an AI Assistant that serves as a reliable partner for incident responders, offering precise, real-time guidance on the subsequent steps to take, tailored to the specific state of the incident at hand and allowing SOC (Security Operations Center) teams to respond faster and do more with less. I am pleased to announce the launch of the AI Assistant in XDR as a part of our Breach Protection Suite.
In our RSAC 2023 announcement, we introduced a vision of our Cisco SOC Assistant, designed to expedite threat detection and response. Today, this vision is realized and available in private preview. It enhances our Breach Protection Suite which is powered by Cisco XDR’s capabilities. It significantly speeds up investigations and responses, enabling security teams to safeguard their environments more efficiently and cost-effectively.
Assist with Information Discovery
In 2024, the global shortfall of 3.5 million security professionals, as reported by ISC2, underscores the importance of retaining and recruiting skilled personnel to counter increasingly sophisticated cyber threats and safeguard enterprises. Moreover, the lack of appropriate tools often leads to ineffective cyber risk management and professional burnout, adversely affecting staff retention and the SOC’s capacity to thwart attacks.
The AI Assistant in XDR acts as a potent enhancer, empowering SOC teams to maximize their efficiency and effectively close the personnel and skill gap. When an incident occurs, the assistant will contextualize events across email, the web, endpoints, and the network to tell the SOC analyst exactly what happened and its impact on their environment. It presents a short description of the incident that quickly answers what, when and how an incident happened. It also provides a long description of the incident which explains the timeline of events that have happened in this active incident.
Figure 1: Short Description of Incident Details generated by the AI AssistantFigure 2: Long Description of Incident Details and Events Timeline
Moreover, our AI Assistant utilizes XDR’s patented ability to prioritize critical incidents, reducing alert fatigue for the SOC team and enhancing their efficiency in handling active incidents.
Figure 3: Targeted Prioritization of Incidents by AI Assistant that Need Immediate Attention
Augment and Elevate SOC Teams with Best Practice Recommendations
Today’s SOCs often struggle with a fragmented technology stack, making it difficult to respond effectively to cyber threats. Alert fatigue is a major hurdle for modern SOC teams, hindering proactive threat hunting and leading to overlooked alerts and burnout. The Cisco AI Assistant comes to the rescue and jumpstarts the incident response process for a modern SOC team.
Our AI Assistant, powered by Cisco XDR the platform for Cisco’s Breach Protection Suite, synthesizes data from email, web, processes, endpoints, cloud, and network domains, offering precise action recommendations to effectively contain ongoing cyber-attacks. It works at machine scale to identify patterns and potential attacks that humans might miss because of alert fatigue, if a defender is only looking at one domain in isolation, or while trying to manually correlate data. The AI Assistant is context aware, meaning it tracks the state of the incident in real-time and generates tailored recommendations specific to that incident.
Figure 4: Tailored Recommendations for an Incident by the AI Assistant
Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR) are two primary metrics that SOC teams want to optimize for. Cisco XDR with our AI Assistant enables security teams to reduce these metrics by jumpstarting investigations and incident response by providing tailored recommendations for that specific incident.
Enable Seamless Collaboration Across Security Teams
The Cisco AI Assistant, embedded within XDR, facilitates team collaboration using Webex, Teams, or Slack. This empowers security teams to swiftly assemble the right experts for an active incident, thereby speeding up the MTTR. The AI Assistant unifies the team by setting up WAR rooms, summarizing messages, and logging them in XDR for instant audit-readiness.
Figure 5: AI Assistant creates a Webex WAR Room and brings the right experts together for Incident Response
Automate Workflows to Neutralize Threats Across the Enterprise
Today’s SOCs often lack a cohesive technology stack to respond to cyber threats efficiently and consistently. As the IT environment grows beyond the on-premises data center to cloud, hybrid-cloud and multi-cloud country specific data centers, organizations accumulate point solutions to monitor and protect pieces of the environment. As a result, SOC analysts must do a lot of the heavy lifting required to detect and respond to an attack. This includes logging into different tools to execute workflows that contain an attack.
Our AI Assistant taps into advanced workflows and atomics with Cisco XDR’s 90+ integrations. Our AI assistant enables the execution of workflows at a single click, guided by the AI Assistant’s personalized recommendations that consider the incident’s playbook and current state in real-time.
Figure 6: Execution of Automated Workflows by the AI Assistant to Contain an Incident
Gone are the days when security teams had to juggle multiple isolated products and execute workflows in each to mitigate an attack. With Cisco Breach Protection Suite, billions of security events can be correlated and recommended actions can be generated and executed all in one place. This is the transformative power of the Cisco XDR combined with Cisco’s AI Assistant revolutionizing enterprise security.
Conclusion
By leveraging comprehensive telemetry data from various sources in Cisco XDR and combining that with our AI Assistant, we enable SOC teams to rapidly respond to active incidents and fortify defenses against complex threats. The AI Assistant amplifies the SOC’s existing knowledge, streamlines routine tasks, and empowers analysts to focus on strategic initiatives. This boosts analyst productivity and job satisfaction, leading to improved staff retention and SOC effectiveness, ultimately resulting in precise, consistent, and accurate security outcomes.
By: Shannon Murphy, Greg Young March 20, 2024 Read time: 2 min (589 words)
On February 26, 2024, the National Institute of Standards and Technology (NIST) released the official 2.0 version of the Cyber Security Framework (CSF).
What is the NIST CSF?
The NIST CSF is a series of guidelines and best practices to reduce cyber risk and improve security posture. The framework is divided into pillars or “functions” and each function is subdivided into “categories” which outline specific outcomes.
As titled, it is a framework. Although it was published by a standards body, it is not a technical standard.
https://www.nist.gov/cyberframework
What Is the CSF Really Used For?
Unlike some very prescriptive NIST standards (for example, crypto standards like FIPS-140-2), the CSF framework is similar to the ISO 27001 certification guidance. It aims to set out general requirements to inventory security risk, design and implement compensating controls, and adopt an overarching process to ensure continuous improvement to meet shifting security needs.
It’s a high-level map for security leaders to identify categories of protection that are not being serviced well. Think of the CSF as a series of buckets with labels. You metaphorically put all the actions, technology deployments, and processes you do in cybersecurity into these buckets, and then look for buckets with too little activity in them or have too much activity — or repetitive activity — and not enough of other requirements in them.
The CSF hierarchy is that Functions contain many Categories — or in other words, there are big buckets that contain smaller buckets.
What Is New in CSF 2.0?
The most noteworthy change is the introduction of Governance as a sixth pillar in the CSF Framework. This shift sees governance being given significantly more importance from just a mention within the previous five Categories to now being its owna separate Function.
According to NIST the Govern function refers to how an organization’s, “cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.” This is a positive and needed evolution, as when governance is weak, it often isn’t restricted to a single function (e.g. IAM) and can be systemic.
Governance aligns to a broader paradigm shift where we see cybersecurity becoming highly relevant within the business context as an operational risk. The Govern expectation is cybersecurity is integrated into the broader enterprise risk management strategy and requires dedicated accountability and oversight.
There are some other reassignments and minor changes in the remaining five Categories. CSF version 1.0 was published in 2014, and 1.1 in 2018. A lot has changed in security since then. The 2.0 update acknowledges that a review has been conducted.
As a framework, the CISO domain has not radically changed. Yes, the technology has radically evolved, but the greatest evolution in the CISO role really has been around governance: greater interaction with C-suite and board, while some activities have been handed off to operations.
So How Will This Impact Me in the Short Term?
The update to the NIST CSF provides a fresh opportunity to security leaders to start or reopen conversations with business leaders on evolving needs.
The greatest impact will be to auditors and consultants who will need to make formatting changes to their templates and work products to align with version 2.0.
CISOs and security leaders will have to make some similar changes to how they track and report compliance.
But overall, the greatest impact (aside from some extra billable cybersecurity consulting fees) will be a boost of relevance to the CSF that could attract new adherents both through security leaders choosing to look at themselves through the CSF lens and management asking the same of CISOs.
Hornetsecurity is implementing an update to enhance email security by enforcing checks on the “Header-From” value in emails, as per RFC 5322 standards. This initiative is driven by several key reasons:
Preventing Email Delivery Issues: Historically, not enforcing the validity of the originator email address has led to emails being accepted by our system but ultimately rejected by the final destination, especially with most customers now using cloud email service providers that enforce stricter validation.
Enhanced Protection Against Spoofed Emails: By strictly validating the “Header-From” value, we aim to significantly reduce the risk of email spoofing.
Enhance Email Authentication for DKIM/DMARC Alignment: By enforcing RFC 5322 compliance in the “Header-From” field, we can ensure better alignment with DKIM and DMARC standards, thereby significantly improving the security and authenticity of email communications.
The cause of malformed “From” headers often stems from incorrect email server configurations by the sender or from bugs in scripts or other applications. Our new protocol aims to rectify these issues, ensuring that all emails passing through our system are fully compliant with established standards, thus improving the overall security and reliability of email communications.
Implementation Timeline
Stage 1 (Starting 4 March 2024): 1-5% of invalid emails will be rejected.
Stage 2 (Second week): 30% rejection rate.
Stage 3 (Third week): 60% rejection rate.
Final Stage (By the end of the fourth week): 100% rejection rate.
Impact Assessment
Extensive testing over the past six months indicates that the impact on legitimate email delivery is expected to be minimal. However, email administrators should be prepared for potential queries from users experiencing email rejections.
Handling Rejections
When an email is rejected due to a malformed “Header-From”, the sender will receive a bounce-back message with the error “510 5.1.7 malformed Header-From according to RFC 5322”. This message indicates that the email did not meet the necessary header standards.
Identifying Affected Emails
Email administrators can identify affected emails in the Hornetsecurity Control Panel (https://cp.hornetsecurity.com) using the following steps:
Navigate to ELT in the Hornetsecurity Control Panel.
Select your tenant in the top right field.
Choose a date range for your search. A shorter range will yield quicker results.
Click in the “Search” text box, select the “Msg ID” parameter, and type in “hfromfailed” (exact string).
Press ENTER to perform the search.
When email administrators identify emails affected by the “Header-From” checks in the Email Live Tracking (ELT) system, immediate and appropriate actions are necessary to verify if the email application or server settings are correctly configured to comply with RFC 5322 standards. This will help maintain email flow integrity.
Defining Exceptions
In implementing the new “Header-From” checks, Hornetsecurity recognizes the need for flexibility in certain cases. Therefore, we have provisioned for the definition of exceptions to these checks.
This section details how to set up these exceptions and the timeline for their deprecation:
Creating Exception Rules: Within the Compliance Filter, you can create rules that define exceptions to the “Header-From” checks. This should be based on the envelop sender address.
Applying the Exceptions: Once defined, these exceptions will allow certain emails to bypass the strict “Header-From” checks.
Timeline for Deprecation of Exceptions applied to the new Header-From checks
Initial Implementation: The ability to define exceptions is available as part of the initial rollout of the “Header-From” checks.
Deprecation Date: These exception provisions are set to be deprecated by the end of June 2024.
The provision for exceptions is intended as a temporary measure to facilitate a smoother transition to the new protocol. By June 2024, it is expected that all email senders would have had sufficient time to align their email systems with RFC 5322 standards. Deprecating the exceptions is a step towards ensuring full compliance and maximizing the security benefits of the “Header-From” checks.
Conclusion
The enhancement of our RFC-compliance is a significant step toward securing email communications. Adherence to these standards will collectively reduce risks associated with email. For further assistance or clarification, please reach out to our support team at support@hornetsecurity.com.
Invalid “Header From” Examples:
Header From
Reason
From: <>
Blank addresses are problematic as they cause issues in scenarios requiring a valid email address, such as allow and deny lists.
From: John Doe john.doe@hornetsecurity.com
Non-compliant with RFC standards. The email address must be enclosed in angle brackets (< and >) when accompanied by a display name.
While technically RFC-compliant, such formats are often rejected by M365 unless explicit exceptions are configured. We do accept certain email addresses with comments.
From: John, Doe <john.doe@hornetsecurity.com>
Non-compliant with RFC standards. A display name containing a comma must be enclosed in double quotes.
From: “John Doe <john.doe@hornetsecurity.com>”
Non-compliant with RFC standards. The entire ‘From’ value is incorrectly enclosed in double quotation marks, which is not allowed.
From: “John Doe <john.doe@hornetsecurity.com>” john.doe@hornetsecurity.com
Non-compliant with RFC standards. The display name is present, but the email address is not correctly enclosed in angle brackets.
From: “John Doe”<john.doe@hornetsecurity.com>
Non-compliant with RFC standards due to the absence of white-space between the display name and the email address.
Updated: Jan 31, 2024, 13:03 PM By Claire Broadley Content Manager REVIEWED By Jared Atchison Co-owner
Do you want to set up Postmaster Tools… but you’re not sure where to start?
Postmaster Tools lets you to monitor your spam complaints and domain reputation. That’s super important now that Gmail is blocking emails more aggressively.
Thankfully, Postmaster Tools is free and easy to configure. If you’ve already used a Google service like Analytics, it’ll take just a couple of minutes to set up.
You should set up Postmaster Tools if you meet any of the following criteria:
1. You Regularly Send Emails to Gmail Recipients
Postmaster Tools is a tool that Google provides to monitor emails to Gmail users.
Realistically, most of your email lists are likely to include a large number of Gmail mailboxes unless you’re sending to a very specific group of people, like an internal company mailing list. (According to Techjury, Gmail had a 75.8% share of the email market in 2023.)
Keep in mind that Gmail recipients aren’t always using Gmail email addresses. The people who use custom domains or Google Workspace are ‘hidden’, so it’s not always clear who’s using Gmail and who isn’t. To be on the safe side, it’s best to use it (it’s free).
2. You Send Marketing Emails (or Have a Large Website)
Postmaster Tools works best for bulk email senders, which Google defines as a domain that sends more than 5,000 emails a day.
If you’re sending email newsletters on a regular basis, having Postmaster Tools is going to help.
Likewise, if you use WooCommerce or a similar platform, you likely send a high number of transactional emails: password reset emails, receipts, and so on.
If you don’t send a large number of emails right now, you can still set up Postmaster Tools so you’re prepared for the time you might.
Just note that you may see the following message:
No data to display at present. Please come back later. Postmaster Tools requires your domain to satisfy certain conditions before data is visible for this chart.
This usually means you’re not sending enough emails for Google to be able to calculate meaningful statistics.
It’s up to you if you want to set it up anyway, or skip it until your business grows a little more.
How to Add a Domain to Postmaster Tools
Adding a domain to Postmaster Tools is simple and should take less than 10 minutes.
To get started, head to the Postmaster Tools site and log in. If you’re already using Google Analytics, sign in using the email address you use for your Analytics account.
The welcome popup will already be open. Click on Get Started to begin.
Next, enter the domain name that your emails come from.
This should be the domain you use as the sender, or the ‘from email’, when you’re sending emails from your domain. It will normally be your main website.
If your domain name is already verified for another Google service, that’s all you need to do! You’ll see confirmation that your domain is set up.
If you haven’t used this domain with Google services before, you’ll need to verify it. Google will ask you to add a TXT record to your DNS.
To complete this, head to the control panel for the company you bought your domain from. It’ll likely be your domain name registrar or your web host. If you’re using a service like Cloudflare, you’ll want to open up your DNS records there instead.
Locate the part of the control panel that handles your DNS (which might be called a DNS Zone) and add a new TXT record. Copy the record provided into the fields.
Note: Most providers will ask you to enter a Name, which isn’t shown in Google’s instructions. If your provider doesn’t fill this out by default, you can safely enter @ in the Name field.
Now save your record and wait a few minutes. Changes in Cloudflare can be near-instant, but other registrars or hosts may take longer.
After waiting for your change to take effect, switch back to Postmaster Tools and hit Verify to continue.
And that’s it! Now your domain has been added to Postmaster Tools.
How to Read the Charts in Google Postmaster Tools
Google is now tracking various aspects of your email deliverability. It’ll display the data in a series of charts in your account.
Here’s a quick overview of what you can see.
As I mentioned, keep in mind that the data here is only counted from Gmail accounts. It’s not a domain-wide measurement of everything you send.
Spam Rate
Your spam rate is the number of emails sent vs the number of spam complaints received each day. You should aim to keep this below 0.1%.
You can do that by making it easy for people to unsubscribe from marketing emails and using double optins rather than single optins.
It’s normal for spam complaint rates to spike occasionally because Google measures each day in isolation.
If you’re seeing a spam rate that is consistently above 0.3%, it’s worth looking into why that’s happening. You might be sending emails to people who don’t want to receive them.
IP Reputation
IP reputation is the trustworthiness of the IP address your emails come from. Google may mark emails as spam if your IP reputation is poor.
Keep in mind that IP reputation is tied to your email marketing provider. It’s a measure of their IP as well as yours.
If you see a downward trend, check in with the platform you’re using to ask if they’re seeing the same thing.
Domain Reputation
Domain reputation is the trustworthiness of the domain name you’ve verified in Postmaster Tools. This can be factored into Google’s spam scoring, along with other measurements.
The ideal scenario is a consistent rating of High, as shown in our screenshot above.
Wait: What is IP Reputation vs Domain Reputation?
You’ll now see that Google has separate options for IP reputation and domain reputation. Here’s the difference:
IP reputation measures the reputation of the server that actually sends your emails out. This might be a service like Constant Contact, ConvertKit, or Drip. Other people who use the service will share the same IP, so you’re a little more vulnerable to the impact of other users’ actions.
Domain reputation is a measure of the emails that are sent from your domain name as a whole.
Feedback Loop
High-volume or bulk senders can activate this feature to track spam complaints in more detail. You’ll need a special email header called Feedback-ID if you want to use this. Most likely, you won’t need to look at this report.
Authentication
This chart shows you how many emails cleared security checks.
In more technical terms, it shows how many emails attempted to authenticate using DMARC, SPF, and DKIM vs. how many actually did.
Encryption
This chart looks very similar to the domain reputation chart we already showed. It should sit at 100%.
If you’re seeing a lower percentage, you may be using outdated connection details for your email provider.
Check the websites or platforms that are sending emails from your domain and update them from an SSL connection to a TLS connection.
Delivery Errors
Last but not least, the final chart is the most useful. The Delivery Errors report will show you whether emails were rejected or temporarily delayed. A temporary delay is labeled as a TempFail in this report.
If you see any jumps, click on the point in the chart and the reason for the failures will be displayed below it.
Small jumps here and there are not a huge cause for concern. However, very large error rates are a definite red flag. You may have received a 550 error or a 421 error that gives you more clues as to why they’re happening.
Here are the 3 most important error messages related to blocked emails in Gmail:
421-4.7.0 unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.
550-5.7.1 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.
550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for example.com did not pass with ip: 192.186.0.1.
If you’re seeing these errors, check that your domain name has the correct DNS records for authenticating email. It’s also a good idea to examine your emails to ensure you have the right unsubscribe links in them.
Note: WP Mail SMTP preserves the list-unsubscribe headers that your email provider adds. That means that your emails will have a one-click unsubscribe option at the top.
If you’re using a different SMTP plugin, make sure it’s preserving that crucial list-unsubscribe header. If it’s not there, If not, you may want to consider switching to WP Mail SMTP for the best possible protection against spam complaints and failed emails.
Are your emails from WordPress disappearing or landing in the spam folder? You’re definitely not alone. Learn how to authenticate WordPress emails and ensure they always land in your inbox.
Ready to fix your emails? Get started today with the best WordPress SMTP plugin. If you don’t have the time to fix your emails, you can get full White Glove Setup assistance as an extra purchase, and there’s a 14-day money-back guarantee for all paid plans.
If this article helped you out, please follow us on Facebook and Twitter for more WordPress tips and tutorials.
Just in time for Data Privacy Day 2024 on January 28, the EU Commission is calling for evidence to understand how the EU’s General Data Protection Regulation (GDPR) has been functioning now that we’re nearing the 6th anniversary of the regulation coming into force.
We’re so glad they asked, because we have some thoughts. And what better way to celebrate privacy day than by discussing whether the application of the GDPR has actually done anything to improve people’s privacy?
The answer is, mostly yes, but in a couple of significant ways – no.
Overall, the GDPR is rightly seen as the global gold standard for privacy protection. It has served as a model for what data protection practices should look like globally, it enshrines data subject rights that have been copied across jurisdictions, and when it took effect, it created a standard for the kinds of privacy protections people worldwide should be able to expect and demand from the entities that handle their personal data. On balance, the GDPR has definitely moved the needle in the right direction for giving people more control over their personal data and in protecting their privacy.
In a couple of key areas, however, we believe the way the GDPR has been applied to data flowing across the Internet has done nothing for privacy and in fact may even jeopardize the protection of personal data. The first area where we see this is with respect to cross-border data transfers. Location has become a proxy for privacy in the minds of many EU data protection regulators, and we think that is the wrong result. The second area is an overly broad interpretation of what constitutes “personal data” by some regulators with respect to Internet Protocol or “IP” addresses. We contend that IP addresses should not always count as personal data, especially when the entities handling IP addresses have no ability on their own to tie those IP addresses to individuals. This is important because the ability to implement a number of industry-leading cybersecurity measures relies on the ability to do threat intelligence on Internet traffic metadata, including IP addresses.
Location should not be a proxy for privacy
Fundamentally, good data security and privacy practices should be able to protect personal data regardless of where that processing or storage occurs. Nevertheless, the GDPR is based on the idea that legal protections should attach to personal data based on the location of the data – where it is generated, processed, or stored. Articles 44 to 49 establish the conditions that must be in place in order for data to be transferred to a jurisdiction outside the EU, with the idea that even if the data is in a different location, the privacy protections established by the GDPR should follow the data. No doubt this approach was influenced by political developments around government surveillance practices, such as the revelations in 2013 of secret documents describing the relationship between the US NSA (and its Five Eyes partners) and large Internet companies, and that intelligence agencies were scooping up data from choke points on the Internet. And once the GDPR took effect, many data regulators in the EU were of the view that as a result of the GDPR’s restrictions on cross-border data transfers, European personal data simply could not be processed in the United States in a way that would be consistent with the GDPR.
This issue came to a head in July 2020, when the European Court of Justice (CJEU), in its “Schrems II” decision1, invalidated the EU-US Privacy Shield adequacy standard and questioned the suitability of the EU standard contractual clauses (a mechanism entities can use to ensure that GDPR protections are applied to EU personal data even if it is processed outside the EU). The ruling in some respects left data protection regulators with little room to maneuver on questions of transatlantic data flows. But while some regulators were able to view the Schrems II ruling in a way that would still allow for EU personal data to be processed in the United States, other data protection regulators saw the decision as an opportunity to double down on their view that EU personal data cannot be processed in the US consistent with the GDPR, therefore promoting the misconception that data localization should be a proxy for data protection.
In fact, we would argue that the opposite is the case. From our own experience and according to recent research2, we know that data localization threatens an organization’s ability to achieve integrated management of cybersecurity risk and limits an entity’s ability to employ state-of-the-art cybersecurity measures that rely on cross-border data transfers to make them as effective as possible. For example, Cloudflare’s Bot Management product only increases in accuracy with continued use on the global network: it detects and blocks traffic coming from likely bots before feeding back learnings to the models backing the product. A diversity of signal and scale of data on a global platform is critical to help us continue to evolve our bot detection tools. If the Internet were fragmented – preventing data from one jurisdiction being used in another – more and more signals would be missed. We wouldn’t be able to apply learnings from bot trends in Asia to bot mitigation efforts in Europe, for example. And if the ability to identify bot traffic is hampered, so is the ability to block those harmful bots from services that process personal data.
The need for industry-leading cybersecurity measures is self-evident, and it is not as if data protection authorities don’t realize this. If you look at any enforcement action brought against an entity that suffered a data breach, you see data protection regulators insisting that the impacted entities implement ever more robust cybersecurity measures in line with the obligation GDPR Article 32 places on data controllers and processors to “develop appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, “taking into account the state of the art”. In addition, data localization undermines information sharing within industry and with government agencies for cybersecurity purposes, which is generally recognized as vital to effective cybersecurity.
In this way, while the GDPR itself lays out a solid framework for securing personal data to ensure its privacy, the application of the GDPR’s cross-border data transfer provisions has twisted and contorted the purpose of the GDPR. It’s a classic example of not being able to see the forest for the trees. If the GDPR is applied in such a way as to elevate the priority of data localization over the priority of keeping data private and secure, then the protection of ordinary people’s data suffers.
Applying data transfer rules to IP addresses could lead to balkanization of the Internet
The other key way in which the application of the GDPR has been detrimental to the actual privacy of personal data is related to the way the term “personal data” has been defined in the Internet context – specifically with respect to Internet Protocol or “IP” addresses. A world where IP addresses are always treated as personal data and therefore subject to the GDPR’s data transfer rules is a world that could come perilously close to requiring a walled-off European Internet. And as noted above, this could have serious consequences for data privacy, not to mention that it likely would cut the EU off from any number of global marketplaces, information exchanges, and social media platforms.
This is a bit of a complicated argument, so let’s break it down. As most of us know, IP addresses are the addressing system for the Internet. When you send a request to a website, send an email, or communicate online in any way, IP addresses connect your request to the destination you’re trying to access. These IP addresses are the key to making sure Internet traffic gets delivered to where it needs to go. As the Internet is a global network, this means it’s entirely possible that Internet traffic – which necessarily contains IP addresses – will cross national borders. Indeed, the destination you are trying to access may well be located in a different jurisdiction altogether. That’s just the way the global Internet works. So far, so good.
But if IP addresses are considered personal data, then they are subject to data transfer restrictions under the GDPR. And with the way those provisions have been applied in recent years, some data regulators were getting perilously close to saying that IP addresses cannot transit jurisdictional boundaries if it meant the data might go to the US. The EU’s recent approval of the EU-US Data Privacy Framework established adequacy for US entities that certify to the framework, so these cross-border data transfers are not currently an issue. But if the Data Privacy Framework were to be invalidated as the EU-US Privacy Shield was in the Schrems II decision, then we could find ourselves in a place where the GDPR is applied to mean that IP addresses ostensibly linked to EU residents can’t be processed in the US, or potentially not even leave the EU.
If this were the case, then providers would have to start developing Europe-only networks to ensure IP addresses never cross jurisdictional boundaries. But how would people in the EU and US communicate if EU IP addresses can’t go to the US? Would EU citizens be restricted from accessing content stored in the US? It’s an application of the GDPR that would lead to the absurd result – one surely not intended by its drafters. And yet, in light of the Schrems II case and the way the GDPR has been applied, here we are.
A possible solution would be to consider that IP addresses are not always “personal data” subject to the GDPR. In 2016 – even before the GDPR took effect – the Court of Justice of the European Union (CJEU) established the view in Breyer v. Bundesrepublik Deutschland that even dynamic IP addresses, which change with every new connection to the Internet, constituted personal data if an entity processing the IP address could link the IP addresses to an individual. While the court’s decision did not say that dynamic IP addresses are always personal data under European data protection law, that’s exactly what EU data regulators took from the decision, without considering whether an entity actually has a way to tie the IP address to a real person3.
The question of when an identifier qualifies as “personal data” is again before the CJEU: In April 2023, the lower EU General Court ruled in SRB v EDPS4 that transmitted data can be considered anonymised and therefore not personal data if the data recipient does not have any additional information reasonably likely to allow it to re-identify the data subjects and has no legal means available to access such information. The appellant – the European Data Protection Supervisor (EDPS) – disagrees. The EDPS, who mainly oversees the privacy compliance of EU institutions and bodies, is appealing the decision and arguing that a unique identifier should qualify as personal data if that identifier could ever be linked to an individual, regardless of whether the entity holding the identifier actually had the means to make such a link.
If the lower court’s common-sense ruling holds, one could argue that IP addresses are not personal data when those IP addresses are processed by entities like Cloudflare, which have no means of connecting an IP address to an individual. If IP addresses are then not always personal data, then IP addresses will not always be subject to the GDPR’s rules on cross-border data transfers.
Although it may seem counterintuitive, having a standard whereby an IP address is not necessarily “personal data” would actually be a positive development for privacy. If IP addresses can flow freely across the Internet, then entities in the EU can use non-EU cybersecurity providers to help them secure their personal data. Advanced Machine Learning/predictive AI techniques that look at IP addresses to protect against DDoS attacks, prevent bots, or otherwise guard against personal data breaches will be able to draw on attack patterns and threat intelligence from around the world to the benefit of EU entities and residents. But none of these benefits can be realized in a world where IP addresses are always personal data under the GDPR and where the GDPR’s data transfer rules are interpreted to mean IP addresses linked to EU residents can never flow to the United States.
Keeping privacy in focus
On this Data Privacy Day, we urge EU policy makers to look closely at how the GDPR is working in practice, and to take note of the instances where the GDPR is applied in ways that place privacy protections above all other considerations – even appropriate security measures mandated by the GDPR’s Article 32 that take into account the state of the art of technology. When this happens, it can actually be detrimental to privacy. If taken to the extreme, this formulaic approach would not only negatively impact cybersecurity and data protection, but even put into question the functioning of the global Internet infrastructure as a whole, which depends on cross-border data flows. So what can be done to avert this?
First, we believe EU policymakers could adopt guidelines (if not legal clarification) for regulators that IP addresses should not be considered personal data when they cannot be linked by an entity to a real person. Second, policymakers should clarify that the GDPR’s application should be considered with the cybersecurity benefits of data processing in mind. Building on the GDPR’s existing recital 49, which rightly recognizes cybersecurity as a legitimate interest for processing, personal data that needs to be processed outside the EU for cybersecurity purposes should be exempted from GDPR restrictions to international data transfers. This would avoid some of the worst effects of the mindset that currently views data localization as a proxy for data privacy. Such a shift would be a truly pro-privacy application of the GDPR.
Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.
To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.
Updated: Jan 22, 2024, 15:17 PM By Claire Broadley Content Manager REVIEWED By Jared Atchison President and co-owner
Is Gmail blocking emails that you send? You’re not alone.
Google has always been strict in blocking rogue senders in its fight against spam.
In 2024, it’s tightening up the rules and enforcing tighter anti-spam limits. That means emails you send to Gmail mailboxes won’t arrive if you’re not compliant.
The amount of spam emails that Google’s servers deal with is mind-bogglingly huge. About half of all emails sent daily are spam, and according to The Tech Report, about 1.8 billion people use Gmail. It has a vested interest in keeping spam out of its customers’ inboxes.
This article explains who’s impacted by Google’s new sending requirements, what exactly will change this year, and what you need to do to ensure your emails are delivered.
Gmail is likely blocking your emails for one of 2 reasons. Either you’re on a spam blacklist already, or you don’t comply with its new requirements for bulk senders.
Reason 1. Google Put Your Domain On a Spam Blacklist
It only takes a few people to click Mark as Spam in Gmail for your domain reputation to be impacted. This can result in Gmail adding your email to a blacklist if the spam complaints build up.
Once you’re on a blacklist, you’ll have to earn the trust of email providers to be removed.
“Getting off a blacklist is often not a straightforward task. It’s usually not just a case of requesting your removal – you’ll also have to show what you’ve done to resolve the issues that lead to your blacklisting in the first place. ”
-Rachel Adnyana, Email Deliverability Expert at SendLayer
Blacklists are not new, but the threshold for being added to one is lower than it once was.
The telltale sign that you’re on a blacklist is an error like this:
421-4.7.0 unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.
550-5.7.1 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.
You may see a different 500 error when sending an email if you’re impacted by this. You can look through the SendLayer error library if you see an error you don’t understand.
We’ll explain how you can resolve this problem in just a minute. First, let’s look at the other possible cause of emails to Gmail being blocked.
Reason 2. Your Emails Aren’t Authenticated
Emails are often sent without authentication, but they are sometimes delivered anyway.
If you have a WordPress website, it’ll send emails without authentication by default. You will likely find them in your spam folder.
Some Gmail users will find their contact form emails don’t arrive at all.
As email providers become less tolerant of unauthenticated emails, we’re seeing more support tickets from customers whose WordPress emails go to spam. Some say they used to be delivered, but now aren’t. It’s confusing when this happens. “I didn’t change anything, so why did my emails stop sending?”
It’s not that your website changed. It’s more likely that the rules for detecting spam got tougher. Soon, senders who don’t authenticate their emails will be blocked from emailing Gmail recipients at all.
The telltale sign is an error like this:
550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for example.com did not pass with ip: 192.186.0.1.
As you can see, Google is cracking down on domains that don’t have SPF, DMARC, and DKIM configured. If you’re not sure what that means, I’ll explain more in the next section.
Who Do Gmail’s New Rules Apply To?
Initially, the SPF, DMARC, and DKIM requirement will apply to bulk senders. Google defines a bulk sender as a domain that has, at some point, sent more than 5,000 emails to Gmail recipients in a single day.
‘Gmail recipients’ means anyone with an email ending @gmail.com or @googlemail.com, and people who are using custom domains or Google Workspace to receive emails.
You only need to send 5,000 emails once to be considered a bulk sender forever. Remember: this applies to all emails you send from your domain.
Email authentication is best practise and should be set up to maintain good deliverability — even if you’re not considered a bulk sender.
How to Stop Gmail Blocking Your Emails
Now to the important part. How do you stop Gmail blocking the emails you send?
Email deliverability issues can seriously harm your business. If you use Google Workspace, they could even prevent you from sending emails to your own employees.
If your newsletters are considered to be spam, and people mark them as such, that could mean your purchase receipts don’t get through in the future.
No matter why Gmail is blocking your emails, the solutions are the same. First, let’s set up a free reporting tool so you can see your email spam complaints.
1. Set Up Google Postmaster Tools (Bulk Senders)
Google Postmaster Tools is a free tool that will show you exactly what your spam complaint rate is.
If you send a large number of emails, it’s worth creating an account because it will allow you to understand your current standing with Gmail.
You’ll need to authenticate your domain before your spam complaint rate appears. If you’ve already authenticated it for services like Google Analytics, you may find that setup is almost instant.
If you see any spikes in Postmaster Tools’ spam reporting, or you’re consistently maintaining a level of spam complaints over 0.1%, you might not be able to send emails to Gmail recipients (and that includes customers on Google Workspace).
The absolute maximum spam complaint rate that Google will tolerate is 0.3%.
If your spam complaints are trending higher, it’s a sign you need to get to the bottom of the causes. People could be marking emails as spam for all kinds of reasons, but here are a few that Google has specifically highlighted:
You might be sending emails to people who are not expecting to receive them.
Trying to get people on a mailing list to inflate the size can be tempting. After all, you’ll cast a wider net when you send out a marketing email.
But it will could your deliverability too. More people will mark your emails as spam if you don’t give them any choice.
You might not be making it easy for people to unsubscribe.
You need to have a way for people to unsubscribe from your emails. You also need to implement a one-click unsubscribe list header if your email marketing platform supports that.
People could be sending spam through your website forms.
This is surprisingly common. If you don’t protect your contact form from spam, the junk email that passes through it hurts your deliverability because it appears to come from your domain.
You have a security issue on your website and you’re spamming people without even knowing.
In WordPress, there are a few common causes of poor security:
Poor security on your WordPress admin account, meaning your passwords are easy to guess and other people can get into your dashboard.
Nulled plugins, which can contain malicious code, including code that sends spam or phishing emails.
Poor security on your hosting account; for example, if you have a VPS, you need to watch out for hackers getting access and setting up SMTP relays that blast out emails without you knowing.
All in all, this is about keeping a close eye on what you’re sending and who you’re sending to.
2. Authenticate Emails From WordPress
If you’re still using WordPress without an SMTP plugin, we highly recommend that you install one to stop messages to Gmail from being blocked.
WP Mail SMTP steps in to handle all outgoing email from your WordPress site, routing it through a proper email provider. That authenticates the emails and stops them from being blocked.
WP Mail SMTP easy to set up thanks to the Setup Wizard and it supports many popular email platforms.
You can also purchase the additional plugin setup service if you need a hand getting your email authentication working.
The Pro version of WP Mail SMTP is worth it because it adds lots of useful email logging and routing features. But if you just need to fix blocked emails to Gmail, the free version of WP Mail SMTP will do that.
We already talked about issues that can arise without proper authentication.
You can authenticate your emails by ensuring they have the correct email headers: DKIM, SPF, and DMARC.
These 3 records prove that the emails you send are from you — the domain owner — not a random person pretending to be you.
In the past, you could get away without setting up these records, but Google will no longer allow you to skip this. If you’re seeing the 5.7.26 error from Gmail, you need to review your DNS records to figure out what’s missing.
Your email provider(s) will typically provide all 3 records and explain how to add them to your DNS. If you need a little more help, we have a few blog posts to help you understand what’s required:
Just to add: Google also requires a PTR record, which is sometimes called forward reverse DNS, or full circle DNS.
Your web host or email provider should handle the creation and management of your PTR record, but it’s worth checking that it has been set up, just to rule out any future problems. See our post on What is a PTR record? to find out more.
The From Email is the sender email — the email address your emails appear to come from.
You should send emails from an email address at the same domain as your website. In other words, don’t authenticate your domain and send emails from a totally different account elsewhere. Make sure everything matches.
WP Mail SMTP has settings specifically to allow you to set the from email (and the corresponding from name):
What about real email addresses vs fake ones? It’s good practise to avoid using noreply@domain.com (or any non-existent email address) as a From Email.
5. Send Email With TLS
When you’re sending emails through WordPress (or any other platform) using an SMTP server, you should use a provider that uses TLS to make the connection.
TLS stands for Transport Layer Security. It’s better than SSL because it’s more secure, and the end goal is that TLS will eventually replace the older SSL protocol.
We don’t need to go into a huge amount of detail on this. Most email providers will support TLS so you may already be using it. But it’s worth double-checking your account to make sure you’re using the latest settings.
6. Add Unsubscribe Links to Marketing Emails
Most businesses send transactional emails and marketing emails.
So what’s the difference?
Transactional emails are emails that are necessary for the normal operation of your business. Password reset emails, renewal reminders, and receipts are all transactional. These kinds of emails usually need to be delivered immediately to be effective.
Marketing emails are emails you send to promote your products and services. They don’t necessarily need to be sent immediately, and they are not essential for a customer.
There are 2 things to think about here.
First, marketing emails must have an unsubscribe link in the footer of the email. The link doesn’t have to be huge, but it has to be clearly visible.
Second, you should also make sure that your newsletters have a one-click unsubscribe link at the top.
In Gmail, this link triggers an instant unsubscribe popup. This is going to be important if you want to prevent your emails from being blocked in the future.
The one-click unsubscribe link near the subject line is triggered by list unsubscribe headers. Your email provider should be able to add these headers for you.
If you’re not sure what to ask for, the header is the technical part of the email that we don’t normally see; here’s what it looks like:
One question we’re asked a lot is this: Do transactional emails need to have unsubscribe links? They do not. However:
Include unsubscribe links in all marketing emails.
Don’t send emails that have a mixture of transactional and marketing content in them to try to get around this rule.
It’s OK to give people the choice of which email marketing lists they want to be subscribed to, but Google is clear that you must also provide an option to unsubscribe from all marketing emails.
7. Use Double Optins Where Possible
Google recommends that everyone who sends marketing emails uses double optins.
A double optin means that someone has to choose to join your list and confirm their choice, usually by clicking a confirmation link.
While Google won’t block emails to Gmail if you don’t use double optins, the truth is that single optins result in higher spam complaints. So implementing them will keep that important spam complaint rate low.
The downside of double optins is that you’ll grow your list more slowly because you will sign up fewer leads.
Recovering From a Gmail Block
If your WordPress emails are being blocked to Gmail recipients, running through this guide should help you to figure out the reason why.
If Google is rejecting emails from your domain because it’s missing some crucial DNS records, adding them might resolve the problem quickly.
If your domain or IP is on a blacklist, it’ll take longer to recover. You’ll need to earn the trust of email providers and slowly improve your domain or IP reputation.
Make it easy for people to leave your mailing lists and don’t send them emails they don’t want. This will reduce the likelihood of them marking emails as spam, therefore keeping your spam complaint rate low.
It can take time to clean up your lists, but removing people who aren’t opening your emails is a good first step. Re-engagement workflows typically unsubscribe people who aren’t responsive, helping to reduce spam complaints, and automatically unsubscribing invalid email addresses can also help.
Email providers like Brevo or SMTP.com are used to helping customers with these issues. If you’re concerned, reach out to them for advice. They may be able to change your sender IP or help you look into your bounce rates to diagnose the problem.
It’s difficult to say how long recovery will take. It depends on the reason you were blocked and the severity of the problem. Either way, prevention is always better than the cure.
If WordPress emails are not being delivered to Gmail and you can’t figure out why, our support team is standing by to help.
Ready to fix your emails? Get started today with the best WordPress SMTP plugin. If you don’t have the time to fix your emails, you can get full White Glove Setup assistance as an extra purchase, and there’s a 14-day money-back guarantee for all paid plans.
If this article helped you out, please follow us on Facebook and Twitter for more WordPress tips and tutorials.
By: Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot, Ian Kenefick January 09, 2024 Read time: 8 min (2105 words)
A threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot. a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.
Pikabot is a type of loader malware that was actively used in spam campaigns by a threat actor we track under the Intrusion set Water Curupira in the first quarter of 2023, followed by a break at the end of June that lasted until the start of September 2023. Other researchers have previously noted its strong similarities to Qakbot, the latter of which was taken down by law enforcement in August 2023. An increase in the number of phishing campaigns related to Pikabot was recorded in the last quarter of 2023, coinciding with the takedown of Qakbot — hinting at the possibility that Pikabot might be a replacement for the latter (with DarkGate being another temporary replacement in the wake of the takedown).
Pikabot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server. Pikabot is a sophisticated piece of multi-stage malware with a loader and core module within the same file, as well as a decrypted shellcode that decrypts another DLL file from its resources (the actual payload).
In general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot.
Pikabot, which gains initial access to its victim’s machine through spam emails containing an archive or a PDF attachment, exhibits the same behavior and campaign identifiers as Qakbot.
Figure 1. Our observations from the infection chain based on Trend’s investigation
Initial access via email
The malicious actors who send these emails employ thread-hijacking, a technique where malicious actors use existing email threads (possibly stolen from previous victims) and create emails that look like they were meant to be part of the thread to trick recipients into believing that they are legitimate. Using this technique increases the chances that potential victims would select malicious links or attachments. Malicious actors send these emails using addresses (created either through new domains or free email services) with names that can be found in original email threads hijacked by the malicious actor. The email contains most of the content of the original thread, including the email subject, but adds a short message on top directing the recipient to open the email attachment.
This attachment is either a password-protected archive ZIP file containing an IMG file or a PDF file. The malicious actor includes the password in the email message. Note that the name of the file attachment and its password vary for each email.
Figure 2. Sample email with a malicious ZIP attachmentFigure 3. Sample email with a malicious PDF attachment
The emails containing PDF files have a shorter message telling the recipient to check or view the email attachment.
The first stage of the attack
The attached archive contains a heavily obfuscated JavaScript (JS) with a file size amounting to more than 100 KB. Once executed by the victim, the script will attempt to execute a series of commands using conditional execution.
Figure 4. Files extracted to the attached archive (.zip or .img)Figure 5. Deobfuscated JS command
The script attempts command execution using cmd.exe. If this initial attempt is unsuccessful, the script proceeds with the following steps: It echoes a designated string to the console and tries to ping a specified target using the same string. In case the ping operation fails, the script employs Curl.exe to download the Pikabot payload from an external server, saving the file in the system’s temporary directory.
Subsequently, the script will retry the ping operation. If the retry is also unsuccessful, it uses rundll32.exe to execute the downloaded Pikabot payload (now identified as a .dll file) with “Crash” as the export parameter. The sequence of commands concludes by exiting the script with the specified exit code, ciCf51U2FbrvK.
We were able to observe another attack chain where the malicious actors implemented a more straightforward attempt to deliver the payload. As before, similar phishing techniques were performed to trick victims into downloading and executing malicious attachments. In this case, password-protected archive attachments were deployed, with the password contained in the body of the email.
However, instead of a malicious script, an IMG file was extracted from the attachment. This file contained two additional files — an LNK file posing as a Word document and a DLL file, which turned out to be the Pikabot payload extracted straight from the email attachment:
Figure 6. The content of the IMG file
Contrary to the JS file observed earlier, this chain maintained its straightforward approach even during the execution of the payload.
Once the victim is lured into executing the LNK file, rundll32.exe will be used to run the Pikabot DLL payload using an export parameter, “Limit”.
The content of the PDF file is disguised to look like a file hosted on Microsoft OneDrive to convince the recipient that the attachment is legitimate. Its primary purpose is to trick victims into accessing the PDF file content, which is a link to download malware.
Figure 7. Malicious PDF file disguised to look like a OneDrive attachment; note the misspelling of the word “Download”
When the user selects the download button, it will attempt to access a malicious URL, then proceed to download a malicious JS file (possibly similar to the previously mentioned JS file).
The delivery of the Pikabot payload via PDF attachment is a more recent development, emerging only in the fourth quarter of 2023.
We discovered an additional variant of the malicious downloader that employed obfuscation methods involving array usage and manipulation:
Figure 8. Elements of array “_0x40ee” containing download URLs and JS methods used for further execution
Nested functions employed array manipulation methods using “push” and “shift,” introducing complexity to the code’s structure and concealing its flow to hinder analysis. The presence of multiple download URLs, the dynamic creation of random directories using the mkdir command, and the use of Curl.exe, as observed in the preceding script, are encapsulated within yet another array. The JavaScript will run multiple commands in an attempt to retrieve the malicious payload from different external websites using Curl.exe, subsequently storing it in a random directory created using mkdir.
Figure 9. Payload retrieval commands using curl.exe
The rundll32.exe file will continue to serve as the execution mechanism for the payload, incorporating its export parameter.
Figure 10. Payload execution using rundll32.exe
The Pikabot payload
We analyzed the DLL file extracted from the archive shown in Figure 6 and found it to be a sample of a 32-bit DLL file with 1515 exports. Calling its export function “Limit”, the file will decrypt and execute a shellcode that identifies if the process is being debugged by calling the Windows API NtQueryInformationProcess twice with the flag 0x7 (ProcessDebugPort) on the first call and 0x1F ProcessDebugFlags on the second call. This shellcode also decrypts another DLL file that it loads into memory and then eventually executes.
Figure 11. The shellcode calling the entry point of the decrypted DLL file
The decrypted DLL file will execute another anti-analysis routine by loading incorrect libraries and other junk to detect sandboxes. This routine seems to be copied from a certain GitHub article.
Security/Virtual Machine/Sandbox DLL files
Real DLL files
Fake DLL files
cmdvrt.32.dll
kernel32.dll
NetProjW.dll
cmdvrt.64.dll
networkexplorer.dll
Ghofr.dll
cuckoomon.dll
NlsData0000.dll
fg122.dll
pstorec.dll
avghookx.dll
avghooka.dll
snxhk.dll
api_log.dll
dir_watch.dll
wpespy.dll
Table 1. The DLL files loaded to detect sandboxes
After performing the anti-analysis routine, the malware loads a set of PNG images from its resources section which contains an encrypted chunk of the core module and then decrypts them. Once the core payload has been decrypted, the Pikabot injector creates a suspended process (%System%\SearchProtocolHost) and injects the core module into it. The injector uses indirect system calls to hide its injection.
Figure 12. Loading the PNG images to build the core module
Resolving the necessary APIs is among the malware’s initial actions. Using a hash of each API (0xF4ACDD8, 0x03A5AF65E, and 0xB1D50DE4), Pikabot uses two functions to obtain the addresses of the three necessary APIs, GetProcAddress, LoadLibraryA, and HeapFree. This process is done by looking through kernel32.dll exports. The rest of the used APIs are resolved using GetProcAddress with decrypted strings. Other pertinent strings are also decrypted during runtime before they are used.
Figure 13. Harvesting the GetProcAddress and LoadLibrary API
The Pikabot core module checks the system’s languages and stops its execution if the language is any of the following:
Russian (Russia)
Ukrainian (Ukraine)
It will then ensure that only one instance of itself is running by creating a hard-coded mutex, {A77FC435-31B6-4687-902D-24153579C738}.
The next stage of the core module involves obtaining details about the victim’s system and forwarding them to a C&C server. The collected data uses a JSON format, with every data item using the wsprintfW function to fill its position. The stolen data will look like the image in Figure 13 but with the collected information before encryption:
Figure 14. Stolen information in JSON format before encryption
Pikabot seems to have a binary version and a campaign ID. The keys 0fwlm4g and v2HLF5WIO are present in the JSON data, with the latter seemingly being a campaign ID.
The malware creates a named pipe and uses it to temporarily store the additional information gathered by creating the following processes:
whoami.exe /all
ipconfig.exe /all
netstat.exe -aon
Each piece of information returned will be encrypted before the execution of the process.
A list of running processes on the system will also be gathered and encrypted by calling CreateToolHelp32Snapshot and listing processes through Process32First and Process32Next.
Once all the information is gathered, it will be sent to one of the following IP addresses appended with the specific URL, cervicobrachial/oIP7xH86DZ6hb?vermixUnintermixed=beatersVerdigrisy&backoff=9zFPSr:
70[.]34[.]209[.]101:13720
137[.]220[.]55[.]190:2223
139[.]180[.]216[.]25:2967
154[.]61[.]75[.]156:2078
154[.]92[.]19[.]139:2222
158[.]247[.]253[.]155:2225
172[.]233[.]156[.]100:13721
However, as of writing, these sites are inaccessible.
C&C servers and impact
As previously mentioned, Water Curupira conducts campaigns to drop backdoors such as Cobalt Strike, which leads to Black Basta ransomware attacks.It is this potential association with a sophisticated type of ransomware such as Black Basta that makes Pikabot campaigns particularly dangerous.
The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot.
Lastly, we have observed distinct clusters of Cobalt Strike beacons with over 70 C&C domains leading to Black Basta, and which have been dropped via campaigns conducted by this threat actor.
Security recommendations
To avoid falling victim to various online threats such as phishing, malware, and scams, users should stay vigilant when it comes to emails they receive. The following are some best practices in user email security:
Always hover over embedded links with the pointer to learn where the link leads.
Check the sender’s identity. Unfamiliar email addresses, mismatched email and sender names, and spoofed company emails are signs that the sender has malicious intent.
If the email claims to come from a legitimate company, verify both the sender and the email content before downloading attachments or selecting embedded links.
Keep operating systems and all pieces of software updated with the latest patches.
Regularly back up important data to an external and secure location. This ensures that even if you fall victim to a phishing attack, you can restore your information.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before ransomware can do any damage.
Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
The indicators of compromise for this blog entry can be found here.
