Email is the most common attack vector exploited by attackers, and the continuing arms race they wage against traditional methods of protection makes those methods less and less effective. One set of technologies, however, makes it possible to react and substantially improve email defense: artificial intelligence.
Since its origin, email has relied on a protocol (SMTP) that still follows its initial specification and carries very little security of its own. Abusing it for malicious purposes is easy enough that attackers can deceive both the attentiveness of users and the traditional solutions entrusted to protect them. This is why the enterprise email gateways responsible for judging the legitimacy of an email's content and discarding dangerous messages are proving less and less effective. They use simple rules that work well once a threat has been identified. But these rules, which depend largely on lists and attack signatures, are rigid and hard to evolve at the same pace as the threats themselves. Above all, attackers never stop improving their methods. More than ever, email recipients are in danger, and their enterprise along with them.
To protect business email, new tools are needed: to withstand the explosion in email volume, to detect waves of attacks, and to qualify the legitimate content that must be delivered to its recipients while discarding whatever presents a danger or a risk. These tools will have to meet the goals in terms of volume and speed of handling, but also be capable of making predictions in order to anticipate new, highly dynamic threats. This does not mean rejecting the solutions currently in place: they have proven their worth by identifying known threats, which are still present and dangerous, especially when the defenses of the newer tools are not yet up to date.
Attackers understand this well. To be more effective, they move away from mass attacks, which are easy to detect and fight, towards personalized ones: polymorphic malware whose content is transformed to avoid detection, and phishing and spear-phishing emails that use social engineering to deceive an individual rather than a crowd. They multiply waves of attacks in small volumes and short timeframes, seeking in this way to stay below detection thresholds. The defender, the email monitoring and threat detection solution, must in turn anticipate these multiplying attacks. For that, it needs tools that are highly reactive but above all predictive, capable of automating the learning of new threats and thereby protecting users without their noticing.
Artificial Intelligence (AI), and more specifically Machine Learning (ML), meet this expectation. ML algorithms learn models of what infected and clean emails look like, including the links and attachments they carry, from labelled examples, and apply those models to each incoming message to produce a verdict. The email is discarded if it presents a threat, or continues on its way to its recipient if it is clean. The analysis thus relies on three things: the rules and labelled data that feed the algorithms; very large volumes of data, processed in Big Data mode, which provide the mass of information and the baseline against which changes can be detected; and the ability to learn via Machine Learning. What would catch a human analyst's attention is automated in the algorithms.
In the fight against threats to email, AI and ML do not replace the traditional tools; they complement them by adding two dimensions, the predictive and the reactive. If the signatures of the emails and malware are already known, classic tools are perfectly capable of detecting and blocking an attack. Machine learning, on the other hand, makes it possible to detect attacks that are not yet known, and to add new rules more quickly and efficiently. Add to this the essential role of control and validation played by the people in charge of these solutions. This is why deploying ML as a complement to 'classic' solutions offers more control and precision, and substantially better results.
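The layering described in the two paragraphs above, shown as an added example that is not code from the original article or from any vendor's product: a signature layer (blocklisted sender domains and attachment hashes) runs first and catches known samples exactly; a small naive Bayes text classifier trained on labelled mail then scores whatever the lists miss; and scores the model is unsure about are routed to a human analyst. The indicators, the ten training messages and the four test messages are all constructed for the example, and naive Bayes stands in for whatever model a real gateway uses. The point it demonstrates is the one the text makes: a recompiled, reworded copy of a known sample slips past the hash list but is still flagged by the model, while the known sample is blocked by the list before the model is consulted at all.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Layer 1: classic list/signature rules. Domain and hash are constructed, not real indicators.
BLOCKED_SENDER_DOMAINS = {"invoice-mailer.example"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ...fake dropper v1").hexdigest()}


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: tuple = ()  # raw attachment bytes


def signature_verdict(mail):
    """Return the matching indicator when a known-bad list entry hits, else None."""
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in BLOCKED_SENDER_DOMAINS:
        return f"sender domain {domain} is blocklisted"
    for blob in mail.attachments:
        digest = hashlib.sha256(blob).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            return f"attachment sha256 {digest[:12]}... is a known sample"
    return None


# Layer 2: a multinomial naive Bayes classifier learned from labelled mail.
TOKEN = re.compile(r"[a-z0-9']+")


def tokens(mail):
    """Words from subject and body, plus two structural features."""
    toks = TOKEN.findall(f"{mail.subject} {mail.body}".lower())
    toks.append("HAS_ATTACHMENT" if mail.attachments else "NO_ATTACHMENT")
    if re.search(r"https?://", mail.body):
        toks.append("HAS_URL")
    return toks


class NaiveBayes:
    def __init__(self):
        self.words = {"malicious": Counter(), "benign": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def fit(self, labelled):
        for mail, label in labelled:
            self.docs[label] += 1
            for t in tokens(mail):
                self.words[label][t] += 1
                self.vocab.add(t)
        return self

    def p_malicious(self, mail):
        """Posterior P(malicious | tokens); Laplace smoothing keeps unseen (reworded) tokens from zeroing it."""
        logp = {}
        for label, counts in self.words.items():
            n, lp = sum(counts.values()), math.log(self.docs[label] / sum(self.docs.values()))
            for t in tokens(mail):
                lp += math.log((counts[t] + 1) / (n + len(self.vocab)))
            logp[label] = lp
        m = max(logp.values())
        return math.exp(logp["malicious"] - m) / sum(math.exp(v - m) for v in logp.values())


def classify(mail, model, block_at=0.9, review_at=0.5):
    """Signatures first (cheap, exact), then the model; uncertain scores go to an analyst."""
    if (hit := signature_verdict(mail)):
        return "block", hit
    p = model.p_malicious(mail)
    if p >= block_at:
        return "block", f"model score {p:.3f}"
    if p >= review_at:
        return "review", f"model score {p:.3f}, queued for an analyst"
    return "deliver", f"model score {p:.3f}"


# Constructed training corpus: five benign and five malicious messages.
TRAINING = [
    (Email("alice@corp.example", "Tuesday team meeting", "Agenda for the weekly team meeting is below. See you in room 4."), "benign"),
    (Email("bob@corp.example", "Lunch tomorrow?", "Anyone free for lunch tomorrow near the office?"), "benign"),
    (Email("carol@corp.example", "Q3 report draft", "Draft of the quarterly report attached for review before Friday.", (b"report.docx draft",)), "benign"),
    (Email("dave@corp.example", "Re: vacation schedule", "Confirming the vacation schedule we discussed, thanks."), "benign"),
    (Email("erin@partner.example", "Project kickoff notes", "Notes from the kickoff call are in the shared folder."), "benign"),
    (Email("billing@acme-pay.example", "Urgent: invoice overdue", "Your invoice is overdue. Open the attached document immediately to avoid penalty.", (b"invoice.doc macro",)), "malicious"),
    (Email("security@bank-alert.example", "Account suspended", "Your account has been suspended. Verify your password now at http://bank-alert.example/verify"), "malicious"),
    (Email("ceo@corp-exec.example", "Urgent wire transfer", "I need you to process an urgent wire transfer today. Keep this confidential."), "malicious"),
    (Email("it@helpdesk-reset.example", "Password expiry", "Your password expires today. Reset it at http://helpdesk-reset.example/reset immediately."), "malicious"),
    (Email("shipping@parcel-notice.example", "Delivery failed", "Your parcel delivery failed. Open the attached notice to reschedule.", (b"notice.zip",)), "malicious"),
]


def build_model():
    return NaiveBayes().fit(TRAINING)


# Constructed test messages; the variant is the known sample recompiled and reworded, so its hash no longer matches.
KNOWN_SAMPLE = Email("news@random-sender.example", "Your requested file", "Here is the file you asked for.", (b"MZ...fake dropper v1",))
POLYMORPHIC_VARIANT = Email("accounts@vendor-billing.example", "Overdue invoice", "Invoice overdue, open the attached document immediately to avoid a late penalty.", (b"MZ...fake dropper v2",))
BENIGN = Email("frank@corp.example", "Team meeting moved", "The weekly team meeting is moved to Thursday, same room.")
BORDERLINE = Email("hr@corp.example", "Password policy reminder", "Reminder: change your password before Friday via the internal portal.")

if __name__ == "__main__":
    model = build_model()
    for name, mail in [("known sample", KNOWN_SAMPLE), ("polymorphic variant", POLYMORPHIC_VARIANT), ("benign", BENIGN), ("borderline", BORDERLINE)]:
        print(f"{name:20} -> {classify(mail, model)}")
```

The two thresholds are the operational knobs the article's "control and validation" role owns: raising `review_at` sends more mail to analysts, raising `block_at` trusts the model less. The legitimate password-policy reminder is included deliberately; it shares vocabulary with the phishing training set, so its score lands between the clearly benign and clearly malicious messages, which is exactly the case the human layer exists for.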
Let us not forget that, at the same time, fraudsters are looking for weaknesses in the AI itself (for instance by crafting messages the classifier scores as benign), which is enough to say that it too has its limits. The combination of the three approaches, traditional, AI and human, gives organizations the best results and the ability to combat the most sophisticated enterprise email attacks, such as spear phishing of the 'CEO fraud' kind: the hardest to detect and the highest priority, because they target human error and are driven by organized crime with large financial ambitions.