Cyber war is a reality. Ever-evolving geo-political tensions shape and modify the cyber risk for organisations and states.
The quick escalation of the current war in Europe led the national CSIRTs (Computer Security Incident Response Teams) to issue guidelines for mitigating the risks of potential cyber-attacks against companies, institutions, infrastructure and communication systems.
Email is the most used (and abused) communication channel between organisations, and most breaches start with an email. Targeted campaigns are a common attack vector for state actors and politically motivated cybercriminals. The most common way of weaponizing email is through phishing and malware attacks.
We expect that the “usual” malicious actors will also quickly exploit this tension, and the fear it brings with it, for all kinds of financially motivated scams, phishing and ransomware campaigns. They have learned to move fast and to quickly abuse topics that draw attention and trigger emotions. They did it effectively with the pandemic, and they have already started to use this new topic.
We are anticipating a high volume of malicious campaigns on this theme, but it isn’t this kind of activity that most worries the CSIRTs. They are not referring to the usual financially motivated cybercriminal gangs changing the topic of their campaigns once again; they are mostly worried about state-sponsored and politically motivated attacks on critical infrastructure and organisations.
These attacks will not necessarily leverage topics related to the geo-political tensions or to military escalations. They will mostly be designed by skilled actors who try to stay below the radar and hit their victims with targeted campaigns. What I am saying is that the most dangerous phishing emails won’t necessarily be what you expect them to be.
Geo-Blocking is one of the tools that can be used to minimize the attack surface with regard to email attacks originating from specific countries.
Attackers can, of course, route their attacks through other countries, but this involves additional steps and increases the chances of the attack being detected.
Even if Geo-Blocking isn’t a silver bullet, it may be one of the rational mitigation measures to implement when the geo-political situation increases the chances of attacks from certain geographical areas.
Every organisation has its own needs. Some organisations exchange frequent communications with certain countries, others don’t. For some organisations, plainly blocking traffic from some countries is feasible; for others it isn’t, and a more elaborate approach is needed.
Possible strategies for geo-blocking email
You have basically two strategies for geo-blocking email: rejecting and quarantining.
Rejecting email at the SMTP level can be done by dropping connections from IP addresses belonging to a specific country. It is simple and effective in terms of resource usage, but it leaks information to the potential attacker: they will immediately know that you’re adopting this kind of mitigation measure, and they will change strategy.
Rejecting has another disadvantage: you have no visibility into the email traffic that has been rejected, you don’t know whether there was legitimate traffic among it, and you’re not aware of targeted attack attempts.
Finally, rejecting relies on the geo-location of the connecting IP address, which is sub-optimal: the email might have been relayed through a country you’re not blocking even though it originated in a country you would like to block.
Quarantining, on the other hand, involves accepting and analysing all email but silently quarantining (not delivering) email from specific origins.
One advantage of quarantining over rejecting is that, by accepting such email traffic, you’re not leaking any information to the potential attacker.
By quarantining you also have full visibility into the blocked traffic, and you can analyse the email samples in order to detect attempted attacks and investigate the technical tools and strategies the attackers are using (our analysts are always here to help you in this task).
Also, the quarantining policy can be defined not only on the last hop (the final relay that is attempting to deliver the email) but also on any of the intermediate hops. You can decide to block email that originated in (first hop) or was relayed through (intermediate hop) a specific country.
Finally, with a quarantining strategy you’re free to define exceptions and, for example, block email from an entire country unless it originates from a few specific organisations you have a relationship with.
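To make the two strategies concrete, here is an added Python example; it is not Libraesva’s code and does not show how any product implements geo-blocking. It contrasts a reject decision, which at SMTP time can only see the connecting IP, with a quarantine decision taken after acceptance over the whole Received chain (last, intermediate and first hop) with a sender-domain exception list. Everything in it is assumed: the IP-to-country table is constructed in place of a real GeoIP database, the policy dictionary is my own shape, the sample messages are constructed, and the From-domain exemption is meant to be applied only to messages that have already passed DMARC.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed IP-to-country table (assumption: a real deployment queries a GeoIP
# database). Prefixes are RFC 5737 documentation ranges; country codes are fictional.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # the country we want to block
    ipaddress.ip_network("198.51.100.0/24"): "YY",
    ipaddress.ip_network("192.0.2.0/24"): "ZZ",
}

# Assumed policy shape: countries to block, which hops to inspect, and exempt
# sender domains. Only honour the exemption for messages that passed DMARC;
# otherwise the From domain is trivially spoofable and the exemption is a bypass.
POLICY = {
    "blocked_countries": {"XX"},
    "hops": {"last", "intermediate", "first"},
    "exempt_sender_domains": {"partner.example"},
}

# The bracketed client address an MTA records in a Received header,
# e.g. "[203.0.113.10]" or "[IPv6:2001:db8::1]".
_IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def country_of(ip):
    """Country code for an IP address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEOIP_TABLE.items():
        if addr in network:
            return country
    return None


def smtp_reject_decision(client_ip, policy=POLICY):
    """Reject strategy: at SMTP time only the connecting (last-hop) IP is known."""
    return country_of(client_ip) in policy["blocked_countries"]


def hop_ips(raw_message):
    """One client IP per Received header, top to bottom.

    MTAs prepend Received headers, so index 0 is the last hop (the relay that
    connected to our MX) and index -1 is the first hop (where the mail originated).
    """
    msg = message_from_string(raw_message)
    ips = []
    for received in msg.get_all("Received", []):
        match = _IP_IN_BRACKETS.search(received)
        if match:
            ips.append(match.group(1))
    return ips


def quarantine_decision(raw_message, policy=POLICY):
    """Quarantine strategy: accept the mail, then inspect every hop.

    Returns (action, reason) with action "deliver" or "quarantine".
    """
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in policy["exempt_sender_domains"]:
        return ("deliver", f"exempt sender domain {sender_domain}")

    ips = hop_ips(raw_message)
    if not ips:
        return ("deliver", "no Received headers to evaluate")

    # Label each hop with its role so the reason records which rule fired;
    # a single-hop message is both the last and the first hop.
    labelled = [("last", ips[0])]
    labelled += [("intermediate", ip) for ip in ips[1:-1]]
    labelled.append(("first", ips[-1]))
    for role, ip in labelled:
        country = country_of(ip)
        if role in policy["hops"] and country in policy["blocked_countries"]:
            return ("quarantine", f"{role}-hop {ip} geolocated to {country}")
    return ("deliver", "no inspected hop is in a blocked country")


# Constructed sample: originated in XX, relayed via YY, handed to our MX from ZZ.
RELAYED_MESSAGE = """\
Received: from relay.zz.example (relay.zz.example [192.0.2.30])
    by mx.ourcompany.example with ESMTPS; Tue, 1 Mar 2022 10:00:03 +0000
Received: from hop.yy.example (hop.yy.example [198.51.100.20])
    by relay.zz.example with ESMTP; Tue, 1 Mar 2022 10:00:02 +0000
Received: from origin.xx.example (origin.xx.example [203.0.113.10])
    by hop.yy.example with ESMTP; Tue, 1 Mar 2022 10:00:01 +0000
From: Accounts <accounts@origin-xx.example>
To: user@ourcompany.example
Subject: Invoice attached

Please see the attached invoice.
"""

# Same route, but the sender domain is on the exception list.
PARTNER_MESSAGE = RELAYED_MESSAGE.replace(
    "From: Accounts <accounts@origin-xx.example>", "From: Ops <ops@partner.example>"
)
```

Run against the constructed sample, `smtp_reject_decision("192.0.2.30")` returns False because the connecting relay is in ZZ, while `quarantine_decision(RELAYED_MESSAGE)` quarantines it on the first hop in XX; that is exactly the relayed-through-an-unblocked-country case a connection-time reject cannot see. Narrowing the policy to `hops={"last"}` makes the quarantine decision behave like the reject one, and the partner message is delivered because its sender domain is on the exception list, which is why that list must only be honoured for authenticated mail.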
All this said, we generally suggest a quarantining strategy. Only under very particular circumstances can a reject strategy be considered.
Rodolfo Saccani, CTO @ Libraesva