Threat Basics

Email Delivered Threats

Impostor email (business email compromise, BEC or CEO Fraud)

How does it work?

Impostor emails trick people into sending money—sometimes hundreds of thousands of dollars in a single wire transfer—or sensitive corporate or personal data. They appear to come from the CEO or another high-level executive and urge the recipient to keep the details confidential. Eager to please the boss, the recipient complies—realizing only later that the whole thing was a scam.

Impostor email threats have been successful across a wide range of geographies and industries. According to the FBI, this type of scam has siphoned more than $2.3 billion from more than 17,000 victims—and those are just reported incidents. Targets range from the largest banks to some of the smallest schools across the U.S., Europe, and Asia.

Impostor emails succeed for three primary reasons:

  • They look and feel legitimate.
  • They do not include a malicious link or malware attachment.
  • They do not arrive in high enough volumes to raise red flags in most anti-spam tools.

Because these threats do not use malicious attachments or URLs, they can evade solutions that look for only malicious content or behavior.

How do I protect against it?

Many security defenses look for malicious documents or known blacklisted URLs to identify emails as suspicious. Impostor email threats, though, rarely have these tell-tale features. They rely instead on social engineering and on busy, tired, or naive employees responding to fake requests for money and information. Vigilant employees are the last line of defense against impostor threats.

As with so many phishing schemes and other email-based attacks, impostor email threats bear common hallmarks that should send up a red flag for users if these messages make it past your organization's defenses:

  • High-level executives asking for unusual information: How many CEOs actually want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it's worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
  • Requests to not communicate with others: Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
  • Requests that bypass normal channels: Most organizations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
  • Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the presence of European date formats (day month year) or sentence construction that suggests the email was written by a non-native speaker is common in many of these attacks.
  • “Reply To” addresses that do not match sender addresses: This is rarely obvious in email clients or webmail applications, but impostor email threats are generally characterized by spoofed sender addresses. They may also use lookalike domains to fool recipients at a glance (yourc0mpany.com instead of yourcompany.com, for example).
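The last three hallmarks above (secrecy and urgency phrasing, a Reply-To that differs from the sender, and look-alike domains such as yourc0mpany.com) can be checked mechanically on inbound mail. The script below is an added example, not code from the original page or from Proofpoint; the sample message, the homoglyph table and the phrase list are constructed assumptions, and the organization's domain is passed in as a parameter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original page): the display name
# claims to be the CEO, the sender domain swaps "0" for "o", and Reply-To
# points at an unrelated mailbox so replies never reach the real executive.
SAMPLE_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@yourc0mpany.com>
Reply-To: jane.doe.ceo@example.net
To: controller@yourcompany.com
Subject: Urgent wire transfer
Date: Tue, 15 Mar 2016 09:12:00 +0100

I need a wire of 48,500 sent today to the vendor below. Please keep this
confidential and reply to this email only, I am in meetings all day.
"""

# Single-character substitutions frequently used in look-alike domains (assumed list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Phrases matching the hallmarks on this page: secrecy, urgency, bypassing normal channels.
_RED_FLAG_PHRASES = (
    "keep this confidential", "do not discuss", "reply to this email only",
    "urgent", "wire", "asap",
)


def normalize_domain(domain: str) -> str:
    """Fold common homoglyph tricks so a look-alike collapses onto the real domain."""
    folded = domain.lower().strip().translate(_HOMOGLYPHS)
    # Two-letter combinations that render like a single letter in many fonts.
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str) -> bool:
    """True when domain is not the organization's own but is visually or nearly identical."""
    if not domain or domain == org_domain:
        return False
    if normalize_domain(domain) == normalize_domain(org_domain):
        return True
    return edit_distance(normalize_domain(domain), normalize_domain(org_domain)) <= 1


def sender_domain(header_value) -> str:
    """Extract the domain part of an address header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_impostor_indicators(raw_message: str, org_domain: str) -> list:
    """Return the impostor-email hallmarks found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))

    # Hallmark: Reply-To that does not match the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # Hallmark: look-alike domain in either address.
    for label, dom in (("sender", from_dom), ("reply-to", reply_dom)):
        if is_lookalike(dom, org_domain):
            findings.append(f"{label} domain {dom} is a look-alike of {org_domain}")

    # Hallmark: secrecy and urgency wording; scan subject and body as one
    # whitespace-normalized string so line wrapping does not split a phrase.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = " ".join((msg.get("Subject", "") + " " + body).lower().split())
    hits = [p for p in _RED_FLAG_PHRASES if p in text]
    if hits:
        findings.append("pressure/secrecy phrasing: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in check_impostor_indicators(SAMPLE_MESSAGE, "yourcompany.com"):
        print("FLAG:", finding)
```

A gateway rule built on these checks should route hits to a quarantine the user cannot release, rather than just tagging the subject line.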

Here are a few tips to keep organizations safe in the face of these increasingly common attacks:

  • Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China.
  • If something doesn't feel right, it probably isn't. Encourage employees to trust their instincts and ask "Would my CEO actually tell me to do this?" or "Why isn't this supplier submitting an invoice through our portal?"
  • Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager is quickly going through emails, she is less likely to pause and consider whether a particular request is suspect.

Perhaps the most important message is that robust email, network, and endpoint security solutions must work alongside user-education initiatives.

Download our Business Email Compromise white paper, “The Impostor In The Machine,” and visit the Business Email Compromise Threat Reference page for more information.


Ransomware

How Does it Work?

Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. In many cases, the ransom demand comes with a deadline—if the victim doesn’t pay in time, the data is gone forever.

Popular variants include Cryptolocker, Cryptowall, TeslaCrypt, and more recently, Locky. Discovered by Proofpoint in February 2016, Locky spreads through phishing email that contains Word documents with embedded malicious macros.


While originally focused largely on personal computers, ransomware has increasingly targeted server-class machines. Attackers assume, correctly, that businesses will pay more to unlock critical systems and resume daily operations than to unlock individual users’ machines.

Enterprise ransomware infections usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL of a website that is malicious or has been compromised.

At that point, the ransomware agent is installed and begins encrypting key files. It encrypts not only the victim’s PC but all of the attached file shares—in other words, critical shared resources for an entire division, company, or agency.

After encrypting the data, the ransomware displays a message on the infected device. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises, they’ll get a code to unlock their data.

Ransomware can be costly and disruptive. Beyond the ransom itself—which can be tens of thousands of dollars for a single infection—restoring lost data and fixing infected systems consumes time and resources. If key files are lost permanently, critical operations could grind to a halt.

How can I protect against it?

Before you’re infected:

  • Defend your email. Email phishing and spam are the main way that ransomware is distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails that lead to malicious applications and documents being delivered to user computers.
  • Defend your mobile devices. Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyze apps on your users’ devices and immediately alert users and IT to any apps that might compromise your environment.
  • Defend your web surfing. Secure web gateways can scan your users’ web traffic to identify malicious web ads that might lead them to ransomware.
  • Monitor your servers and network. Monitoring tools can detect unusual file access activity, network C&C traffic, and CPU loads—possibly in time to block ransomware from activating.
  • Back up key systems. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a crucial operational bottleneck. Copy on a regular basis and test often to be sure crucial data is correctly backed up and can be reinstalled if the worst happens.

If you’re already infected:

  • Call federal and local law enforcement. Just as you would call a federal agency for a physical-world kidnapping, you need to call the same bureau for ransomware. Their forensic technicians can ensure your systems aren’t compromised in other ways, gather information to better protect you going forward, and try to find the attackers.
  • Restore your data. If you’ve followed best practices and kept system backups, you can restore your systems and resume normal operations.

Download our Ransomware Survival Guide and visit the Ransomware Threat Reference page for more information.


Spam

What is it?
Spam, also known as Unsolicited Commercial Email (UCE), consists of often-questionable, mass-emailed advertisements. At its peak, spam accounted for 92% of all email traffic, and most of it was non-malicious.

Spammers might buy a mailing list and that list may be legitimate. More likely, however, they’ll use web-scraping to collect publicly posted email addresses across the web. And if they’re not doing that, they’ll be generating aliases through permutations of names and domains, like kevina@gmail.com or kevinb@gmail.com, in the expectation of getting lucky.

Spammers can then easily system-generate and email the same message to the entire list they have created. Sometimes they’ll add randomly generated phrases or words to the end of the message, aiming to make each look different and fool automated email filters.

The email content itself usually extols the virtue of a product or service and provides contact details for readers to place an order.

Why is it a threat?
While spam volumes are not at peak levels, spammers have become more sophisticated. They now use Traffic Distribution Systems (TDS) to run their campaigns, which lets a single campaign serve different types of spam, and even malware, to different types of machines in different locations. These more sophisticated techniques for sending large volumes of email increase the risk and cost faced by enterprises. At the same time, for certain users it is critical to distinguish between spam, unwanted bulk mail, and wanted bulk mail, which creates a real challenge for IT organizations trying to balance different user needs against risk.

The receipt, processing, classification, and disposal of spam and unwanted mail consumes system and employee bandwidth, creating a service quality issue. Since typical spam is very easily identified by most enterprise users once it reaches their inbox, dealing with spam is perceived as especially frustrating because it is such a visible nuisance.

How can I protect against it?
The focus of basic spam protection should be on avoiding Denial of Service or service quality issues, and on minimizing delivery to reduce user frustration. Look for an email gateway product with the ability to protect an organization from Distributed Denial of Service (DDoS) and with technology that delivers a high catch rate and low false positives when identifying spam through content analysis.

For more sophisticated spam that uses TDS and other techniques to deliver campaign email and malicious threats, ideally use a hybrid-cloud or full-cloud email gateway solution that offers Big Data analysis features. This typically means using large datasets, such as historical data and velocity tracking, to build behavioral models that can catch emerging sophisticated campaigns regardless of the volume and velocity of the email received.


Information Seeking Scams

How does it work?
Scammers want information, and they try to extract it by tricking email recipients. The information they collect could be as simple as an organization chart, or as significant as usernames and passwords for corporate resources.

First, attackers collect email addresses from public postings, social sites, and guesses at a company’s email address format, such as a.lastname@company.com. Next, they email a compelling offer, pretend to be a service provider, or try to impersonate the IT team, among other tricks.

In most cases, this is a short, very convincing text-only message. It can be as simple as “Your mailbox has reached the enterprise limit, click here or reply to this email to request an increased mailbox size from IT if required,” or much more sophisticated: “I’m an administrator for your company’s benefits program and am contacting you to take a look at the changes we will soon be making to the program, click here to see the details before we schedule a quick call to discuss.”

Some recipients who fall for these tricks will reply to the offer. If the user entertains a two-way dialogue, this can turn into an actual conversation between the user and the attacker that leads to an innocent-looking but significant request.

How can I protect against it?
User education is a good step. Additionally, look for an email gateway with a machine-learning function and real-time IP reputation scanning. The ability to detect suspicious language and sender characteristics is key. Solutions must also be capable of keeping such scams out of the user-releasable quarantine, to avoid any risk of users gaining access to this kind of phish.


Hostile Email Attachments

How does it work?
Attackers attach files to email that indirectly launch an executable program that can destroy data, steal and upload information to outsiders, or can silently use the infiltrated computer for other tasks – all without the user’s knowledge.

Most email systems automatically block obvious executable programs. Attackers usually conceal an exploit inside other types of files: Microsoft Word documents, ZIP or RAR archives, Adobe PDF documents, or even image and video files. The exploit takes advantage of known software vulnerabilities and then downloads an additional payload to the computer for persistence. The attackers typically send these attachments with email content that is convincing enough to make the user believe it is plausibly legitimate communication.

A user just needs to open the attachment to access its content, and that can trigger the malicious scripts or exploit embedded within the document. Users won't even notice that their machine is being infected.

How can I protect against it?
Start with user education, but back it up with email attachment security solutions.

Install endpoint and server-based antivirus scanners. Be aware, though, of the time lag between attackers creating new malware and those malware signatures appearing in anti-virus (AV) databases. Recent tests show only 10% of endpoint AV engines recognize a threat a full 24 hours after it was delivered; part of this is due to the polymorphic malware approach adopted by many attackers.

Implement an email gateway with a machine-learning function and real-time IP reputation scanning that can detect suspicious language and sender characteristics. Ensure the gateway can unpack nested archive files (like .zip and .rar) and block executables, so that potentially malicious programs hidden inside archives are found. It is also typically best practice to use a different gateway AV than the one used on the endpoint, to provide diversity and increase the likelihood of detection.
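The gateway requirement in the paragraph above, unpacking nested archives and refusing executables, looks like the following when written out. This is an added example, not code from the original page or from any product it describes; it handles ZIP only (RAR needs a third-party library), and the blocked-extension list, the nesting and size limits, and the sample archive are constructed assumptions.

```python
import io
import os
import zipfile

# Extensions an inbound gateway should refuse outright (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
PE_MAGIC = b"MZ"            # first two bytes of a Windows executable
ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens a non-empty ZIP
MAX_DEPTH = 5               # assumed cap: stop unpacking archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap: refuse members that would expand past this


def inspect_archive(data: bytes, path: str = "", depth: int = 0) -> list:
    """Recursively walk a ZIP held in memory and return the reasons to block it."""
    label = path or "<root>"
    if depth > MAX_DEPTH:
        return [f"{label}: nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: not a valid ZIP archive"]

    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.is_dir():
                continue
            # Declared size is checked before reading, so a small archive that
            # expands to something huge never gets fully inflated here.
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member}: declared size {info.file_size} exceeds limit")
                continue
            # Password-protected members cannot be inspected, which is itself a
            # common evasion; surface it instead of silently passing the file.
            if info.flag_bits & 0x1:
                findings.append(f"{member}: encrypted member, cannot inspect")
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            content = zf.read(info)
            # Name-based check catches double extensions such as invoice.pdf.exe.
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"{member}: blocked extension {ext}")
            # Content-based check catches executables renamed to look harmless.
            elif content.startswith(PE_MAGIC):
                findings.append(f"{member}: PE (MZ) header despite {ext or 'no'} extension")
            # Recurse into archives-within-archives by magic, not by name.
            if content.startswith(ZIP_MAGIC):
                findings.extend(inspect_archive(content, member, depth + 1))
    return findings


def build_sample() -> bytes:
    """Constructed sample: outer ZIP -> inner.zip -> a double-extension EXE,
    a renamed executable, and a harmless text file. The 'executables' are
    only a fake MZ header, not real programs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ" + b"\x90" * 62)
        z.writestr("readme.dat", b"MZ" + b"\x00" * 30)
        z.writestr("notes.txt", b"quarterly figures")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("cover_letter.txt", b"please see attached")
    return outer.getvalue()


if __name__ == "__main__":
    for reason in inspect_archive(build_sample()):
        print("BLOCK:", reason)
```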

For optimal results, look for a security solution with email attachment scanning, performed in the cloud via static and dynamic (sandbox) malware analysis, so email attachments are checked for bad behavior before they're delivered, and not just known bad reputation or known signatures which tend to miss zero-day and polymorphic malware attacks.


Phishing

How does it work?

Phishing is a socially engineered attack that uses embedded URL links to extract information from the user or take control of their computer. Attackers typically send emails designed to encourage recipients to click on an embedded URL – “check on the status of your package” or “notification for usage of your miles” for example.

Clicking on a link opens a browser, and the user is taken to a site that has been set up as a trap by the attackers to either:

  • Harvest credentials: The site typically appears familiar and persuades the user to hand over data, asking them, for example, to “Enter your username and password to proceed outside the corporate network” or “Enter your username and password to validate your account.”
  • Deliver malware: The site typically exploits a vulnerability in the web browser to silently download and install a virus, trojan, spyware, or rootkit on the user’s machine.

How can I protect against it?

User education around signs to look for when an email looks or feels suspicious definitely helps to reduce successful user machine compromises. However, since user behavior is not predictable, typically security solution-driven phishing detection is critical.

Some email gateway reputation-based solutions do have the ability to catch and classify phish based on the known bad reputation of the embedded URLs. What gets missed by these solutions are often well-crafted phishing messages with URLs from compromised legitimate websites that don’t have a bad reputation at the time of delivery of email.

Opt instead for a system that identifies suspicious email based on anomalytics, which looks for unusual patterns in traffic to identify suspicious emails, then rewrites the embedded URL and maintains a constant watch on the URL for in-page exploits and downloads.


Longlining

How does it work?
Longlining is the sending of mass-customized phishing messages that are engineered to look like they are arriving only in small quantities, mimicking targeted attacks. Attackers leverage the approaches used by mass-marketing campaigners to generate millions of dissimilar messages. They do this with mail-generating code and infrastructure that can rotate email content, subject lines, sender IP addresses, sender email accounts, and URLs. This means that for any one organization no more than 10-50 emails will look alike, enabling the malicious emails to fly under the radar of spam and content scanning systems. Typically no attachment is included, minimizing the chance of detection by antivirus or other signature-based solutions. Additionally, the many IP addresses, sender email accounts, and URLs used in the campaign are typically legitimate but compromised.

This inherently gives the emails ‘good’ reputation characteristics, helping them evade any reputation-based detection approach. To prolong the attack’s time to detection, attackers ensure that the compromised site delivers ‘polymorphic’ malware to user machines. Every user gets a unique version of the malware, essentially defeating the value of new signatures created as the attack starts to be detected.

How can I protect against it?
Given the sophistication of the content and the compromised infrastructure typically seen in Longlining attacks, combating these threats with a Big Data-driven security solution is likely to be more effective. Such a solution should not rely only on signatures and reputation controls. Its goal should be to look for patterns based on historical traffic, analyze new traffic in real time, and predict what needs to be analyzed in a cloud-based advanced malware detection service.

Look for a security solution that can identify mass-customized campaigns targeting multiple companies at the same time, pick out the unique characteristics shared across them to form a pattern, and proactively sandbox these threats to declare the pattern malicious, which helps increase detection. Additionally, the security solution should have an approach for managing the messages that do get through. With Longlining attacks typically capable of more than 800,000 messages per minute, many may reach users. The solution should be capable of rewriting the various URLs in those messages, as well as predictively sandboxing suspicious URLs, so that recipients can be blocked from reaching the malicious destination once advanced malware detection has confirmed the destination websites to be bad. This typically helps minimize the effort required for clean-up and remediation.


Watering Hole

How does it work?
A Watering Hole attack is a targeted attack designed to compromise users within a specific industry or function by infecting websites they typically visit and luring them to a malicious site. Watering Hole attacks, also known as strategic website compromise attacks, are limited in scope as they rely on an element of luck. They do, however, become more effective when combined with email prompts that lure users to the websites.

Attackers that are attempting opportunistic attacks for financial gain or to build their botnet can achieve this by compromising popular consumer websites. But the targeted attackers that are after more than financial gains tend to focus on public websites that are popular in a particular industry, such as an industry conference, industry standards body, or a professional discussion board. They will look for a known vulnerability on the website, compromise the site, and infect it with their malware before they lie in wait for baited users.  

Attackers will even prompt users to visit the sites by sending them ‘harmless’ and highly contextual emails directing them to specific parts of the compromised website. Often, these emails do not come from the attackers themselves, but through the compromised website’s automatic email notifications and newsletters that go out on a constant basis.  This makes detection of the email lures particularly problematic.

As with targeted attacks, typically the user’s machine is transparently compromised via a drive-by download attack that provides no clues to the user that his or her machine has been attacked.

How can I protect against it?
Web gateways that defend the enterprise against opportunistic drive-by downloads matching a known signature or known bad reputation can provide some detection capability against opportunistic Watering Hole attacks. To defend against more sophisticated attackers, enterprises should consider more dynamic malware analysis solutions that check for malicious behavior on the most suspicious destination websites that users browse to.

To protect against targeted email lures to Watering Holes, look for an email solution that can apply similar dynamic malware analysis at the time of email delivery and at click-time by the users. Additionally, to defend the organization effectively, the solution must provide for mechanisms to protect the user whether or not they are on the corporate network and traversing through on-premise security controls. 


Spear Phishing

How does spear phishing work?
Spear phishing consists of socially engineered, sophisticated threats sent to an organization’s users, typically designed to steal information. It is a phishing attack in which attackers personalize messages to the user based on publicly available information about them. This can range from topics surrounding the recipient’s area of expertise, public appearances at conferences, and neighborhood and tax information that is public record, to any information that attackers can glean from social networks. When an organization’s senior executives are targeted using spear phishing, it is also referred to as Whale Phishing.

An example of a spear-phishing attack can be something simple like “Wade, based on your love of the early reds this year, I’d suggest a visit to Domaine Maleficient, which Bob also loved. Check out their e-store.” This spear phishing example can be highly effective if Wade’s public information indicates he is a wine enthusiast, a friend of Bob who also loves wine, and the email is coming from a Facebook connection through a spoofed email address or compromised account.

How can I protect against spear phishing?

Look for email protection solutions that use anomalytics to detect suspicious emails. Add dynamic malware analysis that can examine the destination websites for malicious behavior and simulate a real user system, so that evasive techniques built into malware can be countered and the malware is driven to reveal itself in a sandboxed environment. Sandboxing both at the time a suspicious email is delivered and when users click on a URL is likely to result in greater detection of these highly targeted threats.


Advanced Persistent Threat

How does it work?
Advanced Persistent Threats are mostly nation-state-sponsored attacks aimed at compromising an organization to carry out espionage or sabotage goals, while remaining undetected for a long period of time.

The term Advanced Persistent Threat (APT) is often misused. Rather than a specific technical approach to a threat, it is meant to describe the attacker (or group of attackers) and the attacker’s motivations behind the threat they pose, which are not simply one-time espionage, financial gain, and crime.

Advanced Persistent Threats (APTs) are either motivated by corporate espionage designed to steal valuable trade secrets and intellectual property, or to sabotage an organization’s plans and infrastructure.

Advanced Persistent Threat attackers use a variety of email-based techniques to create attacks, supported by other physical and external exploitation techniques. There are some typical characteristics of an Advanced Persistent Threat that are not found in other forms of attack:

  • Recon: Advanced Persistent Threat attackers typically have reconnaissance intelligence and know who the specific user targets are and which systems can help them achieve their goals. This information is often gleaned through social engineering, public forums and, most likely, nation-state security intelligence.
  • Time-to-live: Advanced Persistent Threat attackers employ techniques to avoid detection for extended periods of time, not just looking for a short-lived infection period that is typically seen in financial gain motivated attacks. They attempt to clean up their trail and usually perform their functions during non-business hours. They always leave backdoors so they can re-enter, just in case their original access is detected. This allows them to remain persistent.
  • Advanced Malware: Advanced Persistent Threat attackers use the full spectrum of known and available intrusion techniques, and in any given attack combine a number of methodologies to reach their goal. Advanced Persistent Threat attackers do make use of commercially available crimeware and kits, but many also typically have the technology and expertise to create their own custom tools and polymorphic malware when required for customized environments and systems.
  • Phishing: Most Advanced Persistent Threats employing internet-driven exploitation techniques start with social engineering and spear phishing. Once a user machine is compromised or network credentials are given up, the attackers actively take steps to deploy their own tools to monitor and spread through the network as required, from machine to machine and network to network, until they find the information they are looking for.
  • Active Attack: In Advanced Persistent Threats there is a significant level of coordinated human involvement from the attacker, rather than fully automated malicious code which just sends back data collected to the attacker in typical crimeware attacks. The adversary in this case is a well-funded, motivated, skilled, and highly directed attacker making their approach and response extremely active.

How can I protect against Advanced Persistent Threats?
There is no single silver bullet for protecting a company against APT actors. These attackers are looking to remain persistent once they are inside the organization, so using a combination of technologies that can triangulate logs and identify out-of-norm behavior within the enterprise network is key. The focus of the defense strategy should be to pick best-in-class detection solutions that together can provide intelligence on the targets, the methods used by the attackers, the frequency of their activity, the origin of the advanced persistent threat, and the risk associated with the attacker’s motives.

According to the Verizon Data Breach Investigations Report, 95% of targeted threats and APTs use some form of spear phishing as the starting point of the attack. Hence an enterprise’s APT defense strategy should include a detection solution that looks for targeted threats in email based on unusual patterns in traffic, rewrites the embedded URLs in suspicious emails, and then maintains a constant watch on each URL for malicious behavior in a sandbox. Such an approach can protect against and/or detect these attacks, and knowing which users have been compromised, when, and for how long is a major advantage in learning more about the APT adversary and their motivations.


Endpoint-Delivered Threats


Endpoint-delivered threats usually enter an organization through:

  • a user-infected device introduced into the corporate network which then delivers malware that can spread laterally
  • an infected portable device
  • users who are tricked into downloading and installing malicious software by claims that they are antivirus, disk cleanup or other utility software

Attackers can use strategies such as leaving an infected USB drive in the organization’s parking lot in anticipation that an employee will pick it up and plug it into a network-connected system. However, pulling off such an attack is expensive and much riskier for the attackers, especially if they are remote and need a trained human asset in-country to assist with the attack.

Endpoint protection becomes more complicated as users connect their own devices into the corporate network and as more users work remotely. An organization has to accept that not all traffic on the user’s device will go through the corporate security controls, and in many cases the organization may not have device control to enforce a specific endpoint security solution.

Opportunistic attackers and those attempting targeted threats on organizations tend to use socially-engineered emails sent to corporate email accounts to compromise user endpoints.

This strategy is easy to execute and cost effective as attackers can execute the attack remotely, enabling attacks across multiple users, and at multiple different times.  

The 2013 Verizon Data Breach Investigations report explains that running a campaign with just three targeted phishing emails gives the attacker a better than 50% chance of getting at least one user to click and have their machine compromised; sending ten almost guarantees getting at least one user to click and compromise their device.  

Once compromised, the endpoint can give up a mountain of an organization’s information along with access credentials that are keys to critical systems and data. The risk of exposure further increases when the compromised endpoint connects to the network and allows the attackers to spread laterally through the organization’s networked endpoints.

The strongest defense is a layered security approach which includes best-in-class security solutions on the endpoint to check for malicious behavior, signature matching, and other solutions that can inspect traffic going to and from the device. Additionally, detection and protection from email delivered threats early in the lifecycle of a threat is a primary strategy in stopping a large volume of endpoint delivered threats into organizations.


Network-delivered Threats


Network-delivered threats are typically of two basic types:

  • Passive Network Threats: Activities such as wiretapping and idle scans that are designed to intercept traffic traveling through the network.
  • Active Network Threats: Activities such as Denial of Service (DoS) attacks and SQL injection attacks where the attacker is attempting to execute commands to disrupt the network’s normal operation.

To execute a successful network attack, attackers must typically actively hack a company’s infrastructure to exploit software vulnerabilities that allow them to remotely execute commands on internal operating systems. DoS attacks and hijacking of communications on a shared network (for example, when a corporate user is on a public WiFi network) are the exceptions.

Attackers typically gain access to internal operating systems via email-delivered threats, which first compromise a set of machines, then install attacker-controlled malware, and so provide the ability for the attacker to move laterally. This reduces the likelihood of being detected up front while providing an almost effortless entry point for the attacker.

According to a recent Microsoft security intelligence report, more than 45% of malware requires some form of user interaction, suggesting that user-targeted email, designed to trick users, is a primary tactic used by attackers to establish their access.

Some threats are designed to disrupt an organization’s operations rather than silently gather information for financial gain or espionage. The most popular approach is called a Denial of Service (DoS) attack. These attacks overwhelm network resources such as web and email gateways, routers, switches, etc. and prevent user and application access, ultimately taking a service offline or severely degrading the quality of a service. These do not necessarily require active hacking, but instead rely on attackers’ ability to scale traffic towards an organization to take advantage of misconfigured and poorly protected infrastructure. This means they often make use of a network of compromised computer systems that work in tandem to overwhelm the target, known as a Distributed Denial of Service (DDoS) attack. In many cases, attackers will launch DoS and DDoS attacks while attempting active hacking or sending in malicious email threats to camouflage their real motives from the information security teams by creating distractions.

While detection, perimeter hardening, and patching processes are required to mitigate active and passive network-delivered threats, as a basic starting point organizations especially need to protect themselves from the email-delivered threats that subsequently enable network threats to succeed.