ITU-T X.1236 Security Requirements
Types of Targeted Inbound Email Attacks
Targeted Inbound Email Attacks
Security requirements for countering zero-day malware
Inspect Behavior-Based Analysis
Report Malware Behavior
Inspect Behavior-Based Analysis
Inspect Behavior-Based Analysis
Importance: Required / Reference to ITU-T X.1236 8.1.1 (1)
- Conducting behavior-based analysis inspections to detect newly discovered novel viruses is a crucial security functionality requirement. This requirement is used to identify novel malware or malicious activities that cannot be detected by traditional virus definition files.
- Behavior-based analysis involves executing viruses or malicious software in a virtual environment to detect specific behaviors or malicious activities. For example, it analyzes behaviors such as file system changes, registry modifications, network communication patterns, process execution, etc., to identify malicious activities.
- To achieve this, continuous monitoring of the characteristics and patterns of novel malware is necessary, and immediate response measures should be in place when such activities are detected.
Report Malware Behavior
Targeted Inbound Email Attacks
Security requirements for countering malware in email attachments
Inspect File Extension
Analyze Email Reputation
Inspect File Extension
Inspect File Extension
Importance: Required / Reference to ITU-T X.1236 8.1.2 (1)
- Inspecting various file types with potentially forged or hidden file extensions is a critical security requirement to enhance security.
- Malicious code or malicious programs often manipulate file extensions, enabling them to execute malicious code when users open or download files.
- File extension inspection involves comparing file extensions with actual file formats to detect altered extensions and identify malicious files. Detected files are then blocked from access to maintain system security.
- Examples of forged file extensions include:
- Using a .doc file extension for an executable file: Executable files typically have extensions like .exe, .dll, .bat, etc. However, attackers may use a .doc file extension to disguise an executable file.
- Using a .exe file extension for an image file: Image files typically have extensions like .jpg, .png, .gif, etc. However, attackers may use a .exe file extension to disguise an image file.
- Using an .mp3 file extension for a text file: Text files typically have extensions like .txt, .doc, .pdf, etc. However, attackers may use an .mp3 file extension to disguise a text file.
Analyze Email Reputation
Targeted Inbound Email Attacks
Security requirements for countering malware in email URLs
Track Final URLs
Inspect Post-URLs
Deactivate URLs
Track Final URLs
Track Final URLs
Importance: Required / Reference to ITU-T X.1236 8.1.3 (1)
- When analyzing multi-linked URLs, it is crucial to track and verify all intermediate and final URLs. This process is a critical step in confirming whether each URL contains malicious code.
- Attackers may lead or confuse users through various intermediate URLs, so it is essential to thoroughly analyze each URL to identify the final destination URL.
- Examine whether each URL originates from a trusted source, has a security certificate, and does not contain strange strings or obfuscated code to ensure its integrity.
Inspect Post-URLs
Deactivate URLs
Targeted Inbound Email Attacks
Security requirements for countering forged headers
Detect Reply-to Email Address Change
Verify Mail Communication Protocol Compliance
Detect Reply-to Email Address Change
Detect Reply-to Email Address Change
Importance: Required / Reference to ITU-T X.1236 8.1.4 (1)
- When replying to an email, it is necessary to compare the reply email address with the sender’s address in the original email and alert or block the user if they differ.
- This helps prevent attackers from tampering with the original email to confuse users.
- Users receive a warning about any changes in email addresses before sending a reply, preventing fraudulent activities and maintaining trusted communication.
Verify Mail Communication Protocol Compliance
Targeted Inbound Email Attacks
Security requirements for countering look-alike domains
Notify Risk Similarity Level
Detect Differences in Email Address Character Count
Register Suspicious Similar Email Addresses
Manage Similar Email Addresses with Different TLDs Separately
Notify Risk Similarity Level
Notify Risk Similarity Level
Importance: Required / Reference to ITU-T X.1236 8.2.2 (1)
- Analyze the sender’s email address or domain of the received email and collect the cumulative email history of that sender to determine the Risk Similarity Level if the sender’s email address or domain is considered a similar domain. If a similarity is detected, alert the user and, if necessary, block the email.
- For example, if a user has received malicious emails from similar domains in the past, the system should detect similarities and warn the user or block the email accordingly.
- Risk Similarity Level Notification is a crucial feature in email security systems that informs users of potential risks when the sender’s email address or domain is identified as a similar domain.
- The Risk Similarity Level is determined based on algorithms and policies embedded in the email security system.
- The Risk Similarity Level is typically categorized as follows:
- Low: Similar domains are detected, but significant risks are not identified.
- Medium: Similarities in some emails are detected.
- High: High similarity is detected in the email.
- Once the Risk Similarity Level is determined, it should be communicated to the user. Users should be able to see that the received email has been categorized as a similar domain and check the Risk Similarity Level associated with that domain.
Detect Differences in Email Address Character Count
Register Suspicious Similar Email Addresses
Manage Similar Email Addresses with Different TLDs Separately
Targeted Inbound Email Attacks
Security requirements for countering account take-over (ATO)
Detect Sender’s Location (IP) Changes
Detect Mail Server IP Address Changes
Detect Changes in Email Delivery Paths
Detect Sender’s Location (IP) Changes
Detect Sender’s Location (IP) Changes
Importance: Required / Reference to ITU-T X.1236 8.2.3 (1)
- When receiving an email, it’s essential to verify the sender’s IP address, and if it differs from previous received emails, the user should be alerted or the email should be blocked.
- This verification helps validate the source of the email and is a critical security measure to protect against potential threats.
- For example, if a user’s account is accessed from a different location or using a different IP address than before, detecting and alerting the user can help prevent illegal access or account intrusion attempts.
- Attackers may attempt to deceive users by changing IP addresses, so detecting differences from previous emails is crucial.
Detect Mail Server IP Address Changes
Detect Changes in Email Delivery Paths
Targeted Inbound Email Attacks
Security requirements for countering URL phishing
Track Final Destination of URLs
Track Final Destination of URLs
Track Final Destination of URLs
Importance: Required / Reference to ITU-T X.1236 8.2.4
- Analyzing the URL or link clicked by the user to track and verify the ultimate destination of that URL is crucial.
- URL redirection is one of the attack techniques that can lead users through multiple stages to a phishing web page.
- Therefore, it is necessary to trace all URL redirections that occur in between in a chain to understand where the user will ultimately land and prevent malicious activities on web pages designed to induce personal information input.