Streeterville Group M. Aghajanian, M. Blackburn, T. Heller Defending Against Users Executing Malware Code via Email
Jan 21, 2016
Case of Confounded Confections, Inc.
Introduction
• Ultra-secure network to protect their sweet secrets:
  1. Enterprise firewalls.
  2. Only necessary services, each with required authentication.
  3. Tightly managed systems.
• Anomalies begin to appear.
• CIO wants to know…
Investigation
Why?!
Quick Review
Risk Analysis
• Risk analysis (quantitative)
• Policy
• Design
• Prevention
• Response or countermeasures
• Implementation
• Control
• Rinse and repeat...
Classifications
• State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy.
• Size of host population: small (binomial model), large (Poisson approximation).
• Diversity of hosts (mix of operating systems)
• Weight of susceptibility
• Weight of business value
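The host states, susceptibility weights and business-value weights listed above can be combined into a small compartment model that estimates how far an email-borne infection spreads through a mixed fleet and what it costs. The model below is an added illustration, not the slides' own method; the host classes, rates and per-host values are constructed example numbers, and the state flow (susceptible, infected, quarantined, recovered) is deterministic so the run is reproducible.

```python
"""Deterministic compartment model of malware spread across a mixed host
population, weighted by per-platform susceptibility and business value.
Added illustration (not from the slides); host classes and rates are
constructed example values."""
from dataclasses import dataclass, field


@dataclass
class HostClass:
    name: str
    count: float
    susceptibility: float  # weight of susceptibility: 0 (immune) .. 1
    business_value: float  # cost per infected host per time step
    s: float = field(init=False)  # susceptible
    i: float = field(init=False)  # infected
    q: float = field(init=False)  # quarantined
    r: float = field(init=False)  # recovered

    def __post_init__(self):
        self.s, self.i, self.q, self.r = self.count, 0.0, 0.0, 0.0

    @property
    def total(self):
        return self.s + self.i + self.q + self.r


def seed(classes, name, hosts):
    """Start the outbreak with `hosts` infected machines in one class."""
    for c in classes:
        if c.name == name:
            c.s -= hosts
            c.i += hosts


def simulate(classes, contact_rate, quarantine_rate, recovery_rate, steps):
    """Advance susceptible -> infected -> quarantined -> recovered.

    Infection pressure is proportional to the fraction of infected hosts in
    the whole population; a class's susceptibility weight scales its chance
    of catching it. Returns (peak_infected, total_loss)."""
    n = sum(c.count for c in classes)
    peak, loss = 0.0, 0.0
    for _ in range(steps):
        infected_frac = sum(c.i for c in classes) / n
        for c in classes:
            p_inf = min(1.0, contact_rate * infected_frac * c.susceptibility)
            new_i = c.s * p_inf
            new_q = c.i * quarantine_rate
            new_r = c.q * recovery_rate
            c.s -= new_i
            c.i += new_i - new_q
            c.q += new_q - new_r
            c.r += new_r
            loss += c.i * c.business_value
        peak = max(peak, sum(c.i for c in classes))
    return peak, loss


def build_fleet():
    """Constructed fleet: diversity of OS, patch level and business value."""
    return [
        HostClass("windows-unpatched", 300, 1.0, 50.0),
        HostClass("windows-patched", 500, 0.2, 50.0),
        HostClass("macos", 150, 0.3, 40.0),
        HostClass("linux-servers", 50, 0.0, 500.0),  # immune here, but valuable
    ]


if __name__ == "__main__":
    fleet = build_fleet()
    seed(fleet, "windows-unpatched", 5)
    peak, loss = simulate(fleet, contact_rate=2.0, quarantine_rate=0.3,
                          recovery_rate=0.5, steps=60)
    for c in fleet:
        print(f"{c.name:18s} S={c.s:7.1f} I={c.i:6.2f} Q={c.q:6.2f} R={c.r:7.1f}")
    print(f"peak infected: {peak:.1f}  total loss: {loss:.0f}")
```

Re-running with a lower susceptibility weight for the unpatched class (i.e. after pushing patches) shows directly how much of the loss a given countermeasure removes, which is the input the quantitative risk step above needs.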
General Cost of Malware
• Paradigm shift to more indirect costs than direct costs overall.
• Largest expenses:
• Staff hours for support.
• Staff hours lost to downtime.
• Hardware, software, vendor support and IT training.
• Legal, human resources, and training.
Design Solutions
• Layered schema for malware detection.
• Prevention by inspection at various points at the edge and perimeter.
• ClamAV (open source software solution)
• Microsoft perspective (proprietary software solution)
• Future approaches at the edge or perimeter (next sections)
Prevention at the Edge and Perimeter
Layered Protection Microsoft Approach
Exploitations
Responding to User Actions: Clicking on Links
Drive-By Downloads
o Exploit browser vulnerabilities.
    JavaScript/ECMAScript
    Content parsing
o Exploit vulnerabilities in browser add-ons.
    Flash
    Adobe Reader
    Java
Countermeasures
• DNS Blacklisting
  o Used by spam filtering software.
  o Repurposed for everyday DNS resolution.
  o Prevents access to sites known to host malware.
  o 11.25¢ per user/year.
• SSL Proxy with malcode detection
  o Inspects for malcode delivery, including within encrypted sessions.
  o Requires every client to trust the proxy's CA certificate, since the proxy terminates and re-encrypts TLS.
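The DNS blacklisting countermeasure above amounts to two pieces: matching a requested hostname against listed zones (a listed zone must also cover all of its subdomains, or attackers just add a label) and feeding the list to the resolver. The code below is an added example, not the slides' or any vendor's implementation; the blocklist entries and hostnames are constructed, and the resolver output assumes Unbound's `local-zone` directive with the `always_nxdomain` type.

```python
"""Hostname check against a DNS blocklist with parent-zone matching, plus
generation of Unbound local-zone directives that sinkhole the listed zones.
Added example; the zones and hostnames below are constructed, not real
malware domains."""


def normalize(host):
    """Lower-case, strip whitespace and any trailing root dot."""
    return host.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse one zone per line; '#' starts a comment; blank lines ignored."""
    zones = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            zones.add(normalize(line))
    return zones


def blocked_by(host, zones):
    """Return the blocklist zone covering `host`, or None.

    A listed zone covers itself and every subdomain, so 'cdn.bad.example'
    is caught by 'bad.example', while 'notbad.example' is not (label-wise
    matching, not substring matching)."""
    labels = normalize(host).split(".")
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in zones:
            return candidate
    return None


def unbound_local_zones(zones):
    """Emit unbound.conf lines answering NXDOMAIN for every listed zone
    and its subdomains (assumes Unbound's always_nxdomain zone type)."""
    return "\n".join(f'local-zone: "{zone}." always_nxdomain'
                     for zone in sorted(zones))


# Constructed blocklist feed, in the one-zone-per-line style such feeds use.
SAMPLE_FEED = """
# constructed sample, not real indicators
bad.example
Evil.TEST.
"""

if __name__ == "__main__":
    zones = load_blocklist(SAMPLE_FEED)
    for h in ["cdn.bad.example", "notbad.example", "EVIL.test.", "www.good.example"]:
        print(f"{h:20s} -> {blocked_by(h, zones)}")
    print(unbound_local_zones(zones))
```

Because the check walks the label hierarchy rather than doing a substring search, a blocklist entry for `bad.example` blocks `cdn.bad.example` but never touches `notbad.example`, which is the false-positive class that gets such filters switched off in practice.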
Prevention—Human Factor
• User Training
  o Detect suspicious emails.
  o Close the browser if concerned.
• Acceptable Use Policy
  o Discourage promiscuous behavior.
  o "Scare tactic" heightens the stakes.
• Ongoing Communication
  o Ongoing remediation costs = foregone benefits.
  o Reinforce desired behavior.
Mitigation—Technical Approaches
• Application Selection
  o Remove Adobe Reader: 55% of all attacks.
  o Remove IE6: 5% of all attacks.
• Update policies
  o Use Microsoft Group Policy to update MS products automatically.
  o Communicate with and inform users.
  o Perform software audits (not feasible in decentralized networks).
Mitigation—Human Factor
• User cooperation
o Accept new updates
o Don't install unknown plugins
• Vendor support
o Push updates to all clients
o Centralized patch level monitoring
o Create vendor compliance standards
Antivirus Signatures
Responding to User Actions: Opening Attachments
o Typical approach: bit-by-bit signatures (a.k.a. "hash"); any change to the file, however small, defeats the match.
o New approach: behavioral signatures, matched on what the code does rather than on its bytes.
o Influence: script kiddies.
o Policy and enforcement: additional software may be required; performance hit; instrumentation and legacy systems.
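The contrast between the two signature types above is easiest to see side by side: a hash signature stops matching after a single flipped padding byte, while a behavioral signature written over what the sample does at run time keeps matching the repacked variant. The code below is an added example, not the slides' code or any AV product's engine; the "sample" is a harmless constructed byte string and the "trace" is a constructed list of sandbox-style events, standing in for real dynamic analysis output.

```python
"""Hash signature versus behavioral signature. Added example, not from the
slides or from any antivirus product. SAMPLE is a constructed harmless byte
string standing in for an attachment; TRACE is a constructed list of
sandbox-style API events, standing in for real dynamic-analysis output."""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a malicious attachment (not real malware).
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"<payload placeholder>" + b"\x00" * 16

# Bit-for-bit signature: the SHA-256 of the exact file.
HASH_SIG = hashlib.sha256(SAMPLE).hexdigest()


def match_hash(data, sig=HASH_SIG):
    return hashlib.sha256(data).hexdigest() == sig


def repack(data):
    """Trivial variant: flip one padding byte, as a script kiddie might, to
    evade a hash signature without touching the payload's behavior."""
    buf = bytearray(data)
    buf[10] ^= 0xFF
    return bytes(buf)


@dataclass(frozen=True)
class Event:
    api: str   # monitored API or syscall name
    arg: str   # flattened argument string


# Behavioral signature: every named behavior must be observed in the trace,
# whatever the file bytes look like.
BEHAVIOR_RULE = {
    "spawn_encoded_powershell": lambda e: e.api == "CreateProcess"
        and "powershell" in e.arg.lower() and "-enc" in e.arg.lower(),
    "persist_via_run_key": lambda e: e.api == "RegSetValue"
        and "\\currentversion\\run\\" in e.arg.lower(),
}


def match_behavior(trace, rule=BEHAVIOR_RULE):
    return all(any(pred(e) for e in trace) for pred in rule.values())


# Constructed traces: what the sample (and its repacked twin) do, and a benign run.
MALICIOUS_TRACE = [
    Event("CreateFile", r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    Event("CreateProcess", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]
BENIGN_TRACE = [
    Event("CreateFile", r"C:\Users\alice\Documents\readme.txt"),
    Event("CreateProcess", "notepad.exe readme.txt"),
]


if __name__ == "__main__":
    variant = repack(SAMPLE)
    print("hash matches original :", match_hash(SAMPLE))
    print("hash matches variant  :", match_hash(variant))
    print("behavior, malicious   :", match_behavior(MALICIOUS_TRACE))
    print("behavior, benign      :", match_behavior(BENIGN_TRACE))
```

The cost side of the slide shows up here too: the hash check needs only the file, whereas the behavioral check needs the attachment to be executed and instrumented first, which is where the extra software, the performance hit and the trouble with legacy or instrumentation hosts come from.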
Policies and Enforcement
• Antivirus/OS update policies and procedures
  o Responses to malware/vulnerabilities, a.k.a. patches.
  o Admins: greater freedom/power, or computer security?
  o If users choose when to update...
  o If admins choose when to update...
  o "Managed" antivirus software shows who is doing what: privacy issues.
• Distributed Support System
  o Typical of universities.
  o Policies and enforcement left up to non-IT personnel.
OS Countermeasures
• User privilege management
  o Usually centralized.
  o Environment and staff affect leniency: research environments require more user privileges; fewer IT staff means more user privileges.
  o Requirements, reactions & risk: users have different tasks, downtime and productivity requirements.
• Vendor/Instrumentation/Legacy computers
  o Limited support, no software patching (vendor not liable).
  o Various versions of antivirus software.
  o User POV: updating is confusing and lengthy, slows the computer, and requires a system reboot.
Execution and Service Management
• OSs require password authorization before execution
  o Protects against "accidentally" installing unwanted software.
  o Users can simply enter the password and move on.
• DEP & ASLR
  o Windows XP SP2 (DEP; ASLR arrived with Windows Vista), Mac OS X.
  o Effective, but not sufficient on their own: exploits bypassing them were written for IE8 and Firefox (Mac & Win).
  o Defense-in-depth: makes exploits slower and more expensive to write.
  o Layering defenses: more obstacles for the attacker, more opportunities for the defender.
Future Approaches
• Network-level sandbox
  o Users are accustomed to waiting for emails.
• Deep-scanning email clients
  o Number of cores/CPUs is growing; privacy issues.
• Research: extent of malware coders sharing/upgrading malware.
• Executable signatures
• Non-IT policies
  o High-level policies (HIPAA, SOX) bring more IT support funding and detail, and force everyone to abide (legal consequences).
• Northwestern University
  o Proactive policies, training.
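The "deep-scanning email client" and "executable signatures" items above both come down to looking inside the message rather than trusting the attachment's name: walk the MIME parts, hash each attachment for signature lookup, and compare the declared name and type against the content's magic bytes. The scanner below is an added example, not the slides' or any mail client's code; the message and its attachments are constructed inline (harmless placeholder bytes) so it runs offline, and the magic-byte table and extension lists are deliberately short.

```python
"""Deep scan of an email's attachments: walks MIME parts, hashes each one,
and flags executables, double extensions, and name/content mismatches.
Added example (not the slides' or any mail client's code); the message
below is constructed inline with placeholder bytes so it runs offline."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Magic-byte prefixes for a few types (short constructed table).
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",  # also docx/xlsx/jar
}
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "ps1", "bat", "cmd", "jar"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def sniff(data):
    """Identify content by leading bytes, ignoring the declared name/type."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def scan_attachment(filename, data):
    """Return a list of findings for one attachment (empty means clean)."""
    findings = []
    parts = (filename or "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if ext in RISKY_EXT or kind.endswith("executable"):
        findings.append("executable-attachment")
    if len(parts) > 2 and parts[-2] in DOC_EXT and ext in RISKY_EXT:
        findings.append("double-extension")        # e.g. invoice.pdf.exe
    if ext in DOC_EXT and kind.endswith("executable"):
        findings.append("extension-mismatch")      # executable named .pdf
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename()
        report.append({
            "filename": name,
            "declared": part.get_content_type(),
            "sniffed": sniff(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # for signature lookup
            "findings": scan_attachment(name, data),
        })
    return report


def build_sample_message():
    """Constructed message with one clean and two suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "hr@confections.example"
    msg["To"] = "staff@confections.example"
    msg["Subject"] = "Updated bonus schedule"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="bonus.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 32,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 32,
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in scan_message(build_sample_message()):
        print(entry["filename"], entry["declared"], entry["sniffed"],
              entry["findings"] or "clean")
```

The third attachment is the case a name-based filter misses entirely: it is declared as `application/pdf`, named `report.pdf`, and only the leading `MZ` bytes give it away, which is why the scan has to read the content and not just the headers.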