Recently, we have been hearing from our customers and partners of a concerning increase in the number of sophisticated malware attacks which are striking organizations. These are not simple attacks, but involve compromising reputable web servers in order to deliver malware infected content. The good news is that there is a solution to this – but why are traditional methods simply not working?
What about anti-virus and sandboxing – why aren’t these the solution?
In the past anti-virus (AV) solutions were a great solution to combat malware, however today they have become less effective. This is due to the advance of targeted malware which is ‘unique’ or has very few instances for any AV solution to detect. AV is based upon seeing multiple instances of the same malware, often a million times over, and then creating a signature to detect and therefore block it. Without the quantity it becomes difficult to spot. But don’t remove your AV solution (!) – it is still very effective against millions of other viruses. However, with AV being ineffective against new targeted malware a different approach was needed – introducing the sandbox.
The sandbox is an isolated execution environment where unknown executables can be ‘tried’ and then their behaviour analyzed. This could be an application, but increasingly this is malware which has been embedded in innocuous looking documents utilizing their ability to support active-content. Active-content can be legitimate, for example macros, but the control it offers means that it is readily subverted for malware. If the analyzed behaviour is suspicious, such as calling out to a known ‘bad’ website, uploading or downloading additional content, then the document or executable can be assumed infected and therefore blocked. The challenge comes with the amount of time that it takes to run the sandbox. This can create a delay, often of more than 15 minutes, to receiving a document - which is seen as unacceptable in today’s agile business; add to this, that the latest generation of embedded malware can even detect if it is running in a sandbox.
And so, to combat todays’ sophisticated threats hidden within active content, hidden within seemingly legitimate files, while maintaining the speed of communication required by business – there needs to be a different approach.
Structural Sanitization is the answer, inherent in the latest adaptive security solutions which automatically remove active content from documents, including Microsoft Office, Open Office and PDFs, preventing infection at source. A blanket policy, i.e. applying it to all incoming documents (in emails or downloaded from the web) is a straightforward and effective solution to the problem. The content of an email can be delivered immediately without the fear of malware. The original, with attachment can be sent to a sandbox for offline analysis if required.
Targeted attacks - but how do they know who to target?
We often hear about cyber-criminals using social media as a means of gathering information on employees and so there is now an understanding on what should and what shouldn’t be posted. Within some organizations, there is a corporate policy that employees must not post details about who they work for and where they work, and / or pictures of their workplace or colleagues. However, there is another rich source of information – the corporate website. This is not about the obvious details found on the website, but the information which can be harvested from the meta-data in the documents posted there.
When documents are created, information is stored in the meta-data in the document. This often contains the author’s name, and sometimes the corporate login name. Further information can be found relating to departments and even system names. All this information is useful to the external cyber-attacker. System names and login names can be useful in creating an attack, while names and departments can be used to help craft a phishing attack. There are a number of open-source utilities which can automatically download documents from a public facing website and then extract and analyse the meta-data they contain.
Within document creation tools, such as Microsoft Office, there are options to be able to remove meta-data, but it relies upon the user to know about the functionality and how to use it as well as remembering to use it before publishing a document to the website. Fortunately the next generation of adaptive security solutions can enable a policy to be set so that this can be done automatically – and consistently. We call this Document Sanitization, as it removes the information which could create a leak. Granularity on the policy ensures that, if required, certain pieces of meta-data remain untouched, for example classification information.
In using both structural and document sanitization organizations are able to negate the ability of cyber criminals to target an attack, but should one transpire remove the malicious part of active content from inbound communications whilst allowing the business critical communication to continue, safely, to the required recipient.
As threats become increasingly sophisticated so too do the solutions that can mitigate them. Understanding how cyber-criminals are adapting their approach to attacks, means that you can secure your organization against them with advanced adaptive solutions – tomorrow’s game changing technology, here today.