- Disable macros at the policy level A very common point of entry for malware, be it botnet, remote access trojan, or ransomware, is through the built-in scripting language of Microsoft Office: macros. In fact, the middle of 2016 saw a very large campaign of spammed Office malware leveraging macros within Macro-enabled Document Templates. (Molyett & Lee, 2016) With Windows 10 and new updates to Office the enterprise level configuration, Group Policy, can enable "Block macros from running in Office files from the Internet" (Khanse, 2016) which is a feature that should always be used. Any person on the network that needs to open such files should be provided a virtual machine for reading those files.
- Submit all email attachments and links to a sandbox scanner Other than Office macros, spam carries with it malware executables, links to exploit kits, and various nested file solutions to execute malcode. An effective network protection policy is to have all incoming emails be submitted to an automated scanner. (Eckstein, 2015) Such a solution does delay emails by a few minutes, but avoiding a ransomware infection is well worth it.
- Two factor authentication The last common delivery through email are directions to phishing websites for collecting user credentials. When a user falls for one of these sites, which often can look pixel perfect due to the same technologies being available to the scammer as to the original web developer, then the attacker gains the user login and password for the copied service. This was how the Hilary Clinton campaign chairman, John Podesta, had his email's hacked in 2016. (Vaas, 2016) By accidentally logging into a fake Google Mail support page, attackers collected his credentials. Two factor authentication usually means that, in addition to knowing the secret password and the not-so-secret username, a user must also possess a physical device to successfully login. Phishing attacks then fail to provide access even once credentials have been harvested.
Eckstein, P. (2015). AMP Threat Grid Extends and Bolsters Our Ability to Combat Malicious Malware. Cisco. Retrieved from https://blogs.cisco.com/ciscoit/b-sec-10232015-amp-threat-grid-combats-malicious-malware
Khanse, A. (2016). Prevent and block Macros from running in Microsoft Office using Group Policy. The Windows Club. Retrieved from http://www.thewindowsclub.com/block-macro-malware-microsoft-office
Molyett, M. & Lee, M. (2016). Macro Intruders: Sneaking Past Office Defenses. Cisco Talos. Retrieved from http://blog.talosintel.com/2016/08/macro-intruders-sneaking-past-office.html
Vaas, L. (2016). DNC chief Podesta led to phishing link ‘thanks to a typo’. Sophos. Retrieved from https://nakedsecurity.sophos.com/2016/12/16/dnc-chief-podesta-led-to-phishing-link-thanks-to-a-typo/
No comments:
Post a Comment