
Security Think Tank: 10 control areas to mitigate against malware attacks

What strategies should organisations follow to block malware attachments, which continue to account for two-thirds of malware infections that result in data breaches?

The WannaCry ransomware attack at the beginning of May 2017 has brought home to many organisations just how vulnerable they are to malware.

According to Isaca’s global State of cyber security 2017 study, just half (53%) of organisations have a process in place to deal with ransomware attacks.

But despite the use of the NSA’s EternalBlue exploit in this case (leaked by the Shadow Brokers earlier this year), the core issue that allowed the attack to be as successful as it was comes down to basic cyber security hygiene.

The problem is that security has always been seen as a cost centre, and any return on investment (ROI) in cyber is very difficult to articulate.

Boards and senior leaders need to be made aware of the risks and the associated costs. Cyber security needs to be viewed as a strategic area for a company’s survival, not just as something that is “nice to have”.

Most organisations with a mature security function have strong technical perimeter controls – such as firewalls and antivirus – which means the preferred route for attackers for some time now has been to target the human.

Persuading a member of staff to click on a link allows the attacker to develop a presence on the network, bypassing all the perimeter controls. Combined with generally open internal networks, this allows attackers or malware to search through the organisation, find interesting data and exfiltrate it – or bring in the WannaCry attack – to cause damage.

Unfortunately, there is no silver bullet, so controls need to be layered to be effective.

I have developed this list of 10 control areas any organisation should consider, as they all provide a measurable reduction in likelihood or impact of an attempted attack:

  1. Email authentication protocols such as DMARC help stop emails with spoofed addresses at the perimeter, removing one of the largest attack techniques. Email risk scoring tools can then be used to identify suspect emails and quarantine them for analysis.
  2. Phishing awareness training shows rapid improvement in the identification of phishing emails, especially when combined with escalating training for those who fail. Providing a button on the email client to report suspected phishing/malware allows the user to be part of the defence structure.
  3. Organisational culture change can have a dramatic effect. Moving away from shaming individuals who fall foul of phishing to a model which encourages disclosure has been shown to strengthen the entire team and organisation.
  4. Another change of culture is for the organisation to set the example it wants others to follow. Organisations typically include links in their emails, so trying to persuade staff and customers to stop clicking on links is difficult. Moving to an information-led communication system, where the customer is told to log in to their usual portal to see new messages, dramatically reduces phishing attack success.
  5. Classification and marking of all data in an organisation, along with complete information asset registers, allow proactive control over data flow, greater cost effectiveness over protective controls, and a rapid time to full discovery in the event of a breach, which will be a direct financial benefit under the General Data Protection Regulation (GDPR).
  6. Antivirus on the gateway and desktop identifies known malware but, to deal with the ever-greater problem of zero-day or brand-new malware, it is essential to use behavioural alerting tools that identify new malware based on its activity, looking for anomalous outbound connections or accesses.
  7. Network segregation prevents malware from moving through the organisation, limiting any impact to the immediate entry point and local network. Combined with intrusion detection or prevention agents on crown jewels, and strong role-based access control, attackers can be effectively prevented from accessing sensitive data.
  8. Patching should be an automatic and regular process, but many organisations put off patches to avoid downtime, minimise cost or because applications will require rework. Combined with overly long end-of-life processes, this can lead to a significant server and desktop estate that is vulnerable.
  9. Data loss prevention tools should be implemented on all egress points, with rules ranging from signature matching and watermark or classification detection to heuristic analysis.
  10. Brand monitoring services should also be employed to scan dark web sites to identify files that have been leaked so that the organisation can mitigate impact.
