
Security Think Tank: Minimise malware risks through education, process and technology

What strategies should organisations follow to block malware attachments which continue to account for two-thirds of malware infections that result in data breaches?

For many attackers, sending malware attachments can be a simple numbers game. They maximise their chances of success by targeting many people within an organisation, knowing that they only need one person to open the attachment.

These emails can often be easy to spot, but more sophisticated social engineering techniques targeting a specific individual can be far more difficult to detect. Blaming people is not the solution – we are all human. A more proactive strategy is to improve the security environment so that these risks are minimised through education, process and technology.

It is extremely difficult to completely eradicate these types of threats, but to tip the balance in your favour, educating users to question suspicious emails and having a simple mechanism for them to report their suspicions is key.

The first step for users is to recognise suspicious emails – for example, scanned documents sent from email addresses outside the organisation. But to really effect change, users need to go beyond just spotting malicious attachments and start reporting them to security teams so that they can be properly investigated. It only takes one user to open an attachment to enable the attack, but equally, only one user reporting a suspicious email can trigger a quick response, with other copies of the email being identified and any infected hosts isolated before significant damage is done. What is essential here is that the reporting mechanism is simple and well known.

When it comes to technical protection, start with the basics. Using antivirus filtering on email traffic and complementary antivirus on PCs is the first step. It costs relatively little and is easy to set up, so there are few barriers to entry for even the smallest organisations, where this is often provided by a hosted email service. These types of solutions are not 100% effective but will help to get rid of a lot of the “background noise” and therefore allow security teams to focus on more sophisticated threats.

Similarly, patching operating systems and applications is a fundamental part of the defence against known malware. Most attacks take advantage of vulnerabilities that are already known, so if you patch routinely and as quickly as practicable, this can protect the organisation against a lot of existing malware.

Some organisations need to test patches before deploying them, to ensure that they don’t interfere with existing software, but the patching still needs to be done within days of the patches coming out. This is because as soon as the patches are issued, hackers identify the vulnerabilities and develop new malware to exploit them.

Another way of reducing unwanted email is to use techniques for detecting “spoof” emails that purport to come from one domain while actually coming from another. This can be as simple as using software that highlights spoofed addresses or links in an email, or full-blown message authentication such as domain-based message authentication, reporting and conformance (Dmarc), an email validation system designed to detect and prevent email spoofing. This is effective at combatting emails with forged sender addresses that appear to originate from legitimate organisations.

Dmarc is normally deployed by the largest enterprises and public sector organisations running their own mail services. Small to medium-sized enterprises should check that their ISP or email provider is using it.
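To make concrete what Dmarc actually checks, the following is an added example (not from the article) that parses a Dmarc TXT record and evaluates whether a message's From: domain is "aligned" with the domain that passed SPF or DKIM, returning the disposition the record asks for. The record, domains and messages are constructed sample values; the organisational-domain helper is a simplification that takes the last two labels, whereas real implementations consult the Public Suffix List.

```python
"""Dmarc record parsing and alignment evaluation (added example, not the article's code)."""
from dataclasses import dataclass, field

# Constructed sample record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; pct=100; rua=mailto:dmarc@example.com"


@dataclass
class DmarcPolicy:
    policy: str                 # p=  : none | quarantine | reject
    subdomain_policy: str       # sp= : applies to subdomains of the record's domain
    adkim: str = "r"            # DKIM alignment: r (relaxed) or s (strict)
    aspf: str = "r"             # SPF alignment:  r (relaxed) or s (strict)
    pct: int = 100              # sampling percentage (parsed, not applied below)
    rua: list = field(default_factory=list)  # aggregate report addresses


def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse a 'tag=value; tag=value' record, rejecting malformed or non-Dmarc records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid or missing p= tag: {policy!r}")
    sp = tags.get("sp", policy)
    if sp not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid sp= tag: {sp!r}")
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("adkim/aspf must be 'r' or 's'")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcPolicy(policy, sp, adkim, aspf, pct, rua)


def organizational_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real code uses the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organisational domain."""
    if auth_domain is None:          # that authentication method did not pass at all
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(policy: DmarcPolicy, record_domain: str, from_domain: str,
             spf_pass_domain, dkim_pass_domain):
    """Return (result, disposition) for one message.

    spf_pass_domain: envelope-from domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a valid DKIM signature, else None.
    """
    if aligned(from_domain, spf_pass_domain, policy.aspf) or \
       aligned(from_domain, dkim_pass_domain, policy.adkim):
        return "pass", "none"
    # Failed: p= applies to the record's own domain, sp= to its subdomains.
    if from_domain.lower() == record_domain.lower():
        return "fail", policy.policy
    return "fail", policy.subdomain_policy


if __name__ == "__main__":
    pol = parse_dmarc_record(SAMPLE_RECORD)
    # Forged From: example.com, SPF passed only for the attacker's own sending domain.
    print(evaluate(pol, "example.com", "example.com", "mail.bad.example", None))
    # Genuine mail: DKIM signed with d=example.com.
    print(evaluate(pol, "example.com", "example.com", None, "example.com"))
```

The first printed result is a failure with disposition `reject`: the forged message passed SPF, but for a domain that is not aligned with the From: header, which is exactly the spoofing case the article describes. A receiving mail server that enforces the record would then reject the message rather than deliver it.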

Application whitelisting

Another basic strategy is to protect servers through application whitelisting, controlling which applications can run and ensuring email accounts are not run on any of the servers. In other words, making sure malicious email attachments never get to execute with administrator privileges on a critical server. System administrators can read their mail just as well on a locked down user machine.

Moving up in sophistication, another useful tool for large organisations is email filtering using a network appliance before the email reaches the mail server. Typically, these will execute untrusted programs or code in a virtual environment (sandbox), monitoring both host and network activity to detect unknown malware. But while this technique can be effective, a lot of the latest, most successful malware used by attackers incorporates sandbox evasion techniques to try to prevent it from being investigated in this way.

Typically, providers of such devices also use techniques to counter the attacker’s evasion techniques, and use other analysis and heuristic techniques to detect zero-day malware. Similarly, deploying endpoint security software using host intrusion detection on PCs is another line of defence to combat these threats. The best solutions do not depend on signatures or simple heuristics, but detect the techniques used to exploit vulnerabilities, such as buffer overflows, enabling them to detect most zero-day attacks.

Ultimately, the only way that attackers will reduce the volume of malware delivered via email attachments is if it becomes easier or more effective for them to deliver malware in a different way. Therefore, the best strategies for defence are to increase the reporting of malicious attachments by users, to have a strategy to deal with them, and to equip your environment with the technologies needed to make these attachments less effective.
