Graeme Batsman | 25 September 2018
Malware, love it (if you are a researcher) or hate it (if you have to defend against it). It has been around since the birth of computing which is decades ago, and the aim has moved away from being a joke or deleting the MBR (master boot record), to stealing your data or your money. Just when you thought you have seen everything, a new infection vector comes along which can bypass your recent technical controls you just configured. A large percentage of well-known breaches started off with an infection – think RSA (2011) and Target (2013). Today the main entry points are email (with a link or attachment), websites (drive by downloads or watering hole attacks) and physical (USB or less likely a CD or DVD).
Crafty is a word which sums up malware. Old infection methods re-appear along with new ones and for more targeted attacks, zero days. You need to be as cunning as a fox and think ahead, not just setup a standard email security gateway with the defaults on and install bog standard endpoint antimalware. Go beyond file blocks (still good if done right) and RBLs (real-time block lists) or signatures. In this article we will cover true defence in depth with some one-foot high fences, three feet high fences and some less known seven feet high fences. Technical controls need to be multi-layered and multi-aspect (don’t repeat the same AV engine on the endpoint and on the gateway).
Let’s start off by exploring the infection methods…
- Email, “mass marketing”: where emails are sent out to tens of thousands of potential victims with generic contents and exploit or payload.
- Email, semi targeted “mass marketing”: like the above but sent to an entire membership organisations, e.g. ICAS (Institute of Chartered Accounts of Scotland). Rather effective if the email is personalised per target.
- Email, targeted (spear phish): also known as whaling (if going after the big fish). This method is where each target is researched and the email is crafted to their “likening”. Typically, only sent to a handful of people at organisation x.
- Web, “mass marketing”: a genuine website is compromised thus serving malware to all visitors. Malwaretising is another method where an ad network serves ads which re-direct to an infected website.
- Web, watering hole: fairly targeted or completely targeted. If an attacker knew victim x at organisation x visited a specialised & unique website, they could infect that website to compromise them. This could infect “collateral damage” as well.
- USB device (or CD/DVD though seldom): this would be targeted and would involve handing the victim a USB device or leaving it in an obvious place. Mouse and keyboards can be “spiked” to, and can even bypass an air gapped network at times.
- Instant messing (IM): though not very common Skype (business or personal) and IRC (internet relay chat) can be used to pass malicious files or links.
Numbers 1-5 involve the victim receiving an email with an attachment in or link. Direct web-based infection involves a browser exploit kit fingerprinting the victims machine and if it fails with an automatic exploit (and payload) a prompt to down a .exe is presented. Now we have covered the main infections points let’s move over to defence in depth areas…
Standard boundary defences
If a burglar or hacker breaks into your building or network, he/she needs to get out with or without his/her loot. It is of course not good if someone breaks in but if they can extract a diamond or file even worse… Not that you want a burglar trapped in your house permanently! The aim of most hackers is to exploit a vulnerability, download a payload or open an SSH connection for future use and then extract the organisations secrets. General un-targeted mass market ransomware is the same, once it downloads the .exe it needs to reach out to generate a public/private key pair. If it can’t reach out or the domain name is blocked by the web filter, the decryption process will not happen.
You are a right a standard stateful firewall only cares about source port/ip and destination port/ip and it has no visibility beyond that. Ninja rules inbound and more importantly outbound can stop the spread or the infection from fully infecting an endpoint. Firstly, you should be blocking all inbound ports apart from your mail server and web server which are hopefully isolated anyway. Then comes the outer firewall which sends endpoint traffic out. It should only permit port 80 & 443/TCP outbound. Other ports should be permitted on a case by case basis and locked down to an external IP or URL to a particular user. DNS should be locked down to the internal DNS server or external provider. Endpoint firewalls should filter outbound ports to. Though this may not block vast infections, every little helps!
More intelligent boundary defences (IPS & level-7 firewalling)
Intrusion prevention systems do have some signatures in for blocking inbound or outbound malware calls. Within most modern IPS’s is a bot blocker database included or available for a small additional fee. Each inbound or outbound request from servers or end users can be compared to the vendors ever changing list of 50,000-100,000 known bad IPs. IPS’s are usually placed one notch above the firewall and should be configured based on your infrastructure (endpoint and server operating systems). Enabling bot blocker and endpoint signatures is going to stop some less targeted infections.
Level-7 firewalling is similar to a WAF (web application firewall) but it’s job is to inspect and filter outbound traffic not inbound traffic. Port 80 & 443/TCP also known as HTTP(s) is very broad and many services & products run through it. Microsoft Skype, Microsoft Outlook, Microsoft ActiveSync, file sync products, browsers and a tonne more flow through both ports (mainly HTTPs). An application layer firewall built into your UTM (unified threat management) or web filter can permit and deny products from running beyond the realms of a stateful firewall. If you block Skype for instance you have reduced your infection surface by a small amount.
A quick win which you maybe doing already. Have end users log in as a user account not administrator account. Less privileges may slow down or stop infections from happening in the first place. If end users need administrator right create a dot name account (e.g. joe.green) and each time they need to run something with full rights they right click “right as administrator”. This account should not have login privileges.
Seldom do large organisations force users to install antimalware on their smartphones. Phones can get infected, usually through apps rather than an exploit. If you are an IoS, Windows Phone or old BlackBerry user there is less of a worry and getting antimalware for these operating systems is hard and at times adds little security. Android has up to 95% market share of malware of all of the operating systems out there. If you are an Android-house ensure the device (and apps) are patched, users cannot install apps directly, block jail broken devices, use an MDM (to manage and containerise) the device and install good antimalware which will scan links, texts, emails and apps.
An odd topic you may think? Though it is rather unlikely to actually stop an infection, it can stop data from being stolen or decrypted once exfiltrated. If a file was encrypted using AES or PGP, be it a 20+ character password or a big encryption key, without either the attacker will seriously struggle to decrypt it. That said if an endpoint has been infected what stops them from keylogging the passwords or stealing the key from memory? True encryption would involve storing the encryption key on a specialised USB stick thus the attacker would need to steal the physical key to decrypt the files.
Domain name service sees everything, regardless of port or product. Whether it be Firefox requesting the IP address or Skype mapping a domain name to an IP address. Outside of 184.108.40.206 (Google DNS) others can automatically block calls to CnC (command & control) servers, spam sites and infected sites. On top of this it can even filter browsing categories, i.e. gambling, webmail, file transfer etc. If a website has a malicious re-direct in it or an endpoint is already infected and reaches out to a CnC server, it can block the request if it’s in its database. Specialist services can tell you what is already infected by analysing outbound calls. DNS can be used as an outbound whitelist - see the next section.
Website security gateway
Think Bluecoat, Barracuda or your UTM’s web filter module. WSG’s have existed for over 15 years and filter outbound access by category or URL. Needless to say, you should be blocking all security risk categories by now. On top of this you should be filtering downloads and malware scanning all general traffic & downloads. MSI, EXE, SCR, PS1 etc. should be blocked for standard users. If you cannot block obvious downloads then have them held and scanned by a few AV engines, then release it if safe.
As mentioned above a whitelist approach is a strong idea. Why let end users browse billions of “safe” sites and block a few million bad ones. It is impossible to win in this case due to ever-changing URLs. A better way is only permit 5000 or so URLs outbound. Send end users a survey, vet them along with HR and deny anything but this list. Then current infections will possibly (more likely if whitelisted at DNS) cease communication back “home” and new infections will greatly reduce to.
General hardening is a good start which entails changing the defaults, removing un-needed software & plugins and of course patching frequently everything. Endpoints be it a desktop, laptop, tablet or smartphone is the end target for attackers. Defences should not be a like touch even if you have various layers before, scanning and blocking attempts. Take HTTPS as a very common example, the IPS & website security gateway rarely bothers to scan it since it is of course encrypted. Decrypting it has a few problems around it: privacy, end user speed, security, CPU/RAM hammering on the hardware and software & protocols breaking. If HTTPs is not being scanned then your visibility is poor and the endpoint is likely the only layer offering any protection at all.
Endpoint security falls into two main areas; 1. tweaking existing settings and 2. security software.
For tweaking this would include: turning off autorun, blocking USB sticks from running, blocking the execution of PowerShell & Bat scripts, disabling macros from running in Microsoft Office, disabling auto download & preview in Microsoft Outlook, logging in as an non-administrator, removing software & services you do not need, using a more secure browser and consider NoScript (plugins) for more high risk environments.
Security software for the endpoint needs to move beyond the old bog standard single engine defence which was first used over a decade ago. Standard antimalware using either signature detection along with behaviour and/or heuristic. While the latter two sounds good, in practice often all three methods fail to detect zero-hour un-targeted malware. It is impossible to keep up with signatures. Malware these days often does not start off as… malware. Firstly, a vulnerability is exploited and a payload (malware) pushed out. Anti-exploit technology or as bundled in with a product is a step up. It aims to stop the exploit (think PDF or Java), thus by stopping the exploit the malware cannot be pushed down. These work without signatures and monitor commonly exploited products: browsers and add-ins (Java, Flash, Silverlight etc.). Application whitelisting is another very strong defence. It permits everything currently on the endpoint and denies anything new which does not have a valid approved digital signature in the database
Email security gateway
An email usually kicks off the whole infection process or breach (credential phishing) thus defences should be very strong at this point. At the very least you should be blocking 50+ known bad file extensions and it should check within archives to. In case someone has renamed the file to evade detection it should check the file type as well as the extension. Encrypted files should be quarantined or even blocked. Then on to the humble AV engine and this should be as many as possible - some gateways allow up to six! An AV engine should be to on the server and even on the UTM if possible scanning SMTP.
If an attacker cannot smuggle a file through your defences, he/she will often try a “blended attack” – a URL in simple English. The gateway needs to database check these, scan them and the most important repeat the process each time the URL within the email is clicked not just on entry.
A combination of lighter defences is needed to, which include: anti spoofing (SPF, DKIM & DMARC), real-time block lists for emails & URLs, grey listing, reverse lookups and even geo-blocking. Outbreak prevention can help catch zero-hour spam & malware by being part of a massive intelligence database. It can speed up detection of new emails from hours to minutes.
Now on to the “big guns”. We have all have heard of sandboxing, think FortiSandbox or Fireye. Great and expensive these maybe, they are only accurate to 97% or so. The bad guys and girls can still evade these, and some smart malware wont “detonate” if it detects a virtual environment.
For the final two which are less known about. Deep file inspection and structural sanitization.
Deep file inspection is similar to level seven outbound firewalling. It breaks down the contents. Take a PDF, within the PDF there is lots of text, code, images and maybe script. This process extracts all elements into individual elements, scans them and blocks (if you specify a ruleset). Say there was a .vbs file embedded in a Word file, it would extract it and block the entire file. Standard defences may not necessary block the script since it is embedded in a legitimate file and is not malware per se.
Lastly, a newish less known technology which takes a zero-tolerance approach. Instead of wondering if it is safe, sandboxing it and hoping it will detonate why not just neutralise the chance? This method is known as code stripping or structural sanitization. A PDF, Word or image is passed through it, and to put it simply it chops the file in halve, removes any code and presents you with the GUI version. Any scripts or even zero days are killed, and it does not need signature updates. This method is 99% - 99.9% accurate for the file types it can handle!
For the best defence… airgap it - offline your critical data.
Understanding and Analysing Malware
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.