Streeterville Group M. Aghajanian, M. Blackburn, T. Heller Defending Against Users Executing Malware Code via Email


Page 1

Streeterville Group
M. Aghajanian, M. Blackburn, T. Heller

Defending Against Users Executing Malware Code via Email

Page 2

Case of Confounded Confections, Inc.

Introduction

• Ultra-secure network to protect their sweet secrets:
  1. Enterprise firewalls.
  2. Only necessary services with required authentication.
  3. Tightly managed systems.
• Anomalies begin to appear.
• CIO wants to know…

Page 3

Investigation

Why?!

Page 4

Quick Review

Risk Analysis

• Risk analysis (quantitative)
• Policy
• Design
• Prevention
• Response or countermeasures
• Implementation
• Control
• Rinse and repeat...

Page 5

Classifications

• State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy.

• Size of host population: small (binomial), large (Poisson).

• Diversity of hosts (mix of operating systems)

• Weight of susceptibility

• Weight of business value

Risk Analysis
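The classifications above lend themselves to a small quantitative risk calculation. The Python below is an added example written for this page, not the authors' material: it models a small population with the exact binomial and a large one with the Poisson approximation, weights each host's susceptibility by its business value, reports OS diversity, and shows the host-state transition used when a machine is pulled into quarantine. The inventory, susceptibility figures and dollar values are constructed for illustration.

```python
"""Quantitative risk sketch for a malware-via-email scenario (added example).

Every host, weight and dollar value below is constructed; nothing here comes from the slides.
"""
from dataclasses import dataclass
from math import comb, exp, factorial

# Host states named on the classification slide; a host carries exactly one at a time.
STATES = ("susceptible", "infected", "quarantined", "recovered", "transmitted", "healthy")
SUSCEPTIBLE, INFECTED, QUARANTINED = "susceptible", "infected", "quarantined"


@dataclass
class Host:
    name: str
    os: str
    susceptibility: float   # assumed yearly probability the user runs a malicious attachment
    business_value: float   # assumed loss in dollars if this host is compromised
    state: str = SUSCEPTIBLE


def binomial_at_least(n, p, k):
    """P(X >= k) for X ~ Binomial(n, p): exact, suited to a small host population."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def poisson_at_least(lam, k):
    """P(X >= k) for X ~ Poisson(lam): the large-population approximation with lam = n * p."""
    return 1 - sum(exp(-lam) * lam ** i / factorial(i) for i in range(k))


def prob_at_least(hosts, k, large=50):
    """Probability that at least k hosts get infected this year; model chosen by population size."""
    n = len(hosts)
    p = sum(h.susceptibility for h in hosts) / n      # mean susceptibility across the population
    return binomial_at_least(n, p, k) if n < large else poisson_at_least(n * p, k)


def expected_annual_loss(hosts):
    """Susceptibility weighted by business value: sum of p_i * v_i over the population."""
    return sum(h.susceptibility * h.business_value for h in hosts)


def os_diversity(hosts):
    """Share of the population per OS; a monoculture lets one exploit reach every host."""
    counts = {}
    for h in hosts:
        counts[h.os] = counts.get(h.os, 0) + 1
    return {name: c / len(hosts) for name, c in counts.items()}


def quarantine(host):
    """State transition for the response step: only an infected host can be quarantined."""
    if host.state != INFECTED:
        raise ValueError(f"{host.name} is {host.state}, not infected")
    host.state = QUARANTINED
    return host


# Constructed inventory: 10 hosts with a mean susceptibility of 0.10.
INVENTORY = (
    [Host(f"win{i}", "Windows", 0.14, 5_000) for i in range(5)]
    + [Host(f"mac{i}", "macOS", 0.06, 8_000) for i in range(3)]
    + [Host(f"srv{i}", "Linux", 0.06, 20_000) for i in range(2)]
)

if __name__ == "__main__":
    print("P(at least one infection), binomial:", round(prob_at_least(INVENTORY, 1), 4))
    print("Same population size, Poisson approx :", round(poisson_at_least(1.0, 1), 4))
    print("Expected annual loss ($)            :", round(expected_annual_loss(INVENTORY), 2))
    print("OS mix:", os_diversity(INVENTORY))
```

The two models disagree by about two percentage points at ten hosts, which is why the slide reserves the Poisson form for large populations; the expected-loss figure is the number the CIO can weigh against the per-user cost of a countermeasure.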

Page 6

Risk Analysis

Page 7

General Cost of Malware

• Paradigm shift to more indirect costs than direct costs overall.

• Largest expenses:

  • Staff hours for support.
  • Staff hours from downtime.

• Hardware, software, vendor support and IT training.

• Legal, human resources, and training.

Risk Analysis

Page 8

Design Solutions

• Layered schema for malware detection.

• Prevention by inspection at various points at the edge and perimeter.

• ClamAV (open source hardware solution)

• Microsoft perspective (proprietary software solution)

• Future approaches at the edge or perimeter (next sections)

Prevention at the Edge and Perimeter

Page 9

Prevention at the Edge and Perimeter

Layered Protection
Microsoft Approach

Page 10

Exploitations

Responding to User Actions: Clicking on Links

Drive-By Downloads

o Exploit browser vulnerabilities.
  - JavaScript/ECMAScript
  - Content Parsing
o Exploit vulnerabilities in browser add-ons.
  - Flash
  - Adobe Reader
  - Java

Page 11

Countermeasures

Responding to User Actions: Clicking on Links

• DNS Blacklisting
  o Used by spam filtering software.
  o Repurposed to everyday DNS.
  o Prevent access to sites known to host malware.
  o 11.25¢ per user/year.
• SSL Proxy with malcode detection
  o Prevent all malcode delivery.
  o Including within encrypted sessions.
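As an added example of the DNS blacklisting idea (this is not code from the presentation): a tiny policy resolver that walks a queried name up through its parent domains against a blocklist, sinkholes both listed names and listed answers, writes an audit line for each decision, and builds the reversed-octet query name that spam filters send to a DNSBL zone. The blocklist, upstream zone data, sinkhole address and zone name are constructed; the .example names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are reserved for documentation.

```python
"""DNS blocklist lookups repurposed for everyday resolution (added example).

All names, addresses and list contents are constructed placeholders.
"""
import ipaddress

SINKHOLE = "192.0.2.1"   # assumed address handed back for blocked names; points at nothing real

# Constructed blocklists: names known to host malware, and a hosting address listed by an RBL.
DOMAIN_BLOCKLIST = {"malware-host.example", "drive-by.example"}
IP_BLOCKLIST = {"198.51.100.7"}

# Constructed upstream zone data the resolver would otherwise answer from.
UPSTREAM = {
    "www.confections.example": "203.0.113.10",
    "cdn.malware-host.example": "198.51.100.7",
    "updates.partner.example": "198.51.100.7",   # clean name, but it resolves to a listed address
    "news.example": "203.0.113.20",
}


def rbl_query_name(ip, zone):
    """Reversed-octet query name a spam filter sends to a DNSBL zone (e.g. 10.2.0.192.bl.example)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def blocked_suffix(name):
    """Walk the name toward the root: a listed parent domain covers every subdomain beneath it."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_BLOCKLIST:
            return candidate
    return None


def resolve(name, audit_log, zone="bl.example"):
    """Policy resolver: sinkhole listed names and listed answers, pass everything else through."""
    listed = blocked_suffix(name)
    if listed:
        audit_log.append(f"BLOCK name={name} listed={listed}")
        return SINKHOLE
    answer = UPSTREAM.get(name.lower().rstrip("."))
    if answer is None:
        audit_log.append(f"NXDOMAIN name={name}")
        return None
    if answer in IP_BLOCKLIST:
        audit_log.append(f"BLOCK name={name} answer={answer} rbl={rbl_query_name(answer, zone)}")
        return SINKHOLE
    audit_log.append(f"PASS name={name} answer={answer}")
    return answer


def block_count(audit_log):
    """How many queries the policy stopped; the number to report against the per-user cost."""
    return sum(1 for line in audit_log if line.startswith("BLOCK"))


if __name__ == "__main__":
    log = []
    for q in ("www.confections.example", "cdn.malware-host.example",
              "updates.partner.example", "nothing.example"):
        print(q, "->", resolve(q, log))
    print("\n".join(log))
    print("blocked:", block_count(log))
```

The suffix walk is what makes a domain blocklist cheap to maintain: listing the parent domain once covers every hostname an attacker spins up under it, and the audit lines give the security team the click-through attempts that user training otherwise never sees.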

Page 12

Prevention—Human Factor

Responding to User Actions: Clicking on Links

• User Training
  o Detect suspicious emails.
  o Close browser if concerned.
• Acceptable Use Policy
  o Discourage promiscuous behavior.
  o "Scare tactic" heightens stakes.
• Ongoing Communication
  o Ongoing remediation costs = foregone benefits.
  o Reinforce desired behavior.

Page 13

Mitigation—Technical Approaches

Responding to User Actions: Clicking on Links

• Application Selection
  o Remove Adobe Reader: 55% of all attacks.
  o Remove IE6: 5% of all attacks.
• Update policies
  o Use Microsoft Group Policy
    - Update MS products automatically.
  o Communicate & inform users
  o Perform software audits
    - Not feasible in decentralized networks.

Page 14

Mitigation—Human Factor

Responding to User Actions: Clicking on Links

• User cooperation

o Accept new updates

o Don't install unknown plugins

• Vendor support

o Push updates to all clients

o Centralized patch level monitoring

o Create vendor compliance standards

Page 15

Antivirus Signatures

Responding to User Actions: Opening Attachments

o Typical approach
  - Bit-by-bit signatures (a.k.a. "hash")
o New approach
  - Behavioral signature
o Influence
  - Script kiddies
o Policy and enforcement
  - Additional software may be required
  - Performance hit
  - Instrumentation, legacy systems
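To make the hash-versus-behavior contrast concrete, here is an added Python example (not the authors' code) that parses a constructed email, hashes each attachment against a constructed SHA-256 blocklist, and applies static heuristics (double extension, executable extension, PE "MZ" header) as a stand-in for the behavioral signature the slide refers to. The messages and the "known bad" byte string are fabricated; the latter is a fake PE header, not malware. A one-byte change to the sample defeats the hash signature while the heuristics still fire, which is the gap the slide's "new approach" is meant to close.

```python
"""Attachment scanning: hash signatures beside a heuristic check (added example).

The email, the "known bad" bytes and the blocklist are all constructed for this demo.
"""
import hashlib
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: a fake PE header plus filler. Only its shape matters; it does nothing.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}   # the "bit-by-bit" signature list
EXEC_EXTENSIONS = {"exe", "scr", "com", "bat", "js", "vbs"}


@dataclass
class Verdict:
    filename: str
    sha256: str
    reasons: list = field(default_factory=list)

    @property
    def blocked(self):
        return bool(self.reasons)


def heuristic_reasons(filename, data):
    """Static stand-in for a behavioral signature: judge the file by traits, not by exact bytes."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS:
        reasons.append("double-extension")        # e.g. invoice.pdf.exe
    elif len(parts) >= 2 and parts[-1] in EXEC_EXTENSIONS:
        reasons.append("executable-extension")
    if data[:2] == b"MZ":
        reasons.append("pe-header")               # Windows executable regardless of its name
    return reasons


def scan_attachment(filename, data):
    digest = hashlib.sha256(data).hexdigest()
    verdict = Verdict(filename, digest)
    if digest in HASH_BLOCKLIST:
        verdict.reasons.append("hash-match")      # exact signature: cheap, but brittle
    verdict.reasons.extend(heuristic_reasons(filename, data))
    return verdict


def scan_message(raw):
    """Walk every attachment of an RFC 822 message and return one Verdict per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        content = part.get_content()
        data = content.encode() if isinstance(content, str) else content
        verdicts.append(scan_attachment(part.get_filename() or "unnamed", data))
    return verdicts


def disposition(verdicts):
    """Mail-flow decision: hold the whole message if any attachment is blocked."""
    return "quarantine" if any(v.blocked for v in verdicts) else "deliver"


def build_sample():
    """Constructed message with a listed sample, a benign text file and a mutated sample."""
    msg = EmailMessage()
    msg["From"] = "sender@sender.example"
    msg["To"] = "user@confections.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(KNOWN_BAD, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment("Quarterly figures attached separately.\n", filename="report.txt")
    mutated = KNOWN_BAD[:-1] + b"!"   # one byte changed: hash misses, heuristics still fire
    msg.add_attachment(mutated, maintype="application", subtype="octet-stream",
                       filename="invoice2.pdf.exe")
    return msg.as_bytes()


SAMPLE_RAW = build_sample()

if __name__ == "__main__":
    results = scan_message(SAMPLE_RAW)
    for v in results:
        print(f"{v.filename:18} {v.sha256[:12]}  {', '.join(v.reasons) or 'clean'}")
    print("disposition:", disposition(results))
```

The slide's "performance hit" shows up here too: hashing is one pass over the bytes, while trait-based checks grow with every rule added, and a real behavioral engine has to execute or emulate the file, which is why the slide pairs the approach with policy and enforcement questions.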

Page 16

Policies and Enforcement

Responding to User Actions: Opening Attachments

• Antivirus/OS update policies and procedures
  o Responses to malware/vulnerabilities, a.k.a. patches
  o Admins: greater freedom/power or computer security
  o If users choose when to update...
  o If admin chooses when to update...
  o "Managed" antivirus software
    - Shows who is doing what: privacy issues
• Distributed Support System
  o Typical of universities
  o Policies and enforcement up to non-IT personnel

Page 17

OS Countermeasures

Responding to User Actions: Opening Attachments

• User privilege management
  o Usually centralized
    - Environment and staff affect leniency
    - Research environment requires more user privileges
    - Less IT staff requires more user privileges
  o Requirements, Reactions & Risk
    - Users have different tasks, downtime, productivity requirements
• Vendor/Instrumentation/Legacy computers
  o Limited support, no software patching (vendor not liable)
  o Various versions of antivirus software
  o User POV
    - Updating is confusing, lengthy, slower computer and system re-boot

Page 18

Execution and Service Management

Responding to User Actions: Opening Attachments

• OSs require password authorization before execution
  o Protects against "accidentally" installing unwanted software
  o Users can enter password and move on
• DEP & ASLR
  o Windows XP SP2, Mac OS X
  o Effective as individual solution
  o Exploits written for IE8 and Firefox (Mac & Win)
  o Defense-in-Depth: makes exploits slower
    - Layering defenses: more obstacles, more opportunities

Page 19

Future Approaches

Responding to User Actions: Opening Attachments

• Network level sandbox
  o Users adapt to waiting for emails
• Deep-scanning email clients
  o Number of cores/CPUs growing & privacy issues
• Research: extent of malware coders sharing/upgrading malware
• Executable signatures
• Non-IT Policies
  o High level policies (HIPAA, SOX)
    - Cause more IT support funding and detail
    - Force everyone to abide (legal consequences)
• Northwestern University
  o Proactive policies, training