Streeterville Group
M. Aghajanian, M. Blackburn, T. Heller
Defending Against Users Executing Malware Code via Email
Case of Confounded Confections, Inc.
Introduction
• Ultra-secure network to protect their sweet secrets:
  1. Enterprise firewalls.
  2. Only necessary services, with required authentication.
  3. Tightly managed systems.
• Anomalies begin to appear.
• CIO wants to know…
Investigation
Why?!
Quick Review
Risk Analysis
• Risk analysis (quantitative)
• Policy
• Design
• Prevention
• Response or countermeasures
• Implementation
• Control
• Rinse and repeat...
Classifications
• State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy.
• Size of host population: small (binomial model), large (Poisson approximation).
• Diversity of hosts (mix of operating systems)
• Weight of susceptibility
• Weight of business value
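The classifications above feed a quantitative model. The script below is an added example (not code from the presentation): it computes the probability that at least k hosts are infected with the exact binomial model for a small population and the Poisson approximation for a large one, weights expected loss by per-group susceptibility and business value, and steps the susceptible → infected → quarantined → recovered chain in expected values. The host groups, weights and rates are constructed assumptions, not figures from the deck.

```python
"""Quantitative risk model for the host classifications (added example).

All numbers are constructed; group names, weights and rates are assumptions.
"""
from dataclasses import dataclass
from math import comb, exp, factorial


@dataclass
class HostGroup:
    name: str
    count: int
    susceptibility: float   # weight of susceptibility: P(infected | exposed), 0..1
    business_value: float   # weight of business value: cost units per infected host


def binomial_tail(n, p, k):
    """P[X >= k] for X ~ Binomial(n, p).

    Exact, so suited to a small host population where each of n hosts is
    independently infected with probability p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def poisson_tail(lam, k):
    """P[X >= k] for X ~ Poisson(lam): the large-population approximation
    (n large, p small, lam = n * p)."""
    return 1.0 - sum(exp(-lam) * lam ** i / factorial(i) for i in range(k))


def expected_loss(groups, exposure):
    """Expected cost of one outbreak. Each host is exposed with probability
    `exposure`, infected with probability susceptibility * exposure, and costs
    business_value when infected. Host diversity (mix of OSes) enters through
    the per-group susceptibility weight."""
    return sum(g.count * g.susceptibility * exposure * g.business_value for g in groups)


def step(state, beta, quarantine_rate, recovery_rate):
    """One expected-value step of susceptible -> infected -> quarantined -> recovered.

    beta: per-step probability that one infected host infects a given susceptible
    host (an e-mail worm mailing everyone it can reach). Counts are expected
    values, so they are fractional; the total population is conserved."""
    s, i, q, r = state
    p_infect = 1.0 - (1.0 - beta) ** i      # fail to escape all i infected hosts
    new_i = s * p_infect
    new_q = i * quarantine_rate
    new_r = q * recovery_rate
    return (s - new_i, i + new_i - new_q, q + new_q - new_r, r + new_r)


def run(state, beta, quarantine_rate, recovery_rate, steps):
    for _ in range(steps):
        state = step(state, beta, quarantine_rate, recovery_rate)
    return state


if __name__ == "__main__":
    # Constructed inventory (assumed, not from the presentation).
    groups = [
        HostGroup("finance (locked-down Windows)", 20, 0.3, 5.0),
        HostGroup("research lab (admin rights, mixed OS)", 50, 0.8, 2.0),
    ]
    print("expected loss at 10% exposure:", expected_loss(groups, 0.1))
    print("P[>=1 infected | 10 hosts, p=0.1] =", binomial_tail(10, 0.1, 1))
    print("P[>=2 | 1000 hosts, p=0.001] binomial vs Poisson:",
          binomial_tail(1000, 0.001, 2), poisson_tail(1.0, 2))
    print("S,I,Q,R after 5 steps:", run((99.0, 1.0, 0.0, 0.0), 0.05, 0.5, 0.2, 5))
```

The binomial and Poisson tails agree to within about 1e-6 for 1000 hosts at p = 0.001, which is why the large-population case can use the cheaper Poisson form; for ten hosts the two differ noticeably and the exact binomial is the one to use.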
Risk Analysis
General Cost of Malware
• Shift in the overall cost structure from direct costs toward indirect costs.
• Largest expenses:
  o Staff hours for support.
  o Staff hours lost to downtime.
  o Hardware, software, vendor support and IT training.
  o Legal, human resources, and training.
Risk Analysis
Design Solutions
• Layered schema for malware detection.
• Prevention by inspection at various points at the edge and perimeter.
• ClamAV (open source software solution)
• Microsoft perspective (proprietary software solution)
• Future approaches at the edge or perimeter (next sections)
Prevention at the Edge and Perimeter
Layered Protection: Microsoft Approach
Exploitations
Responding to User Actions: Clicking on Links
• Drive-by downloads
  o Exploit browser vulnerabilities.
    JavaScript/ECMAScript
    Content parsing
  o Exploit vulnerabilities in browser add-ons.
    Flash
    Adobe Reader
    Java
Countermeasures
Responding to User Actions: Clicking on Links
• DNS blacklisting
  o Used by spam-filtering software.
  o Repurposed for everyday DNS resolution.
  o Prevents access to sites known to host malware.
  o 11.25¢ per user per year.
• SSL proxy with malcode detection
  o Aims to block malcode delivery, including within encrypted sessions.
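What "repurposing a DNS blacklist for everyday DNS" looks like in code, as an added example (not from the presentation or any product): a hosts-file-style feed is parsed, each query is matched against the list at label boundaries so that subdomains of a blocked zone are caught while look-alike names are not, and covered names are answered with a sinkhole address instead of the upstream answer. The feed text, query names and sinkhole address are constructed.

```python
"""DNS blocklist filter for a resolver or DNS proxy (added example).

The blocklist feed, the query names and the sinkhole address are constructed.
"""

# Constructed feed in hosts-file style, as many public malware-domain lists
# are published: "<sink address> <domain>" per line, '#' starts a comment.
BLOCKLIST_TEXT = """
# constructed sample feed
0.0.0.0 malware.example
0.0.0.0 Dropper.Example.NET   # mixed case on purpose
127.0.0.1 tracker.example.org.
"""

SINKHOLE = "10.255.255.1"   # assumed internal sinkhole that serves a warning page


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_blocklist(text):
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) > 1 else parts[0]   # tolerate bare-domain lines
        blocked.add(normalize(name))
    return blocked


def blocked_by(qname, blocklist):
    """Return the blocklisted zone that covers qname, or None.

    Matching walks label boundaries: 'www.malware.example' hits
    'malware.example', but 'notmalware.example' does not (a naive endswith()
    check would block it), and a blocked child never blocks its parent."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in blocklist:
            return zone
    return None


def answer(qname, upstream_answer, blocklist):
    """Policy for one query: ('SINKHOLE', addr, zone) when the name is covered,
    else ('PASS', upstream_answer, None). Sinkholing rather than NXDOMAIN lets
    the resolver log the client and show the user why the site was blocked."""
    zone = blocked_by(qname, blocklist)
    if zone is None:
        return ("PASS", upstream_answer, None)
    return ("SINKHOLE", SINKHOLE, zone)


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for q in ["www.malware.example", "cdn.dropper.example.net.",
              "notmalware.example", "example.net"]:
        print(q, "->", answer(q, "192.0.2.10", bl))
```

The same matching applies whether the list is loaded into a resolver's response-policy zone or into a forwarding proxy; the label-boundary walk is the part that is easy to get wrong with a substring check.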
Prevention—Human Factor
Responding to User Actions: Clicking on Links
• User training
  o Detect suspicious emails.
  o Close the browser if concerned.
• Acceptable use policy
  o Discourage promiscuous behavior.
  o "Scare tactic" heightens the stakes.
• Ongoing communication
  o Ongoing remediation costs = foregone benefits.
  o Reinforce desired behavior.
Mitigation—Technical Approaches
Responding to User Actions: Clicking on Links
• Application selection
  o Remove Adobe Reader: 55% of all attacks.
  o Remove IE6: 5% of all attacks.
• Update policies
  o Use Microsoft Group Policy to update MS products automatically.
  o Communicate with and inform users.
  o Perform software audits.
    Not feasible in decentralized networks.
Mitigation—Human Factor
Responding to User Actions: Clicking on Links
• User cooperation
o Accept new updates
o Don't install unknown plugins
• Vendor support
o Push updates to all clients
o Centralized patch level monitoring
o Create vendor compliance standards
Antivirus Signatures
Responding to User Actions: Opening Attachments
o Typical approach: bit-by-bit signatures (a.k.a. "hash")
o New approach: behavioral signatures
o Influence: script kiddies
o Policy and enforcement: additional software may be required; performance hit; instrumentation and legacy systems
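The difference between the two signature types, as an added example (not code from the presentation or from any antivirus product): a hash signature identifies one exact byte string and misses a copy that differs by a single byte, while a behavioral signature matches an ordered set of actions the program performs and catches the variant too. The sample bytes, the rule and the two run traces are constructed.

```python
"""Hash signature versus behavioral signature (added example).

The sample bytes, the behavioral rule and the traces are constructed.
"""
import hashlib

# Constructed "attachment" standing in for a known mass-mailer, and a variant
# that differs by one byte, the kind of trivial repack a script kiddie makes.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 60 + b"MAPI.Session SMTP RunOnce payload"
VARIANT = ORIGINAL.replace(b"payload", b"payloaf")

# Hash ("bit-by-bit") signature database: sha256 of the whole file -> name.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Worm.Constructed.A"}

# Behavioral signature: ordered steps (action, lower-case substring of target)
# that must all occur, in this order, somewhere in the observed run trace.
BEHAVIOR_RULES = {
    "Worm.Constructed.gen (mass-mailer behaviour)": [
        ("file_write", ".exe"),                  # drops an executable
        ("registry_set", r"\currentversion\run"),  # persists via a Run key
        ("file_read", "address book"),           # harvests recipients
        ("net_connect", ":25"),                  # talks SMTP itself
    ],
}


def hash_scan(data, signatures):
    """Exact-match detection: any byte change yields a different digest."""
    return signatures.get(hashlib.sha256(data).hexdigest())


def behavior_scan(trace, rules):
    """Return the names of rules whose steps appear in order (not necessarily
    adjacent) in a trace of (action, target) events from a sandbox or host agent."""
    hits = []
    for name, steps in rules.items():
        idx = 0
        for action, target in trace:
            if idx < len(steps) and action == steps[idx][0] and steps[idx][1] in target.lower():
                idx += 1
        if idx == len(steps):
            hits.append(name)
    return hits


# Constructed traces, as a sandbox or host agent would log them.
TRACE_VARIANT = [
    ("process_start", r"C:\Temp\invoice.exe"),
    ("file_write", r"C:\Windows\system32\svch0st.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"),
    ("file_read", r"C:\Users\ann\Mail\Outlook Address Book.pab"),
    ("net_connect", "mail.example.net:25"),
]
# A legitimate mail client also reads the address book and speaks SMTP, but
# never drops an executable or sets a Run key, so the ordered rule stays silent.
TRACE_BENIGN_CLIENT = [
    ("process_start", r"C:\Program Files\Mail\mailclient.exe"),
    ("file_read", r"C:\Users\ann\Mail\Address Book.dat"),
    ("net_connect", "mail.example.net:25"),
]

if __name__ == "__main__":
    print("hash, original:", hash_scan(ORIGINAL, HASH_SIGNATURES))
    print("hash, variant: ", hash_scan(VARIANT, HASH_SIGNATURES))
    print("behavior, variant:", behavior_scan(TRACE_VARIANT, BEHAVIOR_RULES))
    print("behavior, benign: ", behavior_scan(TRACE_BENIGN_CLIENT, BEHAVIOR_RULES))
```

The behavioral check is what costs the "performance hit" the slide mentions: it needs the program to run (or be emulated) and every file, registry and network event to be instrumented, whereas the hash check is a single digest over the bytes on disk.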
Policies and Enforcement
Responding to User Actions: Opening Attachments
• Antivirus/OS update policies and procedures
  o Responses to malware/vulnerabilities, a.k.a. patches.
  o Admins: greater freedom/power versus computer security.
  o If users choose when to update...
  o If admins choose when to update...
  o "Managed" antivirus software shows who is doing what: privacy issues.
• Distributed support system
  o Typical of universities.
  o Policies and enforcement left to non-IT personnel.
OS Countermeasures
Responding to User Actions: Opening Attachments
• User privilege management
  o Usually centralized.
  o Environment and staff affect leniency:
    Research environments require more user privileges.
    Less IT staff requires more user privileges.
  o Requirements, reactions and risk: users have different tasks, downtime and productivity requirements.
• Vendor/instrumentation/legacy computers
  o Limited support, no software patching (vendor not liable).
  o Various versions of antivirus software.
  o User point of view: updating is confusing and lengthy, slows the computer and requires a system reboot.
Execution and Service Management
Responding to User Actions: Opening Attachments
• OSes require password authorization before execution
  o Protects against "accidentally" installing unwanted software.
  o Users can enter the password and move on.
• DEP & ASLR
  o Windows (DEP since XP SP2, ASLR since Vista), Mac OS X.
  o Limited as an individual solution: exploits bypassing them have been written for IE8 and Firefox (Mac & Win).
  o Defense in depth: makes exploits slower and harder to write.
    Layering defenses: more obstacles, more opportunities to catch the attack.
Future Approaches
• Network-level sandbox
  o Users are accustomed to waiting for email, so added latency is tolerable.
• Deep-scanning email clients
  o Number of cores/CPUs growing; privacy issues.
• Research: extent of malware coders sharing/upgrading malware.
• Executable signatures
• Non-IT policies
  o High-level policies (HIPAA, SOX) bring more IT support funding and detail, and force everyone to abide (legal consequences).
• Northwestern University
  o Proactive policies, training.
Responding to User Actions: Opening Attachments