Defending Against Users Executing Malware Code via Email

Streeterville Group
M. Aghajanian, M. Blackburn, T. Heller
Introduction
Case of Confounded Confections, Inc.
• Ultra-secure network to protect their sweet secrets:
1. Enterprise firewalls.
2. Only necessary services with required authentication.
3. Tightly managed systems.
• Anomalies begin to appear.
• CIO wants to know…
Investigation
Why?!
Risk Analysis
Quick Review
• Risk analysis (quantitative)
• Policy
• Design
• Prevention
• Response or countermeasures
• Implementation
• Control
• Rinse and repeat...
Risk Analysis
Classifications
• State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy.
• Size of host population: small (binomial), large (Poisson).
• Diversity of hosts (mix of operating systems)
• Weight of susceptibility
• Weight of business value
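The classification slide above in numbers, as an added example that is not part of the original deck: each host carries a susceptibility weight and a business value, the probability that at least k hosts are infected is computed exactly with the binomial model for a small population and with the Poisson approximation for a large one, and OS diversity is reported as a share per platform. The inventory and the exposure probability are constructed.

```python
# Added example, not from the slides: putting numbers on the "Classifications"
# slide. Each host gets a susceptibility weight (0..1) and a business value;
# P[at least k infected] is exact binomial for a small population and the
# Poisson approximation (lambda = n * p) for a large one. Inventory is constructed.
from math import comb, exp, factorial

# Constructed inventory: (host, OS, susceptibility weight, business value in dollars)
HOSTS = [
    ("ws-01", "windows", 0.30, 2_000),
    ("ws-02", "windows", 0.30, 2_000),
    ("ws-03", "windows", 0.30, 2_000),
    ("mac-01", "macos", 0.10, 2_000),
    ("lab-01", "linux", 0.05, 15_000),
    ("db-01", "windows", 0.20, 50_000),
]


def expected_loss(hosts, p_exposure):
    """Expected loss: weight * value * P(exposure), summed over all hosts."""
    return sum(w * v * p_exposure for _, _, w, v in hosts)


def mean_infection_prob(hosts, p_exposure):
    """Average per-host infection probability, used as the binomial/Poisson p."""
    return sum(w * p_exposure for _, _, w, _ in hosts) / len(hosts)


def p_at_least_k_binomial(n, p, k):
    """Exact P[X >= k] for X ~ Binomial(n, p); fine for a small host population."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def p_at_least_k_poisson(n, p, k):
    """Poisson approximation with lambda = n * p; used for a large population."""
    lam = n * p
    return 1.0 - sum(exp(-lam) * lam**i / factorial(i) for i in range(k))


def os_diversity(hosts):
    """Share of each OS: a monoculture lets one exploit reach every host."""
    counts = {}
    for _, os_name, _, _ in hosts:
        counts[os_name] = counts.get(os_name, 0) + 1
    return {os_name: c / len(hosts) for os_name, c in counts.items()}


if __name__ == "__main__":
    p = mean_infection_prob(HOSTS, 0.5)
    print("expected loss:", expected_loss(HOSTS, 0.5))
    print("P(>=1 infected), binomial:", p_at_least_k_binomial(len(HOSTS), p, 1))
    print("P(>=1 infected), Poisson :", p_at_least_k_poisson(len(HOSTS), p, 1))
    print("OS mix:", os_diversity(HOSTS))
```

For the six-host inventory the two models differ noticeably; at a thousand hosts with the same expected count they agree to three decimals, which is why the slide pairs "large" with Poisson.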
Risk Analysis
General Cost of Malware
• Paradigm shift to more indirect costs than direct costs overall.
• Largest expenses:
o Staff hours for support.
o Staff hours from downtime.
o Hardware, software, vendor support and IT training.
o Legal, human resources, and training.
Prevention at the Edge and Perimeter
Design Solutions
• Layered schema for malware detection.
• Prevention by inspection at various points at the edge and perimeter.
• ClamAV (open source hardware solution)
• Microsoft perspective (proprietary software solution)
• Future approaches at the edge or perimeter (next sections)
Prevention at the Edge and Perimeter
Layered Protection
Microsoft Approach
Responding to User Actions:
Clicking on Links
Exploitations
• Drive-By Downloads
o Exploit browser vulnerabilities.
- JavaScript/ECMAScript
- Content Parsing
o Exploit vulnerabilities in browser add-ons.
- Flash
- Adobe Reader
- Java
Responding to User Actions:
Clicking on Links
Countermeasures
• DNS Blacklisting
o Used by spam filtering software.
o Repurposed to everyday DNS.
o Prevent access to sites known to host malware.
o 11.25¢ per user/year.
• SSL Proxy with malcode detection
o Prevent all malcode delivery.
o Including within encrypted sessions.
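The DNS blacklisting countermeasure above, as an added example that is not part of the original deck: a resolver front end checks each queried name against a blocklist of zones known to host malware, matching the name itself or any parent zone on label boundaries, answers hits with a sinkhole address, and an audit pass picks blocked queries out of the query log. The blocklist, sinkhole address and log lines are constructed.

```python
# Added example, not from the slides: the DNS-blacklisting countermeasure.
# The resolver consults a blocklist of zones known to host malware and answers
# such queries with a sinkhole address, so a clicked link never reaches the
# real host. Blocklist, sinkhole address and query log lines are constructed.
BLOCKLIST = {"malware-host.example", "bad-cdn.example.net"}
SINKHOLE = "127.0.0.2"  # constructed; a real deployment points at a logging host


def normalize(name):
    """Lowercase and drop the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def blocked_zone(name, blocklist=BLOCKLIST):
    """Blocklist entry covering name (the name itself or any parent zone), else None.

    Matching is on label boundaries, so notmalware-host.example is not caught
    by the malware-host.example entry.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(name, upstream):
    """Sinkhole blocked names; forward everything else to the upstream resolver."""
    if blocked_zone(name):
        return SINKHOLE
    return upstream(name)


def audit(log_lines):
    """Find queries for blocked names in constructed '<client> query <qname> <type>' lines."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "query":
            continue
        zone = blocked_zone(parts[2])
        if zone:
            hits.append((parts[0], normalize(parts[2]), zone))
    return hits


# Constructed query log
SAMPLE_LOG = [
    "10.0.0.5 query www.malware-host.example. A",
    "10.0.0.7 query updates.example.org A",
    "10.0.0.9 query cdn1.bad-cdn.example.net A",
    "10.0.0.5 query notmalware-host.example A",
]
```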
Responding to User Actions:
Clicking on Links
Prevention—Human Factor
• User Training
o Detect suspicious emails.
o Close browser if concerned.
• Acceptable Use Policy
o Discourage promiscuous behavior.
o "Scare tactic" heightens stakes.
• Ongoing Communication
o Ongoing remediation costs = foregone benefits.
o Reinforce desired behavior.
Responding to User Actions:
Clicking on Links
Mitigation—Technical Approaches
• Application Selection
o Remove Adobe Reader: 55% of all attacks.
o Remove IE6: 5% of all attacks.
• Update policies
o Use Microsoft Group Policy
- Update MS products automatically.
o Communicate & inform users
o Perform software audits
- Not feasible in decentralized networks.
Responding to User Actions:
Clicking on Links
Mitigation—Human Factor
• User cooperation
o Accept new updates
o Don't install unknown plugins
• Vendor support
o Push updates to all clients
o Centralized patch level monitoring
o Create vendor compliance standards
Responding to User Actions:
Opening Attachments
Antivirus Signatures
• Typical approach
o Bit-by-bit signatures (a.k.a. "hash")
• New approach
o Behavioral signature
• Influence
o Script Kiddies
• Policy and enforcement
o Additional software may be required
o Performance hit
o Instrumentation, legacy systems
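The two signature styles on the Antivirus Signatures slide, as an added example that is not part of the original deck: a bit-by-bit signature is a hash over the whole attachment, so any change to the bytes produces a miss, while a behavioral signature describes what the program does at run time and still matches a repacked copy, at the cost of running and instrumenting the sample. The sample bytes, signatures and run-time traces are constructed.

```python
# Added example, not from the slides: hash (bit-by-bit) versus behavioral
# signatures. Sample bytes, signature names and run-time traces are constructed.
import hashlib

# Constructed "known bad" attachment and its hash signature
KNOWN_SAMPLE = b"MZ\x90\x00" + b"invoice.pdf.exe payload " * 4
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}

# Constructed behavioral signature: actions that must occur in this order
BEHAVIOR_SIGNATURES = {
    "Dropper.Constructed.B": ("write_exe_to_temp", "set_run_key", "outbound_connect"),
}


def match_hash(data, sigs=HASH_SIGNATURES):
    """Bit-by-bit match: the file's SHA-256 must equal a stored signature."""
    return sigs.get(hashlib.sha256(data).hexdigest())


def match_behavior(trace, sigs=BEHAVIOR_SIGNATURES):
    """Return the first signature whose actions appear, in order, in the trace."""
    for name, pattern in sigs.items():
        pos = 0
        for action in trace:
            if action == pattern[pos]:
                pos += 1
                if pos == len(pattern):
                    return name
    return None


def scan_attachment(data, trace):
    """Hash lookup is cheap; the behavioral check needs the sample run (sandboxed)
    and instrumented, which is the performance hit the slide refers to."""
    return match_hash(data) or match_behavior(trace)


# Constructed run-time traces: the dropper, and a benign document viewer
DROPPER_TRACE = ["open_file", "write_exe_to_temp", "set_run_key", "outbound_connect"]
BENIGN_TRACE = ["open_file", "render_page", "outbound_connect"]
```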
Responding to User Actions:
Opening Attachments
Policies and Enforcement
• Antivirus/OS update policies and procedures
o Responses to malware/vulnerabilities, a.k.a. patches
o Admins: greater freedom/power or computer security
o If users choose when to update...
o If admin chooses when to update...
o "Managed" antivirus software
- Shows who is doing what: privacy issues
• Distributed Support System
o Typical of universities
o Policies and enforcement up to non-IT personnel
Responding to User Actions:
Opening Attachments
OS Countermeasures
• User privilege management
o Usually centralized
o Environment and staff affect leniency
- Research environment requires more user privileges
- Less IT staff requires more user privileges
o Requirements, reactions & risk
- Users have different tasks, downtime and productivity requirements
• Vendor/Instrumentation/Legacy computers
o Limited support, no software patching (vendor not liable)
o Various versions of antivirus software
o User POV
- Updating is confusing and lengthy, slows the computer, and requires a system reboot
Responding to User Actions:
Opening Attachments
Execution and Service Management
• OSes require password authorization before execution
o Protects against "accidentally" installing unwanted software
o Users can enter the password and move on
• DEP & ASLR
o Windows XP SP2, Mac OS X
o Effective as individual solution
o Exploits written for IE8 and Firefox (Mac & Win)
o Defense-in-Depth: makes exploits slower
- Layering defenses: more obstacles, more opportunities
Responding to User Actions:
Opening Attachments
Future Approaches
• Network level sandbox
o Users adapt to waiting for emails
• Deep-scanning email clients
o Number of cores/CPUs growing & privacy issues
• Research: extent of malware coders sharing/upgrading malware
• Executable signatures
• Non-IT Policies
o High level policies (HIPAA, SOX)
- Cause more IT support funding and detail
- Force everyone to abide (legal consequences)
• Northwestern University
o Proactive policies, training