Email-borne malware: if the majority of burglars came through your front door, wouldn’t you focus protection on that entry method?

Most attacks, physical or virtual, do come through obvious entry vectors. Take home break-ins: 34% come through the front door, which is why people invest in reinforced doors, door sensors, PIRs, home alarms and multiple locks. Why smash a window, risking a cut, leaving DNA behind and making noise, when you can pick the lock or, if you are really lucky, find a door that was never locked?

The virtual world is no different: attacks are rarely as advanced as you imagine and, as with anything, people go for the easiest route in. Look at the well-known attacks of the last six years or so: RSA, Target Corporation, Sony Entertainment and the Ukrainian power grid all have something in common. Most public accounts say each breach started with a seemingly innocent email carrying a malicious attachment.

Yet companies often focus on governance and compliance, or on securing public-facing websites (important, of course). Targeted and mass-market attacks change by the month or faster, with hundreds of thousands of unique malware samples seen per day, and vendors simply cannot keep up. A mugger, burglar, white-collar criminal or terrorist has no set eye colour, hair colour, height, weight, outfit or ethnicity. Malware is the same: it comes in so many forms that signature-based antivirus cannot simply look for a match.

In the last five years the following has been seen:
  • Zero-day PDF exploits
  • Zero-day WordPad or Word exploits
  • Known exploits within documents and websites
  • .js files attached directly
  • Macro-enabled Excel and Word documents
  • .js, .exe and other executables inside archives
  • .js, .exe and shortcut (.lnk) files embedded in documents
  • All of the above, then archived
  • And many more combinations

Some of the items above are delivery methods rather than the actual payload. 1. Take a .js file embedded in a Word document. You open a standard .docx; inside is an “invoice” icon that is really an embedded .js file. Double-click it and the script downloads the actual executable payload to your machine. Neither the .docx nor the .js is what will ransom your data or spy on you; they are just the stages that fetch it. 2. A URL in the email body is another loophole, one that the majority of email security gateways do not deal with, or deal with only partly.

Email security gateways deal with URL inspection in one of five ways: 1. No mechanism at all. 2. Each URL is compared against an off-the-shelf DNS blocklist (RBL, realtime blackhole list). 3. Each URL is compared against a large threat-intelligence database (BrightCloud, Cyren, Symantec and so on). 4. #2 and #3, plus the URL’s destination is sandboxed and/or malware-scanned on entry. 5. The best: #2, #3 and #4, and then the URL is rewritten so that each time the link is clicked, even days after delivery, the destination is sandboxed and scanned in the cloud at that moment. This matters because attackers often deliver a link to a clean page and only arm it after the email has passed the gateway. Most email security gateways offer an RBL check at best; with #5 you get maximum protection, since URLs are screened before your web security gateway or endpoint security ever sees them.
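To make option 5 concrete, here is an added example of the rewrite-and-verify mechanics in Python. It is my own illustration, not any vendor's code and not part of the original post. The click endpoint, the signing key, the href regex and the sample message are all assumptions; the actual scan of the destination at click time is marked as a comment because it needs the gateway's threat data.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical click endpoint and signing key; a real gateway keeps the key in a secret store and rotates it.
CLICK_ENDPOINT = "https://click.example-gateway.net/v1/click"
SIGNING_KEY = b"demo-key-do-not-use-in-production"

# Illustrative href matcher; a production rewriter walks the HTML with a real parser.
_HREF_RE = re.compile(r'href=(["\'])(https?://[^"\'\s]+)\1', re.IGNORECASE)


def _sign(original_url: str) -> str:
    """HMAC over the original URL so the click endpoint only redirects to URLs it issued itself."""
    return hmac.new(SIGNING_KEY, original_url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_url(original_url: str) -> str:
    """Wrap a URL so the click lands on the gateway first, which scans the destination at that moment."""
    token = base64.urlsafe_b64encode(original_url.encode("utf-8")).decode("ascii").rstrip("=")
    return f"{CLICK_ENDPOINT}?u={token}&s={_sign(original_url)}"


def rewrite_body(html: str) -> str:
    """Rewrite every absolute http(s) href in an email body at delivery time."""
    return _HREF_RE.sub(lambda m: f"href={m.group(1)}{rewrite_url(m.group(2))}{m.group(1)}", html)


def extract_hrefs(html: str) -> list:
    """Return the absolute http(s) hrefs found in an HTML body."""
    return [m.group(2) for m in _HREF_RE.finditer(html)]


def resolve_click(clicked_url: str):
    """Click-endpoint side: recover the original URL and verify it was issued by this gateway.
    Returns None for a missing, malformed or forged token. Without the signature check the
    endpoint would be an open redirector that phishers could reuse to launder their own links."""
    query = parse_qs(urlparse(clicked_url).query)
    if "u" not in query or "s" not in query:
        return None
    token = query["u"][0]
    try:
        original_url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sign(original_url), query["s"][0]):
        return None
    # A real gateway would now look up or sandbox original_url before redirecting the user.
    return original_url


# Constructed sample body, not a real message.
SAMPLE_BODY = ('<p>Your invoice is ready: '
               '<a href="https://invoice-portal.example.com/inv/4711?id=abc">view invoice</a></p>')

if __name__ == "__main__":
    rewritten = rewrite_body(SAMPLE_BODY)
    print(rewritten)
    print(resolve_click(extract_hrefs(rewritten)[0]))
```

The point of the HMAC is that the rewritten link is only useful for the exact URL the gateway saw; swapping in a different token or signature makes `resolve_click` refuse the redirect, so the click endpoint cannot be turned into an open redirector.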

Dealing with attachments properly is a different kettle of fish. Options include: 1. Multiple antivirus engines. 2. Outbreak protection, to gain valuable minutes against zero-day malware and spam before signatures exist. 3. File filtering, including files inside archives and files embedded in Office documents. 4. Sandboxing; some malware detects that it is running in a sandbox and stays dormant, but higher-end email security gateways use a customised sandbox to counter this. 5. CDR (content disarm and reconstruction), also called file sanitisation: it rebuilds the document without embedded files and macros and relies on no signatures, a very powerful approach, at the cost of breaking documents that legitimately need those macros.
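File filtering inside archives and Office documents (option 3) is also the check that catches the .js-in-a-.docx delivery described earlier, so one added Python example covers both. This is my own illustration, not a product's engine and not from the original post: the blocked-extension list, nesting depth and inflation limit are assumed policy values, and the sample attachments are constructed in code rather than real malware.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed policy list: file types that have no business arriving unsolicited by email.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr",
               ".lnk", ".ps1", ".bat", ".cmd", ".jar"}
# Office Open XML documents are zip containers, so the gateway can look inside them.
OOXML_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
ARCHIVE_EXT = {".zip"}
MAX_DEPTH = 4                    # guard against zip-of-zip-of-zip nesting used for evasion
MAX_INFLATED = 50 * 1024 * 1024  # refuse to inflate an entry bigger than this (zip bomb guard)


@dataclass
class Finding:
    path: str    # where inside the attachment the item was found
    reason: str


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def inspect(name: str, data: bytes, depth: int = 0, findings=None) -> list:
    """Walk an attachment recursively and return the policy findings.
    An empty list means nothing in this policy fired, not that the file is safe:
    an exploit inside a PDF or RTF needs an AV engine or sandbox, not this filter."""
    findings = [] if findings is None else findings
    ext = _ext(name)

    if ext in BLOCKED_EXT:
        findings.append(Finding(name, f"blocked file type {ext}"))

    if ext in ARCHIVE_EXT | OOXML_EXT:
        if depth >= MAX_DEPTH:
            findings.append(Finding(name, "container nested deeper than policy allows"))
            return findings
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(Finding(name, "extension claims a zip container but content is not one"))
            return findings
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            low = info.filename.lower()
            if info.file_size > MAX_INFLATED:
                findings.append(Finding(path, "entry inflates beyond policy limit"))
                continue
            if ext in OOXML_EXT:
                # Parts that carry active content inside an Office document.
                if low.endswith("vbaproject.bin"):
                    findings.append(Finding(path, "VBA macro project"))
                elif "/embeddings/" in low:
                    findings.append(Finding(path, "embedded object (OLE package; may wrap a script or executable)"))
            # Recurse into every entry of a plain archive, and into container-type parts of a document.
            if ext in ARCHIVE_EXT or _ext(info.filename) in ARCHIVE_EXT | OOXML_EXT:
                inspect(path, zf.read(info), depth + 1, findings)
    return findings


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory zip; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed samples, not real malware: only the container shapes the text describes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header with nothing behind it
DOCX_WITH_EMBEDDED_OBJECT = _zip_bytes({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/embeddings/oleObject1.bin": OLE_MAGIC,  # where an embedded "invoice" .js would sit
})
XLSM_WITH_MACRO = _zip_bytes({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": OLE_MAGIC,
})
ZIP_IN_ZIP_WITH_JS = _zip_bytes({"invoice.zip": _zip_bytes({"Invoice_0421.js": b"// placeholder"})})


def deeply_nested_zip(levels: int) -> bytes:
    """Archive nested `levels` deep, to exercise the depth guard."""
    inner = _zip_bytes({"payload.js": b"// placeholder"})
    for i in range(levels):
        inner = _zip_bytes({f"level{i}.zip": inner})
    return inner


if __name__ == "__main__":
    for fname, blob in [("invoice.docx", DOCX_WITH_EMBEDDED_OBJECT), ("sheet.xlsm", XLSM_WITH_MACRO),
                        ("scan.zip", ZIP_IN_ZIP_WITH_JS), ("deep.zip", deeply_nested_zip(5))]:
        for f in inspect(fname, blob):
            print(f"{f.path}: {f.reason}")
```

This filter only flags the embedded object and macro parts; a CDR engine would go one step further and rebuild the document without them. Note also that an OLE package such as `oleObject1.bin` is a compound file, not a zip, so seeing what it wraps needs an OLE parser; flagging the part itself is the conservative choice.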

With email being the biggest vector for breaches, please spend some time reviewing your existing email defences; you may find quick wins can be had just by tweaking settings. Email security gateways are often not configured by a security specialist and are left on their defaults. Many do an acceptable job against commodity malware and spam but cannot deal with zero days or targeted attacks.