Hackers, attackers and cybercriminals are no slouches when it comes to staying on the cutting edge of the tools of their trade. The black hats that seek to exploit our networks, applications and users are highly adept at finding new ways to break into our systems.
The white hats that seek to defend us often lament that hackers only need to be good at the job once to be a success, whereas security pros need to be good every day. We often cite the “arms race” or the Red Queen Effect when talking about staying ahead of the creativity of the hackers. Standing still for any length of time will not serve you well in this game.
I recently gave a presentation to a select group of CIOs at the Computing IT Leaders’ Summit, in which I suggested that anyone who hasn’t taken a fresh look at their email security infrastructure in the past 18 months is likely to be behind the curve here. Given the rate of advancement of threats to our email security, relying on your last upgrade “a couple of years ago” means you’re highly likely to be out of date in terms of protection.
The best example of this, and probably the biggest threat to email security right now, is the rise of the use of malicious VBA macros to create weaponised attachments in email. Hackers and cybercriminals are great experimenters and know exactly what types of protections are used to defeat their malware. They even download and run freely available software trials of all the on-premises email security applications to work out how to circumvent them. It is from this “reverse engineering” that they’ve determined how to avoid classic signature detection techniques that would look for malicious code or traces of malware embedded in attachments, and have graduated to using the embedded macros in Office documents to do the dirty work for them.
The trap here is obvious: a weaponised attachment with a malicious macro contains no “viral payload” and as such becomes dangerous only when the malware is downloaded by the macro as the end user opens the attachment. Luckily, modern versions of Office applications disable macros by default, but this doesn’t stop administrators re-enabling the functionality as a default, nor does it help the legions of Office users who are running software that pre-dates the feature.
Using VBA macros within Office document attachments is a real demonstration of the ingenuity and dedication of cybercriminals. It shows us why we shouldn’t rely on technology that hasn’t been upgraded for a few years.
So what do we do? If classic signature-based detection is ineffective, hackers are avoiding legacy secure email gateway and desktop anti-virus protection, and employees are at risk of infecting themselves with seemingly innocent-looking Office files, what is the solution?
Network sandboxing isn’t a new technology; it’s one that’s been used in desktop antivirus for many years. Norman AS brought the concept to the enterprise desktop a couple of decades ago and it’s been around on the network ever since. Recently the sandbox has also been applied to the SMTP secure email gateway, albeit with a latency overhead. It’s here that we can start to unpack the problem of hidden macro code in attachments.
Without an email attachment sandbox, weaponised attachments can pass straight through a classic secure email gateway. After all, there’s no malicious code in them to trigger a signature detection. A lone URL within the macro, obfuscated within that code and unique to that attachment, doesn’t in itself pose a risk until the macro is executed. This is where adding an SMTP gateway sandbox to your security stack helps to defend and protect against the macro threat.
Executing, exploding, detonating and other dramatic phrases are how we describe what the sandbox does. In short, it’s simply running the attachment in an environment that detects anomalies in its behaviour. For example, if a sandbox executes an Excel spreadsheet that a user has been sent as an email attachment, and when run its macro calls out to a remote web server to download a ZIP or executable file, we can largely assume that’s not normal behaviour.
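To make the behavioural verdict concrete, here is an added example (not part of the original article or any Mimecast product) of the kind of rule a sandbox applies to the trace of an attachment it has just run: Office host processes are not expected to open network connections, drop executable or archive files, or spawn child processes, so any of those is treated as anomalous. The event format, process names and the constructed traces are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Office host processes whose macro code would be the actor inside the sandbox.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# File types the article singles out as payloads fetched by a macro.
PAYLOAD_EXTENSIONS = (".exe", ".zip", ".dll", ".scr")

@dataclass
class Event:
    """One behavioural observation recorded while the attachment runs (assumed format)."""
    process: str  # process that performed the action
    kind: str     # "network", "file_write" or "process_create"
    target: str   # remote host, written file path, or spawned process name

def assess(events: List[Event]) -> Tuple[str, List[str]]:
    """Return ("malicious", reasons) if the trace shows macro download behaviour, else ("clean", [])."""
    reasons = []
    for e in events:
        actor = e.process.lower()
        if actor not in OFFICE_PROCESSES:
            continue  # only behaviour attributable to the Office host is judged here
        if e.kind == "network":
            reasons.append(f"{actor} opened a connection to {e.target}")
        elif e.kind == "file_write" and e.target.lower().endswith(PAYLOAD_EXTENSIONS):
            reasons.append(f"{actor} wrote payload-like file {e.target}")
        elif e.kind == "process_create":
            # A production rule would allow-list known Office helper processes.
            reasons.append(f"{actor} launched child process {e.target}")
    return ("malicious" if reasons else "clean"), reasons

# Constructed traces standing in for sandbox output; not real samples.
BENIGN_TRACE = [
    Event("excel.exe", "file_write", r"C:\Users\alice\Documents\budget.xlsx"),
]
MACRO_TRACE = [
    Event("excel.exe", "network", "203.0.113.7:80"),  # TEST-NET-3 documentation address
    Event("excel.exe", "file_write", r"C:\Users\Public\update.exe"),
    Event("excel.exe", "process_create", "update.exe"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("macro", MACRO_TRACE)):
        verdict, why = assess(trace)
        print(name, verdict, *why, sep="\n  ")
```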
Now is the time to review the layers of protection you have in place against weaponised attachments. Adding a gateway sandbox is the latest advancement in security that you need to consider in order to remain protected against advanced threats.
Orlando Scott-Cowley is cyber security strategist at Mimecast