Gateway sandbox - the latest advancement in security that you need to consider in order to remain protected

Author: Nicholas Lennon, Country Manager Mimecast Australia

Hackers, attackers and cybercriminals are no slouches when it comes to staying on the cutting edge of the tools of their trade. The black hats that seek to exploit our networks, applications and users are inventive and excellent problem solvers when it comes to finding new ways to break into our systems.

The white hats that seek to defend us often lament that hackers only need to be good at the job once to be a success, whereas security pros need to be good every day. We often cite the ‘arms race’ or The Red Queen Effect when it comes to staying ahead of the creativity of the hackers. Standing still for any length of time will not serve you well in this race.

Indeed, anyone who hasn’t taken a fresh look at their email security infrastructure in the last eighteen months is likely to be behind the curve. Given the rate at which threats to email security are advancing, relying on a last upgrade from ‘a couple of years ago’ means you are very likely to be out of date in terms of protection.

The best example of this, and probably the biggest threat to email security right now, is the growing use of VBA macros (which can carry out malicious actions) to create weaponised email attachments. Hackers and cybercriminals are great experimenters and know exactly what types of protection are used to defeat their malware.

They even download and run the freely available trials of on-premises email security applications to work out how to circumvent their protections. It is from this ‘reverse engineering’ that they have learned how to avoid the classic signature detection techniques that look for malicious code or traces of malware embedded in attachments, and have graduated to using the macros embedded in Office documents to do the dirty work for them.

The trap here is obvious: a weaponised attachment with a malicious macro contains no ‘viral payload’ itself, but becomes dangerous when the macro downloads the malware as the end user opens the attachment. Luckily, modern versions of Office applications disable macros by default, but that doesn’t stop administrators re-enabling the functionality as a default, nor does it help the legions of office users running software that pre-dates the feature.

Using VBA macros within Office document attachments is a real demonstration of the ingenuity and dedication of cybercriminals. It shows why we shouldn’t rely on technology that hasn’t been upgraded for a few years.

So what do we do? If classic signature-based detection is ineffective, hackers are bypassing the legacy secure email gateway and desktop anti-virus protection, and employees are at risk of infecting themselves with seemingly innocent Office files, what is the solution?

Network sandboxing isn’t a new technology; it has been used in desktop antivirus for many years. Norman AS brought the concept to the enterprise desktop a couple of decades ago, and it has been on the network ever since. More recently the sandbox has also been applied to the SMTP secure email gateway, albeit with a latency overhead. It is here that we can start to unpack the problem of hidden macro code in attachments.

Without an email attachment sandbox, weaponised attachments can pass straight through a classic secure email gateway. After all, there is no malicious code in them to trigger a signature detection. A URL alone within the macro, obfuscated within that code and unique to that attachment, doesn’t in itself pose a risk until the macro is executed. This is where adding an SMTP gateway sandbox to your security stack helps to defend against the macro threat.

Executing, exploding, detonating and other dramatic phrases are how we describe what the sandbox does. In short, it simply runs the attachment in an environment that watches its behaviour for anomalies. For example, if a sandbox is executing an Excel spreadsheet that a user has been sent as an email attachment, and when run the macro calls out to a remote web server to download a ZIP or executable file, we can largely assume that is not normal behaviour.

Now is the time to review the layers of protection you have in place against weaponised attachments. Adding a gateway sandbox is the latest advancement in security that you need to consider so that you remain protected against advanced threats.
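The Excel example above, as an added example that is not part of the original article or any vendor's product: a behavioural verdict over the event trace a sandbox records while the attachment is detonated. The rules encode the article's case (an Office process fetching and dropping a ZIP or executable) and go one step further by also flagging an Office process that starts a non-Office child process. The process names, event schema, paths and `.invalid` hostnames are constructed for the demonstration. The benign trace shows why the rule keys on what is fetched rather than on network access itself: a workbook refreshing a CSV data feed does not trigger it.

```python
# Processes whose behaviour is expected to stay inside the document.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Content an Office macro has no legitimate reason to fetch or drop.
DROPPER_EXTENSIONS = (".exe", ".dll", ".scr", ".zip", ".js", ".vbs", ".ps1")


def is_office(process: str) -> bool:
    return process.lower() in OFFICE_PROCESSES


def score_trace(events):
    """Return a list of (rule, detail) findings for anomalous Office behaviour."""
    findings = []
    for ev in events:
        proc, action, target = ev["process"], ev["action"], ev["target"]
        if not is_office(proc):
            continue  # only behaviour originating from an Office process is judged here
        low = target.lower()
        if action == "http_get" and low.endswith(DROPPER_EXTENSIONS):
            findings.append(("office-downloads-payload", f"{proc} fetched {target}"))
        elif action == "file_write" and low.endswith(DROPPER_EXTENSIONS):
            findings.append(("office-drops-executable", f"{proc} wrote {target}"))
        elif action == "process_create" and not is_office(target):
            findings.append(("office-spawns-child", f"{proc} started {target}"))
    return findings


def verdict(events):
    """Sandbox decision: any finding makes the attachment malicious."""
    findings = score_trace(events)
    return ("malicious" if findings else "clean", findings)


# Constructed trace: what a detonated macro that stages a payload could look like.
MALICIOUS_TRACE = [
    {"process": "excel.exe", "action": "file_open",
     "target": r"C:\Users\user\AppData\Local\Temp\invoice.xlsm"},
    {"process": "excel.exe", "action": "http_get",
     "target": "http://updates.example.invalid/tools/update.zip"},
    {"process": "excel.exe", "action": "file_write",
     "target": r"C:\Users\user\AppData\Local\Temp\update.zip"},
    {"process": "excel.exe", "action": "process_create", "target": "powershell.exe"},
]

# Constructed trace: a workbook refreshing an external data feed, which is benign.
BENIGN_TRACE = [
    {"process": "excel.exe", "action": "file_open",
     "target": r"C:\Users\user\Documents\report.xlsx"},
    {"process": "excel.exe", "action": "http_get",
     "target": "https://data.example.invalid/feeds/rates.csv"},
    {"process": "excel.exe", "action": "file_write",
     "target": r"C:\Users\user\Documents\~$report.xlsx"},
]


if __name__ == "__main__":
    for label, trace in [("invoice.xlsm", MALICIOUS_TRACE), ("report.xlsx", BENIGN_TRACE)]:
        result, findings = verdict(trace)
        print(f"{label}: {result}")
        for rule, detail in findings:
            print(f"  {rule}: {detail}")
```

Because the verdict rests on observed behaviour and not on bytes in the file, an obfuscated or per-attachment unique URL inside the macro makes no difference: the download and the dropped file are what get seen.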
