No matter where you may be in the world, the email attachment is the most common means by which criminals deliver malicious code into your IT estate, allowing them to steal vital information, hold your organisation to ransom or wreak havoc within your enterprise.
The global trend is that ransomware in particular is on the increase at an alarming rate. A report earlier this year identified that the first half of 2016 saw 172 per cent more malware occurrences than the whole of 2015 and that 58 per cent of ransomware attacks were carried in email attachments.
This is malware that may hold an organisation to ransom or gather intelligence covertly within a system for months. Unbeknown to the company, typically it will siphon off intellectual property and highly sensitive customer details or just simply log employees’ key strokes to give access to accounts and data vaults. However, although the exponential growth in cyber criminality has been matched by increasing awareness, most security resources continue to focus on the wrong types of threats, with potentially disastrous consequences.
The continuing reliance on signature-based detection and the out-dated technology that goes with it, leaves organisations hugely vulnerable to the rapidly developing menace within the underlying structures, or building blocks of common types of files, such as Word, PowerPoint, Excel or PDFs which are the communication lifeblood of most organisations.
New analysis of many thousands of files is showing that this is where the biggest threat to the cyber integrity of businesses now comes from. Unfortunately, the majority of organisations are still searching in the wrong places, using technology that is designed to detect and remove previously identified threats or signatures, when the reality is that criminals have moved on.
These new forms of malware are in a constant state of evolution and beyond the scope of conventional signature-based or AV security, which requires a threat to be identified and have a signature generated before they can effectively protect.
Since signatures have to be established and circulated for anti-virus defences to be effective, this inevitably leads to a time-lag or window of vulnerability before protection against a particular piece of malware is assured. The result is that conventional anti-virus defences are often little more than 45 per cent effective and the use of supplementary sandboxing or heuristic solutions provide only marginal increases in security.
Unfortunately, the belief that macros (pieces of code that may have legitimate use within a document) are the chief menace to security is still widespread. Microsoft, for example, says 98 per cent of threats targeting Microsoft Office use macros.
While macros and embedded files are indeed a threat, it is crystal clear from the anatomisation of thousands of files by Glasswall, that criminals are in fact devoting their resources to altering the underlying file structures of documents.
In PDFs, the trend is now at tipping point for structural threats to outweigh those hidden in embedded files, AcroForms, Javascript or in some combination of these elements. In fact, Glasswall found that over a three month period, between 70 and 90 per cent of threats were found within the underlying structure of the PDFs.
At the heart of the problem is that fact that PDF and other document readers offer little protection, being promiscuous by nature. They process documents and do all they can to display the content and are not focussed on the security implications this may have and how the threats can take advantage of this. In August this year, a warning was issued around vulnerabilities in the Microsoft PDF library which were permitting remote code execution if the user opened a specially-crafted PDF.
Glasswall’s research also found that malware is more likely to come in the form of an embedded file in PowerPoint than in Word or Excel. It also uncovered that:
- Macros are much more likely in Word and Excel files and less prominent in PowerPoint
- Within a single week, organisations relying on the identification of macros can miss 45 per cent of other malware in Word documents
- Although trends fluctuate from week to week, across all document types, structural threats are fast-growing
The message from this continuing research is that the nature of the threat landscape is constantly shifting and that organisations cannot simply rely on tracking and stopping known malware or viruses if they are to maintain a relevant and current cyber defence posture.
Sophisticated and organised, criminals are now capable of manipulating vulnerabilities within the complex file structures so that as soon as they are opened, malicious code will automatically contact a remote server and download malware.
If organisations continue to search for known signatures, they will continue to miss the most significant threats they face. This is deeply misguided when file-regeneration technology can eliminate such dangers, using automation to disarm malicious files and produce a benign version referenced against the manufacturer’s original standard, down to byte level.
A clean, safe file is regenerated at sub-second speeds and passed on to users in real time to maintain business continuity. Even the most subtle alterations will fail to make it through.
This is a technology that is operationally proven, patented and available and it makes little sense for any business or organisation to persist with pointless signature-detection defences. After adopting file-regeneration, the organisation is back in control, deciding how to use documents and files according to its own standards, secure against constantly evolving threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.