Friday, March 20, 2015

Is your Risk Model aligned with your Business Model?

Why do we ask?  Dridex, which we've addressed previously here, is a UK-focused banking trojan that launched a new variant this morning.  As also noted previously, File Sandboxing, à la Websense's ThreatScope solution, is a very useful tool because the malware typically leverages Word and/or Excel macros... which we dare not block, and which the AV Vendors are unable to protect against, as proven by the current poor catch rate:



Per this report, you'll see that File Sandboxing works even when your AV solutions fail.  However, is there another way to address this issue, by aligning your Risk Model with your Business Model?  In other words, you may not provide goods/services in Spain or the Netherlands.  If so, is it wise to accept inbound email messages from Spain (screen shot below) or to allow the malware to phone home via TCP Port 80 to a server in the Netherlands (aforementioned File Sandbox report):



We at ESPO recommend leveraging DLP Solutions, à la Websense AP-Data, not only to detect secret sauce leaving your organization, but also to leverage the built-in Geo Location capabilities to block data destined for organizations in geographies that preclude them from becoming potential customers.  Connect with us if you'd like assistance in creating a similar program:
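To make the "Risk Model vs. Business Model" check concrete, here is an added example (not ESPO's or Websense's code) that reviews outbound proxy lines and inbound mail-gateway lines against the countries a business actually serves, flagging plain-HTTP connections and Office attachments tied to geographies outside that footprint. The log layouts, the IP-to-country table and the footprint are all constructed for illustration.

```python
# Added example (not ESPO's or Websense's code): review constructed proxy and
# mail-gateway log lines against the geographies the business actually serves.
import ipaddress

BUSINESS_FOOTPRINT = {"US", "CA", "GB"}      # constructed: where we sell
OFFICE_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")

# Constructed stand-in for a GeoIP database (RFC 5737 ranges, invented countries).
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "NL",
    ipaddress.ip_network("198.51.100.0/24"): "ES",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

def country_of(ip):
    """Country code for an IP; unknown ('??') counts as outside the footprint."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")

def review_proxy(lines):
    """Lines 'when src dst_ip port host': flag plain-HTTP to non-footprint countries."""
    findings = []
    for line in lines:
        when, src, dst, port, host = line.split()
        cc = country_of(dst)
        if port == "80" and cc not in BUSINESS_FOOTPRINT:
            findings.append((when, "outbound-http", src, cc, host))
    return findings

def review_mail(lines):
    """Lines 'when sender_ip sender attachment': flag Office files from outside."""
    findings = []
    for line in lines:
        when, ip, sender, attachment = line.split()
        cc = country_of(ip)
        if cc not in BUSINESS_FOOTPRINT and attachment.lower().endswith(OFFICE_EXTS):
            findings.append((when, "inbound-office-attachment", sender, cc, attachment))
    return findings

# Constructed sample logs: one host talking HTTP to the Netherlands, one normal
# HTTPS connection to the US, one Word attachment from Spain, one PDF from the US.
PROXY_LOG = [
    "2015-03-20T06:02:11 10.1.2.3 192.0.2.44 80 update.example",
    "2015-03-20T06:02:15 10.1.2.3 203.0.113.9 443 www.example",
]
MAIL_LOG = [
    "2015-03-20T06:00:03 198.51.100.7 invoices@example.net Penta_Invoice.doc",
    "2015-03-20T06:00:09 203.0.113.5 partner@example.com Statement.pdf",
]
```

Run `review_proxy(PROXY_LOG)` and `review_mail(MAIL_LOG)` to get the two findings; in production the constructed table would be replaced by a real GeoIP lookup and the footprint by the list of countries the business actually trades with.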




Friday, March 13, 2015

Really McAfee??? / Mar 13th

As noted many times previously, it is ESPO's recommendation that you call the sales rep of your "premium AV" company and demand a price reduction.  Today's Dridex Attack will enable us to dig a little deeper into McAfee to determine if their Mergers & Acquisition (M&A) strategy over the last decade was intended to improve their clients' security posture or the executives' personal income statements.  The evidence:

1. Spam Bots in APAC have started a new malware campaign.  Per the 2 screen shots directly below, Websense is blocking the email messages/attachments while McAfee's Reputation System, TrustedSource, thinks the sender is fine:




2. Per this link to our Websense File Sandbox Report, the M$ Word attachment to the aforementioned malware campaign is dropping executables, attempting to inject itself into explorer and modifying Registry Settings.  Seems malicious, doesn't it?  Not according to McAfee or any other AV Company currently:



3. Per the final 2 screen shots directly below, the dropper attempts to pull bin.exe via HTTP from a site in the Czech Republic.  Websense not only had the site classified as malicious, but the Real-Time Analytics of ACE would have detected/blocked the download, while TrustedSource again thinks the site is just fine.




In summary, McAfee failed to stop the initial email connection, failed to detect the malicious macro in the Word attachment, and finally, failed to detect the phone home.  Final Verdict - McAfee Executives made serious money with the acquisition by Intel while your security posture has declined.  Time to call Websense???   :-)


Monday, March 9, 2015

Attachment Blocking / Mar 9th Attack

Is it time to rethink how we in IT Security address email security?  We certainly haven't made friends in the Business Units (BU) as we continue to "lock down" their networks.  And... they certainly find a way around our IT Controls anyway as they strive for efficiencies.  So we should ask ourselves: have we tangibly reduced our risk?  After all... we've been blocking attachments for ~15 years and yet, per previous blogs, many of the new polymorphic viruses leverage M$ Office attachments that we dare not block... and that the AV Vendors are unable to protect against.  Will the AntiSpam techniques work? Yes.  However, are they 100% effective??

We at ESPO propose adding File + URL Sandboxing to your existing AntiSpam + AV protections.  We then propose the removal of overly stringent Attachment Blocking Rules, to hopefully change the perception the BUs have of us as the "Department of No".  Case Study from this morning to prove our point:

- 0600 hrs Central Daylight Time: email messages came in with an attachment titled Statement from Marketing & Technology Group.

- Per this link, the attachment drops some executables and attempts to determine its location by connecting to DynDNS.

- Per the below screen shot, AV Engines were typically slow to react while File Sandboxing detonated the file, determined intent and blocked it in real-time:



In summary, we will blog about Blended Threats and URL Sandboxing in the future; however, it's worth considering how the Websense ThreatScope Technology has once again detected a new virus while simultaneously allowing our BUs to focus on revenue generating activities without overly stringent IT Controls. 

Thursday, March 5, 2015

Dridex Variant / Mar 5th

A new Dridex Variant is propagating across the internet via email this morning. The M$ Word attachment, labeled "Penta Invoice", has a very low catch rate currently:



As such, it is highly likely your users will be compromised, as you are unlikely to be blocking M$ Office files.  It is therefore recommended that you check your proxy & firewall logs for the phone home:



Note that a Websense AP-Web customer, leveraging the Websense ACE Technology via their next gen proxy platform, would have detected/blocked the payload delivered via HTTP in real-time... even if an inferior email security solution was in place.  The reference to Threat.Malicious.Web.RealTime in the above screen shot validates this.

Lastly, and as always, ESPO recommends you squeeze your AV Vendor and apply the budget savings towards the purchase of a File Sandboxing Solution.  The Websense report, previously called ThreatScope, is available here for your viewing pleasure.