Monday, March 9, 2015

Attachment Blocking / Mar 9th Attack

Is it time to rethink how we in IT Security address email security?  We certainly haven't made friends in the Business Units (BU) as we continue to "lock down" their networks.  And... they certainly find a way around our IT controls as they strive for efficiencies anyway.  So we should ask ourselves: have we tangibly reduced our risk?  After all... we've been blocking attachments for ~15 years, and yet, per previous blogs, many of the new polymorphic viruses arrive in M$ Office attachments that we dare not block and that the AV vendors are unable to protect against.  Will the AntiSpam techniques work? Yes.  However, are they 100% effective?

We at ESPO propose adding File + URL Sandboxing to your existing AntiSpam + AV protections.  We then propose removing the overly stringent attachment blocking rules, to hopefully change the perception the BUs have of us as the "Department of No".  A case study from this morning to prove our point:

- At 0600 hrs Central Daylight Time, email messages came in with an attachment titled "Statement from Marketing & Technology Group".

- Per this link, the attachment drops some executables and attempts to determine its location by connecting to DynDNS.

- Per the screenshot below, AV engines were typically slow to react, while File Sandboxing detonated the file, determined its intent and blocked it in real time:

In summary, we will blog about Blended Threats and URL Sandboxing in the future; however, it's worth considering how the Websense ThreatScope technology has once again detected a new virus while simultaneously allowing our BUs to focus on revenue-generating activities without overly stringent IT controls.
