Friday, March 20, 2015

Is your Risk Model aligned with your Business Model?

Why do we ask?  Dridex, which we've addressed previously here, is a UK-focused banking trojan, and a new variant of it was launched this morning.  As also noted previously, File Sandboxing, à la Websense's ThreatScope solution, is a very useful tool because the malware typically arrives via Word and/or Excel macros... attachments that we dare not block outright and that the AV vendors are failing to catch, as the current poor detection rate proves:



Per this report, you'll see that File Sandboxing works even when your AV solutions fail.  However, is there another way to address this issue, by aligning your Risk Model with your Business Model?  In other words, you may not provide goods or services in Spain or the Netherlands.  If so, is it wise to accept inbound email messages from Spain (screen shot below), or to allow the malware to phone home via TCP port 80 to a server in the Netherlands (aforementioned File Sandbox report):



We at ESPO recommend leveraging DLP solutions, à la Websense AP-Data, not only to detect your secret sauce leaving the organization but also to use their built-in geolocation capabilities to block data destined for geographies in which you have, and can have, no customers.  One caveat: criminals rent servers wherever they are cheap, including in the countries you do business with, so a geography allowlist is a coarse control that complements sandboxing and reputation checks rather than replacing them; its value comes from keeping the allowed list small and honest about where you actually sell.  Connect with us if you'd like assistance in creating a similar program:
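To make the "risk model aligned with business model" idea concrete, here is an added example (not ESPO's or Websense's code) that applies one country allowlist to both directions discussed above: the sender address of inbound mail and the destination of outbound web traffic. The prefix-to-country table and the log lines are constructed for the demo, using RFC 5737 test networks in place of real addresses; a deployment would use a GeoIP database such as MaxMind GeoLite2 or the DLP/proxy product's own geolocation feature. Unknown geographies are sent for review rather than blocked, so a stale table does not turn into an outage.

```python
"""Business-footprint geo policy applied to inbound mail and outbound web."""
import ipaddress
import re

# Constructed lookup: prefix -> ISO country code. Not real allocations.
GEO_TABLE = {
    "203.0.113.0/24": "ES",    # stands in for the Spanish spam bot
    "198.51.100.0/24": "NL",   # stands in for the Dutch phone-home server
    "192.0.2.0/24": "US",      # stands in for a customer/partner network
    "10.0.0.0/8": "INTERNAL",
}
_GEO = [(ipaddress.ip_network(p), cc) for p, cc in GEO_TABLE.items()]


def country_of(ip):
    """Country code for ip, or None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _GEO:
        if addr in net:
            return cc
    return None


class FootprintPolicy:
    """A country is allowed only if the business sells, ships, partners or
    hosts there. Unknown geo goes to review, not block."""

    def __init__(self, business_countries, extra_allowed=()):
        self.allowed = set(business_countries) | set(extra_allowed) | {"INTERNAL"}

    def decide(self, ip):
        cc = country_of(ip)
        if cc is None:
            return "review", "unknown-geo"
        return ("allow" if cc in self.allowed else "block"), cc


# Constructed log formats (not any vendor's): mail gateway and forward proxy.
_MAIL_SRC = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})")
_PROXY_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def audit_inbound_mail(policy, lines):
    """(sender_ip, country, verdict) for each mail-gateway line."""
    results = []
    for line in lines:
        m = _MAIL_SRC.search(line)
        if m:
            verdict, cc = policy.decide(m.group(1))
            results.append((m.group(1), cc, verdict))
    return results


def audit_outbound_web(policy, lines):
    """(dest_ip, port, country, verdict) for each proxy line. A blocked
    port-80 destination outside the footprint is the phone-home case."""
    results = []
    for line in lines:
        m = _PROXY_DST.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            verdict, cc = policy.decide(ip)
            results.append((ip, port, cc, verdict))
    return results


MAIL_LOG = [  # constructed
    "2015-03-20T06:02:11Z smtp src=203.0.113.45 from=billing@example.es subj=Invoice",
    "2015-03-20T06:03:40Z smtp src=192.0.2.10 from=partner@example.com subj=PO",
]
PROXY_LOG = [  # constructed
    "2015-03-20T06:05:02Z http user=jdoe dst=198.51.100.7:80 uri=/bin.exe",
    "2015-03-20T06:05:09Z http user=jdoe dst=192.0.2.50:443 uri=/",
    "2015-03-20T06:06:00Z http user=asmith dst=100.64.0.9:443 uri=/",
]

if __name__ == "__main__":
    policy = FootprintPolicy(["US", "GB"])
    for row in audit_inbound_mail(policy, MAIL_LOG) + audit_outbound_web(policy, PROXY_LOG):
        print(row)
```

With a footprint of US and GB, the Spanish sender and the Dutch port-80 destination are blocked, the US partner is allowed, and the address the table does not know is queued for review; adding "NL" to extra_allowed is how you would express a legitimate Dutch supplier without widening the whole policy.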




Friday, March 13, 2015

Really McAfee??? / Mar 13th

As noted many times previously, it is ESPO's recommendation that you call the sales rep of your "premium AV" company and demand a price reduction.  Today's Dridex attack lets us dig a little deeper into McAfee to determine whether its Mergers & Acquisitions (M&A) strategy over the last decade was intended to improve its clients' security posture or its executives' personal income statements.  The evidence:

1. Spam bots in APAC have started a new malware campaign.  Per the two screen shots directly below, Websense is blocking the email messages/attachments while McAfee's reputation system, TrustedSource, thinks the sender is fine:




2. Per this link to our Websense File Sandbox report, the M$ Word attachment from the aforementioned campaign drops executables, attempts to inject itself into explorer.exe and modifies registry settings.  Seems malicious, doesn't it?  Not according to McAfee, or any other AV company, currently:



3. Per the final two screen shots directly below, the dropper attempts to pull bin.exe via HTTP from a site in the Czech Republic.  Websense not only had the site classified as malicious, but the real-time analytics of ACE would have detected and blocked the download, while TrustedSource again thinks the site is just fine.




In summary, McAfee failed to stop the initial email connection, failed to detect the malicious macro in the Word attachment and, finally, failed to detect the phone home.  Final verdict: McAfee's executives made serious money from the acquisition by Intel while your security posture has declined.  Time to call Websense???   :-)


Monday, March 9, 2015

Attachment Blocking / Mar 9th Attack

Is it time to rethink how we in IT Security address email security?  We certainly haven't made friends in the Business Units (BUs) as we continue to "lock down" their networks.  And... they certainly find a way around our IT controls as they strive for efficiencies anyway.  So we should ask ourselves: have we tangibly reduced our risk?  After all... we've been blocking attachments for ~15 years and yet, per previous blogs, many of the new polymorphic viruses leverage M$ Office attachments that we dare not block... and that the AV vendors are unable to protect against.  Will the anti-spam techniques work? Yes.  However, are they 100% effective??

We at ESPO propose adding File + URL Sandboxing to your existing anti-spam + AV protections.  We then propose removing overly stringent attachment-blocking rules, to hopefully change the perception the BUs have of us as the "Department of No".  A case study from this morning proves our point:

- 0600 hrs Central Daylight Time: email messages came in with an attachment titled "Statement from Marketing & Technology Group".

- Per this link, the attachment drops some executables and attempts to determine its own location by connecting to DynDNS.

- Per the screen shot below, AV engines were typically slow to react, while File Sandboxing detonated the file, determined its intent and blocked it in real time:



In summary, we will blog about blended threats and URL Sandboxing in the future; for now, it's worth considering how the Websense ThreatScope technology has once again detected a new virus while simultaneously allowing our BUs to focus on revenue-generating activities without overly stringent IT controls.
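There is a middle ground between blocking every Office attachment and waving them all through to the sandbox: sort attachments by whether they actually carry VBA macros, since that is what the Dridex lures in these posts depend on. The following is an added example, not code from this post or from Websense. It uses only the Python standard library and two structural checks: an OOXML package (.docx/.docm/.xlsm, which is a zip) containing a vbaProject.bin part, and a legacy OLE2 file (.doc/.xls) whose directory names a VBA project. The OLE2 check is a byte-level heuristic that is fine for a demo; a production gateway should parse the OLE directory properly (the oletools/olefile libraries do). The sample files are constructed by build_ooxml() and build_ole() and are not real documents or malware. Note what this does not cover: exploit documents and other macro-free lures still need the sandbox.

```python
"""Sort mail attachments by whether they carry VBA macros (content-based)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML is a zip package
# OLE directory entry names are UTF-16LE; these exist only with a VBA project
# ("Macros" in Word, "_VBA_PROJECT_CUR" in Excel, "_VBA_PROJECT" in both).
OLE_VBA_MARKERS = [s.encode("utf-16-le")
                   for s in ("_VBA_PROJECT", "Macros", "_VBA_PROJECT_CUR")]
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def ooxml_has_macros(data):
    """True if the package has a vbaProject part or declares its content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return False


def classify_attachment(data):
    """Return 'macro', 'office-clean' or 'not-office' from content alone;
    a harmless-looking .docx extension on a macro file changes nothing."""
    if data.startswith(OLE_MAGIC):
        return "macro" if any(m in data for m in OLE_VBA_MARKERS) else "office-clean"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                is_ooxml = "[Content_Types].xml" in zf.namelist()
        except zipfile.BadZipFile:
            return "not-office"
        if not is_ooxml:
            return "not-office"            # an ordinary zip archive
        return "macro" if ooxml_has_macros(data) else "office-clean"
    return "not-office"


def gateway_action(data, sandbox_available=True):
    """Policy: macro-bearing Office files go to the sandbox (quarantine if
    none is available); everything else is delivered, so the BUs keep their
    Word and Excel attachments. Returns (action, classification)."""
    kind = classify_attachment(data)
    if kind == "macro":
        return ("sandbox" if sandbox_available else "quarantine"), kind
    return "deliver", kind


# ---- constructed samples: not real documents, not malware ----
def build_ooxml(with_vba):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ('<Types xmlns="http://schemas.openxmlformats.org/'
                 'package/2006/content-types">')
        if with_vba:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole(with_vba):
    # Header magic plus padding: enough for the heuristic, not a valid CFB file.
    body = OLE_MAGIC + b"\x00" * 504
    if with_vba:
        body += ("Macros".encode("utf-16-le") + b"\x00" * 32
                 + "_VBA_PROJECT".encode("utf-16-le"))
    return body + b"\x00" * 64


if __name__ == "__main__":
    for label, blob in (("legacy .doc with macros", build_ole(True)),
                        ("macro-free .docx", build_ooxml(False))):
        print(label, "->", gateway_action(blob))
```

The decision is taken on file content, never on the extension or the MIME type the sender supplied, because a dropper renamed to .docx is still a zip with a vbaProject.bin part inside.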

Thursday, March 5, 2015

Dridex Variant / Mar 5th

A new Dridex variant is propagating across the internet via email this morning. The M$ Word attachment, labeled "Penta Invoice", currently has a very low catch rate:



As such, it is highly likely that some of your users will be compromised, since you are unlikely to be blocking M$ Office files.  It is therefore recommended that you check your proxy and firewall logs for the phone home:



Note that a Websense AP-Web customer, leveraging the Websense ACE technology via their next-gen proxy platform, would have detected/blocked the payload delivered via HTTP in real time... even if an inferior email security solution was in place.  The reference to Threat.Malicious.Web.RealTime in the above screen shot validates this.

Lastly, and as always, ESPO recommends you squeeze your AV vendor and apply the budget savings towards the purchase of a File Sandboxing solution.  The Websense File Sandbox report (the product was previously called ThreatScope) is available here for your viewing pleasure.

Tuesday, February 24, 2015

Back to the Future / Feb 24th

Remember when we were patching for Y2K bugs and viruses propagated via email attachments rather than the blended (web & email) threats we've seen over the past decade?  Back then we all scrambled to install email gateways/firewalls with AV engines + attachment blocking and moved on to our next project.  Surprise!  The problem is back.  However, this time the files are Word and/or Excel documents. Not so easy to block those files, is it?  As such, ESPO strongly recommends File Sandboxing, as the AV vendors continue to seriously lag the variants. Today's attack is being sent with a subject line of "Board Order - PO15028".  A M$ Word attachment drops a couple of executables and attempts to inject itself into explorer.exe:



Initial research indicates that this malware is from the Dridex family, of financial-stealing infamy.  As such, ESPO recommends that you monitor your Finance staff (outbound bot connections found here) to validate that your IT assets have not been compromised... as the AV vendors are again doing a pathetic job (5 of 57 detections):



BTW, regarding blended threats, ESPO strongly recommends URL Sandboxing, in which Websense wraps all unknown/uncategorized links so that they send your users to a landing page.  At that point you can launch a real-time scan leveraging the Websense ACE technology to determine whether it's safe to proceed.  As such, Websense has figured out a near-foolproof way to address both styles of attack.
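For readers who want to see what "wrapping unknown links to a landing page" looks like mechanically, here is an added example; it is not Websense's implementation of URL Sandboxing. The category table, the landing host and the signing key are assumptions. Links whose domain has a known category are left untouched; uncategorized ones are rewritten to a landing page that unwraps the original URL, runs the real-time scan at click time and only then lets the user proceed. The HMAC ties every wrapped URL to our key, so the landing page cannot be turned into an open redirector by anyone who learns its address.

```python
"""Click-time URL wrapping for links the proxy has not categorized."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

LANDING = "https://click.example.internal/scan"   # assumption: our landing page
WRAP_KEY = b"replace-with-a-random-32-byte-key"    # assumption: per-tenant secret

KNOWN_CATEGORIES = {          # constructed stand-in for the URL database
    "microsoft.com": "business",
    "example.com": "business",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:)"


def category(host):
    """Walk up the domain so sub.example.com inherits example.com's category."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        cat = KNOWN_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def _sign(token):
    return hmac.new(WRAP_KEY, token.encode(), hashlib.sha256).hexdigest()[:32]


def wrap(url):
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return LANDING + "?" + urlencode({"u": token, "s": _sign(token)})


def unwrap(wrapped):
    """Recover the original URL; raise if the signature is not ours."""
    q = parse_qs(urlsplit(wrapped).query)
    token, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    if not hmac.compare_digest(sig, _sign(token)):
        raise ValueError("not a URL we wrapped")
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def is_valid_wrapped(wrapped):
    try:
        unwrap(wrapped)
        return True
    except ValueError:
        return False


def rewrite_body(body):
    """Rewrite uncategorized links in a message body; keep categorized ones."""
    def repl(m):
        url, trail = m.group(0), ""
        while url and url[-1] in TRAILING_PUNCT:   # keep sentence punctuation outside the link
            url, trail = url[:-1], url[-1] + trail
        host = urlsplit(url).hostname or ""
        return (url if category(host) else wrap(url)) + trail
    return URL_RE.sub(repl, body)


def scan_at_click(wrapped, realtime_scan):
    """Landing-page logic: unwrap, scan now, then allow or block."""
    url = unwrap(wrapped)
    return ("allow" if realtime_scan(url) else "block"), url


if __name__ == "__main__":
    msg = "Patch at http://www.microsoft.com/update then see http://198.51.100.7/bin.exe."
    print(rewrite_body(msg))
```

The scan is deliberately run at click time rather than at delivery time, which is the whole point of the landing page: a link that was clean when the mail arrived can be weaponized hours later, and the verdict you want is the one for the moment the user actually follows it.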


Wednesday, February 18, 2015

Auto Insurance App Attack / Feb 18th



A new attack started at ~6am CST with a subject of "Auto insurance apps and documents", sent via spam bots in Spain & India (88.2.161.115 & 59.97.76.10).  The lure was a .doc attachment that, as you'll see via this link, drops a number of files with malicious intent:




You will note that a number of outbound TCP connections are made (via TCP ports 80, 443 and 8080) to IPs currently listed in the Websense URL database as bots.  As such, a Websense Web Security Gateway customer would be protected even if an inferior email security solution were in place.

BTW, we would strongly advise limiting your outbound TCP 80, 443 and 8080 connections to the IPs of your proxies only.  A policy-based route (PBR) or WCCP on your firewall would elegantly address this.  Once that is in place, any direct connection on those ports from a non-proxy source is either a misconfigured host or malware bypassing the proxy, and is worth an alert.
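Putting the two pieces of advice together (this post's "web ports leave only via the proxies" and the Mar 5th post's "check your proxy and firewall logs for the phone home"), here is an added example that is not ESPO's or Websense's code. It audits netfilter-style firewall log lines for web-port egress that did not come from a proxy and for any traffic to bot addresses, and it emits the Linux iptables rules that enforce the egress restriction on a firewall where PBR/WCCP is not available. The log lines, the proxy addresses and the bot list are constructed for the demo; in practice BOT_IPS would be fed from the sandbox report and the URL database.

```python
"""Audit firewall flow logs for proxy bypass and for bot phone-home traffic."""
import ipaddress
import re

PROXY_IPS = {"10.0.0.10", "10.0.0.11"}             # assumption: our forward proxies
WEB_PORTS = {80, 443, 8080}
BOT_IPS = {"198.51.100.7", "203.0.113.99"}          # constructed IOCs
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumption: our address space

# netfilter LOG target format: "... SRC=a DST=b ... PROTO=TCP SPT=x DPT=y ..."
FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def parse_flow(line):
    """(src, dst, dport) for a TCP flow line, None for anything else."""
    m = FLOW_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def audit_egress(lines):
    """Return (severity, reason, src, dst, dport) alerts.
    known-bot-direct: non-proxy host reaching a bot IP on a web port
    proxy-bypass:     non-proxy host reaching the internet on a web port
    known-bot:        any host reaching a bot IP on a non-web port"""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if ipaddress.ip_address(dst) in INTERNAL:
            continue                                  # east-west traffic, out of scope here
        if dport in WEB_PORTS and src not in PROXY_IPS:
            if dst in BOT_IPS:
                alerts.append(("high", "known-bot-direct", src, dst, dport))
            else:
                alerts.append(("medium", "proxy-bypass", src, dst, dport))
        elif dst in BOT_IPS:
            alerts.append(("high", "known-bot", src, dst, dport))
    return alerts


def hosts_to_investigate(alerts):
    """Sorted list of sources with at least one high-severity alert."""
    return sorted({a[2] for a in alerts if a[0] == "high"})


def egress_rules(chain="FORWARD"):
    """iptables rules enforcing 'web ports leave only via the proxies'; anything
    else on those ports bound for the internet is logged (which is what feeds
    audit_egress) and dropped."""
    ports = ",".join(str(p) for p in sorted(WEB_PORTS))
    rules = [f"iptables -A {chain} -p tcp -m multiport --dports {ports} -s {ip} -j ACCEPT"
             for ip in sorted(PROXY_IPS)]
    rules.append(f"iptables -A {chain} -p tcp -m multiport --dports {ports} "
                 f"! -d {INTERNAL} -j LOG --log-prefix \"EGRESS-BYPASS \"")
    rules.append(f"iptables -A {chain} -p tcp -m multiport --dports {ports} "
                 f"! -d {INTERNAL} -j DROP")
    return rules


FLOW_LOG = [  # constructed lines in netfilter LOG format
    "Feb 18 06:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=192.0.2.50 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN",
    "Feb 18 06:02:15 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49152 DPT=80 SYN",
    "Feb 18 06:02:16 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.50 LEN=60 PROTO=TCP SPT=49153 DPT=8080 SYN",
    "Feb 18 06:02:20 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=49200 DPT=4444 SYN",
    "Feb 18 06:02:21 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=10.0.9.9 LEN=60 PROTO=TCP SPT=49201 DPT=80 SYN",
    "Feb 18 06:02:22 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=192.0.2.50 LEN=60 PROTO=UDP SPT=49201 DPT=80",
]

if __name__ == "__main__":
    for alert in audit_egress(FLOW_LOG):
        print(alert)
    print("investigate:", hosts_to_investigate(audit_egress(FLOW_LOG)))
    print("\n".join(egress_rules()))
```

On the constructed log, the proxy's own port-443 connection is silent, 10.0.5.23 is flagged twice (once for reaching a known bot on port 80 directly, once for plain proxy bypass on 8080), and 10.0.5.40 is flagged for a non-web port connection to a bot address; the UDP line is ignored by design, since the policy is about TCP web ports.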

Lastly, and as always, anti-virus coverage is weak, with only 3 of 57 AV engines currently protecting.  We at ESPO would therefore advise calling your AV sales rep and asking them to justify the expense  :-)


Monday, February 16, 2015

My Photo Attack / Feb 16th

A new executable has been making its way around since ~2am CST.  As you'll see via this Websense ThreatScope link, the malware author performs many steps to ensure their code remains resilient.   The AV vendors are doing a better job than normal, although only 13 of 57 are detecting this current attack.  Of special note is the fact that neither Symantec nor McAfee endpoint AV solutions are actively protecting our end users (NOTE: the McAfee detection referenced below is only available on one of their many non-integrated gateway solutions).

Question: how much are you paying for your "premium" AV solution, and... why?

Statement: would it not make more sense to reduce your spend on AV and, instead, invest in a next-generation security platform?