Malware Prevention and US-CERT TA16-091A: The Basics Still Work!

Computer Virus MALWARE

In the past two days, US-CERT and Public Safety Canada have released advisories that highlight various forms of malware, paying particular attention to a specific form known as ransomware, and going on to give recommendations for how IT can protect itself.

If you spend any time touring the IT security scene at the various trade shows, you will have no doubt seen the many different organizations and products that are available; doing everything from basic antivirus to artificial intelligence and next-generation heuristics. Security is an ever-changing landscape built upon what can seem like a cat-and-mouse game with new attack techniques and defense proposals being put forward every day.

As we examine the various methods used by today’s attackers, it’s apparent that the basics are as important as they ever were. Zero-day exploits and other such vulnerabilities, while both effective and dangerous, still remain fairly rare in the grand scheme of things. This leaves the majority of attacks still coming from tried and tested methods. Malware, for example, typically comes in the form of executable files attached to emails or hidden inside documents, and the usual best practices can often prevent almost all of the threat.

The March, 31st bulletin from US-CERT talks about different types of malware and the proliferation of variants and mentions various ways to address the threat they represent. The use of application whitelisting, to help prevent malicious software and unapproved programs from running, and the restriction of user-rights through least privilege management are both highlighted as ways of preventing malware within IT.

While such layers of security are critical in the protection of IT assets, it is imperative that they are combined with adequate patching; both of the operating system and applications. The bulletin from US-CERT directly calls this out stating that keeping your system and software up to date is a solution to help prevent malware. Many zero-day exploits are often fixed by vendors before becoming generally available and, providing platforms and applications are patched quickly, most exploits can be protected against.

Ransomware, a type of malware that often encrypts data belonging to the victim and demands a cash payment for its recovery, is exceptionally common today but is also relatively straight forward in the way it is perpetrated. Often, a malicious executable is delivered via email, or downloaded from a rogue website which in turn goes on to perform its malicious actions. In these instances, effective whitelisting can protect users from becoming victims, preventing such executables from ever running.

One of the challenges organizations face when implementing these basics is that they are often seen as complex. A whitelisting solution, for example, often needs to be configured with thousands of known-good files just so the user can login and run their applications. As the operating system and the applications are patches, this issue is further compounded as the lists need updating to include the new content.

There are, however, different ways to achieve whitelisting without having to deal with the individual files. Allowing or denying execution based on file ownership, file vendor or origin are all ways of performing whitelisting on known-good content without having to specify each individual file. When organizations couple these methods with good privilege management, operating system and application patching, they have the fundamental building blocks for a strong and secure platform.

While it is critical for organizations to monitor the security space, in order to learn about new attack methodologies and to implement technologies to protect against them, it is vital that they do not overlook the basics. While a business may be protected against tomorrow’s zero-day exploits, it means nothing if the user can simply open a malicious email, or a document in an unmatched version of Microsoft Word, and circumvent it all.