We spend a lot of time touting the benefits of defense in depth. Deploying security controls throughout your environment, rather than relying on a single “catch-all” solution, continues to pay dividends. This message is underscored by a recent security incident that I want to mention.
A couple of weeks ago, another Locky variant made the rounds. Locky, as you may recall, is the ransomware that resurrects more frequently than Freddy Krueger. It’s not particularly sophisticated, but is effective, nonetheless. This variant spread through e-mail in the form of a message with the nondescript subject “Emailed Invoice” along with a malicious Word document attachment. Opening the attachment would install the ransomware, which would, in turn, encrypt the computer’s files, rendering them unusable.
E-mail security controls (think anti-spam, attachment antivirus, etc.) are normally the first line of defense against this type of attack. Unfortunately, in this case, many commercial e-mail filters did not recognize the malicious attachment, and the messages were allowed to go through. Even virustotal.com reported that few security solutions were initially able to recognize and block this attack. Fortunately, Cisco AMP for Endpoints was one that did, and it saved many folks from a significant headache.
So, in cases like this “zero-day” outbreak, how can we better protect ourselves? Here’s where defense in depth comes in. First, think about how malware spreads. With few exceptions, malware requires that a user actually be tricked into doing something—installing a malicious program disguised as something legitimate, changing macro settings within an Office application, etc.—in order to compromise a system. What if we were to not give our users the privileges required in order to do these things to begin with? I still see a lot of folks who let their users have local administrator privileges on their machines. True, a lot of legitimate legacy applications required this, but those cases are becoming increasingly rare. Limiting the scope of users’ privileges on their machines can stop many types of malware dead in its tracks.
I already mentioned Cisco AMP for Endpoints, but incorporating malware defenses at both the network layer and on the individual endpoints is a great strategy. In our Locky example, network-based anti-malware (e-mail filter) didn’t catch the attack, but endpoint-based anti-malware (AMP for Endpoints) did. Complementary controls in action.
But our preventative measures don’t necessarily have to be technical. They can be psychological, too. In 2017, would a legitimate business ever send its customers a message with “Emailed Invoice” as the subject, no information in the body, and a Word document attached? This combination alone should raise all kinds of red flags and be a dead giveaway that something bad is about to happen. Security awareness across your user base has to be a top priority. Even if you had no technical controls in place, a security-aware user would have defeated this attack before it ever had a chance to take hold, simply by recognizing the message for what it was and deleting it.
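The three red flags called out above (a generic "Emailed Invoice" subject, an empty body, and a Word attachment) can also be turned into a simple mail-triage heuristic. The scorer below is an added example, not code from the post or from any Symplexity or Cisco product; the subject list, extension list and the constructed sample message are assumptions made for illustration.

```python
import email
from email import policy

# Indicators from the Locky campaign described in the post; the subject and
# extension lists are assumptions for this example, not vendor signatures.
SUSPICIOUS_SUBJECTS = {"emailed invoice", "invoice", "scanned document"}
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm")

def office_attachments(msg):
    """Filenames of Office-document attachments in a parsed message."""
    names = (part.get_filename() or "" for part in msg.iter_attachments())
    return [n for n in names if n.lower().endswith(OFFICE_EXTENSIONS)]

def body_is_empty(msg):
    """True when the message has no text body or only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()

def score_message(raw):
    """Parse a raw RFC 5322 message and return (score, reasons); a score
    of 3 means all three indicators seen in the Locky campaign are present."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in SUSPICIOUS_SUBJECTS:
        reasons.append("generic invoice-style subject")
    if body_is_empty(msg):
        reasons.append("empty body")
    if office_attachments(msg):
        reasons.append("Office document attached")
    return len(reasons), reasons

# Constructed sample shaped like the campaign, not a real captured message.
LOCKY_LIKE = """\
From: billing@example.invalid
Subject: Emailed Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"

xx
--b1--
"""
```

A mail gateway would typically quarantine anything scoring 3 and flag a score of 2 for review; calling `score_message(LOCKY_LIKE)` on the sample returns a score of 3 with all three reasons.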
So in the end, the most effective strategy for combating zero-day and advanced threats is one of defense in depth—deploying quality technical security controls throughout your environment, as well as making sure your users’ instincts work with (rather than against) those controls. Cyber criminals have become a formidable opponent, but not an unbeatable one when a well-developed set of technical controls and a security-awareness program work in tandem.
Contact Symplexity today to learn how you can improve your organization’s defense strategy.