A recent Cofense blog post found that the macro-enabled Office document remains the
email attachment of choice for delivering malicious payloads. Of all the
delivery mechanisms analyzed, 45% of attacks used these documents to deliver
malicious macros, carrying payloads including Geodo, Chanitor, AZORult and GandCrab.
According to the researchers, the macro is a top choice
because it is either already enabled on the machine or requires only a single mouse
click to be enabled. “This makes it almost trivial to launch the first stage of
an infection chain,” Cofense wrote.
It is often the case that the Microsoft Office macro
feature has been left enabled, so the user sees no sign that opening the document
did anything beyond opening it. Even where the default protection is in place,
the researchers noted, users only see a warning bar that can be dismissed with a
single click on “Enable Content”.
“Abuse of this feature can be easily
mitigated by disabling macros enterprise-wide. However, macros do have
legitimate and valuable usage, upon which many businesses rely. To help reduce
the attack surface introduced
by this feature, businesses have some options,” Cofense wrote. A blanket
policy of blocking Office documents at the gateway is the most effective of them,
but such a strict policy can hinder user productivity.
Defending against phishing attacks is
further complicated by social engineering. A FireEye study found that one in every
one hundred emails is a phishing or otherwise malicious email, and that 90% of
those attempted attacks are malware-less: rather than carrying a payload, they
impersonate a trusted source to trick the user into sharing information about the company.
“Phishing has been around since the
mid-to-late ’90s, and yet it’s still a significant problem as a direct effect
of how successful it remains, even decades later. People are, and always will
be, the weakest link,” said Thomas Pore, director of IT and services for Plixer.
“Social engineering will succeed, which
means your organization is vulnerable.
You must constantly monitor network traffic and digital communication to look
for behavior anomalies. Operating the SOC under the assumption that you’ve
already been infected puts you in a state of mind to stay diligent when network
traffic behavior anomalies rise up. A combination of regular staff training,
critical-asset tagging, patching and behavior anomaly detection is the
foundation of a strong and successful
security program.”