Mitigation strategies to prevent malware delivery and execution
Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTML Applications) and installers.
An appropriately configured implementation of application whitelisting helps to prevent the undesired execution of software regardless of whether the software was downloaded from a website, clicked on as an email attachment or introduced via CD/DVD/USB removable storage media.
Implementing application whitelisting on important servers such as Active Directory, email servers, and other servers handling user authentication can help prevent adversaries from running malware that obtains passphrase hashes or otherwise provides adversaries with additional privileges.
The following examples are not application whitelisting:
- simply preventing a user from installing new applications to their computer’s hard disk
- using a ‘next-generation’ firewall in an attempt to identify whether network traffic is generated by an approved application
- using ‘next-generation’ cyber security software, or any other vendor product, that decides whether an application should be allowed to execute based on factors other than the system administrator’s pre-configured whitelist of approved applications.
The ability of application whitelisting to provide a reasonable barrier for low to moderately sophisticated cyber security incidents depends on the vendor product chosen to implement application whitelisting, combined with its configuration settings, as well as the file permissions controlling which directories a user (and therefore malware) can write to and execute from.
Ensure that the application whitelisting mechanism prevents unapproved programs running regardless of their file extension.
A very basic implementation that prevents some unsophisticated malware from running involves using the application whitelisting mechanism or filesystem permissions to blacklist user profile directories. Such directories include %AppData%, %LocalAppData% and their subdirectories, as well as %TEMP%. Additionally, to prevent malicious scripts from running when users click on them, the Notepad program can be associated with script file extensions such as .hta, .js, .jse, .vbs, .vbe, .wsf and .ps1.
Organisations that don’t require the use of Windows Script Host are strongly advised to disable it, while other organisations should use application whitelisting to permit only approved scripts to run.
After performing testing to confirm that there is no significant business impact, deny typical low-privileged users the ability to run all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe which run JScript and VBScript including Windows Script Files), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and where possible Microsoft HTML Application Host (mshta.exe).
The ACSC urges organisations to exercise caution when using publisher certificate rules to whitelist operating system files and other applications. There is a security risk of inadvertently whitelisting applications that are digitally signed by the same publisher which can be used for legitimate purposes or malicious purposes such as network propagation and running malicious programs. To help mitigate this security risk, ensure that publisher certificate rules specify the ‘Product Name’ in addition to the ‘Publisher Name’.
Where possible, prevent users (and therefore malware running on the user’s behalf) from running system executables commonly used for malicious purposes as listed in mitigation strategy ‘Continuous incident detection and response’. Note the exception for regsvr32.exe and rundll32.exe – these are required for legitimate functionality but can be abused to circumvent application whitelisting, which can be mitigated by configuring rules in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
It is advisable to deploy application whitelisting in phases, instead of trying to deploy it to an entire organisation at once. For example, after fully testing and understanding the application whitelisting mechanism to avoid false positives, one approach is to deploy application whitelisting to the computers used by senior executives and their executive assistants. Such users are Most Likely Targets who usually run a limited number of software applications such as Microsoft Office, an email program and a web browser. An additional benefit is that, when these users are made aware that they clicked on a malicious email attachment or visited a malicious website and application whitelisting mitigated the compromise, they might provide additional support for the deployment of application whitelisting to more computers in the organisation.
Deploying application whitelisting is easier if the organisation has detailed visibility of what software is installed on computers. Such visibility can be obtained by using a Standard Operating Environment, maintaining an inventory of software installed and implementing a robust change management process. Initially testing application whitelisting in ‘audit’/‘logging only’ mode helps organisations to develop an inventory of installed software, while taking care to avoid including existing malware in the inventory. Once an inventory has been established, application whitelisting can be properly configured in ‘enforce’ mode to prevent unapproved programs from running.
When installing new software, avoid creating hashes for added files that aren’t of an executable nature. Otherwise if every new file is whitelisted, the whitelist is likely to become too large and if distributed via Group Policy, might unacceptably slow down users logging into their computers. Additionally, note that installing new software can create subdirectories in whitelisted paths that provide users (and therefore malware) with write and execute permissions, enabling arbitrary unapproved or malicious programs to run. Organisations need to verify the effectiveness of their application whitelisting implementation periodically and especially after installing new software.
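As an added example (not from the ACSC document), the following PowerShell generates an AppLocker policy that applies the points above: the standard allow rules, deny rules for the user-profile directories, deny rules for the Windows script engines for low-privileged users, and a publisher rule that names the product as well as the publisher. It assumes Windows 10/Server 2016 or later with AppLocker, the built-in Users group as the low-privileged population, and placeholder publisher details; the policy is written in AuditOnly mode for the inventory phase.

```powershell
# Added example, not from the ACSC document. Assumes Windows 10 / Server 2016 or later
# with AppLocker, an elevated PowerShell session, and that the built-in Users group is the
# low-privileged population. The policy is generated in AuditOnly mode for the
# inventory phase; switch EnforcementMode to "Enabled" once testing is complete.
$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'; $Users = 'S-1-5-32-545'

function New-PathRule([string]$Name, [string]$Path, [string]$Sid, [string]$Action) {
    # One AppLocker path rule; every rule needs its own GUID.
    $id = [guid]::NewGuid()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-BaselineRules {
    # The standard AppLocker default allow rules, plus explicit deny rules. Deny rules
    # take precedence over allow rules, so user-writable locations are blocked even
    # though they sit inside allowed trees: %AppData%, %LocalAppData% (and therefore
    # %TEMP%) with all their subdirectories, and the user-writable %WINDIR%\Temp.
    @(
        New-PathRule 'Allow Program Files'       '%PROGRAMFILES%\*'            $Everyone 'Allow'
        New-PathRule 'Allow Windows folder'      '%WINDIR%\*'                  $Everyone 'Allow'
        New-PathRule 'Allow administrators'      '*'                           $Admins   'Allow'
        New-PathRule 'Deny user profile AppData' '%OSDRIVE%\Users\*\AppData\*' $Everyone 'Deny'
        New-PathRule 'Deny Windows Temp'         '%WINDIR%\Temp\*'             $Everyone 'Deny'
    )
}

# Script execution engines shipped with Windows that low-privileged users should not run
# (64-bit System32 and 32-bit SysWOW64 copies). Deny always wins, so accounts that are in
# both Users and Administrators are denied too; use a dedicated group if that matters.
$Engines = 'cscript.exe', 'wscript.exe', 'mshta.exe', 'cmd.exe', 'wbem\wmic.exe',
           'WindowsPowerShell\v1.0\powershell.exe', 'WindowsPowerShell\v1.0\powershell_ise.exe'
$EngineRules = foreach ($engine in $Engines) {
    foreach ($base in '%SYSTEM32%', '%WINDIR%\SysWOW64') {
        New-PathRule "Deny $engine for Users" "$base\$engine" $Users 'Deny'
    }
}

# A publisher rule that names the product, not only the publisher. With ProductName="*"
# every binary signed by this publisher would be allowed; naming the product limits the
# rule to the vetted application. Publisher values are placeholders: copy the real ones
# from Get-AppLockerFileInformation run against the vetted file.
$PublisherRule = @"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow vetted business application" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR PTY LTD, L=SYDNEY, S=NSW, C=AU" ProductName="EXAMPLE LINE OF BUSINESS APP" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@

$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$((New-BaselineRules) -join "`n")
$($EngineRules -join "`n")
$PublisherRule
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$((New-BaselineRules) -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyFile = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $PolicyFile -Value $Policy -Encoding UTF8

# Check what the policy would do to real files for a standard user before applying it.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Users -Path @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"   # expected: Denied
    "$env:SystemRoot\System32\notepad.exe"                              # expected: Allowed
) | Format-Table FilePath, PolicyDecision, MatchingRule

# Apply locally; AppLocker only evaluates rules while the Application Identity service
# is running. For the whole organisation, deploy the XML via Group Policy instead.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile
```

Once the audit log (Applications and Services Logs > Microsoft > Windows > AppLocker) shows no unexpected denials for the inventoried software, change both EnforcementMode attributes to "Enabled" and redeploy.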
Installers, or installation packages, can install, modify or remove programs. Common installer frameworks include Windows Installer and InstallShield. Installers often contain installation information as well as files to be installed all within one package. Windows Installer package files have an MSI/MSP filename extension and are commonly used to perform installation or modification of programs in Microsoft Windows environments.
Endpoint protection or anti-malware software from some vendors includes application whitelisting functionality. The ACSC has witnessed an application whitelisting product conflict with anti-malware software from a different vendor that launched itself with a random filename in an attempt to hide from malware.
Windows Defender Application Control, introduced in Microsoft Windows 10 and Microsoft Windows Server 2016, is an application whitelisting capability that uses virtualisation to help protect itself from being disabled either by malicious administrators or by malware that runs with administrative privileges which has already circumvented application whitelisting (somewhat negating the malware’s need to disable application whitelisting).
Further guidance, including applicability for operating systems other than Microsoft Windows, is available at:
Information about Windows Defender Application Control is available at https://docs.microsoft.com/en-au/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.
Patch applications especially Adobe Flash, web browsers and web browser plug-ins/add-ons/extensions, Microsoft Office, Java and PDF viewers. Also patch server applications such as databases that store important (sensitive or high-availability) data as well as web server software that is Internet-accessible.
Patch or mitigate computers exposed to ‘extreme risk’ security vulnerabilities within 48 hours of the security vulnerability being identified. The ACSC has developed guidance to facilitate a risk management approach to applying patches based on the severity and potential business impact of the associated security vulnerabilities.
Use the latest version of applications since they typically incorporate additional security technologies such as sandboxing and other anti-exploitation capabilities. For some vendor applications, upgrading to the latest version is the only way to patch a security vulnerability. Don’t use application versions that are no longer vendor-supported with patches for security vulnerabilities.
‘Extreme risk’ security vulnerabilities in software used by the organisation can enable adversaries to execute malicious code, which can result in significant consequences for the organisation. The level of security risk might also be affected by whether exploit code for a security vulnerability is available commercially or publicly, for example in an open source tool like the Metasploit Framework or in a cybercrime exploit kit.
Approaches to patching
There are a variety of approaches to deploying patches to applications and operating systems running on user computers, based on the organisation’s risk tolerance, as well as how many applications the organisation uses where the applications are legacy, unsupported, developed in-house or poorly designed.
- Some organisations use a balanced approach involving waiting a few hours after a patch has been released to enable the vendor to recall the patch if it has been reported to break business functionality. The organisation then deploys the patch to a few computers belonging to a subset of system administrators or similar technically skilled users, optionally testing the ability to rollback the patch to remove it. If no broken functionality has been identified within a day, the organisation then deploys the patch to a small percentage of computers belonging to users from every business section, especially to users who are Most Likely Targets. If there are no complaints of broken functionality within a day, the patch is then deployed to all other user computers. This approach minimises the organisation’s exposure to the security vulnerability while also minimising the cost of testing patches, at the risk of having to rollback a patch if it breaks business functionality.
- Some organisations spend a significant amount of time testing patches for user computers prior to deployment. Although this approach facilitates change management and minimises the likelihood that a deployed patch will break business functionality, a lengthy patch testing process has associated financial costs and leaves the organisation vulnerable until the patch is deployed or a workaround is implemented.
A different approach involving more thorough testing is usually used for deploying patches to servers, as well as for deploying upgrades that introduce significant additional features and capabilities.
To obtain visibility of what software requires patching, maintain an inventory of software installed on every computer, especially laptops that might only occasionally connect to the organisation’s network, and include details about software versions and patching history.
Prioritise patching security vulnerabilities in software used to interact with content from the Internet, as well as software which runs with elevated privileges such as anti-malware software and third party video drivers.
Use an automated mechanism to confirm and record that deployed patches have been installed, applied successfully and remain in place.
Using the latest version
Don’t use software which is no longer vendor-supported with patches for security vulnerabilities. This is especially important for software that interacts with untrusted and potentially malicious data.
Don’t use Adobe Reader prior to version X, or unsupported Internet Explorer versions (currently version 10 and older) especially when accessing the Internet.
Further guidance is available at https://www.cyber.gov.au/publications/assessing-security-vulnerabilities-and-applying-patches.
Microsoft’s guidance for improving patch management practices is available at https://blogs.msdn.microsoft.com/govtech/2015/04/21/if-you-do-only-one-thing-to-reduce-your-cybersecurity-risk/.
Configure Microsoft Office macro settings
Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
This mitigation strategy addresses adversaries using Microsoft Office macros in an attempt to run malicious code while evading basic email content filtering and application whitelisting.
When configuring the new security feature added to Microsoft Office to block macros from the Internet, also configure the Microsoft Windows Attachment Manager to prevent users from removing zone information to circumvent this security feature.
For organisations with a business requirement to run Microsoft Office macros, configure Microsoft Office on a per-user and per-application basis to only run macros vetted as trustworthy and preferably placed in ‘trusted location’ directories which typical low-privileged users can’t write to, or less preferably digitally signed by trusted publishers. Note that adversaries might attempt to purchase or steal a code signing certificate issued by a trusted certificate authority, and use it to sign a malicious macro – even if the certificate is associated with an untrusted publisher, the user might undesirably be provided with the decision and ability to run the macro.
Enforce the macro security configuration settings via Group Policy to prevent users from changing them to run a malicious or otherwise unapproved macro.
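As an added example (not from the ACSC document), the PowerShell below writes the registry values that the Group Policy settings described above control, so the result can be verified on a test computer before the same settings are deployed via Group Policy. It assumes Office 2016 or later (registry version key 16.0) and a placeholder vetted-macro share that low-privileged users cannot write to.

```powershell
# Added example, not from the ACSC document. Assumes Office 2016/2019/365 (registry
# version 16.0) and a placeholder vetted-macro share that users cannot write to. These
# are the HKCU policy values that the corresponding Group Policy settings write.
$OfficeVersion   = '16.0'
$OfficeApps      = 'Word', 'Excel', 'PowerPoint'
$VettedMacroPath = '\\fileserver\vetted-macros'   # placeholder: read-only share for users

function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord') {
    # Creates the policy key if Group Policy has not created it yet, then sets the value.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

foreach ($app in $OfficeApps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

    # Block macros in files that carry the Internet zone marker (Mark of the Web).
    Set-PolicyValue $sec 'blockcontentexecutionfrominternet' 1

    # VBA macro setting: 4 = disable all macros without notification, so the user is
    # never offered the choice to enable them. Macros in trusted locations still run.
    # Use 3 instead where vetted macros are approved by digital signature rather than
    # by location (the less preferred option in the guidance above).
    Set-PolicyValue $sec 'VBAWarnings' 4

    # A single trusted location on a share users cannot write to. Network trusted
    # locations must be explicitly enabled; subfolders are not trusted.
    $tl = "$sec\Trusted Locations"
    Set-PolicyValue $tl 'AllowNetworkLocations' 1
    Set-PolicyValue "$tl\Location1" 'Path'            $VettedMacroPath 'String'
    Set-PolicyValue "$tl\Location1" 'AllowSubFolders' 0
    Set-PolicyValue "$tl\Location1" 'Description'     'Vetted macros (read-only share)' 'String'
}

# Attachment Manager: keep the zone marker on saved attachments and hide the 'Unblock'
# control, so users cannot strip the marker that the macro block above relies on.
$att = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
Set-PolicyValue $att 'SaveZoneInformation'     2   # 2 = preserve zone information
Set-PolicyValue $att 'HideZoneInfoOnProperties' 1   # 1 = no Unblock button/checkbox

# Read the settings back per application to confirm what was applied.
function Get-MacroPolicy([string]$App) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    [pscustomobject]@{
        App               = $App
        BlockFromInternet = (Get-ItemProperty $sec).blockcontentexecutionfrominternet
        VBAWarnings       = (Get-ItemProperty $sec).VBAWarnings
        TrustedLocation   = (Get-ItemProperty "$sec\Trusted Locations\Location1").Path
    }
}
$OfficeApps | ForEach-Object { Get-MacroPolicy $_ } | Format-Table
```

Because these live under HKCU\Software\Policies, users cannot change them through the Trust Center; deploying them through Group Policy rather than a local script keeps them enforced.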
Detailed guidance on implementing this mitigation strategy is available at https://www.cyber.gov.au/publications/microsoft-office-macro-security.
Further information about the new security feature in Microsoft Office to block macros from the Internet is available at https://www.microsoft.com/security/blog/2016/10/26/office-2013-can-now-block-macros-to-help-prevent-infection/.
User application hardening
User application hardening. Configure web browsers to block Flash (ideally uninstall it if possible), advertisements and untrusted Java code on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
This mitigation strategy significantly helps to reduce the attack surface of user computers. It also helps to mitigate adversaries using malicious content in an attempt to evade application whitelisting by either exploiting an application’s legitimate functionality, or exploiting a security vulnerability for which a vendor patch is unavailable.
Focus on hardening the configuration of applications used to interact with content from the Internet. For web browsers, disallow Adobe Flash (ideally uninstall it), ActiveX, Java, Silverlight and QuickTime for Windows. Whitelist trustworthy websites that require such web browser functionality for a specific business purpose, such as a legacy Flash application used on the organisation’s intranet. Note that some web browsers have an embedded version of Flash.
Ideally uninstall Flash, since simply disabling Flash in the web browser doesn’t mitigate all exploitation vectors such as via Microsoft Office or PDF viewers. Furthermore, web browser ‘click-to-play’ functionality provides limited mitigation since it relies on users to make correct security decisions. Some users might choose incorrectly, for example enabling a malicious Flash advertisement located on a legitimate website.
Block Internet advertisements using web browser software (and web content filtering in the gateway), due to the prevalent threat of adversaries using malicious advertising (malvertising) to compromise the integrity of legitimate websites to compromise visitors to such websites. Some organisations might choose to support selected websites that rely on advertising for revenue by enabling just their ads and potentially risking compromise.
A variety of approaches can be used to mitigate running malicious Java code located on the Internet, including:
- uninstall Java if there is no business requirement to use it
- configure Java to disable ‘Java content in the browser’
- use a modern web browser which forbids running deprecated Java plugins
- apply web browser specific configuration settings that disable Java in the web browser
- use a separate web browser that can only run Java code located on the organisation’s internal systems
- use the Deployment Rule Set feature to whitelist Java applets and Java Web Start applications
- use web content filtering to provide defence-in-depth mitigation, including providing an exception for whitelisted websites that require the use of Java for business purposes.
Configure Microsoft Office to disable activation of object linking and embedding (OLE) packages.
Configure the Microsoft Office File Validation and Protected View features to inspect and validate Microsoft Office files for potentially malicious abnormalities.
Detailed guidance on configuring the Microsoft Office File Validation and Protected View features is available at https://www.cyber.gov.au/publications/hardening-microsoft-office-2016.
Automated dynamic analysis of email and web content run in a sandbox
Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified (e.g. network traffic, new or modified files, or other system configuration changes).
Dynamic analysis uses behaviour-based detection capabilities instead of relying on the use of signatures, enabling the organisation to detect malware that has yet to be identified by the cyber security community.
Analysis could be performed in an instrumented sandbox located either in the organisation’s gateway, on a user’s computer, or in an external cloud computing environment subject to concerns about data sensitivity, privacy, and security of the communications channel.
Preferably use a vendor product that:
- is able to decrypt and perform analysis of email and web content that was encrypted by SSL/TLS when in transit over the Internet
- analyses emails before delivering them to users, to avoid users being exposed to malicious content
- rapidly and effectively mitigates web content that has already been delivered to users and has subsequently been identified as malicious – mitigation might include blocking the user’s computer from having access to the Internet infrastructure that the malicious content communicates with, or otherwise quarantining the user’s computer
- enables the sandbox to be customised to match the operating systems, applications and configuration settings of computers used throughout the organisation.
Use an implementation that is regularly updated by the vendor to mitigate evolving evasion techniques that challenge the effectiveness of this mitigation strategy. Avoid using implementations that are easily circumvented by adversaries using evasion techniques such as:
- manipulating network traffic using approaches historically used to evade network-based intrusion detection/prevention systems
- performing malicious actions only if specific conditions are met, for example after a period of time or specified date has elapsed, after the user has interacted with the computer such as clicked a mouse button, or if the malware considers the computer to be a real user’s computer and not a virtual machine or honeypot.
Email content filtering
Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros.
Email content filtering helps to prevent the compromise of user computers via adversaries using malicious emails. Whitelisting business-related attachment types is significantly more effective than attempting to identify and blacklist a complete list of malicious file types and file extensions, including those increasingly leveraged by adversaries such as .lnk shortcut files, PowerShell and JScript files.
Disallow/quarantine content that can’t be inspected such as passphrase-protected archive files (e.g. zip or RAR). Inspect archive files in a controlled manner to avoid denial of service via resource exhaustion.
Reject incoming emails that have the organisation’s domain as the email sender but do not originate from email servers approved by the organisation.
One approach to sanitising whitelisted business-related attachment types is to use ‘Content Disarm and Reconstruction’ software, which replaces an email attachment with a new file containing the same content but without potentially malicious code.
Preferably archive PDF and Microsoft Office attachments, and scan them again for malware every month for several months.
Preferably quarantine attachments and disable hyperlinks in emails from webmail providers that provide free email addresses to anonymous Internet users, since adversaries often use such email addresses due to the lack of attribution.
Further guidance on malicious email mitigation strategies is available at https://www.cyber.gov.au/publications/malicious-email-mitigation-strategies.
Web content filtering
Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains.
An effective web content filter reduces the security risk of malware being accessed, as well as making it more difficult for adversaries to communicate with their malware. Defining a whitelist of allowed types of web content will assist in removing one of the most common malware delivery techniques.
Preferably block all executable content by default and use a process to enable selected users to access specific executable content if a business justification exists.
Preferably block access to websites that the web content filter considers to be ‘uncategorised’ or in a category that is not required for business purposes.
Ideally block Flash, ActiveX and Java, except for whitelisted websites that require such functionality for legitimate purposes. However, the administrative resources required to analyse legitimate business requirements in larger organisations could be significant.
Implement a solution that inspects HTTPS traffic for malicious content, especially HTTPS communications with unfamiliar websites, noting that encrypted network traffic has become pervasive.
If the web content filter has the capability to inspect Microsoft Office files, quarantine such files if they contain macros, especially if they are downloaded from the Internet rather than from the organisation’s intranet.
Block Internet advertisements using web content filtering in the gateway (and web browser software), due to the prevalent threat of adversaries using malicious advertising (malvertising) to compromise the integrity of legitimate websites to compromise visitors to such websites. Some organisations might choose to support selected websites that rely on advertising for revenue by enabling just their ads and potentially risking compromise.
Block outbound network connections to anonymity networks such as Tor, Tor2web and I2P, to help mitigate malware that uses such networks for command and control as well as for data exfiltration. Some organisations might choose to support inbound network connections from anonymity networks to the organisation’s public Internet-accessible websites, to cater to website visitors who wish to remain anonymous for privacy reasons.
Cyber security incidents often involve the use of ‘dynamic’ domains and other domains provided free to anonymous Internet users, due to the lack of attribution. Block access to such domains after confirming that the organisation does not access any legitimate websites using these domains.
Where possible, block attempts to access websites by their IP address instead of by their domain name, to force adversaries to obtain a domain name which can contribute to an audit trail that can assist with identifying related cyber security incidents.
The effectiveness of this mitigation strategy is reduced by adversaries using legitimate websites, which are required for business purposes, for malware delivery, command and control, and exfiltration. Such websites include web forums, social networking websites, cloud computing services, legitimate but temporarily compromised websites and a range of other web infrastructure.
Deny corporate computers direct Internet connectivity
Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.
A gateway firewall limits external adversaries from accessing corporate computers running vulnerable network services, and serves as a logging and choke point for incoming and outgoing network traffic.
Malware of lower sophistication might fail to exfiltrate data and operate correctly if it expects direct Internet connectivity and is unable to traverse the organisation’s Internet gateway, resulting in the Internet gateway detecting and blocking such unauthorised network communication.
The firewall should be configured to only allow approved networking ports and protocols required for business functionality, and should be capable of handling IPv6 traffic.
Implement a web proxy that decrypts and inspects encrypted HTTPS traffic for malicious content, especially HTTPS communications with unfamiliar websites.
Preferably configure computers with a non-routing network capture device as the default route to help detect malware attempting to directly communicate with the Internet, noting that some legitimate applications or operating system functionality might generate false positives.
Servers should have a very restricted ability, and ideally no ability, to browse websites and access emails from the Internet.
This mitigation strategy should not be interpreted as requiring Internet users who visit the organisation’s public Internet-accessible websites to be authenticated by a web proxy.
Operating system generic exploit mitigation
Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
Security-Enhanced Linux (SELinux) and grsecurity are examples of exploit mitigation mechanisms for Linux operating systems.
These technologies provide system-wide measures to help mitigate techniques used to exploit security vulnerabilities, including for applications which EMET is specifically configured to protect, even in cases where the existence and details of security vulnerabilities are not publicly known.
Configure DEP hardware and software mechanisms to apply to all operating system programs and other software applications that support DEP.
Configure ASLR for all operating system programs and other software applications that support ASLR.
In addition to configuring system-wide EMET rules, configure EMET rules for applications that interact with potentially untrusted content, for example web browsers, Microsoft Office and PDF viewers.
Configure EMET rules to mitigate the legitimate Microsoft Windows operating system files regsvr32.exe and rundll32.exe being abused to circumvent application whitelisting.
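As an added example (not from the ACSC document), the following PowerShell applies the DEP and ASLR guidance above on Windows 10 (version 1709 or later) and Windows Server 2019, where the EMET mitigations are built into the operating system and configured with the Get-ProcessMitigation and Set-ProcessMitigation cmdlets; the list of applications is an assumption to adapt to the organisation’s SOE.

```powershell
# Added example, not from the ACSC document. Assumes Windows 10 1709+ / Server 2019,
# where EMET's mitigations are built in and managed with *-ProcessMitigation, and an
# elevated session. Test first: mandatory ASLR can break older add-ins and plug-ins.

# 1. DEP: enforce NX for every process (AlwaysOn) rather than only Windows programs
#    and services (the default OptIn). Takes effect after a reboot.
bcdedit /set '{current}' nx AlwaysOn | Out-Null

# 2. System-wide defaults: DEP, ASLR (bottom-up and high-entropy 64-bit randomisation)
#    and SEHOP for every program that does not explicitly opt out.
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, SEHOP

# 3. Per-application rules for software that handles untrusted content.
#    ForceRelocateImages is mandatory ASLR: images built without /DYNAMICBASE are
#    relocated anyway, which is the case EMET's per-application ASLR addressed.
$UntrustedContentApps = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',
                        'AcroRd32.exe', 'iexplore.exe', 'chrome.exe', 'firefox.exe'
foreach ($exe in $UntrustedContentApps) {
    Set-ProcessMitigation -Name $exe -Enable DEP, ForceRelocateImages, BottomUp, HighEntropy, SEHOP
}

# 4. Read back the effective state; each mitigation reports ON, OFF or NOTSET,
#    where NOTSET means the system-wide default applies.
function Get-MitigationSummary([string]$Exe) {
    $m = Get-ProcessMitigation -Name $Exe
    [pscustomobject]@{
        Process             = $Exe
        DEP                 = $m.DEP.Enable
        ForceRelocateImages = $m.ASLR.ForceRelocateImages
        BottomUp            = $m.ASLR.BottomUp
        HighEntropy         = $m.ASLR.HighEntropy
        SEHOP               = $m.SEHOP.Enable
    }
}
$UntrustedContentApps | ForEach-Object { Get-MitigationSummary $_ } | Format-Table

# 5. Export the full configuration so it can be reviewed and then deployed to every
#    computer via Group Policy (Exploit protection > common set of exploit protection settings).
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'exploit-protection.xml')
```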
Use a 64-bit version of Microsoft Windows instead of a 32-bit version, since the 64-bit version contains additional security technologies.
Microsoft note that their Microsoft Windows 10 operating system and Edge web browser natively implement many of EMET’s features and mitigations, making EMET less relevant for Microsoft Windows 10. EMET is most useful to help protect previous operating system versions, legacy applications and third party software:
Server application hardening
Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as other server applications that access important (sensitive or high-availability) data (e.g. customer, finance, human resources and other data storage systems).
Server application hardening helps the organisation to conduct its business with a reduced security risk of malicious data access, theft, exposure, corruption and loss.
OWASP guidance helps to mitigate web application security vulnerabilities such as SQL injection, and covers code review, data validation and sanitisation, user and session management, protection of data in transit and storage, error handling, user authentication, logging and auditing.
The ACSC has developed guidance for securing content management systems running on web servers, as part of the ACSC responding to cyber security incidents involving adversaries compromising Internet-accessible web servers and using ‘web shells’ which can facilitate remote access, administration and pivoting to the organisation’s internal systems.
Further guidance on protecting web applications is available at https://www.cyber.gov.au/publications/protecting-web-applications-and-users.
Further guidance on securing content management systems is available at https://www.cyber.gov.au/publications/securing-content-management-systems.
Operating system hardening
Operating system hardening (including for network devices) based on a Standard Operating Environment (SOE), disabling unneeded functionality (e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, Link-Local Multicast Name Resolution (LLMNR) and Web Proxy Auto-Discovery (WPAD)).
Benefits of computers and network devices having a consistent managed SOE configuration include:
- system administrators performing configuration management and knowing what software is running on computers thereby facilitating implementing application whitelisting and patching security vulnerabilities
- the ability to detect anomalous software running by monitoring for deviations from the standard baseline – implementing application whitelisting, even if configured in ‘audit’/‘logging only’ mode, can provide this ability
- network administrators knowing what software is running on network devices thereby facilitating patching security vulnerabilities, as well as knowing what software is permitted to communicate on the network thereby facilitating baselining expected network activity
- the ability to quickly restore compromised computers and network devices to a known clean state.
Harden file and Windows Registry permissions, for example where possible, prevent users (and therefore malware running on the user’s behalf) from running system executables commonly used for malicious purposes as listed in mitigation strategies ‘Application Whitelisting’ and ‘Continuous incident detection and response’.
Configure the Windows Task Scheduler service to prevent user computers from creating scheduled tasks (especially on servers) to execute malicious programs.
Configure the DLL search path algorithm to help mitigate malicious DLL files being loaded via DLL search order hijacking techniques.
Disable Server Message Block (SMB) and NetBIOS services running on computers where possible, especially to help mitigate internal reconnaissance and network propagation.
Disabling LLMNR and associated name resolution services such as NetBIOS Name Service, where possible, helps to prevent adversaries on the organisation’s network from responding to name queries made by the organisation’s other computers and collecting their authentication credentials.
Organisations should create a WPAD DNS record in their internal DNS server and/or in the ‘hosts’ file of user computers. Organisations that don’t use Proxy Auto-Configuration should disable this feature in web browsers.
Configuring file extensions to be displayed helps users understand a file’s type; otherwise an email attachment called ‘file.txt.exe’ could appear as ‘file.txt’, making the user think it is a harmless text file.
The scarcity of unused and available publicly routable IPv4 addresses results in an increasing need for IPv6 to be used by computers that connect directly to the Internet. However, IPv6 might not be needed by computers on an organisation’s internal network that use IPv4 addresses in the reserved range.
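The operating system settings above, applied with a PowerShell script. This is an added example and not part of the ACSC document; it uses standard Windows cmdlets and registry values, must run elevated, and its `$WpadAddress` value is a placeholder to replace with the organisation’s proxy (or left as 127.0.0.1 to answer WPAD lookups locally). The `-DisableIPv6` and `-DisableServerService` switches are opt-in because they break hosts that need those features, and the per-user values (file extensions, proxy auto-detection) are normally deployed to all users through Group Policy rather than this script.

```powershell
# Added example (not from the ACSC document): workstation hardening settings discussed above.
# Run from an elevated PowerShell session.
param(
    [string]$WpadAddress = '127.0.0.1',   # placeholder: your proxy, or 127.0.0.1 to sinkhole WPAD
    [switch]$DisableIPv6,                 # only for internal-only hosts that use IPv4 exclusively
    [switch]$DisableServerService         # only for hosts that share nothing over SMB
)

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    Write-Host "set $Path\$Name = $Value"
}

# Show file extensions so 'file.txt.exe' is not displayed as 'file.txt' (per-user value).
Set-RegDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0

# DLL search order hijacking: keep SafeDllSearchMode on and stop LoadLibrary from searching
# the current working directory (CWDIllegalInDllSearch = 0xFFFFFFFF, written as -1).
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Set-RegDword $sessionManager 'SafeDllSearchMode' 1
Set-RegDword $sessionManager 'CWDIllegalInDllSearch' (-1)

# LLMNR off (the 'Turn off multicast name resolution' policy value).
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# NetBIOS over TCP/IP off on every IP-enabled adapter (TcpipNetbiosOptions 2 = disable).
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
    }

# SMBv1 server and client support removed; the Server service itself only where nothing is shared.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
if ($DisableServerService) {
    Stop-Service -Name LanmanServer -Force
    Set-Service -Name LanmanServer -StartupType Disabled
}

# Answer 'wpad' lookups from the hosts file so a rogue host on the LAN cannot, and turn off
# browser proxy auto-detection (per-user Internet Settings value) where PAC is not used.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern '^\s*\S+\s+wpad(\s|$)' -Quiet)) {
    Add-Content -Path $hostsFile -Value "$WpadAddress wpad"
    Write-Host "added hosts entry: $WpadAddress wpad"
}
Set-RegDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'AutoDetect' 0

# IPv6 unbound from all adapters, only when the host lives solely on private IPv4 addressing.
if ($DisableIPv6) {
    Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_tcpip6'
}
```

Reboot (or at least a Group Policy refresh and a new logon) is needed before every value takes effect, and the NetBIOS and SMB changes should be trialled on a pilot group first because legacy applications and printers still depend on them.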
Antivirus software using heuristics and reputation ratings
Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers.
Specifically, this includes checking the prevalence of a questionable file among the vendor’s user base, and ideally also checking whether a digitally signed file uses a reputable vendor certificate that hasn’t been revoked and wasn’t expired when the digital signature was added to the file.
Antivirus software helps to detect malware that includes computer viruses, worms, Trojans, spyware and adware.
Configure the heuristic behaviour analysis capability to achieve an acceptable balance between identifying malware and avoiding the negative impact that false positives have on users and the organisation’s incident response team.
Scan files when they are accessed and on a scheduled basis.
Endpoint protection or anti-malware software from some vendors includes heuristics and reputation rating functionality.
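The digital-signature part of the reputation check described above, as a script an administrator can run over a file before trusting it. This is an added example, not part of the ACSC document or any vendor product: it uses `Get-AuthenticodeSignature` plus a .NET `X509Chain` built with online revocation checking, and its `$TrustedSigners` list is a placeholder the organisation maintains itself.

```powershell
# Added example (not from the ACSC document): assess a file's digital signature the way the
# reputation checks above do - valid signature, unrevoked signer, timestamped, known vendor.
function Test-FileSignatureReputation {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder list: certificate subject substrings your organisation trusts.
        [string[]]$TrustedSigners = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $findings = New-Object System.Collections.Generic.List[string]
    $signer   = $sig.SignerCertificate
    $revoked  = $false

    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status: $($sig.Status) ($($sig.StatusMessage))")
    }

    if ($signer) {
        # Rebuild the chain with an online CRL/OCSP check: a revoked signer fails here even
        # though the file hash still matches the signature.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($signer)) {
            foreach ($s in $chain.ChainStatus) {
                $findings.Add("Chain: $($s.Status) - $($s.StatusInformation.Trim())")
            }
            $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })
        }

        # Without a timestamp countersignature there is no proof the certificate was still
        # valid at the moment the file was signed.
        if (-not $sig.TimeStamperCertificate) {
            $findings.Add('No timestamp: cannot show the certificate was unexpired at signing time')
        }
        elseif ($signer.NotAfter -lt (Get-Date)) {
            $findings.Add("Signer certificate expired $($signer.NotAfter); validity rests on the timestamp")
        }

        $known = [bool]($TrustedSigners | Where-Object { $signer.Subject -like "*$_*" })
        if (-not $known) { $findings.Add("Signer '$($signer.Subject)' is not in the trusted vendor list") }
    }
    else {
        $findings.Add('File is not signed')
    }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = if ($signer) { $signer.Subject } else { $null }
        Revoked  = $revoked
        Trusted  = ($sig.Status -eq 'Valid' -and -not $revoked -and $findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage: Test-FileSignatureReputation -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

The prevalence check (how common the file is across a vendor’s user base) has no local equivalent; this script covers only what can be verified on the host itself, which is why a valid, timestamped signature from a known vendor is reported as `Trusted` and everything else lands in `Findings` for a human to review.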
Control removable storage media and connected devices
Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G/5G devices.
Using removable storage media and connected devices in a controlled and accountable manner reduces the security risk of malware execution and unauthorised data exposure.
USB flash storage devices infected with malware might be deliberately provided to targeted users as a gift, and have been inadvertently distributed by major vendors at several Australian cyber security conferences. Additionally, adversaries might scatter USB flash storage devices, CDs and DVDs containing malicious content in the car park of targeted users.
Follow a robust storage media transfer policy and process when using removable storage media to transfer data between computers, especially if they are located on different networks or in different security domains. Ideally, an alternative corporately approved method of data transfer should be established which avoids the need to use removable storage media.
Computers without a need to use removable storage media or connected devices can be configured to help prevent such connectivity by removing the associated drivers from the operating system, using third-party solutions to permit or deny access to specific classes of devices, configuring computer BIOS/UEFI settings to disable access to the associated hardware, and physically removing or disabling the hardware used for external data storage or external device connectivity.
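Blocking removable storage on a Windows computer with the operating system’s own policy values, as an added example that is not part of the ACSC document. It covers the operating-system part of the options above (driver installation restrictions, the Removable Storage Access policy and the USB mass-storage driver); BIOS/UEFI settings and third-party device control products are outside what a script can do. The storage-class GUIDs are the ones used by the Removable Storage Access Group Policy node; run elevated and expect the values to apply after a policy refresh or reboot.

```powershell
# Added example (not from the ACSC document): deny removable storage via built-in policy values.
function Set-RemovableStorageBlock {
    param(
        [switch]$BlockExecuteOnly   # allow controlled data transfer but never execute from the media
    )
    function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }

    # 1. Refuse driver installation for any removable device
    #    (policy 'Prevent installation of removable devices').
    Set-Dword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions' 'DenyRemovableDevices' 1

    # 2. Removable Storage Access policy, per storage class.
    $classes = @{
        'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
        'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    }
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    foreach ($name in $classes.Keys) {
        $key = "$base\$($classes[$name])"
        Set-Dword $key 'Deny_Execute' 1
        if (-not $BlockExecuteOnly) {
            Set-Dword $key 'Deny_Read'  1
            Set-Dword $key 'Deny_Write' 1
        }
        Write-Host "$name : execute denied$(if (-not $BlockExecuteOnly) { ', read and write denied' })"
    }

    # 3. Belt and braces for full blocking: stop the USB mass-storage driver from starting at all.
    if (-not $BlockExecuteOnly) {
        Set-Dword 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4
        Write-Host 'USBSTOR service disabled'
    }
}

# Usage:
#   Set-RemovableStorageBlock                     # no access to USB disks, CDs or DVDs
#   Set-RemovableStorageBlock -BlockExecuteOnly   # data transfer allowed, execution denied
```

The `-BlockExecuteOnly` mode matches the situation where a formal media transfer process still needs read and write access: it removes the ability to run a program from the media while the transfer policy governs the data itself.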
Block spoofed emails
Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain.
SPF, or alternative implementations such as Sender ID, reduce the likelihood of spoofed emails being delivered to the targeted user.
Configure ‘hard fail’ SPF TXT DNS records for the organisation’s domains and subdomains, and configure a wildcard SPF TXT DNS record to match non-existent subdomains.
Sender ID is an alternative version of SPF that checks the legitimacy of the sender’s email address as displayed to the email recipient. A related email authentication mechanism is DomainKeys Identified Mail (DKIM).
Domain-based Message Authentication, Reporting and Conformance (DMARC) enables a domain owner to specify a policy stating what action the recipient’s email server should take if it receives an email that has failed an SPF check and/or a DKIM check. DMARC also contains a reporting feature which enables a domain owner to obtain some visibility of whether their domain is being spoofed in emails sent by adversaries.
Configure a DMARC DNS record for the organisation’s domain, specifying that emails from the organisation’s domain and subdomains should be rejected if they fail SPF checks (and/or DKIM checks if DKIM is configured for the organisation’s domain). The ACSC has responded to a cyber security incident in which, because no DMARC DNS record existed, a major free webmail provider delivered a spoofed email to the recipient’s inbox even though the email failed SPF checks.
Organisations can conservatively deploy DMARC if they are concerned about legitimate emails sent from their domain being incorrectly rejected.
Reject incoming emails that have the organisation’s domain as the email sender but do not originate from email servers approved by the organisation.
Further guidance on spoofed email mitigation strategies is available at https://www.cyber.gov.au/publications/how-to-combat-fake-emails.
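Checking SPF and DMARC records against the guidance above (hard fail, subdomain coverage, reporting) before publishing them. This is an added example and not part of the ACSC document: the two functions work on record strings, so they run offline against the constructed samples shown, and `example.com` and `example.net` are placeholder domains; the commented `Resolve-DnsName` line is how the same checks would be fed a live record.

```powershell
# Added example (not from the ACSC document): flag weak SPF and DMARC records.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $issues   = New-Object System.Collections.Generic.List[string]
    $terms    = $Record.Trim() -split '\s+'
    $hardFail = $false

    if ($terms[0] -ne 'v=spf1') {
        $issues.Add('Not an SPF record: must begin with v=spf1')
    }
    else {
        # The 'all' mechanism decides what happens to senders matched by nothing else.
        $all = @($terms | Where-Object { $_ -match '^[-~+?]?all$' }) | Select-Object -Last 1
        switch -Regex ($all) {
            '^-all$'   { $hardFail = $true }
            '^~all$'   { $issues.Add('Soft fail (~all): most receivers still deliver spoofed mail; use -all') }
            '^\+?all$' { $issues.Add('+all: every sender on the Internet passes SPF') }
            '^\?all$'  { $issues.Add('Neutral (?all) gives no protection; use -all') }
        }
        if (-not $all) { $issues.Add("No 'all' mechanism: unlisted senders are Neutral, not rejected") }
        # RFC 7208 caps DNS-querying terms at 10; more produces a PermError at the receiver.
        $lookups = @($terms | Where-Object {
            $_ -match '^[-~+?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $issues.Add("$lookups DNS-lookup terms exceed the limit of 10") }
    }
    [pscustomobject]@{ Record = $Record; HardFail = $hardFail; Issues = $issues.ToArray() }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $issues = New-Object System.Collections.Generic.List[string]
    $tags   = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair.Trim() -eq '') { continue }
        if ($pair -notmatch '=') { $issues.Add("Malformed tag '$($pair.Trim())'"); continue }
        $name, $value = $pair -split '=', 2
        $tags[$name.Trim()] = $value.Trim()
    }
    if ($tags['v'] -ne 'DMARC1') { $issues.Add('Missing or invalid v=DMARC1 tag') }

    $policy    = $tags['p']
    $subPolicy = if ($tags.ContainsKey('sp'))  { $tags['sp'] }      else { $policy }  # sp defaults to p
    $pct       = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }     # pct defaults to 100
    $enforcing = $policy -in @('quarantine', 'reject')

    if (-not $policy)                 { $issues.Add('Missing mandatory p= tag') }
    elseif ($policy -eq 'none')       { $issues.Add('p=none only monitors: failing mail is still delivered') }
    elseif (-not $enforcing)          { $issues.Add("Unknown policy '$policy'") }
    if ($enforcing -and $subPolicy -eq 'none') { $issues.Add('sp=none leaves subdomains unprotected') }
    if ($pct -lt 100)                 { $issues.Add("pct=$pct means the policy applies to only $pct% of failing mail") }
    if (-not $tags.ContainsKey('rua')) { $issues.Add('No rua= address: no aggregate reports, so no visibility of spoofing') }

    [pscustomobject]@{
        Record = $Record; Policy = $policy; SubdomainPolicy = $subPolicy
        Percent = $pct; Enforcing = $enforcing; Issues = $issues.ToArray()
    }
}

# Constructed sample records (placeholder domains).
$spfSamples = @(
    'v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all'   # hard fail: as recommended
    'v=spf1 include:_spf.example.net ~all'                       # soft fail: flagged
    'v=spf1 -all'                                                # wildcard record for non-existent subdomains
)
foreach ($s in $spfSamples) { Test-SpfRecord -Record $s | Format-List }

Test-DmarcRecord -Record 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; pct=100' | Format-List
Test-DmarcRecord -Record 'v=DMARC1; p=none' | Format-List

# Live record instead of a sample (needs DNS):
#   (Resolve-DnsName -Name '_dmarc.example.com' -Type TXT).Strings -join '' | Test-DmarcRecord
```

Of the samples, only the first SPF record and the first DMARC record come back with an empty `Issues` list; the `v=spf1 -all` record is what the wildcard record for non-existent subdomains should contain, and it is reported as hard fail with no issues because that is exactly its purpose.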
User education
User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as corporately unapproved removable storage media, connected devices and external IT services such as cloud computing including webmail.
Educate users, especially Most Likely Targets, about Internet threats such as identifying spear phishing emails or unexpected duplicate emails, and reporting such emails to the organisation’s IT security team. Users should also report potential cyber security incidents, including suspicious phone calls such as unidentified callers attempting to solicit details about the organisation’s IT environment. Finally, users should avoid using weak passphrases, reusing passphrases, using unapproved removable storage media and connected devices, and exposing their email addresses for example via social networking.
User education should focus on influencing user behaviour.
User education can complement technical mitigation strategies. Users can notice and report unexpected behaviour such as a suspicious email, or a blank document or irrelevant document content being displayed when an email attachment is opened. This can assist in detecting spear phishing emails as an intrusion vector. However, to prevent and automatically detect an attempted compromise, implementing a technical mitigation strategy (such as application whitelisting configured to log and report violations) is preferable to relying on user education.
Putting users in the position of making a security-related decision, and hoping that they are all educated to always choose correctly, is likely to result in some users choosing incorrectly, resulting in a compromise.
The ACSC is aware of some spear phishing emails that use clever tradecraft and are believable such that no amount of user education would have helped to prevent or detect a compromise.
User education won’t prevent a user from visiting a legitimate website that has been temporarily compromised to serve malicious content as part of a ‘drive by download’, ‘watering hole’ or ‘strategic web compromise’, including where malvertising runs malicious software without requiring user interaction. Visiting such a website might compromise the user’s computer without any obvious indications of compromise for the user to detect.
Educate users to avoid:
- logging into fake websites by visiting hyperlinks in emails that arrived from the Internet
- sharing passphrases with other users
- selecting weak passphrases
- reusing a previously used passphrase
- using the same passphrase in several different places
- storing their passphrases unencrypted in files
- using removable storage media and other IT equipment not corporately provided
- performing work using corporately unapproved external IT services such as cloud computing including webmail
- unnecessarily exposing their email address and personal details (e.g. via public social networking platforms)
- visiting websites unrelated to work.
Educate users as to why following cyber security policies helps them to protect and appropriately handle the sensitive data they have been entrusted to handle. Share with users the anecdotal details of previous cyber security incidents affecting the organisation and similar organisations, highlighting the impact that such incidents have to the organisation and to the user. Such education might reduce the level of user resistance to the implementation of mitigation strategies. For example, users might be less likely to resist the removal of their unnecessary administrative privileges if they understand why the mitigation strategy is required.
User education needs to be tailored to the job role of the user. Additional specialised education is useful for users with specific roles, for example:
- educate in-house software developers to write secure code
- educate in-house software testers about common security vulnerabilities to look for
- educate staff who have a technical role (such as system administrators, network administrators, database administrators, enterprise architects, IT project engineers and systems integrators) about cyber security and adversary techniques
- educate senior business representatives to understand the security risks of rushing to complete a project with inadequate security design and testing, as well as the security risks of favouring business functionality over security instead of integrating security with business functionality
- educate help desk staff to have a healthy level of suspicion, for example when handling a passphrase reset request from a user who can’t adequately verify their identity – the psychological desire to be helpful should not override documented business policies, processes or common sense.
The success of educating users needs to be measured using evidence such as whether user education contributed to:
- an increased proportion of spear phishing emails and other indicators of malicious activity that users detect and report to the organisation’s IT security team
- a reduction in the frequency and severity of successful compromises, including compromises resulting from spear phishing exercises and penetration tests, that involved users performing an action that facilitated the compromise.
Further guidance for users on detecting socially engineered emails is available at https://www.cyber.gov.au/publications/detecting-socially-engineered-messages.
Antivirus software with up-to-date signatures
Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers.
Antivirus software helps to detect malware that includes computer viruses, worms, Trojans, spyware and adware. However, signature-based antivirus software is a reactive approach that has difficulty protecting against targeted malware that is not yet known to the antivirus vendor.
Scan files when they are accessed and on a scheduled basis.
TLS encryption between email servers
TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted.
Enabling TLS encryption on both the originating and accepting email servers helps to prevent legitimate emails being intercepted in transit and subsequently being leveraged for social engineering.
Perform content scanning after email traffic is decrypted.
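A check that an email server advertises and completes STARTTLS, which is how an administrator confirms the setting above is actually in effect on the organisation’s own mail gateway and on the servers it exchanges mail with. This is an added example, not part of the ACSC document: it speaks SMTP over a raw TCP connection with .NET classes, `$Server` is whatever host you are testing, and the `checker.example.com` name presented in `EHLO` is a placeholder.

```powershell
# Added example (not from the ACSC document): confirm an SMTP server offers STARTTLS and
# report the negotiated protocol and certificate. Requires network access to the server.

function Read-SmtpReply {
    param([IO.StreamReader]$Reader)
    # Multi-line replies continue with '250-' and finish with '250 ' (code, then a space).
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line -match '^\d{3}-')
    [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Lines = $lines }
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$EhloName = 'checker.example.com'   # placeholder name presented in EHLO
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $client.ReceiveTimeout = 10000
    try {
        $stream = $client.GetStream()
        $reader = [IO.StreamReader]::new($stream)
        $writer = [IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply -Reader $reader
        if ($banner.Code -ne 220) { throw "Unexpected banner: $($banner.Lines -join ' ')" }
        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply -Reader $reader
        $advertised = [bool]($ehlo.Lines | Where-Object { $_ -match '^250[- ]STARTTLS$' })

        $result = [ordered]@{
            Server = $Server; StartTlsAdvertised = $advertised
            Protocol = $null; Certificate = $null; Error = $null
        }
        if ($advertised) {
            $writer.WriteLine('STARTTLS')
            $go = Read-SmtpReply -Reader $reader
            if ($go.Code -eq 220) {
                # Upgrade the same socket to TLS; AuthenticateAsClient validates the
                # server certificate against the local trust store and throws if it fails.
                $ssl = [System.Net.Security.SslStream]::new($stream, $false)
                try {
                    $ssl.AuthenticateAsClient($Server)
                    $result.Protocol = $ssl.SslProtocol
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
                    $result.Certificate = "$($cert.Subject) (expires $($cert.NotAfter))"
                }
                catch { $result.Error = "TLS handshake failed: $($_.Exception.Message)" }
            }
            else { $result.Error = "STARTTLS refused: $($go.Lines -join ' ')" }
        }
        [pscustomobject]$result
    }
    finally { $client.Close() }
}

# Usage: Test-SmtpStartTls -Server 'mx.example.com' | Format-List
```

`StartTlsAdvertised` false means mail to or from that server travels in clear text and the page’s mitigation is not in effect for it; a handshake `Error` on an otherwise advertising server usually points at an expired or untrusted certificate, which is also worth fixing because the peer server may refuse TLS and fall back to clear text.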