How to
Jonathan Crowe
Jun 2018

5 Simple Ways to Block Most Malware, Even if You Don't Have a SOC


When it comes to blocking malware, you don't need an army of security experts (or software designed to be used by one) to block the vast majority of attacks. Here are some simple, practical tips that can make a big impact.

If you’re in charge of protecting a small or mid-size business from malware attacks, we have good news and bad news. First, the bad news: Malware infections are becoming more common and more costly than ever. 


Now, the good news: The vast majority of the cyber criminals behind these attacks aren't the slick tech geniuses that Hollywood makes them out to be. Most of them are just average criminals — greedy and lazy opportunists, plain and simple. They often don't have an abundance of tech expertise. Instead, they use readily-available and easy-to-use tools developed by others, which are basically the equivalent of hacking-paint-by-numbers kits. When they manage to successfully compromise victims it's typically thanks to targeting low hanging fruit that unsuspecting businesses have left out in the open.

Why is this good news for IT pros and small business owners? Because it means you don’t need an army of security experts — or needlessly complex security software designed to be used by one — to thwart these people. In fact, you can dramatically lower your risk of infection simply by placing a few select roadblocks on the paths criminals are used to taking. 

Free eBook: Essential Guide to Blocking Malware

This post is a preview of our newest guide. Get even more practical tips for blocking ransomware, exploits, and other threats: Download it here

5 ways to block the vast majority of malware attacks headed your way

Even though malware is constantly evolving, the most popular methods of delivering it have remained largely consistent. Remember, the vast majority of cyber criminals aren't interested in reinventing the wheel — they're interested in doing the easiest thing that works.

As a result, the real task for defenders isn't guessing their game plan. Nine times out of ten it involves using a malicious email attachment to get a dropper onto a system. The challenge is blocking the execution of that game plan. Here are six simple things you can do to make sure the most common attacks get derailed.


1) Use your firewall/email filtering to block the most commonly abused file types

It's probably no surprise email is still the favorite delivery channel for cyber criminals. After all, it provides them with direct access to the most vulnerable part of your network — end users. According to Verizon's 2018 Data Breach Investigations Report, 92.4% of malware was delivered via email.

That obviously makes securing email a top priority. One immediate step you can take toward that goal is limiting the types of file attachments you allow through. For starters, consider blocking the attachment types Google has deemed dangerous and blocks in Gmail. Next, consider this list of the most common types of malicious attachments used in malware campaigns in 2017:

[Chart: most common malicious email attachment file types seen in 2017. Source: Symantec 2018 ISTR]

Of course, you may not be able to realistically block all of these file types at the email level (Microsoft Office files, especially — more on those later). There are also plenty of additional file types that are commonly abused not on this list (.zip, .rar, and .7z files quickly come to mind). But blocking as much as you can here will help protect you from some of the most common attacks and further reduce the flow of malware downstream.
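Here is what that attachment filtering looks like when it is actually configured, as an added example rather than anything from the original post or from Barkly. It assumes Exchange Online (the common choice for small and mid-size businesses) and an existing session opened with Connect-ExchangeOnline. The extension list is a constructed starting point built from the kinds of executables, scripts and installers commonly blocked; the post's own chart is an image, so trim or extend the list to match what your business really exchanges.

```powershell
# Added example (not from the original post): a mail-flow rule and a file-type
# filter for Exchange Online that reject commonly abused attachment extensions.
# Assumes a session already opened with Connect-ExchangeOnline.

# Constructed starting list: native executables, script hosts, installers,
# shortcuts and disk images. Adjust to your business before deploying.
$BlockedExtensions = @(
    'exe','scr','pif','com','cpl','bat','cmd',        # executables / batch
    'js','jse','vbs','vbe','wsf','wsh','hta','ps1',   # script files
    'msi','msp','jar','lnk','iso','img','chm','reg'   # installers, shortcuts, images
)

# 1) Mail-flow (transport) rule: reject the message outright when an attachment's
#    extension is on the list, and tell the sender why it bounced.
New-TransportRule -Name 'Block high-risk attachment types' `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageReasonText 'Attachment type is not permitted by company policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Malware-blocking baseline: risky attachment extensions'

# 2) Belt and braces: the common-attachment-types filter in the default
#    anti-malware policy, fed the same list.
Set-MalwareFilterPolicy -Identity 'Default' `
    -EnableFileFilter $true `
    -FileTypes $BlockedExtensions

# 3) Read back what actually applied so the change can be audited.
Get-TransportRule -Identity 'Block high-risk attachment types' |
    Select-Object Name, State, AttachmentExtensionMatchesWords
(Get-MalwareFilterPolicy -Identity 'Default').FileTypes
```

The transport rule matches on the extension of the attachment itself, so archives (.zip, .rar, .7z) remain a separate decision: either add them to the list if your users can live without them, or rely on the anti-malware scan for what is inside them.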


2) Lock down Microsoft Office

There are few legitimate applications attackers love more than Microsoft Office programs. Why? For one thing, Office files are almost universally accepted. They're also the types of files users expect to receive in their day-to-day work. While an email with a strange .exe attachment might elicit suspicion, Word docs and Excel files are often opened with no hesitation at all.

Microsoft has also gone out of its way to bake features and functionality into Office programs that make them more useful — unfortunately to both users and attackers, alike. Taking some of that functionality off the table can throw a major wrench in attacks that rely on Office docs. Here are a few of the most commonly-abused capabilities you should consider restricting, if not disabling altogether:

  • Macros: Like the other features on this list, macros are primarily abused to retrieve 2nd-stage malware payloads. If it’s not feasible for your organization to disable them entirely, Microsoft also offers the option to block them in high-risk scenarios only, such as when they're included in documents downloaded from the Internet.

  • Object Linking and Embedding (OLE): Microsoft developed OLE to give Office users the ability to link to and add data from other applications inside their docs. Attackers haven't been shy about abusing that capability, often using it to trick users into inadvertently launching malicious embedded scripts. If your organization doesn't actively utilize OLE packages, you can disable them by modifying the following registry key and setting the value to 2:
    HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt
  • Dynamic Data Exchange (DDE): OLE’s predecessor, Dynamic Data Exchange is a similar feature that was removed from Word following a spike in attacks that abused it. Curiously, DDE functionality remains active in Excel and Outlook, and to disable it, admins need to make the following registry changes: 

    To disable DDE in Excel:
    [HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OFFICE\<VERSION>\EXCEL\SECURITY] WORKBOOKLINKWARNINGS(DWORD) = 2
    To disable DDE in Outlook (Office 2010 and later versions):
    [HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OFFICE\<VERSION>\WORD\OPTIONS\WORDMAIL] DONTUPDATELINKS(DWORD)=1
  • Equation Editor: After multiple remote code execution vulnerabilities affecting this legacy formula editor were disclosed in late 2017 and early 2018, Microsoft decided to remove it for good. As long as your machines are patched they'll be immune to Equation Editor abuse. 
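The registry values above are easy to get subtly wrong by hand, so here they are applied in one script, as an added example that is not from the original post. It assumes Office 2016/2019/365 (registry version key 16.0) and applies the settings for the current user only; the macro-blocking value is the Group Policy setting "Block macros from running in Office files from the Internet", which the post mentions but does not spell out, so treat that key as an assumption to confirm against your Office version.

```powershell
# Added example (not from the original post): apply the Office lockdown settings
# described above for the current user. Assumes Office version key 16.0.
$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-RegDword {
    # Create the key if needed, then write (or overwrite) a DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

foreach ($App in $Apps) {
    # OLE packages (value from the post): PackagerPrompt = 2 means the embedded
    # package is never executed and the user is not even prompted.
    Set-RegDword "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security" 'PackagerPrompt' 2

    # Macros: block them only in files carrying the Mark-of-the-Web (downloaded
    # or received as an attachment) rather than disabling macros everywhere.
    # Assumed policy key; confirm it matches your Office build.
    Set-RegDword "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security" 'blockcontentexecutionfrominternet' 1
}

# DDE in Excel (value from the post): WorkbookLinkWarnings = 2.
Set-RegDword "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security" 'WorkbookLinkWarnings' 2

# DDE in Outlook (value from the post): DontUpdateLinks = 1 under Word's WordMail options.
Set-RegDword "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options\WordMail" 'DontUpdateLinks' 1

# Read the results back so the change is visible in a ticket or audit log.
foreach ($App in $Apps) {
    Get-ItemProperty "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security" |
        Select-Object @{n='App';e={$App}}, PackagerPrompt, WorkbookLinkWarnings
}
(Get-ItemProperty "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options\WordMail").DontUpdateLinks
```

Because these live under HKCU, a user with a registry editor can put them back; for a fleet, push the same values through Group Policy or your MDM so they are re-applied on every refresh.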

3) Prevent VBScript and JavaScript abuse

Scripts provide attackers with several advantages. Not only do they provide rich functionality, the fact that they have many legitimate use cases and can be easily obfuscated often makes detecting and blocking them problematic. As a result, they’ve become a favorite tool for cyber criminals, especially for retrieving 2nd-stage malware payloads.

Malicious scripts can be smuggled onto machines via Office documents or simply via email. Because Microsoft doesn't show file extensions by default (meaning invoice.txt.js could appear as invoice.txt), it’s possible to easily hide .vbs and .js attachments in plain sight. In addition, it’s also possible to tuck them away in archive file formats like .zip, .rar, and .7z files.

In order to protect users from inadvertently executing malicious script files, Microsoft recommends making registry changes to ensure that a warning prompt is issued before any script file is allowed to run. When feasible, admins can also take things one step further by disabling Windows Script Host, which will prevent users from running VBScript or JScript scripts at all.

Bonus points: An additional trick you can use to reduce your risk of malicious .js files in particular is to configure Windows so that it always opens .js files with Notepad.
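The three script-related controls from this section (showing extensions, opening script files in Notepad, and disabling Windows Script Host) fit in one short script. This is an added example, not code from the original post; it assumes an elevated PowerShell session, since the Windows Script Host setting lives under HKLM and applies to every user on the machine.

```powershell
# Added example (not from the original post): defenses against .js/.vbs
# attachments, from least to most strict. Run elevated for the HKLM change.

# 1) Show file extensions so "invoice.txt.js" no longer displays as "invoice.txt".
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord

# 2) Open script files with Notepad instead of the script host. Pointing the
#    per-user extension key at the plain-text handler means a double-click
#    shows the source instead of running it.
foreach ($Ext in '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh') {
    $Key = "HKCU:\Software\Classes\$Ext"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name '(default)' -Value 'txtfile'
}

# 3) Strictest: disable Windows Script Host for all users. wscript.exe and
#    cscript.exe then refuse to run any VBScript/JScript file at all.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
Set-ItemProperty -Path $WshKey -Name 'Enabled' -Value 0 -Type DWord

# Verification with a constructed, harmless probe file: with WSH disabled,
# cscript prints a "Windows Script Host access is disabled" message instead
# of the echo text.
$Probe = Join-Path $env:TEMP 'wsh-probe.vbs'
Set-Content -Path $Probe -Value 'WScript.Echo "WSH is still enabled"'
& "$env:SystemRoot\System32\cscript.exe" //Nologo $Probe
Remove-Item $Probe
```

Step 2 only changes what Explorer does on a double-click, and a user who has already picked an app for .js files (Explorer's UserChoice) keeps that choice; step 3 is what actually stops the script host regardless of how the file is launched, which is why the post treats it as the stronger option.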


4) Put restrictions on PowerShell

It’s no fun having your own tools turned against you, but that’s exactly what happens with PowerShell, which comes installed by default on all Windows systems. While this powerful framework can simplify your life by automating a wide range of local and remote tasks, it can also create a pretty serious security liability. From downloading and executing malware payloads to helping attackers achieve persistence, privilege escalation, and lateral movement, PowerShell offers hackers a veritable buffet of malicious capability.

Attacks leveraging PowerShell increased 432% in 2017.

McAfee Labs Threat Report, March 2018

Because there are well-documented workarounds to many of PowerShell’s built-in restriction options, your best bet may be to use whitelisting via Microsoft's AppLocker to limit PowerShell to a select group of power IT users only.
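As an added example (not from the original post or from Barkly), here is one way to build that AppLocker restriction in PowerShell itself. It assumes a Windows edition that enforces AppLocker (Enterprise, Education or Server), the Application Identity service running, the default Exe allow rules already in place, and a security group of standard users whose name replaces the placeholder. A publisher rule is generated from the signed binaries rather than a path rule, so copying powershell.exe elsewhere does not sidestep it.

```powershell
# Added example (not from the original post): deny PowerShell to a group of
# standard users while IT staff outside that group keep it.
$DenyGroup  = 'CONTOSO\Standard-Users'      # placeholder: users who should NOT get PowerShell
$PolicyFile = Join-Path $env:TEMP 'deny-powershell.xml'

$Hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

# New-AppLockerPolicy only emits Allow rules. Generate publisher rules for the
# signed binaries, then flip them to Deny: the policy is plain XML. AppLocker
# evaluates Deny before Allow, which is why the deny targets a group that
# excludes IT rather than "Everyone" plus an allow for IT.
$Xml = [xml](Get-AppLockerFileInformation -Path $Hosts |
    New-AppLockerPolicy -RuleType Publisher -User $DenyGroup -RuleNamePrefix 'DenyPS' -Xml)
foreach ($Rule in $Xml.SelectNodes('//FilePublisherRule')) {
    $Rule.SetAttribute('Action', 'Deny')
}
$Xml.Save($PolicyFile)

# Merge into the local policy; use Set-AppLockerPolicy -Ldap to target a GPO fleet-wide.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Verify the decision for a standard user and for an IT user (placeholder accounts).
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Hosts[0] -User 'CONTOSO\jdoe'
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Hosts[0] -User 'CONTOSO\it-admin'

# Roll out in audit mode first: with the Exe collection set to AuditOnly, would-be
# blocks appear as Event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

This covers the Windows PowerShell hosts only. PowerShell 7 (pwsh.exe) and any application that loads the PowerShell engine as a library are outside these rules, which is the kind of workaround the post alludes to; a DLL rule collection and Constrained Language Mode are the usual complements.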

 

5) Use endpoint protection that improves on antivirus

For years, antivirus (AV) has been the default box to check when it comes to endpoint security. But as attacks become more sophisticated and criminals take advantage of a growing number of workarounds, investment in antivirus solutions is generating diminishing returns. 

Less than a third of IT and security pros believe their antivirus can stop the threats they're seeing.

Ponemon 2017 State of Endpoint Security Risk

The majority of successful attacks on small and mid-size businesses happen despite AV being installed. Rather than continue suffering through the downsides of AV (constant scanning and updates, hits to performance, etc.) without experiencing the full benefits, a growing number of small and mid-size businesses are exploring new endpoint options like Barkly.

Barkly is unique from AV in that it doesn't rely solely on file scanning to detect malware. Instead, it combines machine-learning-powered file analysis with a unique approach to behavioral analysis, allowing it to block not only malware, but the underlying activities and exploit techniques criminals rely on to launch their attacks. 

As a result, Barkly blocks attacks regardless of where or how they start, and stops them in real-time before any damage is done. Better yet, Barkly is specifically designed to meet the operational and administrative needs of small and mid-sized companies who don't have large teams of security experts. It has all the firepower of an enterprise security solution without any of the unnecessary complexity. You can even manage it and intuitively respond to alerts right from your phone.

You can see how Barkly is helping one Director of Technology stay ahead of evolving threats and get more time back in his day in the video below:

 

 

Bonus tip: Secure RDP

Email attachments may be responsible for the lion's share of malware infections, but another increasingly popular inroad for gaining access to networks is by exploiting exposed or compromised Remote Desktop Protocol (RDP) connections.

RDP is a remote administration tool commonly used in support cases where IT needs to gain access and control over a machine in order to investigate problems and resolve issues. RDP use can be even more prevalent in smaller organizations, where outsourcing of IT is particularly common. 

When setup and secured properly, RDP can be a very effective tool. But when exposed to the wider Internet, it can also be a beacon for criminals keen on finding low-hanging fruit. Thanks to scanning tools like Shodan, Nmap, and masscan, it's trivial to identify systems with open ports exposing RDP. From there, criminals can use brute-forcing tools to attempt to crack passwords and gain access. 

Alternatively, criminals can bypass this step and purchase access to previously compromised RDP servers, directly, via thriving underground marketplaces like xDedic. Thanks to the easy access it provides, many ransomware families, including SamSam, the ransomware that crippled the city of Atlanta's IT infrastructure, are now primarily distributed via RDP. 

The good news is there are relatively simple steps you can take to keep RDP off-limits to criminals:

  1. Restrict access to RDP behind firewalls and by using a RDP Gateway and/or VPNs.
  2. Secure RDP accounts with unique and complex passwords. Better yet, use two-factor authentication, too.
  3. Limit the number of users with access to RDP to only those who really need it.
  4. Apply a lockout policy as an additional layer of protection against brute-force attacks.
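The four RDP steps above, applied to a single Windows host from an elevated PowerShell session, as an added example that is not from the original post. It assumes the built-in "Remote Desktop" firewall rule group is present and that you substitute your own management subnet and account names for the placeholders; two-factor authentication for RDP needs a gateway or identity provider and is not something a local script can switch on.

```powershell
# Added example (not from the original post): harden RDP on one host.
$ManagementSubnet = '10.10.0.0/24'   # placeholder: the only range allowed to reach RDP

# 1) Restrict access: scope the built-in RDP firewall rules to the management
#    network instead of leaving port 3389 open to the Internet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementSubnet

# Require Network Level Authentication so credentials are validated before a
# session is even created (cuts off unauthenticated probing of the logon screen).
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2)/3) Review who can log on over RDP and remove anyone who does not need it.
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
# Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CONTOSO\contractor'  # placeholder

# 4) Lockout policy: five failures lock the account for 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Verification: effective firewall scope and the NLA flag.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
(Get-ItemProperty $RdpTcp).UserAuthentication

# Detection: brute-force attempts show up as Security Event ID 4625. Logon type
# 10 is RemoteInteractive; once NLA is on, failed pre-authentication is logged
# as type 3 instead, so widen the pattern to '(3|10)' if nothing appears.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625} -MaxEvents 500 |
    ForEach-Object {
        if ($_.Message -match 'Logon Type:\s+10[\s\S]*Source Network Address:\s+(\S+)') { $Matches[1] }
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 5   # top failing source addresses
```

The event query at the end is the cheap early-warning check for an SMB without a SIEM: a single source racking up dozens of 4625 events in minutes is the password-guessing the post describes, and the lockout policy is what turns that into a dead end for the attacker.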

No, this isn’t everything, but it's a solid start

The tips provided here obviously won't protect your organization from every attack, but they will help you thwart the majority of malware campaigns you're most likely to face. Remember, if there's anything we can learn from attackers it's that there is value in keeping things simple. While there are always going to be new edge cases to defend against, covering these basics will significantly reduce your risk, drastically lower the number of security alerts you have to manage, help your company avoid downtime and recovery costs, and, best of all, save you time for investing in other priorities. 

Looking for more practical security tips?


Download our new ebook, The Essential Guide to Blocking Malware Without a SOC. It's 35 pages full of actionable advice on how you can sabotage attack chains and block infections before they start.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
