How to protect the enterprise from holiday attacks

December 18, 2019 posted by

This is Susan Bradley for CSO Online. Well,
it’s the holiday season here at IDG, we realized that the attackers are indeed out to get us.
And often we as users in the office, we make it easier for attackers to do so. Let’s start
out with all of those messages we start sending around this time of year. And of course, we
click on them and we share them and we don’t think about possibly what might be coming
along with those messages. And for a long time, it would seem that out of office messages
might also be a threat vector to our offices. Those out of office measures, messages that
we send out, often have key information about how long the person will be out of the office
where they might be going. Information about their office, location, assistants, coworkers
and any other key information that they may and can be used by attackers. So you may want
to block out of office messages in your organization or you can use power shell to configure those
automatic replies. But many in the security industry are saying, wait, before we get are
too concerned about out of office messages. Look how much information we put in linked
in on a regular basis. Facebook, social media. The attackers aren’t looking at her out of
my office messages anymore. They’re just looking at our social media posts. These days organizations
are wanting to add user and identity behavior analytics or UEBA. It’s the technology that
allows us to look for multiple concurrent logins. Impossible logins based on geography
and unusual file access as well as password spray techniques. If you’re already a user
of Office 365 you’ll want to look at Microsoft cloud up security in that portfolio, you can
identify these UEBA activities that don’t make sense in your organizations. But if you’re
still on premises, don’t fear there’s some options for you too. There’s a project on
GitHub called LogonTracer. So like cloud app security, it actually looks at Logins, analyzes
Windows Active Directory event logs and associates a hostname or an IP address to log on. It
relates events and displays it in a graph. It can help you visualize how people are coming
into your organization. Cloud application security can be added to
an Office 365 subscriptions and can be set up with specific alerts to identify Impossible
Logins and allow you to set specific rules, for example, for example, geographic blocking
activity from infrequent countries, unusual file deletion activity from anonymous IP addresses
and so on. If you have at least an Azure P1 license now, you can review Logins into your
active directory and you can you review how often you have logging failures from unusual
locations. Now, for example this is just a sample of my failed Logins from various countries.
This is one of the reasons why I’ve put a geographic block on my users so that they
only come in from those countries where I know I have people in activities. I don’t
have people in Taipei or Baton, so I make sure that I block those from the edge. Cloud
app security is part of an E5 license, but it can be purchased for three dollars and
fifty cents. That’s U.S. dollars per user and added on to those users that you think
have more risky activity. For example, you may want to add it to all of your global administrators.
And then so those key individuals where you think they may have more riskier activity. But the holiday season is also use for our
attackers as a cover for additional attacks. For example, the Microsoft Security Intelligence
blog post and Twitter account pointed out the other day that EMOTET, which is a banking
ransomware attack tool, is used in targeted holiday attacks by using such enticing headlines
as holiday party or other holiday themes that are typically used in business settings, emotet
uses a variety of attack methodologies to gain access to your systems. The infection
may come either via malicious script, a macro enabled document files or malicious links.
Back in April, on CSO Online, we have an article about Emotet and how to guard against this
Trojan malware. You’ll want to also want to take the time
in 2019 as we close the year to review how you do business in your own office uses Macros.
Not a month that goes by that office doesn’t have some sort of remote access exploit coming
in and patched. So look at how your office files are used.
Look to see if you can stop using macros or block them. And specifically you want to look
at disabling office macros except in those specific applications where they’re required
as the National Cybersecurity Center pointed out. You want to disable office macros. As I said,
except in those specific applications where they’re required. You want to only enable
macros for staff that rely on them every day. You want to use an anti malware product that
integrates with the anti malware scan interface or AMSI on Windows 10. Or consider the use
of the default windows defender. And last but not least, use the latest version of office.
If you’re on Office 365, that’s ideally the monthly channel or on the latest version of
Office 2016 or 2019. Remember that in current versions of office, the user has to enable
macros and they don’t work by default. As you open up the file, there’s also yellow
warning banner on the top of the file when you open it up from the Internet. It makes
sure that the user has to enable editing before they open it. Educate your users of these
warnings and messages and make sure they understand when to enable and when not to enable office
files, especially if you’ve recently upgraded from office to 2010 to 2016 or 2019. You want
to take the time to educate your users on what those warning signs look like. Last but not least, if you still do rely on
macros, make sure you digitally sign your macros inside your office. You can either
use self signed or you can create a digital certificate for signing. Ideally, you would
want to have an external digital certificate that’s tied to a certificate authority. As
we close out the 2019 year at your offices, take the time to look at ways that you can
make it more secure. Look at how your firm uses office documents, review macros, review
your settings, look at the risks of these actions and review what you can do in your
office to make the new year more secure.

No Comments

Leave a Comment

Your email address will not be published. Required fields are marked *