Malicious downloads can cause havoc in IT. This type of software is engineered to penetrate IT security defenses as deeply as possible and is a real, constantly evolving threat. In light of the large malware payload delivered via the dark web last week, we thought it might be a valuable reminder to look at the causes and effects of these downloads, as well as to discuss some options for both threat prevention and recovery.
WHAT IT IS
Generally, malware is described as any software designed to inflict harm on an IT system. The targets are as varied as the methods, but include networking architecture, PCs, servers, IoT devices (such as smart TVs and appliances) and mobile devices. More specifically, the most dangerous malware usually attempts to extract access credentials, financial information, or control of systems. This category (and article) admittedly ignores categories of attacks such as Denial of Service (also called DoS, which attempts to bring services offline by overloading a service with network traffic). Attacks such as DoS are disruptive and can cause damage through loss of access, but they do not rise to the level of threat that a bad actor with “keys to the castle” brings.
The attack referenced above relates directly to the topic of malicious downloads and falls firmly into the “most dangerous” category of malware. In summary, a collection of over 100,000 trojan horse files (in this case a Remote Access Trojan, or RAT) was released to the public. The idea behind a trojan horse is that a file or utility is disguised as something it is not: in this case, most of these documents pose as business-related items including templates, forms, and finance items. The dark plan is to use search engine optimization (SEO) techniques to trick an unsuspecting user into finding the file through a search engine such as Google and opening it, at which point it does much more than provide a simple template. You can read more about this malware release here.
HOW IT HAPPENS
The most common technique for malicious downloads is phishing. With work-from-home being much more commonplace than even 18 months ago, more documents are emailed than ever. (After all, for many types of workers it is no longer as simple as walking over to a co-worker’s desk to accomplish a task.) As such, receiving a PDF or other document via email is far from abnormal on its face. Many phishing attempts take an even more targeted approach. This is called spear phishing, and it often impersonates a sender within the organization, such as a boss’s name and email address, or a generic address such as “email@example.com”. You can read about some of the headaches of phishing in this previous article.
The SEO technique is arguably even more devious. As noted, in this specific situation, criminals are attempting to use a search engine’s optimization against it: by scoring well on, for example, Google’s ranking algorithm, a business-related search result for “Accounts Payable Receipt Template” may actually link directly to malware. Since the user searched for and navigated to the link him/herself, the warning bells may not ring as loudly as they would for an unsolicited download (as is the case with email phishing).
HOW TO PREVENT IT
This sounds scary. How can a business operate like this?
It certainly can be scary, but luckily there are a multitude of layers of defense that can greatly reduce risk of malicious downloads becoming a problem. (A quick note: it is virtually impossible to remove risk, although it is possible—and frankly not all that difficult—to make a breach exponentially more difficult. Still, anyone who touts complete risk removal is likely not sharing the full truth and his/her advice should be taken with a grain of salt. A few grains of salt. In fact, just keep the saltshaker nearby.)
Perhaps the most basic step is to ensure a business or organization’s employees are trained in what to look for. After all, it is very difficult to know what to look for if an employee has no frame of reference. Unfortunately, ignorance here can be very costly in terms of time and money.
There are several options that businesses and organizations can choose in preparing their workforce. Many firms will choose to have a mandatory training, whereas others may have some kind of practical exercise or in-house conferences on IT security.
We recommend using a service to provide both education and on-going training. Through our partners at KnowBe4 and Bullphish, the correct solution for your organization and budget can be found.
Anti-virus software, hopefully by 2021 an “of course we need to” solution, is a key component of prevention (although no longer as large a part of the solution as it formerly was, primarily because most malware is engineered to confuse or evade anti-virus processes).
At Certified CIO, we deploy Webroot to all of our managed IT customers. Webroot serves as a traditional anti-virus, but it also includes a product called Evasion Shield. Evasion Shield improves the efficacy of Webroot by detecting and blocking scripts launched by malicious downloads. Additionally, Huntress offers Managed Detection and Response, monitoring both inside and outside an IT system to add further layers of cyberdefense.
Both of these products are included in our CSPS support packages.
Multi-factor Authentication (MFA) is an additional layer of defense, and an effective one. MFA requires an additional proof of identity from the user, often via a mobile app, biometrics, or a physical token, to ensure the person logging in is indeed the person who should be logging in.
Certified CIO uses Duo for MFA because of its ability to “play well with others” across the various software needs and architectures of our customers’ systems. We encourage all end customers to incorporate MFA into their policies because of the large security gains it provides.
Zero Trust Policies
Having zero trust policies as a mainstay of an IT approach is important. This harsh-sounding term basically means that an application must be explicitly approved before it is allowed to execute. This strict set of controls is very helpful in corralling rogue software and malicious downloads before they have a chance to do their intended harm. This can be a delicate balance, as most often a new installation will be intended and benign, but unfortunately it only takes one bad apple to really spoil the day.
Certified CIO uses ThreatLocker for this, a tool that uses AI to learn the normal behavior of end users prior to its activation. This means that the software is aware of what a user normally does and which apps are expected to be used. In the event that an unexpected app is installed, ThreatLocker will stop the execution and create an alert that is checked by a technician in real time and approved, denied, or inquired upon. This admittedly inconvenient step is minor and rare, but again the payoff is that no program will execute without the system’s knowledge and IT staff approval. We are currently engaged in the learning process for this tool, with roll-out happening on a controlled basis. Again, this is provided at no additional cost to our CSPS customers.
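To make the learn-then-enforce flow concrete, here is a small added model of an application allowlist (our own illustration, not ThreatLocker’s code): executables seen during the learning phase become the baseline, anything unexpected after activation is blocked and queued for a technician, and the technician’s decision persists. All file paths and byte strings are constructed samples.

```python
import hashlib


class AllowlistPolicy:
    """Learn-then-enforce application allowlist (hypothetical model, not a vendor's code)."""

    def __init__(self):
        self.learning = True        # learning mode: observe normal activity, build the baseline
        self.approved = set()       # SHA-256 digests of executables allowed to run
        self.denied = set()         # digests a technician has explicitly rejected
        self.pending = {}           # digest -> path, blocked and awaiting technician review

    @staticmethod
    def fingerprint(contents: bytes) -> str:
        # Key the policy on file contents, not the path: a renamed or replaced
        # binary at a trusted path would otherwise slip through.
        return hashlib.sha256(contents).hexdigest()

    def execution_request(self, path: str, contents: bytes) -> str:
        """Return 'allow', 'block', or 'block-pending' for an attempted execution."""
        digest = self.fingerprint(contents)
        if self.learning:           # roll-out phase: everything observed becomes baseline
            self.approved.add(digest)
            return "allow"
        if digest in self.approved:
            return "allow"
        if digest in self.denied:
            return "block"
        self.pending[digest] = path  # unexpected app: stop it and raise an alert
        return "block-pending"

    def technician_review(self, digest: str, approve: bool) -> None:
        """Resolve a pending alert; the decision persists for future executions."""
        self.pending.pop(digest)
        (self.approved if approve else self.denied).add(digest)


def demo() -> dict:
    """Walk one workstation through learning, activation and review (constructed sample bytes)."""
    policy = AllowlistPolicy()
    word = b"MZ-constructed-office-suite"              # stands in for a normal business app
    invoice_tpl = b"MZ-constructed-rat-in-template"    # a downloaded 'Invoice Template' executable
    policy.execution_request(r"C:\Program Files\Office\word.exe", word)   # seen during learning
    policy.learning = False                                             # activation
    out = {"known": policy.execution_request(r"C:\Program Files\Office\word.exe", word)}
    out["unknown"] = policy.execution_request(r"C:\Users\jane\Downloads\InvoiceTemplate.exe", invoice_tpl)
    policy.technician_review(AllowlistPolicy.fingerprint(invoice_tpl), approve=False)
    out["after_review"] = policy.execution_request(r"C:\Users\jane\Downloads\InvoiceTemplate.exe", invoice_tpl)
    out["renamed_known"] = policy.execution_request(r"C:\Temp\x.exe", word)  # same bytes, new path
    return out
```

Note that the unknown download is blocked at first sight even before a technician looks at it; the review only decides whether the block becomes permanent.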
HOW CAN MY BUSINESS OR ORGANIZATION GET THESE PROTECTIONS?
This is the easiest of all to answer: by joining the Certified CIO team and opening your doors to increased IT value, security, and productivity. Click the Contact Us button for more information!