How to protect the enterprise from holiday attacks

This is Susan Bradley for CSO Online. Well, it's the holiday season here at IDG, and we realize that the attackers are indeed out to get us. Often we as users in the office make it easier for them to do so.

Let's start with all of those messages we send around this time of year. We click on them and we share them, and we don't think about what might be coming along with those messages. For a long time it has also seemed that out-of-office messages might be a threat vector. The automatic replies we send out often contain key information: how long the person will be out of the office, where they might be going, their office location, assistants, coworkers, and any other details an attacker can use. So you may want to block out-of-office replies to external senders in your organization, or you can use PowerShell to configure those automatic replies. But many in the security industry are saying: wait, before we get too concerned about out-of-office messages, look how much information we put on LinkedIn, Facebook and other social media on a regular basis. The attackers aren't relying on our out-of-office messages anymore; they're just reading our social media posts.

These days organizations want to add user and entity behavior analytics, or UEBA. It's the technology that lets us look for multiple concurrent logins, impossible logins based on geography, unusual file access, and password spray techniques. If you're already an Office 365 user, you'll want to look at Microsoft Cloud App Security in that portfolio; with it you can identify the UEBA-style activities that don't make sense in your organization. But if you're still on premises, don't fear, there are options for you too. There's a project on GitHub called LogonTracer.
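Before moving on to logon analytics, here is the out-of-office hardening mentioned above as an added PowerShell example (not code from the article or from Microsoft). It uses the real Exchange Online cmdlets Get-MailboxAutoReplyConfiguration and Set-MailboxAutoReplyConfiguration; it assumes the Exchange Online PowerShell module is installed, Connect-ExchangeOnline has already been run with an account that can manage mailboxes, and the user name and message text are placeholders.

```powershell
# Added example, not from the article: find Exchange Online mailboxes whose automatic reply
# goes to every external sender, and restrict the external audience. Assumes the Exchange
# Online PowerShell module is installed and Connect-ExchangeOnline has already been run with
# an account holding a role that can manage mailboxes (for example Mail Recipients).

# Mailboxes that currently auto-reply to anyone outside the organization.
# (Querying every mailbox is slow in a large tenant; scope with -Filter if needed.)
$leaky = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -eq 'All' }

$leaky | Select-Object Identity, AutoReplyState, ExternalAudience, StartTime, EndTime |
    Format-Table -AutoSize

# Tighten the external audience. 'Known' sends the external reply only to senders already in
# the user's contacts; 'None' suppresses it entirely. The internal reply is left as it is.
foreach ($mbx in $leaky) {
    Set-MailboxAutoReplyConfiguration -Identity $mbx.Identity -ExternalAudience Known
}

# Setting a scheduled reply for one (placeholder) user with a deliberately sparse external
# message: no travel details, no assistant's name, no return date for outsiders.
Set-MailboxAutoReplyConfiguration -Identity 'alice@contoso.com' `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date) -EndTime (Get-Date).AddDays(10) `
    -InternalMessage 'Out until 2 January; contact Bob Smith (x1234) for anything urgent.' `
    -ExternalMessage 'Thank you for your message. I am out of the office and will reply on my return.' `
    -ExternalAudience Known
```

Run the loop with -WhatIf first to see which mailboxes would change; the point of the split between internal and external messages is that coworkers still get the useful details while an outside sender learns nothing about who is away, for how long, or who is covering.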
Like Cloud App Security, it looks at logins: it analyzes Windows Active Directory event logs, associates a hostname or an IP address with each logon, relates the events to one another and displays them as a graph. It can help you visualize how people are coming into your organization.
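The correlation described above, as an added PowerShell example that is not LogonTracer's code or the article's: it groups Windows logon events (4624 success, 4625 failure) by source address and by account to surface the two patterns the passage names, password spraying and concurrent logons from different addresses. The event records are constructed sample data; the function names Find-PasswordSpray, Find-ConcurrentLogon and Get-LogonEvent, and the thresholds, are assumptions for this example.

```powershell
# Added example, not code from LogonTracer or the article: correlate Windows logon events by
# source address and account to surface password-spray and concurrent-logon patterns, the
# relationships LogonTracer draws as a graph. $events is constructed sample data;
# Get-LogonEvent at the bottom builds records of the same shape from a real Security log.

$events = @(
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:01:10'; Id = 4625; Account = 'alice'; Ip = '203.0.113.5'; Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:01:12'; Id = 4625; Account = 'bob';   Ip = '203.0.113.5'; Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:01:14'; Id = 4625; Account = 'carol'; Ip = '203.0.113.5'; Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:01:16'; Id = 4625; Account = 'dave';  Ip = '203.0.113.5'; Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:01:18'; Id = 4625; Account = 'erin';  Ip = '203.0.113.5'; Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:01:20'; Id = 4624; Account = 'erin';  Ip = '203.0.113.5'; Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T08:05:00'; Id = 4624; Account = 'erin';  Ip = '10.0.0.23';   Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T09:15:00'; Id = 4625; Account = 'frank'; Ip = '10.0.0.41';   Host = 'DC01' }
    [pscustomobject]@{ Time = [datetime]'2019-12-16T09:15:30'; Id = 4624; Account = 'frank'; Ip = '10.0.0.41';   Host = 'DC01' }
)

# One source address failing against many different accounts is the spray signature;
# a single user mistyping their password fails many times against one account.
function Find-PasswordSpray {
    param([object[]]$Events, [int]$MinAccounts = 5)
    $Events | Where-Object Id -eq 4625 | Group-Object Ip | ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $MinAccounts) {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                SourceIp         = $_.Name
                Failures         = $_.Count
                DistinctAccounts = $accounts.Count
                FirstSeen        = $sorted[0].Time
                LastSeen         = $sorted[-1].Time
            }
        }
    }
}

# The same account succeeding from two different addresses within a short window.
function Find-ConcurrentLogon {
    param([object[]]$Events, [int]$WindowMinutes = 30)
    $Events | Where-Object Id -eq 4624 | Group-Object Account | ForEach-Object {
        $account = $_.Name
        $sorted  = @($_.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev = $sorted[$i - 1]; $cur = $sorted[$i]
            $gap  = ($cur.Time - $prev.Time).TotalMinutes
            if ($cur.Ip -ne $prev.Ip -and $gap -le $WindowMinutes) {
                [pscustomobject]@{
                    Account      = $account
                    FirstIp      = $prev.Ip
                    SecondIp     = $cur.Ip
                    MinutesApart = [math]::Round($gap, 1)
                }
            }
        }
    }
}

# Real data: read the Security log on a domain controller and map the XML fields by name
# rather than by positional index, since 4624 and 4625 lay their fields out differently.
function Get-LogonEvent {
    param([string]$ComputerName = 'localhost', [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = $_.Id; Host = $_.MachineName
            Account = $data['TargetUserName']; Ip = $data['IpAddress']
        }
    }
}

Write-Output 'Password spray candidates (5+ accounts failing from one address):'
Find-PasswordSpray -Events $events -MinAccounts 5 | Format-Table -AutoSize
Write-Output 'Accounts logged on from two addresses within 30 minutes:'
Find-ConcurrentLogon -Events $events -WindowMinutes 30 | Format-Table -AutoSize
```

On the sample data the first function reports 203.0.113.5 with five failures across five accounts, and the second reports erin, who succeeds from that same address and then from 10.0.0.23 a few minutes later; frank's single failure followed by a success from the same address is ordinary behaviour and is not reported. To run it against a real domain controller, replace the sample array with `$events = Get-LogonEvent -ComputerName DC01 -Hours 24`; the thresholds are starting points to tune for your environment, not established detection rules.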

Cloud App Security can be added to an Office 365 subscription and set up with specific alerts to identify impossible logins, and it lets you define specific rules: for example, geographic blocking, activity from infrequent countries, unusual file deletion, activity from anonymous IP addresses, and so on. If you have at least an Azure AD Premium P1 license, you can review sign-ins to your Azure Active Directory and see how often you have logon failures from unusual locations. For example, this is just a sample of my failed logins from various countries. This is one of the reasons why I've put a geographic block on my users, so that they can only sign in from those countries where I know I have people and activity. I don't have people in Taipei or Baton, so I make sure that I block those at the edge. Cloud App Security is part of an E5 license, but it can be purchased for US$3.50 per user and added on to those users that you think have riskier activity. For example, you may want to add it to all of your global administrators, and then to those key individuals where you think there may be riskier activity.
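The review described above, summarizing failed sign-ins by country and checking them against the countries where you actually have people, as an added PowerShell example that is not part of the article. The sign-in records are constructed sample data shaped like the fields of an Azure AD sign-in log entry; the commented block at the end shows how the same shape is pulled from a real tenant and assumes the Microsoft.Graph.Reports module, an Azure AD Premium P1 tenant, and a prior Connect-MgGraph with the AuditLog.Read.All and Directory.Read.All scopes. The allow-list and the function name Get-FailedSignInByCountry are assumptions for the example.

```powershell
# Added example, not from the article: summarize failed Azure AD sign-ins by country and
# flag the countries outside the set where you know you have staff. $signIns is constructed
# sample data; the commented block at the end is the real source (assumes the
# Microsoft.Graph.Reports module and Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All').

# Countries where we know we have people (assumed for this example).
$AllowedCountries = 'US', 'CA'

# Constructed sample records; ErrorCode 0 is a successful sign-in, 50126 is a bad password.
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; IpAddress = '198.51.100.7'; Country = 'US'; ErrorCode = 0 }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; IpAddress = '203.0.113.9';  Country = 'TW'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   IpAddress = '203.0.113.9';  Country = 'TW'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   IpAddress = '192.0.2.44';   Country = 'BR'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; IpAddress = '198.51.100.8'; Country = 'CA'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; IpAddress = '198.51.100.8'; Country = 'CA'; ErrorCode = 0 }
)

function Get-FailedSignInByCountry {
    param([object[]]$SignIns, [string[]]$Allowed)
    $SignIns | Where-Object { $_.ErrorCode -ne 0 } |
        Group-Object Country | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Country          = $_.Name
                Failures         = $_.Count
                Accounts         = (@($_.Group.UserPrincipalName | Sort-Object -Unique) -join ', ')
                OutsideAllowList = $_.Name -notin $Allowed
            }
        }
}

Get-FailedSignInByCountry -SignIns $signIns -Allowed $AllowedCountries | Format-Table -AutoSize

# Real data for the last 7 days, mapped to the same shape:
# $since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
#     [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; IpAddress = $_.IpAddress
#                        Country = $_.Location.CountryOrRegion; ErrorCode = $_.Status.ErrorCode }
# }
```

Rows flagged OutsideAllowList are the candidates for a geographic block in Conditional Access; the CA row shows why the allow-list matters, since a failure from a country where you do have people is routine and only the ones from elsewhere deserve a rule.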

But the holiday season is also used by attackers as cover for additional attacks.

For example, the Microsoft Security Intelligence blog and Twitter account pointed out the other day that Emotet, a banking trojan, is being used in targeted holiday attacks with enticing subject lines such as "holiday party" and other holiday themes typically used in business settings. Emotet uses a variety of attack methods to gain access to your systems; the infection may come via a malicious script, a macro-enabled document, or a malicious link. Back in April, CSO Online ran an article about Emotet and how to guard against this trojan malware.

You'll also want to take the time, as we close out 2019, to review how your own office uses macros. Not a month goes by that Office doesn't have some sort of remotely exploitable vulnerability patched.

So look at how your Office files are used. Look to see if you can stop using macros or block them. Specifically, you want to disable Office macros except in those specific applications where they're required, as the UK's National Cyber Security Centre (NCSC) has pointed out.

Disable Office macros except, as I said, in those specific applications where they're required. Only enable macros for staff who rely on them every day. Use an anti-malware product that integrates with the Antimalware Scan Interface (AMSI) on Windows 10, or consider the default Windows Defender. And last but not least, use the latest version of Office: if you're on Office 365, ideally the Monthly Channel, otherwise the latest version of Office 2016 or 2019. Remember that in current versions of Office, macros don't run by default; the user has to enable them. There's also a yellow warning banner at the top of a file opened from the Internet: the file opens read-only and the user has to click Enable Editing before its content is active. Educate your users about these warnings and messages and make sure they understand when to enable and when not to enable content in Office files, especially if you've recently upgraded from Office 2010 to 2016 or 2019. Take the time to educate your users on what those warning signs look like.

Last but not least, if you still rely on macros, make sure you digitally sign them. You can use a self-signed certificate or create a proper code-signing certificate; ideally you want a certificate tied to a certificate authority, so that Office can be set to run only signed macros from publishers you trust. As we close out 2019 at your offices, take the time to look at ways to make them more secure. Look at how your firm uses Office documents, review macros, review your settings, look at the risks of these actions, and review what you can do in your office to make the new year more secure.
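The macro policy laid out in the last few paragraphs (disable macros except where required, block them in files from the Internet, allow only signed macros where they are needed, and turn on AMSI runtime scanning), as an added PowerShell example that is not code from the article, from NCSC or from Microsoft. It writes the per-user Office policy registry values that the Office Group Policy templates set; the value names VBAWarnings, blockcontentexecutionfrominternet and MacroRuntimeScanScope are the real ones for Office 2016/2019/365 (version key 16.0). The choice that only Excel needs signed macros, and the helper names Set-MacroPolicy and Get-MacroPolicy, are assumptions for this example; in production you would push the same values through Group Policy or Intune rather than running a script per machine.

```powershell
# Added example, not code from the article, NCSC or Microsoft: apply the macro policy
# through the Office policy registry keys that the Office ADMX templates write.
# Assumes Office 2016/2019/365 (version key 16.0) and applies to the current user only.

$OfficeVersion = '16.0'
$PolicyRoot = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

# VBAWarnings: 1 = enable all, 2 = disable with notification (the product default),
# 3 = disable all except digitally signed macros, 4 = disable all without notification.
$SignedOnly = 3
$DisableAll = 4

function Set-MacroPolicy {
    param(
        [Parameter(Mandatory)][string]$App,        # Word, Excel, PowerPoint
        [Parameter(Mandatory)][int]$VbaWarnings
    )
    $key = Join-Path $PolicyRoot "$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Value $VbaWarnings -Type DWord
    # Block macros in files carrying the Mark of the Web (downloads, mail attachments),
    # whatever the user clicks in the yellow banner.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Assumed business rule for this example: only Excel needs macros, and only signed ones.
$Apps = @{ Word = $DisableAll; Excel = $SignedOnly; PowerPoint = $DisableAll }
foreach ($app in $Apps.Keys) { Set-MacroPolicy -App $app -VbaWarnings $Apps[$app] }

# Macro runtime scanning through AMSI: 2 = all documents, 1 = low-trust documents only, 0 = off.
$common = Join-Path $PolicyRoot 'Common\Security'
if (-not (Test-Path $common)) { New-Item -Path $common -Force | Out-Null }
Set-ItemProperty -Path $common -Name MacroRuntimeScanScope -Value 2 -Type DWord

# Audit what is now in effect for each application.
function Get-MacroPolicy {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $p = Get-ItemProperty -Path (Join-Path $PolicyRoot "$app\Security") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
        }
    }
}
Get-MacroPolicy | Format-Table -AutoSize
```

With VBAWarnings set to 3 for Excel, a macro runs only if it is signed with a certificate the user has added as a trusted publisher, which is why the signing step matters: a self-signed certificate works for one person's workbook, but a certificate from a CA your clients can chain to is what makes the signed-only setting practical across an office. Because these are policy keys, the user cannot override them in the Trust Center.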