Malicious Email Mitigation Strategy Guide




CYBER SECURITY OPERATIONS CENTRE
Malicious Email Mitigation Strategy Guide (UPDATED) SEPTEMBER 2012

Introduction

1. Socially engineered emails containing malicious attachments and embedded links are commonly used in targeted cyber intrusions against Australian government networks. This document provides guidance on mitigating these malicious emails using DSD's Strategies to Mitigate Targeted Cyber Intrusions.

2. This document is intended for use by Information Technology Security Advisors and email system administrators. It should be read in conjunction with the advice on email security and content filtering contained in the Australian Government Information Security Manual (ISM).

3. The mitigations in this document are ranked within categories in order of the overall security effectiveness of the mitigation, from most to least effective. Further information on these mitigation strategies can be found at Attachment A.

Email attachment filtering

4. Attachments are a significant security risk associated with emails. Effective email attachment filtering and restrictions reduce the likelihood of malicious content entering the network. The key security considerations associated with email attachment filtering are discussed below.

Convert attachments to another file type

5. Converting a document to another format is a highly effective method of removing malicious content or rendering it ineffective. For example, Microsoft Office documents are converted to PDF and delivered to the user. A release facility should be available for selected blocked emails in case the original is required for editing purposes.

Allowing attachments based on file typing (Whitelisting)

6. File typing inspects the content of the file to determine the file type rather than relying on the extension as an indicator. File extensions can be changed, and therefore a mismatch between a file's type and its stated extension should be treated as suspicious and blocked. DSD recommends whitelisting file types with a legitimate business purpose. Whitelisting is more proactive and thorough than blacklisting as it ensures only specified files can be received, while all others are blocked.
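The following Python is an added illustration of file typing as described in paragraph 6; it is not code from the DSD document. It identifies an attachment from its leading bytes, treats a mismatch between content type and stated extension as suspicious (the renamed readme.exe case the guide uses later), and only then applies a whitelist of permitted (type, extension) pairs. The signature table and the whitelist are assumed sample policy.

```python
import os

# Magic-byte signatures mapped to a content family. Table constructed for
# this example; it covers only the formats the guide uses as illustrations.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # .zip and OOXML .docx/.xlsx
    (b"MZ", "pe"),                                   # Windows executables
]

# Extensions that legitimately carry each content family.
COMPATIBLE = {
    "pdf": {"pdf"},
    "ole2": {"doc", "xls", "ppt"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "pe": {"exe", "dll", "scr"},
}

# Assumed business whitelist: (content family, extension) pairs permitted.
WHITELIST = {("pdf", "pdf"), ("ole2", "doc"), ("zip", "docx"), ("zip", "xlsx")}


def detect_family(data: bytes):
    """Determine the file type from its leading bytes, ignoring the name."""
    for magic, family in SIGNATURES:
        if data.startswith(magic):
            return family
    return None


def check_attachment(filename: str, data: bytes):
    """Return (verdict, reason) for one attachment under the whitelist policy."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    family = detect_family(data)
    if family is None:
        return "block", "unidentifiable content"
    if ext not in COMPATIBLE[family]:
        # e.g. readme.exe renamed to readme.doc: PE header with a .doc name
        return "block", f"extension .{ext} does not match content type {family}"
    if (family, ext) not in WHITELIST:
        return "block", f"{family}/.{ext} has no whitelisted business purpose"
    return "allow", f"{family}/.{ext}"


if __name__ == "__main__":
    # Constructed sample attachments (only the leading bytes matter here).
    samples = {
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "readme.doc": b"MZ\x90\x00\x03\x00\x00\x00",   # renamed executable
        "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",
        "tools.zip": b"PK\x03\x04\x14\x00\x00\x00",
        "blob.dat": b"\x00\x01\x02\x03",
    }
    for name, content in samples.items():
        print(name, *check_attachment(name, content))
```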

Block password protected archives, unidentifiable or encrypted attachments

7. Content within a protected archive cannot be inspected since the email filter cannot decrypt the archive. Any protected archive or otherwise encrypted attachment should be blocked until such time as it can be deemed safe to allow through to the user. Unidentifiable content is less of a threat if effective file typing and whitelisting of email attachments is used.

Sanitise attachments to remove active or potentially harmful content

8. Active content, such as macros and JavaScript, should be removed from within the document before it is delivered to the user, in the same way that active content should be removed from the email body. Active content removal can be completed by products such as Exchange Defend PDF, which will detect a PDF document, scan the document for undesirable active content based on keywords, and rewrite those elements in the document, rendering them inert. Complete and comprehensive sanitisation of an attachment is a difficult process. For this reason, the preferred solution is file conversion.

Controlled inspection of archive files

9. Archived files can be used to bypass email filters, for example, if an adversary crafts a malicious PDF, places it in an archive file and sends the archive file to the target. The contents of an archive file should be subjected to the same level of inspection as unarchived email attachments. Archived content should be inspected in a controlled manner to avoid archive file associated exploits, such as directory traversals and denial of service via archive directory recursion.

Scan attachments using antivirus software

10. Attachments should be scanned using up to date signatures, reputation ratings and other heuristic detection capabilities. To maximise coverage, use a product provided by a different vendor than the desktop antivirus product. Ensure that the antivirus software is up to date.

Block attachments based on file typing (Blacklisting)

11. Blacklisting attachments based on file typing is far less proactive and thorough than whitelisting attachment types, and the overhead of maintaining a list of all known bad file types is far greater.

Allow attachments based on extension (Whitelisting)

12. Allowing attachments based on file extension is less robust than file typing, as the extension can be trivially changed to disguise the true nature of the file (for example, renaming readme.exe to readme.doc). Only file extensions with a legitimate business purpose should be whitelisted.

Block attachments based on extension (Blacklisting)

13. Blacklisting attachments based on their extension is less proactive and thorough than whitelisting. Blocking based on file extension is less robust than file typing, as the extension can be trivially changed to disguise the true nature of the file (for example, renaming readme.exe to readme.doc).
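As an added example (not from the DSD document) of the controlled archive inspection in paragraph 9 and the encrypted-archive rule in paragraph 7, this Python walks a zip archive in memory without extracting it to disk. It refuses encrypted entries, member names that traverse directories, entries whose compression ratio indicates a decompression bomb, and archives nested beyond a depth budget, which bounds the recursion the guide warns about. The limits and the build_zip helper are assumptions for the example.

```python
import io
import zipfile

MAX_DEPTH = 2            # archives nested deeper than this are refused
MAX_RATIO = 100          # declared/compressed size ratio treated as a bomb
MAX_TOTAL = 50_000_000   # declared uncompressed bytes allowed per archive
MAX_MEMBERS = 1000
ARCHIVE_EXTS = (".zip",)


def member_findings(info: zipfile.ZipInfo, depth: int):
    """Policy checks on one entry, using header metadata only (no extraction)."""
    name, findings = info.filename, []
    if info.flag_bits & 0x1:                       # general-purpose bit 0: encrypted
        findings.append(f"{name}: encrypted entry cannot be inspected")
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]:
        findings.append(f"{name}: path traversal in member name")
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        findings.append(f"{name}: compression ratio suggests a decompression bomb")
    if name.lower().endswith(ARCHIVE_EXTS) and depth >= MAX_DEPTH:
        findings.append(f"{name}: nested archive exceeds depth {MAX_DEPTH}")
    return findings


def inspect_archive(data: bytes, depth: int = 1):
    """Walk an archive in memory; return a list of policy findings (empty = clean)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    findings = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return [f"{len(infos)} members exceeds limit of {MAX_MEMBERS}"]
        if sum(i.file_size for i in infos) > MAX_TOTAL:
            return ["declared uncompressed size exceeds limit"]
        for info in infos:
            hits = member_findings(info, depth)
            findings.extend(hits)
            # Recurse into nested archives only when the entry itself is clean;
            # the depth budget stops unbounded archive-in-archive recursion.
            if not hits and info.filename.lower().endswith(ARCHIVE_EXTS):
                findings.extend(inspect_archive(zf.read(info), depth + 1))
    return findings


def build_zip(members: dict) -> bytes:
    """Constructed helper for the samples: in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

For example, `inspect_archive(build_zip({"../../evil.txt": b"x"}))` reports the traversal, while a zip holding only `docs/report.pdf` returns an empty list.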

Email body filtering

14. Email content filtering performed on the body of an email helps provide a defence in depth approach to email filtering. The possible attack surface presented by the body of an email is less than that of email attachments; however, it can be used for malicious communications. The key security considerations associated with filtering the body of an email are discussed below.

Replace active (live) web addresses in an email's body with non-active versions

15. An active web address allows the user to click directly on the hyperlink and be taken to a specified website. Active web addresses can appear to be safe but can actually direct the user to an unintended location. Hovering over the address will reveal the actual location, as shown here:

[Figure: hovering over a hyperlink reveals its actual destination]

16. Active web addresses should be replaced with the actual location of the link; otherwise they should be replaced with text so that the user must copy and paste the link into their browser.

Enforce protective markings on the email body or subject line

17. Protective markings should be enforced to ensure that the content being sent and received in an email is appropriately classified to traverse the network. Enforcement of protective markings on emails helps to minimise the number of data spills and the exfiltration of data from the network via email.

Decode and inspect encoded content in an email's body

18. Encoded content can be used to hide malicious or command and control communications originating from the network or intended for the network. For example, a command to an implant can be encoded and inserted into the email's body. A content filter should inspect the email body for encoded content after decoding the email body according to the MIME Content-Transfer-Encoding header. If encoded content is detected, the email should be blocked.

Remove active content from an email's body

19. Emails with active content such as VBScript or JavaScript pose a threat if the email client is capable of running the active content. Email bodies containing active content should be sanitised to minimise the risk; however, the risk posed by active content is minimal because only a small number of email clients have the option to execute active content.
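The following Python is an added example, not part of the DSD document, that applies the three body-filtering controls from paragraphs 16, 18 and 19 to a message in the order the guide implies: decode the body according to its Content-Transfer-Encoding, block it if encoded content remains inside, and otherwise strip script elements and replace each live hyperlink with its real destination as plain text. The regular expressions, the "40 or more base64-alphabet characters" heuristic for encoded content, and the sample messages are all constructed for this example.

```python
import base64
import re
from email import message_from_bytes, policy

# <a href="...">text</a> anchors, <script> elements, and long runs of
# base64-alphabet characters (assumed heuristic for "encoded content").
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SCRIPT = re.compile(r"<script\b.*?</script>", re.I | re.S)
ENCODED = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")


def neutralise_links(html: str) -> str:
    """Replace each live hyperlink with its real destination as plain text,
    so the displayed text can no longer hide where the link actually goes."""
    def repl(m):
        href, text = m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip()
        return f"{text} [link disabled, actual destination: {href}]"
    return ANCHOR.sub(repl, html)


def remove_active_content(html: str) -> str:
    """Drop script elements from the body (paragraph 19)."""
    return SCRIPT.sub("", html)


def find_encoded_runs(text: str):
    """Return suspicious encoded blobs found in the decoded body (paragraph 18)."""
    return ENCODED.findall(text)


def filter_body(raw: bytes) -> dict:
    """Decode the body per its Content-Transfer-Encoding, then inspect and sanitise."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content()          # base64/quoted-printable already decoded
    runs = find_encoded_runs(body)
    if runs:
        return {"action": "block", "reason": "encoded content in body", "runs": runs}
    cleaned = neutralise_links(remove_active_content(body))
    return {"action": "deliver", "body": cleaned}


def make_sample(html: str) -> bytes:
    """Constructed message: an HTML body sent with base64 transfer encoding."""
    return (b"From: sender@example.com\r\nTo: user@example.gov.au\r\n"
            b"Subject: Invoice\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.encodebytes(html.encode()))


# Constructed bodies: a link whose text disagrees with its target plus a script,
# and a body carrying a hidden encoded blob.
DECEPTIVE_LINK = ('<p>Review at <a href="http://login.example.net/verify">'
                  'https://portal.example.gov.au</a></p><script>alert(1)</script>')
HIDDEN_BLOB = "<p>hello</p><p>" + base64.b64encode(b"\x00" * 45).decode() + "</p>"
```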

Domain authentication

20. Being able to verify the authenticity and integrity of an email can stop an agency from receiving some forms of malicious emails. The key controls for authenticating the domain of an email are discussed below.

Block email on SenderID/SPF hard fail

21. Checking the SenderID will verify the email as originating from the domain it claims to originate from. Checking the SenderID allows an agency to block the email if the checks fail. An SPF hard fail occurs when an email is received which has been verified as not originating from the domain it claims to originate from. SPF hard fails should be blocked and investigated. An SPF hard fail can indicate a phishing attempt, especially if the failed message is spoofed to appear to come from a legitimate domain.

Block email on DKIM fail

22. DomainKeys Identified Mail (DKIM) is a method of verifying the sender's domain of an email using the signatures provided by the sending domain. When an email fails DKIM verification, the email should be blocked and investigated. This should also be logged and potentially reported to the organisation that the email was claiming to originate from.

Block email on SenderID/SPF soft fail

23. Checking the SenderID will verify the email as originating from the domain it claims to originate from. Checking the SenderID allows an agency to block the email if the checks fail. An SPF soft fail occurs when an SPF enabled domain cannot guarantee that the email was sent from an authorised server of that domain. When an SPF soft fail is encountered, the email should be blocked, with the option of being able to retrieve it if it is a legitimate email.

Flag email on SenderID/SPF soft fail

24. As above, except that instead of blocking the email, the email should be marked before being sent to the user to allow the user to make a decision as to whether they will accept (trust) the message or not. For example, the subject line of the email could be modified to highlight and identify to the user that the email did not pass the SPF checks.

Incorporate spam blacklists

25. Known spam email senders and addresses can be blocked without the email being examined.

Additional email filter functionality

26. The focus of this document is security controls to reduce the risk of compromise of the network or the information it holds. However, the following functionality will make an email content filter, or management of it, more effective.
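As an added example (not from the DSD document), the Python below turns paragraphs 21 to 25 into a single decision routine run on a received message: senders on a spam blacklist are blocked before any inspection, an SPF hard fail or DKIM fail blocks the message with a reason that records the follow-up the guide calls for, and an SPF soft fail is either quarantined with release possible or flagged in the subject line for the user to decide. It reads the verdicts from an Authentication-Results header (RFC 8601) written by the receiving mail server; the blacklist, the sample messages and the subject tag are assumptions.

```python
import re
from email import message_from_bytes, policy

# Constructed sender blacklist (paragraph 25): blocked before any inspection.
BLOCKLIST = {"spam.example.net"}

AUTH_RESULT = re.compile(
    r"\b(spf|dkim)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def parse_auth_results(header) -> dict:
    """Extract method=result pairs from an Authentication-Results header."""
    return {m.lower(): r.lower() for m, r in AUTH_RESULT.findall(str(header or ""))}


def decide(msg, softfail_mode: str = "flag"):
    """Apply the guide's domain-authentication policy; returns (action, reason).

    softfail_mode="block" quarantines soft fails (paragraph 23);
    softfail_mode="flag" tags the subject and delivers (paragraph 24)."""
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if sender_domain in BLOCKLIST:
        return "block", "sender on spam blacklist"
    results = parse_auth_results(msg["Authentication-Results"])
    if results.get("spf") == "fail":
        return "block", "SPF hard fail: investigate as possible spoofing"
    if results.get("dkim") == "fail":
        return "block", "DKIM fail: log and consider reporting to the claimed sender domain"
    if results.get("spf") == "softfail":
        if softfail_mode == "block":
            return "quarantine", "SPF soft fail: held, releasable if legitimate"
        tagged = "[SPF SOFTFAIL] " + str(msg["Subject"] or "")
        del msg["Subject"]
        msg["Subject"] = tagged
        return "deliver", "SPF soft fail: subject flagged for user decision"
    return "deliver", "domain authentication checks passed"


def make_message(from_addr: str, auth_results: str, subject: str = "Quarterly report"):
    """Constructed received message with the server's Authentication-Results header."""
    raw = (f"From: {from_addr}\r\nTo: user@example.gov.au\r\nSubject: {subject}\r\n"
           f"Authentication-Results: {auth_results}\r\n\r\nbody text\r\n").encode()
    return message_from_bytes(raw, policy=policy.default)
```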

a. Logging and auditing. Logging of actions and events from the email filter should be implemented, and these logs should be audited. Effective logging and auditing will help in the event of a current or past security incident.

b. Minimal overhead for an administrator to release blocked content. This will allow an administrator to easily release content for a user when that content has been blocked. The administrator needs to be able to see why the email was blocked to determine if the email or content should be allowed through to the user.

c. User self-release of email (based on blocked reason). This will allow the user who has had an email blocked the ability to request to have the email released without needing to go through the administrator. This option should only be available for selected blocked emails based on the control triggered. All email self-releases should be logged for auditing purposes.

Further information

27. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems, and is available at: http://www.dsd.gov.au/infosec/ism/index.htm.

28. Strategies to Mitigate Targeted Cyber Intrusions and other DSD products are available on DSD's public website and OnSecure, and complement the advice in the ISM. These products can be found at: http://www.dsd.gov.au/publications/index.htm.

29. For further information on email protective markings, please refer to the Email Protective Marking Standard for the Australian Government produced by the Australian Government Information Management Office: http://www.finance.gov.au/e government/security andauthentication /authentication identity.html.

30. For further information on Sender Policy Framework, please refer to Mitigating Spoofed Emails: Sender Policy Framework Explained, which can be found at: http://www.dsd.gov.au/publications/csocprotect/spoof_email_sender_policy_framework.html

Contact details

Australian government customers with questions regarding this advice should contact the DSD Advice and Assistance Line on 1300 CYBER1 (1300 292 371) or dsd.assist@defence.gov.au. Australian businesses or other private sector organisations seeking further information should contact CERT Australia at info@cert.gov.au or by calling 1300 172 499.

Attachment A: Summary of email mitigation strategies

Column key: Overall Security Effectiveness; User Resistance; Upfront Cost (Staff, Equipment, Technical Complexity); Maintenance Cost (Mainly Staff); Designed to Prevent or Detect an Intrusion; Helps Mitigate Intrusion Stage 1: Code Execution; Helps Mitigate Intrusion Stage 2: Network Propagation; Helps Mitigate Intrusion Stage 3: Data Exfiltration.

| Mitigation Strategy | Overall Security Effectiveness | User Resistance | Upfront Cost | Maintenance Cost | Prevent or Detect | Stage 1: Code Execution | Stage 2: Network Propagation | Stage 3: Data Exfiltration |
|---|---|---|---|---|---|---|---|---|
| Attachment Filtering | | | | | | | | |
| Convert attachments to another file type | Excellent | Medium* | Medium | Medium* | Prevent | Yes | No | No |
| Allow attachments based on file typing (Whitelisting) | Excellent | Medium | Medium | Low | Prevent | Possible | No | Yes^ |
| Block password protected archives, unidentifiable or encrypted attachments | Excellent | Medium | Medium | Low | Prevent | Yes | No | Yes |
| Sanitise attachments to remove active or potentially harmful content | Excellent | Medium* | High | Medium* | Prevent | Yes | No | No |
| Controlled inspection of archived files | Good | Low | Medium | Low | Both | Yes | No | Yes |
| Scan attachments using antivirus software | Good | Low | Low | Low | Both | Yes | No | No |
| Block attachments based on file typing (Blacklisting) | Average | Low | Low | Medium | Prevent | Yes | No | Yes^ |
| Allow attachments based on extension (Whitelisting) | Minimal | Medium | Low | Low | Prevent | Possible | No | Yes^ |
| Block attachments based on extension (Blacklisting) | Minimal | Low | Low | Medium | Prevent | Yes | No | Yes^ |
| Email Body Filtering | | | | | | | | |
| Replace active (live) web addresses within an email's body with non-active versions | Good | Low | Medium | Low | Prevent | Yes | No | No |
| Enforce protective markings on the email body or subject line | Minimal | Low | High | Low | Detect | No | No | Yes |
| Remove active content from an email's body (e.g. JavaScript, VBScript) | Minimal | Low | Medium | Low | Prevent | Yes | No | No |
| Domain Authentication | | | | | | | | |
| Block an email on SenderID/SPF hard fail | Excellent | Low | Low | Low | Prevent | Possible | No | No |
| Block email on DKIM fail | Excellent | Low | Low | Low | Prevent | Possible | No | No |
| Block email on SenderID/SPF soft fail | Good | Medium | Low | Low | Prevent | Possible | No | No |
| Flag email on SenderID/SPF soft fail | Average | Low | Low | Low | Prevent | Possible | No | No |
| Incorporate spam blacklists | Average | Low | Low | Low | Both# | Possible | No | No |

Mitigations are ranked in categories based on the overall security effectiveness.

* Potentially lower if document release is easy.
# If the mitigation is applied to both incoming and outgoing emails, then this is Both; otherwise, just Prevent.
^ Provided the attacker is attempting to exfiltrate a file type that is blocked.