I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication

Teemu Väisänen, Lorena Trinberg, Nikolaos Pissanidis

Research output: Book/Report › Report

Abstract

It is a common security policy not to open links or files that arrive from unknown senders via email, instant messaging (IM) or social networking services (SNS). When such messages, or the websites they point to, contain known malware, they can be deleted automatically and never shown to the recipient. Several policies and techniques exist for handling them: the message can be blocked, deleted or moved to a spam folder, the recipient may or may not be notified, or the message can be filtered and modified so that only the malicious files or links are removed. If a message or link carries unknown malware, it must be handled differently, because the security tools do not detect the threat.

Even though files or links received from unknown senders may appear benign, they may still be malicious. A link may open a website that serves malicious content only for a brief period or only to certain types of visitor. Many unknown senders are ordinary human users whose messages are harmless, but some may be hostile: adversaries might, for example, send messages from stolen accounts or through botnets. Under normal circumstances, such messages should not be opened.

However, some people have to, or want to, open such links and files. Ordinarily they are opened with specific client applications or with web browsers that fetch pages from the World Wide Web (WWW). For example, secretaries may need to read and reply to applications from unknown contacts, conference program committee members have to review abstracts and papers, and malware researchers want to discover previously unknown malware or understand the behaviour of botnets. A security policy that grants trust only to known contacts therefore cannot be applied; instead, good technical solutions must be developed to mitigate the threats arising from these scenarios.

In this study, two types of environment are analysed. In the first, baseline security controls are assumed to be present: administrative privileges are controlled, devices and software (SW) are inventoried, configurations are correct, software on the devices in the environment is up to date and patched, data recovery is handled properly, backups work, and so on. Even up-to-date systems, of course, normally still contain several unknown but exploitable vulnerabilities, configurations can be wrong, and users can make mistakes, all of which can result in infected systems. The second type of environment includes legacy systems, which usually contain a wider range of known exploitable vulnerabilities and thus carry additional risks and require more security controls.

The aim of this study is to find mitigation techniques for a number of risks arising from the use of systems that will eventually become infected. The study analysed usage scenarios, their actors, the assets to be secured, the related threats, suitable mitigation mechanisms and the threats that lack sufficient mitigation, and describes novel mitigation mechanisms.

The key results of this study are a set of threat descriptions related to the various attack phases, existing mitigation mechanisms, proposed improvements to them, and novel mitigations. In addition, the most suitable mitigation techniques are assessed with regard to the different attack and defence phases. A mitigation technique may be categorised according to whether it can be used before the breach, whether it protects against the actual compromise or acts during or after the breach, or whether it may be used in more than one attack phase.

The results of this study can be applied to existing systems or processes by integrating the described security controls, countermeasures and mitigation mechanisms in order to improve their level of security.
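The handling options named in the opening paragraph of the abstract (block, delete, quarantine, notify, or strip only the malicious parts) are easy to state and easy to get subtly wrong. The following Python filter is an added example, not code from the report or its authors: it applies each policy to a constructed message from an unknown sender, rebuilds the message so that only parts matching known-bad indicators are removed, and appends a notice so the recipient knows something was taken out. The indicator sets (`KNOWN_BAD_HASHES`, `KNOWN_BAD_HOSTS`), the sample message and the attachment bytes are all placeholders constructed for the demo, standing in for what an antivirus engine or threat-intelligence feed would supply. The last case shows the abstract's main point: a sample that matches no indicator passes every policy untouched, which is exactly what happens with unknown malware.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed indicators for the demo only (not real IOCs): one "known"
# dropper hash and one known-bad host. A real filter gets these from an
# AV engine or threat-intelligence feed.
KNOWN_BAD_HASHES = {hashlib.sha256(b"demo-dropper-bytes").hexdigest()}
KNOWN_BAD_HOSTS = {"malicious.example"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*")
NOTICE = "[mail filter removed {files} attachment(s) and {links} link(s) matching known malware]"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def body_text(msg: EmailMessage) -> str:
    """Plain-text body of the message, or '' if it has none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def find_known_bad(msg: EmailMessage):
    """Return (bad attachment filenames, bad link strings) matching the indicators."""
    bad_files = []
    for part in msg.iter_attachments():
        if sha256(part.get_payload(decode=True)) in KNOWN_BAD_HASHES:
            bad_files.append(part.get_filename() or "unnamed")
    bad_links = [m.group(0) for m in URL_RE.finditer(body_text(msg))
                 if m.group(1).lower() in KNOWN_BAD_HOSTS]
    return bad_files, bad_links


def strip_malicious(msg: EmailMessage, bad_files, bad_links) -> EmailMessage:
    """Rebuild the message with only the malicious parts removed and a notice
    appended, so the recipient is told that the filter modified it."""
    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date"):
        if name in msg:
            clean[name] = msg[name]
    text = body_text(msg)
    for link in bad_links:
        text = text.replace(link, "[link removed by mail filter]")
    clean.set_content(text + "\n" + NOTICE.format(files=len(bad_files), links=len(bad_links)))
    for part in msg.iter_attachments():           # keep every benign attachment
        data = part.get_payload(decode=True)
        if sha256(data) not in KNOWN_BAD_HASHES:
            clean.add_attachment(data, maintype=part.get_content_maintype(),
                                 subtype=part.get_content_subtype(),
                                 filename=part.get_filename())
    return clean


def apply_policy(raw: bytes, mode: str):
    """Apply one handling policy to a raw RFC 5322 message.

    mode: 'block' (delete silently), 'quarantine' (hold, do not deliver),
          'strip' (deliver with only the malicious parts removed, plus notice).
    Returns (action, message-or-None). A message with no matching indicator
    is delivered unchanged under every mode.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    bad_files, bad_links = find_known_bad(msg)
    if not bad_files and not bad_links:
        return "delivered", msg
    if mode == "block":
        return "deleted", None
    if mode == "quarantine":
        return "quarantined", msg
    if mode == "strip":
        return "delivered-modified", strip_malicious(msg, bad_files, bad_links)
    raise ValueError(f"unknown policy mode: {mode}")


def build_sample(attachment: bytes, link: str) -> bytes:
    """Constructed message from an unknown sender (demo data only): one
    executable attachment under test plus a benign-looking PDF."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "applicant@example.net"
    m["To"] = "secretary@example.org"
    m["Subject"] = "Job application"
    m.set_content(f"My CV is attached; it is also available at {link}")
    m.add_attachment(attachment, maintype="application", subtype="octet-stream",
                     filename="cv.exe")
    m.add_attachment(b"%PDF-1.4 demo cover letter", maintype="application",
                     subtype="pdf", filename="cover-letter.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    known = build_sample(b"demo-dropper-bytes", "http://malicious.example/cv.exe")
    for mode in ("block", "quarantine", "strip"):
        print(mode, "->", apply_policy(known, mode)[0])
    # Never-seen bytes and an unlisted host match nothing, so the sample goes through.
    novel = build_sample(b"never-seen-before-bytes", "http://benign.example/cv.pdf")
    print("novel ->", apply_policy(novel, "strip")[0])
```

The `strip` mode is the one that needs care: the sanitised message is rebuilt from the parsed parts rather than patched in place, so no remnant of the removed part (its MIME boundary, headers or encoded body) survives, and the notice makes the modification visible to the recipient rather than silently altering what they were sent.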
Original language: English
Place of publication: Tallinn, Estonia
Publisher: NATO Cooperative Cyber Defence Centre of Excellence
Number of pages: 176
Publication status: Published - 2016
MoE publication type: D4 Published development or research report or study

Fingerprint

Websites
Communication
Legacy systems
Web browsers
Electronic mail
World Wide Web
Telecommunication links
Recovery
Malware
Botnet

Keywords

  • security awareness
  • security policies
  • malicious attachments
  • malicious links
  • malware
  • malware analysis
  • sandboxing
  • isolation
  • detection
  • botnets

Cite this

Väisänen, T., Trinberg, L., & Pissanidis, N. (2016). I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication. Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence.
@book{cd7f88dd8a6f4860b3401992fab88d09,
title = "I accidentally malware - what should I do... is this dangerous?: Overcoming inevitable risks of electronic communication",
abstract = "It is a common security policy not to open links or files coming from unknown senders via email, instant messaging (IM), or social networking services (SNS). When these messages or websites contain known malware, they can be automatically deleted and never shown to the receiver. There are different policies and techniques to handle such messages; they can be blocked, deleted, stored to spam folders, the receiver is or is not notified, messages can be filtered and modified so that only the malicious files or links are removed, and so on. If the messages or links contain unknown malware, the approach to handle them must be different, because the security tools do not detect the security threat.Even though files or links received from unknown senders may appear to be benevolent, they still might be malicious. It is possible that links open websites that only serve malicious content for a brief period or for certain types of visitors. Many of these unknown senders are just normal human users and received messages harmless, but some may actually be hostile: for example, adversaries might use stolen accounts and/or employ botnets to send messages. In normal situations malicious messages should not be opened.However, there are people who have to, or want to, open such links and files. Ordinarily, they are opened using specific clients or web browsers to access web pages from the World Wide Web (WWW). For example, it is possible that: secretaries need to read and reply to applications originating from unknown contacts, conference program committee members have to review abstracts and publications, and malware researchers want to discover previously unknown malware or understand the behaviour of botnets. Therefore a security policy where trust is only given to known contacts cannot be employed. Instead good technical solutions must be developed to mitigate threats arising from the described scenarios. In this study, two types of environment are analysed. 
In the first, it is assumed that baseline security controls are present. This means that administrative privileges are controlled, devices and software (SW) are inventoried, configurations are correct, software in devices within the environment is up-to-date and patched, data recovery is handled properly, backups work, etc. Of course, even up-to-date systems normally still contain several unknown, but exploitable, vulnerabilities, configurations can be done incorrectly, and users can make mistakes, all of which result in infected systems. The second type of environment includes legacy systems, which usually contain a wider range of known exploitable vulnerabilities and thus cause additional risks and require more security controls.The aim of this study is to find mitigation techniques for a number of risks resulting from the usage of systems that will eventually become infected. The study was done by analysing usage scenarios, their actors, the assets to be secured, related threats, suitable mitigation mechanisms, threats lacking sufficient mitigation mechanisms, and describing novel mitigation mechanisms.The key results of this study are a set of threat descriptions related to various attack phases, existing mitigation mechanisms, proposed improvements for existing mitigation mechanisms, and novel mitigations. In addition, the most suitable mitigation techniques are assessed with regard to different attack/defence phases. A mitigation technique may be categorised according to: whether it can be used before the breach, whether it can protect against the actual compromise or during or after the breach, or whether it may be used in more than one attack phase.The results of this study can be implemented into existing systems (or processes) by integrating the described security controls, countermeasures and mitigation mechanisms in order to improve their level of security.",
keywords = "security awareness, security policies, malicious attachments, malicious links, malware, malware analysis, sandboxing, isolation, detection, botnets",
author = "Teemu V{\"a}is{\"a}nen and Lorena Trinberg and Nikolaos Pissanidis",
year = "2016",
language = "English",
publisher = "NATO Cooperative Cyber Defence Centre of Excellence",
address = "Estonia",

}

