I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication

Teemu Väisänen, Lorena Trinberg, Nikolaos Pissanidis

    Research output: Book/Report › Report

    Abstract

    It is a common security policy not to open links or files coming from unknown senders via email, instant messaging (IM), or social networking services (SNS). When these messages or websites contain known malware, they can be automatically deleted and never shown to the receiver. There are different policies and techniques for handling such messages: they can be blocked, deleted or moved to spam folders, the receiver may or may not be notified, and messages can be filtered and modified so that only the malicious files or links are removed. If the messages or links contain unknown malware, they must be handled differently, because security tools do not detect the threat.
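    The "filter and modify" policy named above, where only the known-malicious parts of a message are removed and the receiver is told what changed, as an added example in Python. This is not code from the report or its authors; the sample message, the attachment hash blocklist and the domain blocklist are constructed for the example and stand in for a real signature or threat-intelligence feed.

```python
"""Filter-and-modify handling of a suspicious message: known-bad attachments
are dropped, known-bad links are defanged, everything else is delivered and
the receiver is told what was changed. The blocklists and the sample message
are constructed for this example; a deployment would use a threat feed."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed blocklists standing in for signature / threat-intelligence feeds.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00 constructed malicious payload").hexdigest(),
}
KNOWN_BAD_DOMAINS = {"malicious.example"}

# Scheme, host, rest-of-URL; good enough for URLs embedded in message text.
URL_RE = re.compile(r"https?://([^/\s]+)\S*")


def defang(url: str) -> str:
    """Make a URL unclickable but still readable (http -> hxxp, . -> [.])."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def filter_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Return a filtered copy of the message and the list of actions taken.

    Only parts matching the blocklists are removed or neutralised; a message
    with no matches is reproduced with its body and attachments intact.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions: list[str] = []

    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name] is not None:
            clean[name] = msg[name]

    # Body: keep the text, defang only links that point at known-bad hosts.
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""

    def _check_link(m: re.Match) -> str:
        host = m.group(1).lower()
        if host in KNOWN_BAD_DOMAINS:
            actions.append(f"defanged link to {host}")
            return defang(m.group(0))
        return m.group(0)

    clean.set_content(URL_RE.sub(_check_link, text))

    # Attachments: drop those whose content hash is on the blocklist.
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):          # text/* attachments decode to str
            data = data.encode("utf-8")
        digest = hashlib.sha256(data).hexdigest()
        filename = part.get_filename() or "unnamed"
        if digest in KNOWN_BAD_SHA256:
            actions.append(f"removed attachment {filename} (sha256 {digest[:16]}...)")
            continue
        clean.add_attachment(
            data,
            maintype=part.get_content_maintype(),
            subtype=part.get_content_subtype(),
            filename=filename,
        )

    # Notify the receiver of what was changed, in a header the client can show.
    if actions:
        clean["X-Filter-Actions"] = "; ".join(actions)
    return clean, actions


def build_sample_message() -> bytes:
    """Constructed message: a harmless PDF, a blocklisted binary and two links."""
    m = EmailMessage()
    m["From"] = "applicant@example.net"
    m["To"] = "secretary@example.org"
    m["Subject"] = "Job application"
    m.set_content(
        "Hello,\nmy CV is attached.\n"
        "Portfolio: https://portfolio.example.net/me\n"
        "Extra material: http://malicious.example/cv\n"
    )
    m.add_attachment(b"%PDF-1.4 constructed harmless CV", maintype="application",
                     subtype="pdf", filename="cv.pdf")
    m.add_attachment(b"MZ\x90\x00 constructed malicious payload", maintype="application",
                     subtype="octet-stream", filename="cv.exe")
    return bytes(m)


if __name__ == "__main__":
    filtered, taken = filter_message(build_sample_message())
    for action in taken:
        print(action)
    print(filtered)
```

    The point of the example is the policy choice, not the blocklists: the secretary in the scenario still receives the applicant's text and the harmless PDF, the blocklisted binary never reaches the mail client, and the defanged link is visible but not clickable. Hash and domain matching only cover known malware, which is exactly the limit the abstract draws; unknown malware passes this filter and is the case the rest of the report addresses.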

    Even though files or links received from unknown senders may appear benign, they might still be malicious. Links may open websites that serve malicious content only for a brief period or only to certain types of visitor. Many of these unknown senders are just normal human users and the messages they send are harmless, but some may actually be hostile: for example, adversaries might use stolen accounts and/or employ botnets to send messages. In normal situations malicious messages should not be opened.

    However, there are people who have to, or want to, open such links and files. Ordinarily, they are opened using specific clients or web browsers that access web pages from the World Wide Web (WWW). For example, secretaries may need to read and reply to applications originating from unknown contacts, conference programme committee members have to review abstracts and publications, and malware researchers want to discover previously unknown malware or understand the behaviour of botnets. Therefore a security policy in which trust is given only to known contacts cannot be employed. Instead, good technical solutions must be developed to mitigate the threats arising from the described scenarios.

    In this study, two types of environment are analysed. In the first, it is assumed that baseline security controls are present. This means that administrative privileges are controlled, devices and software (SW) are inventoried, configurations are correct, software on devices within the environment is up-to-date and patched, data recovery is handled properly, backups work, etc. Of course, even up-to-date systems normally still contain several unknown but exploitable vulnerabilities, configurations can be done incorrectly, and users can make mistakes, all of which result in infected systems. The second type of environment includes legacy systems, which usually contain a wider range of known exploitable vulnerabilities and thus cause additional risks and require more security controls.

    The aim of this study is to find mitigation techniques for a number of risks resulting from the usage of systems that will eventually become infected. The study was done by analysing usage scenarios, their actors, the assets to be secured, related threats, suitable mitigation mechanisms, threats lacking sufficient mitigation mechanisms, and by describing novel mitigation mechanisms.

    The key results of this study are a set of threat descriptions related to the various attack phases, existing mitigation mechanisms, proposed improvements for existing mitigation mechanisms, and novel mitigations. In addition, the most suitable mitigation techniques are assessed with regard to the different attack/defence phases. A mitigation technique may be categorised according to whether it can be used before the breach, whether it protects against the actual compromise, whether it applies during or after the breach, or whether it may be used in more than one attack phase.

    The results of this study can be applied to existing systems (or processes) by integrating the described security controls, countermeasures and mitigation mechanisms in order to improve their level of security.

    Original language: English
    Place of Publication: Tallinn, Estonia
    Publisher: NATO Cooperative Cyber Defence Centre of Excellence
    Number of pages: 176
    Publication status: Published - 2016
    MoE publication type: D4 Published development or research report or study

    Fingerprint

    Websites
    Communication
    Legacy systems
    Web browsers
    Electronic mail
    World Wide Web
    Telecommunication links
    Recovery
    Malware
    Botnet

    Keywords

    • security awareness
    • security policies
    • malicious attachments
    • malicious links
    • malware
    • malware analysis
    • sandboxing
    • isolation
    • detection
    • botnets

    Cite this

    Väisänen, T., Trinberg, L., & Pissanidis, N. (2016). I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication. Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence.
    Väisänen, Teemu ; Trinberg, Lorena ; Pissanidis, Nikolaos. / I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication. Tallinn, Estonia : NATO Cooperative Cyber Defence Centre of Excellence, 2016. 176 p.
    @book{cd7f88dd8a6f4860b3401992fab88d09,
    title = "I accidentally malware - what should I do... is this dangerous?: Overcoming inevitable risks of electronic communication",
    keywords = "security awareness, security policies, malicious attachments, malicious links, malware, malware analysis, sandboxing, isolation, detection, botnets",
    author = "Teemu V{\"a}is{\"a}nen and Lorena Trinberg and Nikolaos Pissanidis",
    year = "2016",
    language = "English",
    publisher = "NATO Cooperative Cyber Defence Centre of Excellence",
    address = "Estonia",

    }

    Väisänen, T, Trinberg, L & Pissanidis, N 2016, I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication. NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.

    I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication. / Väisänen, Teemu; Trinberg, Lorena; Pissanidis, Nikolaos.

    Tallinn, Estonia : NATO Cooperative Cyber Defence Centre of Excellence, 2016. 176 p.

    Research output: Book/Report › Report

    TY - BOOK

    T1 - I accidentally malware - what should I do... is this dangerous?

    T2 - Overcoming inevitable risks of electronic communication

    AU - Väisänen, Teemu

    AU - Trinberg, Lorena

    AU - Pissanidis, Nikolaos

    PY - 2016

    Y1 - 2016

    KW - security awareness

    KW - security policies

    KW - malicious attachments

    KW - malicious links

    KW - malware

    KW - malware analysis

    KW - sandboxing

    KW - isolation

    KW - detection

    KW - botnets

    M3 - Report

    BT - I accidentally malware - what should I do... is this dangerous?

    PB - NATO Cooperative Cyber Defence Centre of Excellence

    CY - Tallinn, Estonia

    ER -

    Väisänen T, Trinberg L, Pissanidis N. I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication. Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, 2016. 176 p.