I accidentally malware - what should I do... is this dangerous? Overcoming inevitable risks of electronic communication

Teemu Väisänen, Lorena Trinberg, Nikolaos Pissanidis

    Research output: Book/Report › Report

    Abstract

    It is a common security policy not to open links or files coming from unknown senders via email, instant messaging (IM), or social networking services (SNS). When these messages or websites contain known malware, they can be automatically deleted and never shown to the receiver. There are different policies and techniques for handling such messages: they can be blocked, deleted, or stored in spam folders, with or without notifying the receiver; messages can be filtered and modified so that only the malicious files or links are removed; and so on. If the messages or links contain unknown malware, the approach to handling them must be different, because the security tools do not detect the threat.

    Even though files or links received from unknown senders may appear to be benign, they might still be malicious. It is possible that links open websites that only serve malicious content for a brief period or to certain types of visitors. Many of these unknown senders are just normal human users and the received messages are harmless, but some may actually be hostile: for example, adversaries might use stolen accounts and/or employ botnets to send messages. In normal situations, malicious messages should not be opened.

    However, there are people who have to, or want to, open such links and files. Ordinarily, they are opened using specific clients or web browsers to access web pages from the World Wide Web (WWW). For example, it is possible that secretaries need to read and reply to applications originating from unknown contacts, conference programme committee members have to review abstracts and publications, and malware researchers want to discover previously unknown malware or understand the behaviour of botnets. Therefore, a security policy in which trust is only given to known contacts cannot be employed. Instead, good technical solutions must be developed to mitigate the threats arising from the described scenarios.

    In this study, two types of environment are analysed. In the first, it is assumed that baseline security controls are present. This means that administrative privileges are controlled, devices and software (SW) are inventoried, configurations are correct, software on devices within the environment is up-to-date and patched, data recovery is handled properly, backups work, etc. Of course, even up-to-date systems normally still contain several unknown but exploitable vulnerabilities, configurations can be done incorrectly, and users can make mistakes, all of which result in infected systems. The second type of environment includes legacy systems, which usually contain a wider range of known exploitable vulnerabilities and thus cause additional risks and require more security controls.

    The aim of this study is to find mitigation techniques for a number of risks resulting from the usage of systems that will eventually become infected. The study was done by analysing usage scenarios, their actors, the assets to be secured, related threats, suitable mitigation mechanisms, and threats lacking sufficient mitigation mechanisms, and by describing novel mitigation mechanisms.

    The key results of this study are a set of threat descriptions related to various attack phases, existing mitigation mechanisms, proposed improvements for existing mitigation mechanisms, and novel mitigations. In addition, the most suitable mitigation techniques are assessed with regard to different attack/defence phases. A mitigation technique may be categorised according to whether it can be used before the breach, whether it protects against the actual compromise or during or after the breach, or whether it may be used in more than one attack phase.

    The results of this study can be implemented into existing systems (or processes) by integrating the described security controls, countermeasures and mitigation mechanisms in order to improve their level of security.
    Original language: English
    Place of Publication: Tallinn, Estonia
    Publisher: NATO Cooperative Cyber Defence Centre of Excellence
    Number of pages: 176
    Publication status: Published - 2016
    MoE publication type: D4 Published development or research report or study

    Keywords

    • security awareness
    • security policies
    • malicious attachments
    • malicious links
    • malware
    • malware analysis
    • sandboxing
    • isolation
    • detection
    • botnets
