vaccineOrganisations in Europe and the US have been crippled by a ransomware attack known as ‘Petya’. There are claims of a ‘vaccine’ to stop it – but how credible are they?

Hot on the heels of WannaCry comes Petya – a nasty ransomware variant, based on the Goldeneye code.

It has already locked some of the world’s most prominent enterprises out of their data, including construction materials company Saint-Gobain, food giant Mondelez, legal firm DLA Piper, and advertising firm WPP.

But lo! There is a ‘vaccine’ that protects against it, apparently! Simply include the file C:\Windows\perfc.dat on the PC, and the ransomware is stopped in its tracks.

(Well, it’s stopped in its tracks on that machine – though it can still propagate to other machines on the network. So still not ideal.)

We took a look at what some security vendors are saying about Petya / Goldeneye – and whether the idea of a ‘vaccine’ is truly credible.

Bitdefender: ransomware vaccine is old news

The first thing that struck us is that security vendor Bitdefender has had a ransomware vaccine available for some time now, and it’s not just a quick fix using a read-only file.

Instead, it’s rather cleverer than that. It tricks ransomware into believing the machine is already infected, and so the attack goes looking elsewhere. In addition, it can be deployed to every machine on a network simply by ticking a box – meaning that one machine can’t pass the infection to another.

There’s little information at present, admittedly, as to whether this vaccine is effective specifically against the Petya /Goldeneye attack.

However, it has been stated publicly in the Bitdefender Resource Center that “Bitdefender blocks the currently known samples of the new GoldenEye variant. If you are running a Bitdefender security solution for consumer or business, your computers are not in danger.”

That’s pretty unequivocal. And what’s particularly interesting with this vendor is that the ransomware vaccine is standalone – businesses don’t need to have invested in Bitdefender’s suite of other security solutions to use it.

Trend Micro: decrypt it if you can’t stop it

Trend Micro has an established stable of solutions that provide layered protection against a whole range of threats, including ransomware, so they’d surely argue that a ransomware vaccine is unnecessary!

However, what they do also offer is decryptor tools that enable users to recover data even after their files have been encrypted by certain variants of ransomware.

Again, whether these solutions are effective against the most recent Petya / Goldeneye attack is not clear, although Trend Micro states here that it is “in the process of adding known variant and component detections” for Petya-related patterns “and all products that utilise them.”

So, more antidote than vaccine – but it’s worth noting that these decryption tools are free, so they could be a lifesaver (and pave the way to more proactive anti-ransomware strategies and product choices in the future).

Malwarebytes: no ransomware vaccine, but you're safe

Malwarebytes, for its part, has been less than confident about the ability of the C:\Windows\perfc.dat vaccine to stop the Petya infection – in fact, the company states that “our own tests have shown that in many cases, it doesn’t.”

Whilst Windows 10 systems, Malwarebytes says, “seem to have a fighting chance” by using this method, “Windows 7 gets infected every time.”

However, Malwarebytes also publicly says that customers using Malwarebytes Endpoint Security are protected against this specific ransomware variant – so, once again, a vaccine is – theoretically, at least – unnecessary.

Ransomware: vaccines, protection, remediation

For more of our thoughts on ransomware and what security vendors are doing to fight against it, check out our previous post here.

And remember – prevention is better than cure, so keep patching!

Phishing:Despite being one of the oldest internet scams, phishing continues to unleash mayhem in businesses. How can security partners protect customers against it?

The oldest scam on the internet – phishing – is going from strength to strength.

Indeed, the Anti-Phishing Working Group report published in February 2017 tells us that the number of unique phishing sites detected in the second quarter of last year was at an all-time high.

The dreaded bogus links in incoming emails can trigger everything from banking fraud, to ransomware (the Locky attack was set off this way), to theft of Office 365 logins, as this phishing video shows.

So what advice should security partners be offering to their end-users to help them mount an effective defence against this menace?

1. No more phish and spam sandwiches

Poor spam management is a recipe for heightened exposure to phishing risk, since spam email is often the ‘bread’ around the phishy ‘filling’.

It sounds disgusting – but end-users are still swallowing it. In 2016, for example, 71% of ransomware was delivered via spam, making spam the most common attack vector. In fact, it’s even spawned a new term – malspam!

Strong anti-spam detection is therefore a critical ingredient in stopping phishing attacks before they reach the user, and for this a number of critical features are necessary in the security solutions end-users choose, including:

  • Antispam filters, so that detection thresholds can be adjusted in response to users’ experience of how effectively spam is being caught.
  • Connection to a global email and web reputation database, so that domains and identities associated with known malicious servers can be identified, and their IP addresses blocked.
  • IP address behaviour analysis, so that potentially suspicious behaviours like dynamic or masked IP addresses can be detected.
  • Document exploit detection to look beyond the email and into the attached files that malspam often makes use of to trigger an exploit.

At its least harmful, spam is a distraction that leaves a bad taste in the business’s mouth. At worst, it carries a truly toxic payload.

2. Beware the newly-borns…

But at the risk of sounding like King Herod, one of the biggest threats in the phishing sphere comes from ‘newly-borns’ – malicious servers that simply haven’t been around long enough to make it onto any web or email reputation database, and so might not be detected.

So it’s critical that businesses’ anti-phishing security goes beyond this, and attempts to analyse the characteristics of the phishing email itself, such as:

  • Who sent it
  • Where it’s gone to
  • What it contains
  • When it was sent
  • How it reached a user’s inbox

As this excellent summary explains, by mapping these factors automatically to known social engineering scenarios (i.e. the many ways in which users can be tricked into doing something they shouldn’t!) tell-tale signs of phishing intent can be detected, and the relevant IP addresses blocked.

Needless to say, this process involves some pretty hefty probability calculations, and social engineering scenarios are changing all the time, so the system needs to be able to constantly learn from what it absorbs and update its assessments accordingly.

Machine-learning is the key here, and if implemented effectively it can ensure that businesses’ anti-phishing protection doesn’t behave as if it were born yesterday!

3. Educate, educate, educate!

Security vendors are in this business to make money by selling software – but even they have been vocal about the need for businesses to educate their workforce to spot the signs of phishing, and take evasive action.

Content like these Tips for mitigating phishing attacks, for example, is certainly helpful - but there is a realisation that hints, tips and instructions alone won’t change security culture within organisations.

Instead, businesses must fuel constant internal security conversations using simple, accessible content, and they are looking to resellers and MSPs to deliver this to them, working through cyber-security awareness content partners.

Phishing protection will never be 100% effective. But shouldn’t every business be wishing that whatever slips through the net (or should that be Net?) could be stopped by the ‘human firewall’?

Read the latest helpful updates on ransomware and cloud security from our industry partners and contacts.

We like to put our partner and media contacts to good use in helping you and your customers to understand the security landscape.

This month, we bring you three helpful new updates – two guides to ransomware (and how to defeat it) and the other an interesting short article from Cloudworks on the benefits of cloud security for small and medium businesses.

Business guide to ransomware

New from AppRiver, this guide is subtitled ‘Understand, Analyze and Protect’, and is a very readable resource covering what ransomware is, how it works, how it spreads, and the best practices and employee training that can help defend against it.

Ransomware: Malwarebytes bytes back!

Another take on ransomware and how to combat it comes from security experts Malwarebytes, who major on the importance of endpoint security (keeping PCs and devices protected) in this informative and short PDF.

Five reasons why cloud security is important for SMEs

Big servers, large infrastructure, lots of IT staff – these are all security components that SMEs just can’t afford! This is why they must look cloudward – and this article from Cloudworks describes the benefits of cloud security neatly.

We’ll be back with more helpful advice soon!

WannaCrypt0r ransomwareThe WannaCrypt0r ransomware floored the NHS and many other organisations besides. These guys reckon they could have stopped it.

WannaCrypt0r, the global cyber-attack that paralysed 45 NHS trusts, plus businesses in over 100 countries, has woken the world up.

It’s woken a few security vendors up too, as the flurry of emails in my inbox over the weekend shows.

And, predictably, they’re all keen to tell us that customers running their security software were protected from WannaCrypt0r’s terrifying exploits.

Here’s a summary of the claims each of these wannabe ‘WannaCrypt0r-killers’ have made. It will be interesting reading for those who are contemplating where to go next with their anti-ransomware strategy!

Bitdefender

The mail from security software vendor Bitdefender states its case boldly: “Customers running Bitdefender are not affected by this attack wave.”

How so? Bitdefender has a ‘ransomware vaccine’ that users can switch on to immunise machines, and this uses the ransomware’s own programming against it.

But at a deeper level, it boils down to the ability to detect memory violations – in other words, to understand when a machine’s memory is being tampered with, which indicates that a cyber-exploit is afoot long before it can actually execute and cause any damage.

It’s this kind of device behaviour, Bitdefender implies, that, with their GravityZone products, would have shut WannaCrypt0r down before it even really got started.

Trend Micro

It’s machine-learning that’s writ large in the Trend Micro response to the WannaCrypt0r incident.

“Customers are already protected against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security,” the firm claims.

It’s a highly layered approach, involving email and web gateway solutions, behaviour monitoring and reputation analysis, file and website blocking, across physical and virtual machines, with the overall goal being to “prevent ransomware from ever reaching end users.”

Of course, if WannaCrypt0r has shown us one thing, it’s that ransomware is perfectly capable of activating before it reaches the end user!

However, a beacon of hope in Trend Micro’s communication that I did not see elsewhere is that it has a tool that can decrypt files affected by certain crypto-ransomware variants, meaning victims would not have to pay the ransom in exchange for a decryption key.

(How many IT guys would have killed for that last Friday evening?)

Malwarebytes

Malwarebytes’ communication slaps its cards down on the table thus:

“Malwarebytes is protecting your organization against this specific ransomware variant. Our anti-ransomware technology uses a dedicated real-time detection and blocking engine that continuously monitors for ransomware behaviors, like those seen in WannaCrypt0r.”

Like Bitdefender and Trend Micro, this is hinting at some sort of intelligent analysis of machine and network behaviours that might predict a ransomware attack, before it actually starts to execute.

Malwarebytes’ four-layered security approach – operating system, memory, application behaviour and application hardening – contributes to this detection capability, as it monitors at multiple system levels for ransomware and other exploits, simultaneously.

But Malwarebytes goes further than this in its claims. It says in this blog about WannaCrypt0r that itwill stop any future unknown ransomware variants.”

(The italics are mine – but I’m sure you’ll agree they’re worth emphasising!)

What next for WannaCrypt0r?

There are few certainties in cyber-security but what experts are predicting is that wave two of the WannaCrypt0r attack will come soon – and wearing a different guise.

Will the security solutions above recognise it rapidly enough to combat it?

Let’s see whether the communications live up to their word.

Web SecurityWeb attacks will continue to increase in 2016, experts tell us. But web security is getting cleverer - and here’s what you need to know about it.

The European Union’s latest ENISA Threat Landscape report tells us that web attacks will continue to increase in the future. So, no surprises there, then!

But web security hasn’t stood still. In fact, there are many web security features now available that give security partners and their customers much deeper insight into web threats, as well as more effective tools to combat and manage them.

Here are just a few web security developments you might want to look out for in 2017.

URL analysis to beat zero-day threats

The backbone of web security has often typically relied on comparing a URL to a database of known malicious URLs, and blocking access if a match is found.

Clearly, there are severe limitations to this approach. Zero-day threats, for instance, won’t be on any URL blacklist, because they are simply too new, as we’ve explored in a previous post.

But web security solutions can now ‘sandbox’ a URL (quarantine it so that interactions with it cannot pass threats onto the network) and automatically analyse the behaviours of the destination site.

This way, even zero-day and unknown threats can be spotted and blocked, before they can cause any damage.

Centrally managed content filtering and reporting

Web content filtering is also a critical security requirement for most organisations, to ensure that employees don’t access inappropriate or reputationally risky material.

Historically, however, it’s been easier said than done. Endpoint security solutions have rarely proven themselves up to the task; they typically cannot monitor or report on web access unless there is a policy in place on that endpoint for that specific website. (Hardly an all-encompassing strategy, eh?)

Web security solutions can totally transform this situation, because security policies and their actions can be applied from a central dashboard to users and roles, independently of the endpoints they’re working from.

A senior manager who has good cause to investigate questionable content on a website, for example, might simply be monitored; a more junior user attempting the same thing might have access to that website blocked.

Decoupling web filtering from endpoints also means that reports can be created and run in real-time, simply by clicking on widgets in the centralised dashboard - and these cover all web use, not just pre-selected sites.

Web application control: the new ‘must have’

As we touched on in a previous post, it is now possible for web security solutions to control access not only to cloud applications like, for example, Facebook, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

As businesses rely more and more on cloud and social applications to carry out everyday processes, this kind of web security is set to become mission-critical.

Gains in performance, deployability, and more

But it’s not just the security features themselves that are worthy of note.

A host of innovations around performance, deployment, usability and productivity mean that web security solutions are now a more attractive proposition from the point of view of end-users (who are looking for service excellence) as well as security partners (who are looking for differentiators and ease of management) than ever before.

From the performance point of view, the latency (lag) often associated with cloud-delivered solutions, for example, is a thing of the past, thanks to locally stored caches that wake up instantly.

From the deployment point of view, flexibility is high on the agenda, with agentless options, and multiple authentication methods, including SAML, direct, and agent-based – pretty much whatever the end-user prefers, in fact.

And when it comes to usability, guest users on VLAN and mobile workers are protected without the additional complication of connecting to a VPN (or the danger of failing to do so), supporting risk-aware productivity.

Something tells me threat actors, users and security partners alike will be watching web security very carefully in 2017.

Email SecuritySpam, phishing, malware – these are just some of the hazards email can carry. We’ll see more of them in 2017, so what kind of security solutions can counter them?

Following on from our recent post about business continuity solutions, another topic worth following in 2017 is email security.

So just how important is it?

Well, according to email research from the Radicati Group, the number of business emails sent and received per day in 2017 will number 120.4 billion. By 2019, it will be nearer 129 billion.

And this unrelenting growth is one of the factors driving a huge increase in email-borne cyber-threats. In fact, in the first quarter of 2016 alone, according to this piece in Infosecurity Magazine, there was an 800% increase in email-borne threats over the previous year!

What, then, should you be looking out for to protect your business (or your customers’ businesses, if you’re a security reseller or service provider) against this onslaught?

Choosing email security

We’ve identified some specific features that we believe are critical to effective email security in 2017’s threat-laden world.

1. Ease of use for SMEs

The latest Government Security Breaches Survey found that SMEs are now being pinpointed by digital attackers, according to this piece in The Guardian.

But SMEs also include many businesses that have little or no in-house IT or security expertise  - so complex on-premise email security just won’t work for them.

Instead, look out for cloud-delivered, as-a-service solutions that major on ease of use (that means, amongst other things, no-maintenance deployment, with 24 x 7 updates, patches and hot-fixes delivered automatically by the vendor).

This kind of solution has the added benefit that it can filter email inline and scan it prior to it reaching the recipient, so threats are intercepted before they touch the business’s network.

Nothing to remediate, no spam to archive, nothing to clean up – good news for resource-starved small businesses.

2. Email clients – cloud’s a must!

Smaller businesses in particular are also turning to hosted email clients like Office 365 and Google Apps, with research showing that nearly two-thirds of small business owners already have an average of three cloud solutions in place.

Combine this with the knowledge that Office 365 has known issues with its ability to detect insecure document content, though, and it’s not enough to just go with a cloud-based email security solution. You also need to choose one that is good at dealing with cloud-based email client vulnerabilities.

Get the last bit wrong and you’re still behind the SME security curve.

3. Threat coverage and awareness

Spam, malware, spyware, phishing and inappropriate content are all known risks that must of course be protected against.

But the underlying question is how the solution’s knowledge of the threat landscape evolves, since it is this process that ultimately protects users against emerging threats like zero-day exploits.

Big data and machine learning algorithms are the key features to look for in this respect, but many vendors are now jumping on this bandwagon, so look at the hard numbers to sort the aspirational from the credible.

Take Trend Micro’s Hosted Email Security (HES) as just one example: over 50 billion website URLs, email sources, and files scanned, correlated, and filtered, with over 7 terabytes of new threat data processed - daily.

That leaves little doubt (and the latest features in Trend Micro HES make convincing reading, too).

4. GDPR compliance

GDPR is never far away from our discussions thesedays, and any cloud-delivered service is now under the microscope with regard to how it protects the privacy of the data that it holds.

Look for a solution backed by data centres that have reached the most stringent privacy certifications - in Europe, these are generally considered to be ISO 9001, ISO 27001, OHSAS18001 (LHR1) and SAS 70 Type II.

5. Ease of partner management

For security partners, there is an added dimension to a choice of security solution: the ease with which they can manage it!

Solutions that are difficult to provision and manage burn through administration resource and gnaw at margins – making them potentially unprofitable.

Look instead for a single security dashboard across all customers, that also works with industry-standard platforms like Autotask, ConnectWise and Kaseya.

This will enable you, for example, to automate monthly usage and reporting management, proactively analyse emerging security threats, and provision new solutions and services more rapidly – without signing into and logging out of multiple systems and tools.

Email security in 2017 – as-a-service solutions to a growing challenge

As long as businesses keep sending and receiving emails, the bad guys will keep using them to try and attack the soft underbelly of businesses.

But to do that, the emails have to get there in the first place – and if they’re getting caught by security in the cloud first, they won’t.

Definitely one to watch for 2017.

Upgrade Trend Micro Worry-FreeIf you don’t manage your Trend Micro Worry-Free Business Security upgrades properly, your customers could be at risk from ransomware! We explain what to do.

If you sell Trend Micro’s Worry-Free Business Security Standard or Advanced editions, you’ll know that both come with a convenient management console that enables you to easily watch over and control the security services you deliver.

But if you don’t act on the information and alerts you receive, and keep your solution up to date, it could mean that your end-user customers are at greater risk from threats like ransomware!

There are just three things you need to do to keep your customers protected:

1. Upgrade manually after renewals

Renewals of Trend Micro’s Worry-Free for Business Standard or Advanced editions do not automatically upgrade to the latest version, so you need to manually manage this process yourself.

Happily, it’s an easy thing to do. There’s a link to Trend Micro’s Download Center at the top of every console homepage. Click to upgrade your renewed Worry-Free Business Security edition to the latest version (see images below).

Alternatively, you can go to the Help tab, click on Support, and then click on the Download Center icon at the bottom of the page (see image below).

No uninstall or reinstall is required, the upgrade will automatically be picked up from the server by all the connected security agents, and your customers will stay protected.

What’s not to like?

Worry-Free Console
(Click to enlarge)
Worry-Free Console
(Click to enlarge)
Worry-Free Console
Upgrading Worry-Free Business Security after renewal is easy! (Click to enlarge)

2. Get notified by RSS as well

If you’re not on v.7 or upwards, you won’t get console notifications, so you need another way of receiving them.

And even if you are on v.7 or upwards, there’s certainly no harm in having a backup notification channel to be doubly sure the message hits home.

This is why the Download Center website supports RSS. You can set up upgrade notifications and reminders from that site straight into your RSS feed (see image below), and then go into the console to act on them.

Trend Micro software download RSS Feed
You can subscribe to the Download Center website’s RSS feeds to get upgrade and service pack notifications – whether the notification feature is also available in your version of the console or not. (Click to enlarge)

3. Act on those notifications!

As we’ve shown above, the console – even in pre-v.7 guise - contains the necessary links for you to download upgrades or service packs, and you can also find these links in the Download Center, whose icon is at the bottom of the console page (see image above).

So it’s a cinch to stay ahead of the game – but you do have to make sure you download the upgrades and packs promptly from the links.

That way, your customers will continue to be fully protected.

Keep Worry-Free worry-free!

Pay heed to your console, reminders and notifications and your Worry-Free Business Security solutions will totally live up to their name (more so, in fact, if you upgrade to the cloud-based Services edition that significantly simplifies life for both you and your end-users!)

But miss an upgrade or a service pack, and fast-moving, destructive threats like ransomware are, in all probability, already one step ahead of you and your customers alike.

And that will prove very worrisome indeed.

DeployManaging licensing processes can bite deep into security MSPs’ margins. But one vendor seems to make it a lot easier. We investigate…

If you’re a managed security service provider, you’ve got an awful lot on your plate when it comes to licensing.

Try to manage it all using different tools and you’ll rapidly flay the flesh from your profitability – and probably send your customer satisfaction levels plummeting, too.

Logically, the solution is to somehow combine all the licensing functions in one place, making them both accessible and easy to use. But is any security vendor actually offering this? And if so, does it really deliver on the promise?

For our money, the answers to these questions are “yes, Trend Micro” and “yes, here’s how”, respectively.

Licensing Management Portal (LMP) – cross-product pain relief

The first thing that is striking about Trend Micro’s Licensing Management Portal (LMP) is that, in contrast to some other so-called “single pane of glass” management tools, it isn’t just available for a core technology that so far only underpins one or two finished products.

Instead, it has already evolved to the point where it is common to pretty much the entire Trend Micro product portfolio

So it makes it possible for MSPs to centrally manage, from a single sign-on system, multiple instances of both “point” solutions like Cloud Application Security (a topic we discuss further in this post), and more comprehensive solutions like the Worry-Free Business Security range.

Let’s not gloss over the pain that this alleviates. It eliminates wait time associated with ordering licences, because LMP is available 24 x 7 x 365. It automates the tracking of renewals and expirations. And it eliminates the complexity and cash-flow risk associated with manual billing.

Remote Manager
LMP, Remote Manager, CLP – a powerful triumvirate of solutions that drastically reduce the costly burden of creating, provisioning, managing and billing MSP licences. More on CLP below. (Click to enlarge)

LMP + Remote Manager = automation

This capability stems in part from the fact that LMP also contains within it Trend Micro’s Remote Manager.

This radically streamlines many of the licensing management processes by plugging them into industry-standard RMM and PSA solutions like Autotask, ConnectWise, Kaseya and LabTech.

So, you no longer have to manually drive your billing process, for example. Instead, LMP can use ConnectWise to auto-issue invoices and create end-to-end billing the moment a new endpoint or device is deployed.

Likewise, there’s a lot less juggling of multiple processes in order to set customers up. LMP syncs with LabTech, so you can map customers from LMP to customers in your LabTech solution, and then, within the latter, just “point and shoot” to deploy, issue licences etc. No jumping around between applications!

LMP and LabTech sync
No jumping around between applications – LMP and LabTech sync, so that deploying and issuing licences to your customers is as simple as a mouse click. (Click to enlarge)

Service plans the way you and your customers want them

Whilst we’re on the point of service plans, it’s worth mentioning that LMP has rewritten the rulebook somewhat in this respect too, offering real flexibility.

You can activate licences into live services in any number of formats – monthly, yearly, quarterly, on receipt of PO – and you can schedule in additional features so that they don’t have to be managed manually.

For example, a new customer that has committed to your services for two years initially, but whose contract needs to revert to a monthly rolling arrangement after this initial period, can have a service plan created in LMP that will deliver this arrangement – automatically.

From where we’re sitting, it’s probably the only example of a service plan mechanism that combines customer-friendly flexibility and features with management tools that don’t place an unsustainable drain on your resources!

Powerful but flexible reporting

Of course, if you can’t easily see what’s billable, automated provisioning and service plans won’t stay viable for very long!

Here, too, LMP shines. Not only is the reporting itself automated, it provides up-to-date detail of everything that has been in any way consumed by the end-user, ensuring that consumption and billing are always in step with each other.

At the same time, the automation allows a window of manual adjustment to cope with cancellations, error correction, atypical deployment scenarios, and other exceptions.

In essence, LMP has enough automation to make the majority of billing scenarios far easier – and far more economical – to manage.

CLP: Convenience for the end-user

But what’s really innovative in LMP, in our view, is that it enables the end-user to manage some of their own licensing, giving them the convenience of direct control, whilst also (let’s be candid) fattening your margins by reducing your workload!

This is because LMP contains a Customer Licensing Portal (CLP), which enables customers to manage licence keys for selected parts of their security estate, based on role. That partial autonomy and flexibility works for them, which makes you look good.

But the fact that the CLP can also carry your own branding will do your business profile no harm at all, either!

“Nobody does it better”, goes the old song. And at the moment, our Trend Micro team seems to be singing it around the office quite a lot. Funny, that.

Zero day exploitsIn the wake of a Windows 10 zero day exploit that had Microsoft all a-flutter, we explore these insidious threats - and how to combat them.

In the last blog in this series, we looked into ransomware, what it is, and how you can stop it. In this blog, we put another cyber-threat under the microscope – the zero day exploit.

We’ve looked into what the zero day exploit is and how it ticks – and we’ve “zeroed” in (sorry!) on some things businesses and their security partners need to consider in order to confront the danger head-on.

Zero day exploits: what are they?

Perhaps no other threat is guaranteed to drive software vendors’ marketing departments into public fits of bluster and defensiveness quite like the zero day exploit (see Microsoft’s recent performance in this piece in Ars Technica, for example!)

This is because zero day exploits are all about urgency and panic. Typically, they attack newly released software through vulnerabilities even its designers often don’t yet know exist (although legacy software can also sometimes be a target).

They are so called, as Wikipedia explains, because the hapless software vendor has “zero days” to fix the problem, or communicate helpfully about it, before it goes public – since the hackers themselves have usually already publicised it for them!

Zero day exploits love targeting browsers and office applications like Word and others (because we all use them) and they also hijack the common SMTP email protocol to find their way into these vulnerable applications in the first place.

But what makes zero day exploits so dangerous is that they tend to evade typical security software defences.

Why? Because many of the latter rely on triggers like malware signatures and known URL blacklists – intelligence that accumulates over time. And by definition, a zero day exploit has none of this history behind it!

What damage can zero day exploits do?

Here’s just a short list of zero day threats and the havoc they can potentially wreak, curated from various sources covering the last year or two:

  • Suspected North Korean State threat actors were observed exploiting a vulnerability in a word processing application
  • A targeted attack unveiled vulnerabilities in Microsoft Office and Windows, hidden within a Microsoft Word document
  • Adobe and Windows zero day exploits were made use of by Russia’s APT28 gang in a highly-targeted hack
  • Vulnerabilities in Microsoft font drivers were found to allow remote code execution, potentially rendering businesses open to ransomware, data theft, etc.

And, at the time of writing, a memory corruption bug affecting several Windows operating systems was declared capable, in this advisory, of remotely causing a denial of service (DDoS) attack!

Zero day – how do you defeat an enemy you can’t see?

But what defence is possible if security software can’t even recognise a zero day exploit when it’s sitting on top of one?

One effective response to this is to choose security solutions that don’t go hunting for known malware signatures, but instead zoom in on the structural behaviour of the applications that are likely to be targeted by zero day exploits.

Unexpected behaviours in those applications can indicate that they are being asked to do something they shouldn’t – and in tests, this approach has led to security vendor Bitdefender being able to block all Flash player exploits, including zero day, encountered in the space of a year.

It follows that the more extensive the analysis of these applications and the data they generate, the more effective a security solution is likely to be in recognising the signs that a zero day exploit is at work.

Enter Trend Micro, which has woven together an extraordinary mesh of vulnerability intelligence sources that include behavioural, statistical, heuristic and protocol analyses, all drawing on a constantly updated and monitored worldwide threat intelligence network.

Backed up by artificial intelligence (AI) and machine-learning techniques that extend through multiple different security layers, analyses of the entire possible zero day attack surface can be interlinked.

In other words, a more holistic understanding of which of the business’s applications are being asked to do what, and whether this is likely to constitute risky behaviour, is formed.

It’s less about putting a name and face to the exploit itself, and more about spotting changes across the business’s often very complex IT environments that aren’t explicable in any healthy way!

Anti-zero day solutions – what the industry says

An enlightening read for those investigating this area is industry analyst Gartner’s recent Magic Quadrant for endpoint security (which you can download here, and in which Trend Micro, incidentally, is positioned highest and furthest amongst the contenders).

It hits on many of the points we’ve mentioned above – application and process analysis, behaviour monitoring, machine learning, browser and office software vulnerabilities, memory manipulation – to paint a pretty comprehensive picture of what the industry is doing to address the fundamental difficulty of stopping a threat that is, initially at least, invisible.

Meanwhile, keep your eyes peeled for our next topic in this blog series – viruses!

Bitdefender updated its  GravityZone cloud console with new features that you may not be taking full advantage of.  Here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Ransomware Vaccine

The big news is that Bitdefender has now incorporated Anti-Ransomware vaccine for all its cloud customers, that immunises end-users against both existing and emerging ransomware attacks – at no additional cost!  This module is activated through the policy section  Antimalware --> On Access settings

Bitdefender Policy
(Click to enlarge)

By activating this module, machines will be protected from all currently known forms of Ransomware. The Vaccine works independently, does not need any other modules to be installed, and is switched on simply by ticking the box in the customer’s policy.

Other New Features in GravityZone

  • Update Rings - this feature allows Administrators of the program to  choose when in the validation cycle an update is received.
  • Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.
  • Web Access Control Rules - The categories list has been updated with multiple new categories added.
  • Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

For more details on the above features and a look at the other features included please click here

Bitdefender Authorized Distributor