In IT departments, the reports of multiple attacks are provoking a range of reactions, from calm and blind trust in the security products already in use to the panicked implementation of immediate measures.
The best IT security teams see the new warnings as an opportunity. They review their existing security concepts and evaluate whether the recommended measures are already in place. Where they are not, they improve them.
Antivirus? Not helping.
The current generation of Emotet is equipped with modern exploits and carries encryption and destruction trojans as payloads. The software is continually adapted for each new wave of attacks, so traditional virus protection cannot detect it effectively. Independently of the payload, the current version of Emotet, like much other malware, has for years been following well-known strategies to successfully take over a network.
In order to discuss the most effective protection measures, I will first describe the progression of an infection in an extremely simplified form.
The victim receives an e-mail containing either a file or a link to a file on a web server or in the cloud, so simply blocking e-mail attachments is not enough. Often, the e-mail contains a personal message with a plausible reason to open the file and ignore all security warnings. The files in question can be Microsoft Office documents, PDFs, script files, and many other formats. More often than not, the e-mails come from known senders with current topics in the subject line, making it very hard for users to recognise them as a trap.
The file opened by the user generally contains only a small script that downloads the actual malware onto the victim's computer. Because the trojan is constantly changing, it is often overlooked by traditional antivirus programs.
- Local effects
The malware connects the victim's client to the attacker's command and control server and receives instructions on how to proceed. The trojan can now e-mail itself to business partners, encrypt accessible shares, and collect passwords and access data and send them to the attacker.
- Internal Spreading
The malware exploits vulnerabilities in clients and servers and spreads through the network like wildfire. Frequently, the entire data inventory and even the backup systems are affected. On every system it takes over, the trojan collects more data and causes more damage.
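The phases above (a document that spawns a script, which in turn fetches the actual malware) leave a characteristic process chain on the endpoint, which is exactly what the "attack detection and automatic reaction" measure discussed later is meant to catch. The following is an added example, not code from the original article or from any product it mentions: a small detector that runs over process-creation events and flags an Office application spawning a scripting host, escalating when that host is a network-capable tool. The JSON log format, the application lists, and all sample events are constructed for this demonstration.

```python
"""Flag the Office -> script host -> downloader chain described above.
Added example; log format and sample events are constructed, not real telemetry."""
import json
import ntpath
from collections import defaultdict

# Document viewers that should not normally spawn scripting hosts (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Interpreters and system utilities commonly used to run a second stage (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Script hosts that can fetch content from the network themselves (assumed list).
NETWORK_TOOLS = {"powershell.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "mshta.exe"}

# Constructed process-creation events, one JSON object per line.
# Host pc-042 shows the malicious chain; srv-01 shows a macro launching wscript;
# the cmd.exe under explorer.exe and the print helper under Word are benign noise.
SAMPLE_LOG = r"""
{"host": "pc-042", "pid": 900, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"host": "pc-042", "pid": 4100, "ppid": 900, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n Rechnung_2019.docm"}
{"host": "pc-042", "pid": 4120, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command <constructed placeholder>"}
{"host": "pc-042", "pid": 4130, "ppid": 4100, "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe"}
{"host": "pc-042", "pid": 5000, "ppid": 900, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"host": "srv-01", "pid": 300, "ppid": 1, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "EXCEL.EXE Umsatz.xlsx"}
{"host": "srv-01", "pid": 320, "ppid": 300, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe macro_helper.vbs"}
"""


def parse_events(text):
    """Parse one JSON event per line, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased image file name; ntpath handles Windows paths on any OS."""
    return ntpath.basename(path).lower()


def build_tree(events):
    """Index events by (host, pid) and by (host, ppid) so chains can be walked both ways."""
    by_pid = {}
    children = defaultdict(list)
    for ev in events:
        by_pid[(ev["host"], ev["pid"])] = ev
        children[(ev["host"], ev["ppid"])].append(ev)
    return by_pid, children


def ancestry(ev, by_pid, max_depth=8):
    """Image names from this process up to the oldest ancestor present in the log."""
    chain, cur = [], ev
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["image"]))
        cur = by_pid.get((cur["host"], cur["ppid"]))
    return chain


def detect_office_script_chains(events):
    """Return one alert per script host whose parent is a document viewer."""
    by_pid, children = build_tree(events)
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        if name not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get((ev["host"], ev["ppid"]))
        if parent is None or basename(parent["image"]) not in OFFICE_APPS:
            continue
        # Escalate when the script host can download by itself or launches a tool that can.
        descendants = [basename(c["image"]) for c in children[(ev["host"], ev["pid"])]]
        downloader = name in NETWORK_TOOLS or any(d in NETWORK_TOOLS for d in descendants)
        alerts.append({
            "host": ev["host"],
            "pid": ev["pid"],
            "chain": " -> ".join(reversed(ancestry(ev, by_pid))),
            "severity": "high" if downloader else "medium",
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_script_chains(parse_events(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['host']}: {alert['chain']} | {alert['cmdline']}")
```

Run as a script, it reports the hidden PowerShell launched from Word on pc-042 as high severity and the wscript launched from Excel on srv-01 as medium, while the cmd.exe under explorer.exe and the print helper under Word produce nothing. The "automatic reaction" part of the measure would hang off the alert list, for example by isolating the host through the network quarantine mechanism mentioned later; that step is deliberately left out here because it depends on the products in use.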
Even in this simplified attack, we can see how many different areas of a company's IT are touched. Because of the agility of current and future malware, perimeter protection measures (firewalls) together with e-mail and endpoint protection (antivirus) are no longer sufficient. What is needed is a holistic approach to IT security that focuses both on successfully defending against attacks and on limiting damage and recovering from it.
- Next Generation Firewall
- Next Generation Endpoint Protection
- Next Generation E-Mail Protection
- Network segmentation via Firewall
- Hardening of operating systems and applications
- Client and server compliance and network quarantine
- Attack detection and automatic reaction
- Patch management
- Permission concepts
- File encryption and storage location independent permissions management
- Backup concepts
- Emergency and disaster recovery plans
The required measures reach deep into the network and are not limited to purchasing and configuring IT security products. In addition to the technical aspects of IT security, organisational measures and training for users and IT staff are crucial.
IT security is more than just an IT topic.
In practice, we repeatedly come across setups in which IT security is reduced to perimeter protection and endpoint protection managed by the in-house IT department. In internal networks, some of which are administered by other teams, generous exceptions are defined for anti-virus protection, operating-system protection mechanisms are switched off, and no network segmentation by firewalls is performed. In general, internal devices are regarded as trustworthy. These are exactly the environments in which Emotet or similarly structured malware can do the most damage once the network has been infiltrated.
To set up optimal protection, a multi-area approach to IT security is needed, and it is often necessary to mediate between the individual departments and their interests. It is all the more important to have a strong, vendor-neutral, and expert partner for evaluation, design, and implementation who can keep an overview and bring more security to your company.