By David Parkinson, Strategic Development Manager, UK and Ireland for Wick Hill
The term ‘Trusted Supplier’ says it all. It’s a supplier that we have used before, perhaps over a period of time, and one that we trust. However, when it comes to protecting our networks from malware, we can unfortunately never take that term for granted. Communications from trusted suppliers can contain malware that can harm our networks. Trusted suppliers could actually turn out to be bad for business.
It is already common to talk about the cyber risks within the supply chain and it is important to discuss them and review them on a regular basis. We work alongside our suppliers and often connect with each other’s IT networks. If our business partner has a cyber vulnerability, then our own risks increase and we need to guard against that. That risk increases with every vulnerability, at every point in the supply chain.
To take just one example, most organisations use a recruitment company at some point to fill either a key role or maybe regular short term positions. Organisations tend to have a fairly relaxed attitude to communications with their recruitment partners, as we generally receive what we expect to receive - CVs (solicited or otherwise), contracts, invoices, etc.
However, in a recent Forbes article, the careers and recruitment industry was highlighted as being susceptible to a particular cyber threat. This is an industry that has taken advantage of many of the good things the Internet can offer in terms of reach, scale and efficiency. That industry is now finding itself at the sharp end of targeted malware encapsulated in documents - a medium on which it has thrived for so long.
We have known for a long time that malware authors and disseminators look to embed their code within popular document types. This is simply because electronic documents are widely distributed, accepted and, unfortunately, trusted. Producing a word processed document was probably one of the first things many of us accomplished on a computer!
As the Forbes article points out, amongst all the good advice being given, there have been instances of career-focused sites being used as a vehicle to distribute malware-laden documents to recruiting organisations. Also, HR, or whoever is responsible for recruiting, usually doesn’t have cyber-attack at the front of mind when trying to fill an urgent vacancy. They may not be immediately wary of opening solicited, let alone unsolicited, CVs from an in-house careers portal on their own web or intranet site.
The recent Rombertik malware discovery provided another stark reminder of the danger of malware delivered apparently as a document. Rombertik is notable for its-anti-detection capabilities, and the actions it will take if it discovers that it is being actively looked for in memory - it destroys the Master Boot Record of the PC, or failing that, encrypts files using a random key. And the method employed to distribute Rombertik? It is an executable screensaver file, disguised as a PDF or other document by the thumbnail presented to the recipient.
Combatting the risks
The importance of staff training and behaviour-change programs, such as KnowBe4, cannot be underestimated in combating the problem of malware in documents. Fortunately, there are also technologies that can be employed to mitigate some of these specific threat vectors.
For example, Check Point's Threat Extraction technology works with Check Point’s Threat Emulation technology, which tests for unknown malware in advanced emulation environments. Threat Extraction removes suspected malware elements from documents received by web download or email, and then delivers a clean document onwards to the recipient. It will be interesting to see whether technologies such as this will find a home in specific verticals such as recruitment, which rely heavily on document sharing.
Rombertik's anti-detection code is extremely advanced, and we can only imagine that there will be similar examples to come. The emerging field of CPU-level detection looks to identify malicious activity as it is executed on the processor and is designed to counter these evasion techniques. Check Point's acquisition of Hyperwise will bring this CPU-level analysis and detection into the Threat Emulation technology, and aims to deliver advanced protection against this kind of threat.
We have highlighted just one type of business partner in this article - recruitment agencies. There are many more business partners we use and trust on a regular basis in our supply chains. In today’s world of increased malware risk, we need to be ever vigilant with all our trusted partners and use appropriate security software to help us identify and deal with malware carried in documents.