For the past three and a half years, Win32/Conficker has been the top threat found in enterprise environments. We have reported on Conficker in the Microsoft Security Intelligence Report since the second half of 2008. No new variants of Conficker have been released in years and the methods it uses to propagate are well known, but once it finds its way into an environment it can be difficult to eliminate it.
Figure 1 (left) and Figure 2 (right): Quarterly trends for the top 10 families detected on domain-joined computers in 2H12, by percentage of domain-joined computers reporting detections
Figure 3: Quarterly trends for top 10 families detected on domain-joined computers 1Q11 to 4Q12
Perhaps more importantly, in the second half of 2012, 7 out of the top 10 threats affecting enterprises were known to be delivered through malicious websites; these threats are denoted with an asterisk in Figure 1 and include JS/IframeRef, Blacole, JS/BlacoleRef, Win32/Zbot (also known as Zeus), Win32/Sirefef, Win32/Dorkbot, and Win32/Pdfjsc.
Exploit activity has been at high levels, as I recently wrote in an article called “Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date.” Data in the Microsoft Security Intelligence Report shows that attackers have been using exploits more and more over the past eighteen to twenty-four months. So it’s no surprise to see threats related to exploit activity in the top ten list of threats for the enterprise.
The Call to Action
The good news is that enterprises can protect themselves using a number of mitigations, including:
- Keep all software up to date: attackers are trying to use vulnerabilities in all sorts of software from different vendors, so organizations need to keep all of the software in their environment up to date, and run the latest versions of software whenever possible. This will make it harder for the types of threats we now see in the enterprise to be successful.
- Demand software that was developed with a security development lifecycle: until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities. A very effective way for software vendors to help you do this is by using security mitigations built into the platform, such as ASLR, DEP, SEHOP and others. These mitigations can make it much harder for attackers to successfully exploit vulnerabilities. Demand software from your vendors that use these mitigations. You can check if the software you have in your environment have these mitigations turned on, using a tools like Binscope or EMET. In cases where you have software deployed in your environment that do not use these mitigations, in some cases EMET might be able to turn them on for you. These mitigations can help you manage risk by giving you more time to test and deploy security updates or new versions of software.
- Restrict websites: limiting the web sites that enterprise information workers can surf to, will reduce the chances of being exposed to the types of attackers we now see in the enterprise. This likely won’t be popular in the office, but given that 70% of the top threats found in the enterprise are delivered via malicious websites, you might have the data you need to make the business case. Restricting web access from servers has been a best practice for a long time.
- Manage security of your websites: many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks. Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
- Leverage network security technologies: technologies like Network Access Protection (NAP) can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing its level of network access.