Malicious software can find its way onto systems in numerous ways. When evaluating the effectiveness of your ability to combat malware, consider how you would handle the following common infection vectors:
- Targeting client-side software vulnerabilities on end-user systems. Such attacks take the form of attempts to exploit weaknesses in software that can be invoked through the victim’s web browser, such as Adobe Reader, Adobe Flash and Java Runtime Environment (JRE). Such vulnerabilities are also be targeted through the victim’s email client, in which case the person might receive a malicious attachment in the form of a Adobe PDF or Microsoft Office document.
- Targeting server-side vulnerabilities in software accessible over the network. Such attacks might take the form of network connections to network-accessible services with the goal of exploiting an unpatched security bug or a configuration error in the program. The vulnerability might be present at the level of the operating system, for instance in its network stack. It might also exist in programs running on top of the OS, such as common web server software and in-house applications.
- Employing social engineering as part of malware distribution campaigns. Attackers often employ elements of social engineering to trick victims into clicking on malicious browser links or opening malicious email attachments. It is often easier to convince the victim to install software that will turn out to be malicious than successfully identifying and exploiting a vulnerability to infect the host.
- Propagating by using removable USB drives. Malware has been using removable media to spread across systems across systems, and has been particularly effective in crossing the physical air gap that exists between the Internet and some internal networks. Examples of malware that spread by infecting USB keys include Conficker and Stuxnet.
- Guessing passwords of user accounts accessible over the network. Attackers have been successful at remotely brute-forcing weak user account passwords through network services, such as SSH and SMB. These techniques may be used by a human attacker with the help of scripts, or by malware programmed to autonomously spread in this manner. Conficker, for instance, included this approach among its propagation tactics.
Consider which of these infection vectors are most likely to work in your organization, while accounting for the damage that can arise from those attack scenarios. Then adjust your defenses accordingly.
For my perspective on modern malware capabilities, take a look at my presentation Malware Threats and Defenses That Work, which includes slides and detailed speaker notes. Also, check out the 2-day Combating Malware in the Enterprise course I recently co-authored at SANS :-)