-1

Malicious files are commonly infiltrated on to the network via email attachments. Besides awareness and education to my staff to refrain from clicking on suspicious attachments, I would also like to improve the security posture via technology. Are there any preexisting mechanisms in email servers/exchanges that could help to verify indicators of compromise and block those emails containing a hit on that IOC? I guess this could be a email+anti-virus combo? What about zero days? I have heard of FireEye products that can perform analysis of zero days, but they might be expensive solutions. Thanks.

k1DBLITZ
  • 3,933
  • 14
  • 20
Pang Ser Lark
  • 1,929
  • 2
  • 16
  • 26
  • "are always infiltrated to the network via email attachments" not always. But it depends. – Aloha Jul 10 '15 at 01:21
  • 1
    There are numerous AV solutions for email servers. As for 0-days, that depends on the AV solution, and that tends to increase the price. – schroeder Jul 10 '15 at 21:26

1 Answers1

2

Email is certainly the most common method of pushing malware to a network, but it is not the only one. Also, while malicious files can be delivered as attachments to emails, they can also be presented as links that end users click on, resulting in a drive-by download or perhaps a more traditional virus that the user then has to download and execute manually. Another way to push malware to end users is malvertising, which can be minimized (but not entirely prevented) by using an ad blocker and client-side anti-virus.

Within the realm of email, most server-side anti-spam solutions are designed to work in concert with anti-virus. You definitely want both. It is very common to additionally see malware sandbox systems (like FireEye and Cisco AMP) that can detect unknown malware (such as zero-days) by its behavior rather than by a signature.

You also need to protect your users' web access through e.g. a web security proxy or something like OpenDNS.

Now that you have a better idea of the landscape out there, you might have a better idea of what kind of question you're asking. I'm not sure what you actually want. Are you looking for a cheap solution for automated sandboxing?

Perhaps something like the Cuckoo Sandbox, which is Free/Open Source Software, would help, but it's not really set up as a blocking device; it's primary use is for analyzing suspect files for malicious behavior, not for producing robust (low error) results that can be acted upon automatically. Given the effort it would take to build Cuckoo into what it appears you are seeking, the total cost of ownership may actually be lower with a commercial solution.

Adam Katz
  • 9,718
  • 2
  • 22
  • 44