The Corona Cyber Threat: Chat, Conferencing and Collaboration
By Yehuda Rock, 17/03/2020
As the world focuses on the physical threat that COVID-19 poses to our health, lives, and economies worldwide, here in the cyber security industry we need to also think about possible threats to our data and networks.
Security must always respond to changes in infrastructure and behavior, and the Corona virus and our response to it is changing our behavioral patterns. Specifically, far more of us than before are working from home for longer periods. And as this happens, remote teleconferencing is rapidly changing from just an occasional, secondary activity into an organizationally-endorsed mainstay of ongoing business relationships, including among close colleagues in the same local teams. Additionally, employees naturally begin to rely more on ad-hoc communication channels such as chat applications (for example, WhatsApp and WeChat).
If you’re responsible for your organization’s IT security, you probably rely heavily on email inspection and other perimeter gateway solutions for preventing potentially malicious files from entering your network. However, chat, conferencing and collaboration platforms create an open, unmonitorable channel to users’ computers, completely bypassing security inspection solutions.
This breach in the security fence could pose the next widespread cyber threat. We’ll explain this in more detail and discuss possible solutions.
Malware Vectors and Defense Strategies
Traditional network defense strategies place scanning and inspection solutions along the channels that these attacks would use. Email messages, websites and downloaded files are scanned by various gateway inspection engines for known malware signatures. More sophisticated solutions also perform dynamic (sandbox) analysis and attempt to identify even unknown malware.
These solutions rely on their ability to inspect the various data channels, such as email messages, to identify potentially dangerous content, such as files with active content. However, what if an entire channel is encrypted, so that it can’t be inspected at all?
The Conferencing Vulnerability
Peer-to-peer communication platforms such as Zoom, WebEx, Skype for Business, LogMeIn and GoToMeeting are powerful tools for conferencing and collaboration that have become basic and necessary for business productivity. They all include features for various types of sharing, including file sharing. Firewall and other perimeter devices are configured to allow their traffic, and for security reasons, the tools encrypt the communications between conversation endpoints. So, they are neither blocked nor inspected; the only line of defense is the user’s intelligence and judgement, who ideally should know better than to download files from unknown sources. As we all know, this ‘defense’ is far from flawless – that’s why organizations don’t rely on it for email attachments and web downloads.
Imagine a user being attracted via phishing to a webinar that is designed to seem relevant and even important for the user’s work. The user accesses the webinar via browser or desktop application, and the presenter asks the user to download a PowerPoint presentation that will be used for the webinar; or the presenter even just presents it, and the user may decide to download it from the browser or client application. When the unsuspecting user opens the downloaded file, malicious malware begins running on their computer.
Or, imagine a chatbot running in, for example, Skype. The user clicks on a photo of a bot-recommended restaurant, which downloads a malicious file. Or, a user working from home may activate WhatsApp on their work computer and download a file from there.
If this were an email attachment or web download, it could have been inspected and blocked by traditional security solutions. But in the peer-to-peer chat or conferencing case, the solutions can’t inspect any content, because it’s all automatically encrypted by the application. Security solutions can’t even know that any file was shared. This is a hidden, unmonitorable channel into your network that completely bypasses existing security solutions, presenting a serious security challenge.
It’s only a matter of time before attackers take advantage of chat and conferencing tools as vectors for ransomware and other types of malware. We foresee widespread exploitation of this open channel for all kinds of malicious files, for which existing detection-based solutions are unprepared.
A New Defense Paradigm: Isolation
This conferencing tool vulnerability highlights the weakness of any kind of gap-stopping, inspection-based security strategy. There’s always another data channel to secure and another kind of malware to defend against.
However, an alternative strategy exists: Isolation by containment. The only way to definitively protect valuable resources from unknown attacks via any channel is by isolating infectable areas from valuable resources. This is what BUFFERZONE does: it creates a virtual container on organizational endpoints, and all processes that could access external, untrusted sources such as the internet are kept in the container, along with any data they download or save. At the same time, only uncontained processes can access trusted organizational resources. The container is periodically wiped clean.
So, for example, if our webinar user did download any kind of known or unknown malware, it would be trapped in the container, with access only to contained resources, unable to do any real damage. And when the container was wiped – the malware would be gone.