The Next Cyber Threat: Conferencing and Collaboration
By BUFFERZONE Team, 11/07/2017
If you’re responsible for your organization’s IT security, you probably rely on email inspection and other perimeter gateway solutions for preventing potentially malicious files from entering your network. However, conferencing and collaboration platforms create an open, unmonitorable channel to users’ computers, completely bypassing security inspection solutions.
This breach in the security fence could pose the next widespread cyber threat. We’ll explain this in more detail, and discuss possible solutions.
Malware Vectors and Defense Strategies
Traditional network defense strategies place scanning and inspection solutions along the channels that these attacks would use. Email messages, websites and downloaded files are scanned by various gateway inspection engines for known malware signatures; more sophisticated solutions also perform dynamic (sandbox) analysis and attempt to identify even unknown malware.
These solutions rely on their ability to inspect the various data channels, such as email messages, to identify potentially dangerous content, such as files with active content. However, what if an entire channel is encrypted, so that it can’t be inspected at all?
The Conferencing Vulnerability
Peer-to-peer communication platforms such as WebEx, Skype for Business, LogMeIn and GoToMeeting are powerful tools for conferencing and collaboration that have become basic and necessary for business productivity. They all include features for various types of sharing, including file sharing. Firewalls and other perimeter devices are configured to allow their traffic, and for security reasons the tools encrypt the communications between conversation endpoints. So, they are neither blocked nor inspected; the only line of defense is the user’s judgment, and the user should ideally know better than to download files from unknown sources. As we all know, this ‘defense’ is far from flawless – that’s why organizations don’t rely on it for email attachments and web downloads.
Imagine a user being lured via phishing to a webinar that is designed to seem relevant and even important for the user’s work. The user accesses the webinar via browser or desktop application, and the presenter asks the user to download a PowerPoint presentation that will be used for the webinar; or the presenter simply presents it, and the user may decide to download it from the browser or client application. When the unsuspecting user opens the downloaded file, malware begins running on their computer. Or, imagine a chatbot running in, for example, Skype. The user clicks on, for example, a photo of a bot-recommended restaurant, which downloads a malicious file.
If this were an email attachment or web download, it could have been inspected and blocked by traditional security solutions. But in the peer-to-peer conferencing case, the solutions can’t inspect any content, because it’s all automatically encrypted by the application. Security solutions can’t even know that any file was shared. This is a hidden, unmonitorable channel into your network that completely bypasses existing security solutions, presenting a serious security challenge.
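Because the gateway never sees these files, the endpoint is the first place they can be inspected. As an added example (not BUFFERZONE’s code), the script below shows one compensating control: a host agent that notices when a conferencing client writes a file to disk and flags it for sandbox analysis or container-only opening. The client image names and the Sysmon-style FileCreate events are constructed assumptions, not values from the article.

```python
"""Flag files written to disk by conferencing/collaboration clients (added example)."""
import json
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed client image names for the products named in the article (constructed placeholders).
CONFERENCING_CLIENTS = {"webex_client.exe": "WebEx", "sfb_client.exe": "Skype for Business",
                        "g2m_client.exe": "GoToMeeting", "logmein_client.exe": "LogMeIn"}
# File types that execute or carry active content when a user opens them.
ACTIVE_CONTENT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                  ".pptm", ".ppsm", ".docm", ".xlsm"}

# Constructed Sysmon-style events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"event":"FileCreate","image":"C:\\Program Files\\WebEx\\webex_client.exe","target":"C:\\Users\\a\\Downloads\\Q3_webinar.pptm"}
{"event":"FileCreate","image":"C:\\Program Files\\SfB\\sfb_client.exe","target":"C:\\Users\\a\\Downloads\\restaurant.jpg.exe"}
{"event":"FileCreate","image":"C:\\Program Files\\SfB\\sfb_client.exe","target":"C:\\Users\\a\\Downloads\\notes.txt"}
{"event":"FileCreate","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\a\\Desktop\\todo.docm"}
{"event":"ProcessCreate","image":"C:\\Program Files\\WebEx\\webex_client.exe","target":""}
"""


def classify(event: dict) -> Optional[dict]:
    """Return an alert if a conferencing client wrote this file, else None."""
    if event.get("event") != "FileCreate":
        return None
    client = CONFERENCING_CLIENTS.get(PureWindowsPath(event["image"]).name.lower())
    if client is None:
        return None  # files from other writers are covered by other controls
    target = PureWindowsPath(event["target"])
    active = target.suffix.lower() in ACTIVE_CONTENT  # "photo.jpg.exe" -> ".exe"
    return {
        "client": client,
        "file": str(target),
        "severity": "high" if active else "medium",
        # Never inspected at the gateway: send active content to sandbox analysis
        # and allow it to open only inside an isolated container.
        "action": "sandbox-and-contain" if active else "contain",
    }


def scan(lines: str) -> List[dict]:
    """Run classify() over newline-delimited JSON events, skipping malformed lines."""
    alerts = []
    for line in lines.splitlines():
        try:
            event = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            event = None
        alert = classify(event) if event else None
        if alert:
            alerts.append(alert)
    return alerts
```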
“It’s only a matter of time before attackers take advantage of conferencing tools as vectors for ransomware and other types of malware”, says Tal Vegvizer, Director of R&D at BUFFERZONE Security. “I foresee widespread exploitation of this open channel for all kinds of malicious files, which existing security solutions are unprepared for”.
A New Defense Paradigm: Isolation
This conferencing tool vulnerability highlights the weakness of any kind of gap-stopping, inspection-based security strategy. There’s always another data channel to secure and another kind of malware to defend against.
However, an alternative strategy exists: Isolation by containment. The only way to definitively protect valuable resources from unknown attacks via any channel is by isolating infectable areas from valuable resources. This is what BUFFERZONE does: it creates a virtual container on organizational endpoints, and all processes that could access external, untrusted sources such as the internet are kept in the container, along with any data they download or save. At the same time, only uncontained processes can access trusted organizational resources. The container is periodically wiped clean.
So, for example, if our webinar user did download any kind of known or unknown malware, it would be trapped in the container, with access only to contained resources, unable to do any real damage. And when the container was wiped, the malware would be gone.