I don’t know about you, but I’m fed up with how easily the bad guys are exploiting Office macro functionality in the early stage of their attack life cycle. When you think about it, it’s kind of insane that a supposedly innocent Word document can contain executable code. But that’s the world we live in and I frequently hear “we depend on macros” and can’t disable them. But that doesn’t need to be the end of the story. Here are some really important questions to ask and I’ll show you practical ways to answer them.
- How much do we really depend on Office macros?
- Which users actually use macros?
- How many documents on our network contain macros?
- How many different macros are there?
- Who writes them?
- What do our macros actually do? What functionality do they implement?
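One way to start answering the question of how many documents on the network contain macros, as an added Python example that is not part of the original post: it inspects Office Open XML containers (.docm, .xlsm, .pptm and friends) for an embedded VBA project by content rather than by file extension, and the files it scans are constructed in a temporary directory for the demo. Legacy binary .doc/.xls files are OLE2 containers and are out of scope here; olefile or oletools would be needed for those.

```python
import io
import tempfile
import zipfile
from pathlib import Path
# OOXML files (.docm/.xlsm/.pptm, or a .docx that merely claims to be macro-free) are ZIP
# containers; VBA code sits in a vbaProject.bin part declared in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OFFICE_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xlam", ".pptx", ".pptm", ".ppam"}
def ooxml_has_macros(data: bytes) -> bool:
    """Decide from content, not extension, whether a VBA project is embedded."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if names & VBA_PARTS:
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        pass  # legacy OLE2 (.doc/.xls) or not an Office file at all; use olefile/oletools for those
    return False

def inventory(root: Path) -> dict:
    """Walk a share: count OOXML documents and list those that carry macros."""
    result = {"documents": 0, "with_macros": []}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in OFFICE_EXTS:
            result["documents"] += 1
            if ooxml_has_macros(path.read_bytes()):
                result["with_macros"].append(path.name)
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal container for offline testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        zf.writestr("[Content_Types].xml", types + "</Types>")
    return buf.getvalue()

def demo() -> dict:
    """Constructed share: one clean .docx, one .docm, one macro file renamed to .docx."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(build_sample(False))
        (root / "invoice.docm").write_bytes(build_sample(True))
        (root / "renamed.docx").write_bytes(build_sample(True))
        return inventory(root)
```

Point `inventory()` at a real file share root to get the document count and the list of macro-bearing files; the renamed sample shows why the check must read the container rather than trust the extension.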
These questions matter because they provide the decision-making data for choosing which mitigations you can use and how widely you can deploy them on your network. Here are some mitigation options:
- Disabling Office macros entirely by default
- Requiring Office macros to be signed before allowing execution
- Limiting signatures to trusted publishers
- Limiting Office macro execution to documents stored in trusted locations
- Limiting which Office applications can run macros
Remember, these mitigations aren’t an all or nothing proposition. If we can identify just a few departments (or even one very large department like call-center staff) and strengthen the Office macro policy, we are winning because we’ve denied attackers a favorite attack vector for a large chunk of our company.
Macro Informed Threat Hunting
If you deny attackers macros, they won’t all stop attacking you; some will turn to other methods, so vigilance is key and there’s no substitute for threat hunting and monitoring. Plus, if you understand how macros work, what their limitations are, and how bad guys try to evade AV products that look for malicious macros, you can do better threat hunting. We will look at all of this and show you how you can use threat hunting techniques to profile the normal behavior of each Office application in your particular environment. This is extremely valuable because once you have that baselined you can create rules to alert you when Office applications diverge from normality, which suggests malicious macros or some other content that has compromised the application.
Threat hunting is where our sponsor, Carbon Black, takes over, and Tristan Morris, Security Strategist at Carbon Black, will show you how you can use advanced threat hunting capabilities to proactively track down exploited macros.
Please join us for this real training for free session.