Why do good information security policies restrict access to executable files?

Most knowledge-workers are on the internet all day long, mixing business and personal use while downloading resources, sending email and clicking links. Meanwhile, you rely on your layered defenses to protect them (and the company) from the cesspool that is the internet. Despite promising advancements in malware detection and improved user awareness training toward identifying and avoiding bad files, malicious downloads continue to slip past all defenses, leading to enterprise data breach, loss, ransom, and even destruction. The key is to isolate downloads so threats can’t escape.

Under attack: malicious downloads originate from many sources.

You have end-user training, but it’s hard to stop human nature. Users click on shared documents quickly, averaging less than 4 minutes from the time a message hits their inbox, according to Verizon.

Malicious downloads may be initiated by the user on their own, or the user may be directed to download malicious content deliberately or by way of phishing links delivered by email or chat clients. Malware distribution by file download is efficient, cost-effective, and always evolving. Malicious downloads are increasingly popular because they work so well, taking various forms, including:

  • Deliberate downloads: User initiates a file download (document or executable file) during normal web browsing that contains malware.
  • Fake executable updates: User is tricked into downloading a malicious file (e.g. fake AV or a bogus Flash update) when visiting a website (pop-ups), installs malware onto the host, and is compromised.
  • Links to documents: User receives a document link in email or a chat program that prompts for file download of a document that contains malware.
  • URL redirects: Initial link redirects to an alternate URL that prompts a file download.
  • Bad DNS: If the DNS lookup record is compromised, the user may download a malicious file even if they did nothing wrong and followed what should have been a “safe” link or even a URL bookmark.
  • Bogus drivers: User searches for a driver to resolve a system problem (e.g. printing, audio, video), perhaps from an “unofficial” download site, and installs malware, instead of filing an IT trouble ticket.
  • Free utilities: User searches for a free utility program (e.g. a PDF or audio/video file converter) and installs malware, rather than asking IT for assistance or seeking an approved program to accomplish the task.
  • Watering-hole attacks: An attacker infects a website that is commonly used by the target and replaces or redirects file downloads. Example: a weaponized Word or PDF conference schedule for an industry tradeshow, where large volumes of industry users access resources from the site around the same time. Tradeshow websites are often run by volunteers or conference promoters with few cybersecurity skills.
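As an added illustration (not Bromium's code), the constructed Python helper below shows one way a download policy can decide between restricting an executable and opening a document in isolation: it sniffs the file's magic bytes instead of trusting its name, so a fake "update" or a weaponized document renamed to hide its real type is still classified by content. The signature table, extension sets and action names are assumptions for this example.

```python
"""Classify a downloaded file by its real content, not its name (constructed example)."""
from pathlib import PurePath

# Magic-byte signatures for the download types discussed above (assumed table).
SIGNATURES = {
    b"MZ": "executable",                 # Windows PE (.exe, .dll, .scr)
    b"\x7fELF": "executable",            # Linux ELF binary
    b"%PDF": "document",                 # PDF
    b"\xd0\xcf\x11\xe0": "document",     # legacy OLE Office (.doc, .xls)
    b"PK\x03\x04": "archive_or_office",  # zip container, also .docx/.xlsx
}
EXEC_EXTS = {".exe", ".dll", ".scr", ".msi", ".com", ".bat", ".ps1"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Decide the policy action for one download.

    Executables (by content or by extension) are restricted, everything else,
    including unknown content, is opened only inside an isolated container.
    'disguised' flags the document-name-over-executable-bytes pattern and
    double extensions such as invoice.pdf.exe.
    """
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    disguised = (ext in DOC_EXTS and kind == "executable") or (
        len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and ext in EXEC_EXTS
    )
    if kind == "executable" or ext in EXEC_EXTS:
        action = "block_unless_approved"  # policy restricts executable files
    else:
        action = "open_isolated"          # documents/unknown: open in a micro-VM
    return {"kind": kind, "ext": ext, "disguised": disguised, "action": action}


if __name__ == "__main__":
    # Constructed sample downloads: a real PDF and an executable named like one.
    print(classify("schedule.pdf", b"%PDF-1.7\n"))
    print(classify("invoice.pdf", b"MZ\x90\x00\x03"))
```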

If you’re using existing solutions, you are not protected from malicious downloads.

Malicious downloads are traditionally addressed by three defensive approaches—with varying degrees of effectiveness—each with serious drawbacks when applying broad-brush solutions at enterprise scale: site categorization, detection and remote browsing.

Because site categorization and detection processes are reactive and always trail the current threat, the defensive perimeter has shrunk to the application level, where a last line of defense is needed to ensure the safety of downloaded file content.

Application isolation is the key to letting employees get back to work and for CISOs to stop worrying.

By its unique and innovative design, Bromium forgoes both detection and site categorization in favor of application isolation and eliminates remediation by containing file and application threats away from the host using virtualization-based security. Bromium protects organizations from downloaded threats with Bromium Secure Files. Native applications running on the host machine transparently inside micro-virtual machines—not remotely rendered documents—offer fast and familiar performance, usability, and support for rich content formats.

Using hardware-enforced isolation, each downloaded document or executable file runs in its own secure container. Malicious threats delivered via file downloads are completely isolated from the host—and from all other applications to prevent cross-contamination—so that the threat physically has no place to go. When the application or file is closed, the threat is terminated along with the micro-VM. The full malware kill chain is sent to the Bromium Controller and shared with all other Bromium devices on that customer’s network via the Bromium Sensor Network, further hardening the infrastructure and reducing the overall attack surface.

Bromium micro-VMs isolate malicious document and executable downloads from the host while letting them run safely.

Our secure, native application isolation delivers clear benefits over categorization- and detection-based solutions and remote browsing proxies as the last line of defense. Let us secure and validate your downloads so users can do their work, safely download any web content, and click with confidence!