Macro Security for Enterprise Defenders
In my experience, one of the most prevalent and common threats to today’s enterprise networks comes in the form of malicious email attachments (shocker!). Attackers leverage document types that are most likely accessible to software installed on the victim endpoint, making Microsoft Office a prime target. Yes, in 2016, malicious macros are still a major problem.
Almost all organizations rely on macros for business functions as they provide significant value in the form of automation. Some security-conscious organizations have even taken the rash approach of blocking macros altogether. Others struggle to find the delicate balance between allowing legitimate macros while reducing the likelihood of malicious code execution via Microsoft Office documents.
As Windows 10 and other modern operating systems migrate towards enforcing trusted digital signatures on executable code, why should enterprise admins continue to allow unsigned macro code (copied and pasted from Stack Overflow by Jane Doe in accounting) to run rampant? Macro security is not an all-or-nothing choice; your enterprise can use macros while still reducing (or virtually eliminating) the risk of malicious code in VB projects.
Jessica Payne with the Microsoft Threat Research team makes a great point; even security teams are failing at securing the macro-enabled threat vector!
"A lot of great security orgs have done phenomenal red teaming and threat modeling work on app vulns, and get hit via macros via email." — Jessica Payne (@jepayneMSFT), September 6, 2016
The chart below highlights email as the primary delivery mechanism for ransomware, where email attachments make up a sizable 28%. While not all of these may be macros, it is safe to assume many likely are.
Source: Osterman Research, August 2016
Fortunately, there is a fairly simple (yet grossly underused) solution to this particular problem that is well within reach of enterprises operating their own internal Enterprise Certificate Authority. This means the enterprise has deployed a Trusted Root Certification Authority certificate to all endpoints on the network so that enterprise resources are automatically trusted (think proxies, firewall interception pages, intranet portals, etc.).
Using this same enterprise trust system, system administrators and blue teams can work together to leverage Digital Code Signing and Macro Security settings in Microsoft Office to virtually eliminate the possibility of malicious macros being executed on domain computers.
Here’s an implementation plan that I have deployed at a large organization with over 10,000 users:
- Get buy-in from leadership
  - This is ‘Step 1’ for any enterprise-wide project that might cause friction. This particular project sell should be a cakewalk if the statistics and risks are conveyed properly.
- Ensure your organization has a fully functioning Enterprise Certificate Authority in place and installed on all workstations. A functioning CRL is highly suggested as well.
  - Positively identify who controls the Root & Intermediate certificates and has the ability to grant signing certificates; you will need their help with this.
- Identify who will own the code review/signing process
  - Typically a Cyber Security or IT Quality Assurance team.
  - Start training these folks right away to prepare for subsequent steps.
  - It is advisable to use code signing certificates that belong to a purpose-built process account. You can generate multiple code signing certs and distribute them to members of this team, placing team member names in the common name for each cert. Otherwise, if each member generates a cert using their own AD account and ever has their AD account disabled, all code signed with their certificate will break (a bad situation for all).
- Begin talking with all business units to identify the scope of macro usage across your enterprise.
  - Some units will know their internal POCs/authors for heavily-used macros; others may have no idea. Find these POCs; they will be instrumental in this implementation.
  - Scope can also be expanded by searching network drives, SharePoint, etc. for macro-enabled documents, but this is more time- and labor-intensive. The previous step is the best method for this.
- Once the scope has been reasonably estimated, set a deadline approximately 60-90 days out. This is the day your System Administrators will push the Group Policy to disable unsigned macros across the enterprise.
- Begin communicating with your entire organization about this initiative and the upcoming deadline.
  - Be sure to highlight why this is happening, as most users may not understand the danger posed by unchecked macros.
  - Inform potential macro authors that all projects they have created will need to be submitted for review and signing prior to the deadline, or the code will stop running.
  - Educate all users that changes to signed projects will break the digital signature and therefore cease to function. Modified projects will need to be re-submitted for digital signature.
- Provide a channel for macro submissions, ideally a ticketing system for tracking and metrics.
- Churn through the first wave of submissions from your users, reviewing, digitally signing and returning their macros. You will likely find that once this initial wave is complete, your review/signing team will get fewer and fewer submissions as time goes on.
- When the deadline is met, use Group Policy to require digital signatures for all macros.
  - The details of the actual GPOs to employ are dependent on your version of Windows and Office. Be sure to properly research and test your appropriate GPO modifications.
- Send another notification to your users about the finalization of this change. Many will somehow still manage to “forget” and complain when macros “break” for them.
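For the network-drive search and the pre-deadline triage in the plan above, here is an added example (not part of the original post) that inventories Office documents and reports which ones carry a VBA project and whether that project has a signature part. It assumes OOXML packages (.docm, .xlsm, ...); the extension lists, status labels and function names are this example's own, and legacy binary formats are only flagged for manual review.

```python
import os
import tempfile
import zipfile

# Extension lists are this example's choice; part names follow the OOXML package layout.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".xlam", ".pptx", ".pptm", ".ppsm"}
LEGACY_EXTS = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pps"}

def classify(path):
    """Return 'legacy', 'unreadable', 'no-macro', 'unsigned' or 'signed'."""
    if os.path.splitext(path)[1].lower() in LEGACY_EXTS:
        return "legacy"  # OLE binary format: needs an OLE parser, review by hand
    try:
        with zipfile.ZipFile(path) as pkg:
            parts = [os.path.basename(n).lower() for n in pkg.namelist()]
    except (zipfile.BadZipFile, OSError):
        return "unreadable"  # encrypted, corrupt, or not really OOXML
    if "vbaproject.bin" not in parts:
        return "no-macro"
    # A signature part only shows the project was signed; Office still checks validity and trust.
    signed = any(p.startswith("vbaprojectsignature") for p in parts)
    return "signed" if signed else "unsigned"

def inventory(root):
    """Walk root and map each Office document (relative path) to its status."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in OOXML_EXTS | LEGACY_EXTS:
                full = os.path.join(folder, name)
                report[os.path.relpath(full, root)] = classify(full)
    return report

def build_sample_share(root):
    """Write constructed sample files (placeholder contents) for the demo."""
    samples = {"budget.xlsm": ["xl/vbaProject.bin"], "memo.docx": ["word/document.xml"],
               "timesheet.xlsm": ["xl/vbaProject.bin", "xl/vbaProjectSignature.bin"],
               "renamed.docx": ["word/document.xml", "word/vbaProject.bin"]}
    for name, parts in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:
            for part in parts:
                z.writestr(part, b"constructed sample")
    with open(os.path.join(root, "old.xls"), "wb") as f:
        f.write(b"constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        print(*sorted(inventory(share).items()), sep="\n")
```

Documents reported as `unsigned` are the ones whose authors need to submit for review before the deadline; `signed` still has to be confirmed against your own code signing certificates.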
In our implementation of this strategy, we initially reviewed and signed over 200 macros prior to our deadline for signature enforcement. Since the implementation, we receive fewer than 10 macros per week on average - a very light workload for our security team and a small price to pay for a significant increase in our security posture!
If you are considering deploying this effective measure in your own environment, check out this example of a checklist for macro reviewing and signing based on one I developed for my own team. It’s stripped down to the very basics, but a great start to point your code review team in the right direction.