
How to Protect your endpoint from web-based attacks?

  • Writer: Robert Rybicki
  • Feb 18, 2023
  • 4 min read

International Maritime Organization (IMO) Cyber Security Superyacht

What is it about?


We need to focus on making it as difficult as possible to deliver malicious payloads to your endpoints (focusing on workstations).

Our priority is to block *all* ads regardless of their source (whether or not the ad network is considered safe). Hopefully you have followed my last posts, and ads are already blocked to a large degree at the web proxy level.

Now is the time to block them at the endpoint level, in the browser.

Stopping exploits and malware by blocking ad networks and ads.

Exploits and malware, sometimes even highly advanced ones, are distributed via ad networks and hacked websites.

While you can't control the latter even if you have a whitelist policy on your web proxy, you can control which ads are seen in your network.

Malvertising

Malvertising means serving malware via ad networks.

Recent news reports have proof of malware being served even on YouTube via AdSense (Google).

If even Google can't control what its ad network is showing to your employees, isn't it time to do something about it yourself?


From my experience, at least 30% of all malware incidents in a company are generated from malicious ads. If you can decrease the malicious incidents at your company by 30% just by blocking ad networks, you should.

Not to mention the added benefits: a better browsing experience, less tracking of your users, better privacy and, last but not least, less bandwidth utilization, by as much as 5-10%!


Blocking ads using extensions

Browsers can't block ads on their own, as they can't distinguish advertising from non-advertising elements. To block ads in your browser you will need an extension (which should also be easy to distribute; follow your browser's manual).


Many are already using "ad-blocking" extensions on personal devices. It is time to adopt them across the company.

https://adblockplus.org is readily available for most browsers out there. So far, it has been the most widely adopted and the most effective measure against ads and malvertising. AdBlock, however, has a little 'issue': some people say it has signed contracts with major advertising networks to 'whitelist' their ads for a certain payment.


They don't advertise this fact on their project's website, but for me personally, that's a red flag.


Even though AdBlock is effective, I would use uBlock.


Advertising networks are getting smarter, just as malware writers got smarter with time, and the blacklist approach is really starting to lag, but we should continue doing our best.

Even though AV detection rates are diminishing, we must use antiviruses at work.


The same applies to blocking ads: even though there may be new and unknown delivery hosts every day, we should and must use ad-blocking techniques all the time, to block at least the most widely used ad distribution networks and prevent malicious code from being distributed this way.

Blocking ads using the hosts file


On Linux and Windows (as well as FreeBSD, macOS, and other operating systems), you can block ads by redirecting ad network domains to localhost in the hosts file.


You can read more about this extremely effective technique at

https://github.com/StevenBlack/hosts

Use a different browser


Many of you have not heard of it because it is produced by a Chinese company: the 360 Safe Browser. It has ad blocking built in, besides having three browsing engines inside and full compatibility with Chrome extensions.


One added benefit is the use of their intelligence network to block known phishing / malicious websites.


With 500+ million hosts as their client base, the detection rate is not bad... BUT... do your own research.

Block redirects


Often, malicious scripts redirect the user from a legitimate website (hacked or not) to malicious websites using 302 redirects.

This type of redirect is crucial to the operation of the Web, but since it is not always critical to your users, I would say go ahead and disable them.


I have not yet found an easy way to block redirects in the Chrome browser, but you can easily harden the Firefox browser.


It works well; I am happy with it and recommend it. If you must deploy a solution for this across the enterprise, just block 302 redirects on your web proxy appliance, as that would take care of the problem.

Talk to your proxy administrator


Your web proxy appliance (or your handy proxy admin) should be able to block ad networks without you having to modify your own computer or every computer on the network.


This has the added benefit of centralized management and easy troubleshooting, in case some domain needs to be unblocked.


Block ads at the gateway level


Learn how to block ads using DNSMasq & Pixelserv.


The setup takes less than 30 minutes and can be performed on any gateway, provided it runs an OS capable of running these packages.


Pixelserv is used to serve 1x1 GIF pixels to prevent 404 errors from the blocked ads and to enhance the user experience; otherwise you will see all kinds of nasty rendering bugs on your web pages. Note: this method does not block text ads, and it is still recommended that you use some of the browser add-ons mentioned above.

Besides blocking malware, there are other benefits to blocking ads: less traffic and a faster, safer browsing experience.
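To show how the hosts-file method above and the dnsmasq gateway sinkhole differ, here is an added example (not code from this post, from StevenBlack/hosts or from dnsmasq) that parses a constructed hosts-format blocklist, turns it into dnsmasq `address=` lines pointing at a pixelserv address, and models the lookup semantics of both layers. The sample domains and the pixelserv IP 192.0.2.10 are assumptions for illustration.

```python
# Added example: the hosts file matches exact names only, while a dnsmasq
# "address=/name/ip" entry also answers every subdomain beneath that name.
from __future__ import annotations

# Constructed sample in hosts-file format; the domains are placeholders.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net tracker.example.net   # several names per line
0.0.0.0 cdn.ads.example.org
"""

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
PIXELSERV_IP = "192.0.2.10"  # assumption: LAN address where pixelserv listens

def parse_hosts(text: str) -> set[str]:
    """Return the hostnames a hosts file sinkholes, ignoring comments and local names."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            blocked.update(n.lower() for n in names if n.lower() not in LOCAL_NAMES)
    return blocked

def hosts_blocks(blocked: set[str], host: str) -> bool:
    """Hosts-file semantics: exact match only, so a new subdomain is not caught."""
    return host.lower() in blocked

def to_dnsmasq(blocked: set[str], sink_ip: str = PIXELSERV_IP) -> list[str]:
    """Emit dnsmasq address= lines that point each name and its subdomains at pixelserv."""
    return [f"address=/{name}/{sink_ip}" for name in sorted(blocked)]

def dnsmasq_blocks(blocked: set[str], host: str) -> bool:
    """dnsmasq address= semantics: the name itself and every label beneath it."""
    h = host.lower()
    return any(h == name or h.endswith("." + name) for name in blocked)

if __name__ == "__main__":
    names = parse_hosts(SAMPLE_HOSTS)
    print("\n".join(to_dnsmasq(names)))  # lines to drop into a dnsmasq conf.d file
    for host in ("ads.example.net", "new.ads.example.net"):
        print(host, "hosts:", hosts_blocks(names, host), "dnsmasq:", dnsmasq_blocks(names, host))
```

Running it prints the generated dnsmasq lines and shows that a freshly created subdomain of a listed ad host is only sinkholed by the gateway, which is why the two layers complement each other.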


After all, why would you want to load a 10 second clip of someone selling you stuff you don't want, thousands of times per day? :)

