ASD Essential Eight – Restricting Office Macros
The Australian Signals Directorate (ASD) has published a useful list of prioritised cyber mitigation strategies since February 2017. Known as the ASD Essential Eight, there is little doubt in anyone’s mind that these controls reduce incidents, however, one important mitigation strategy didn’t make it onto the list – restricting office macros.
Why restricting Office Macros is so important
By configuring your Microsoft Office Macro settings to prevent uncontrolled macros from running, you will significantly reduce your organisation’s attack surface and improve your security posture. Let’s take a look at this mitigation strategy and see what organisations can do to enforce this at an organisational level.
What are Office Macros?
Microsoft Office documents can contain embedded functions written in a special programming language known as Visual Basic for Applications (VBA). VBA can turn simple documents into multifaceted applications offering complex interaction with the user and the processing power of a compiled application. These embedded applications are known as Macros and if you open a Macro in the Visual Basic Editor you’ll immediately see the similarity to Microsoft’s Visual Studio Integrated Development Environment (IDE), which is used by software developers to build even the most complex of Windows applications. For this reason, Macros extend Office users an incredible degree of control over the application interface, but with this level of power, they can also interact with the operating system, making them the perfect transport mechanism for malware.
Can’t you just switch it off?
Many people ask the question why you can’t just switch Macros off? The problem is that many Microsoft Office power users use Macros to automate repetitive tasks, thus making them more productive. Security teams therefore need to strike the right balance between enabling users to be more productive and efficient, while protecting the business from the inevitable malware that comes embedded in harmful Office documents.
Macro Security Issues
Macros that contain harmful code are known as Macro Viruses and they are not a new phenomenon. The oldest (and one of the most written about) Macro virus appeared in 1999 and was called Melissa. Melissa would automatically spread from one computer to another by e-mailing itself to the user’s contacts in their address book.
The problem is that when a malicious macro is executed (often by the action of no more than opening the document), it can start copying itself into other documents, potentially even corrupting valuable corporate data while spreading laterally to other users. These days, harmful Macro code is often used in blended attacks, where clever social engineering techniques are used to craft compelling emails, enticing the user to open the attachment, which contains the harmful VBA. By running the Macro, the user has set off a chain of events that are a precursor to something more insidious, such as dropping keyloggers, Trojans, rootkits or Ransomware onto the user’s device.
In their 2016 Threat Report, ASD reported, “an increasing number of attempts to compromise organisations using social engineering techniques and malicious Microsoft Office macros. The use of these malicious Microsoft Office macros can range from cybercrime to more sophisticated exploitation attempts.”
Why not download our ASD Essential Eight white paper to discover how to build a resilient defence against cyber attacks:
Macro Mitigation Strategies
Since the Macro Virus issue has been around for almost two decades, Microsoft has developed several useful security features within Office to help manage the risk. Administrators can configure what are called “trusted locations,” which are places where documents containing VBA are trusted by the operating system and can therefore run. Furthermore, documents themselves can be trusted, however, this can become an administrative burden so is largely discouraged in large enterprises. Trusted locations are better, since they also allow organisations to select a place where sophisticated Microsoft Office documents can execute their embedded code, while prohibiting it in, for example, email attachments or the user’s Downloads folder.
The best approach to mitigating the risks associated with harmful Macros is application signing. VBA developers can use digital certificates to sign their macros, thus confirming they were authored by someone they can trust and that the code itself has not been altered. Digital certificates can be self-generated by users or obtained from a Certificate Authority (either externally or from your internal Public Key Infrastructure).
Note: If you decide to use application signing to prevent malicious Macros from running, you should also disable support for trusted documents and trusted locations.
You’ll find that certain users will want to create and publish Macros, so consider building an internal process that allows them to be issued with a signing certificate, so they can build the signing process into their workflows. You can then add the developer’s certificate to the operating system’s list of Trusted Publishers.
System administrators can enforce Macro security settings using Group Policy, thus overriding the configuration options available to end users within Microsoft Office. Furthermore, once Macros are fully controlled within the organisation, security managers can use the application logs on user workstations to look for any indicators of compromise that might suggest rogue code is attempting to run – this can factor in the organisation’s incident response planning.
Improve Protective Monitoring to help mitigate cyber risk
VBA introduces a degree of flexibility and power to Office users that significantly extends the standard application capabilities. However, VBA can also be used by attackers to embed harmful code in Microsoft documents.
This is an old problem and something Microsoft tackled almost two decades ago, yet as a threat vector it has never gone away. We’ve now seen a resurgence in VBA encoded malware over the past few years, especially as a vector for Ransomware, so system administrators and security managers need to get to grips with Macro security and introduce mitigations to control the threat.
This control ties well into our recommendations on implementing the ASD Essential Eight migitation strategies and supports our call to action on improving protective monitoring to gain situational awareness across your business environment.
For more information on how protective monitoring can assist in mitigating security threats, check out our infographic:
 The Essential Eight category of User Application Hardening includes controlling of Microsoft Office Macro settings, but isn’t explicitly referenced in the Essential Eight since it’s too specific. However, looking at ASD’s full list of Strategies to Mitigate Cyber Security Incidents, control of Microsoft Office Macros is categorised as Essential.
See https://www.asd.gov.au/publications/Mitigation_Strategies_2017.pdf for more details.