Let's talk about malware delivery during the compromise endpoint phase portion of the malware killchain.

For new malware, as opposed to already entrenched malware, there needs to be a delivery mechanism. These are the typical methods used for malware delivery:

1) Web based exploitation
2) Malware download
3) Email attachments

Delivery can be done in multiple ways - a push mechanism, a pull mechanism and even some assembly required. One way or another the malware needs to be delivered or received in order for a new attack.

I keep referring to new deliveries because any existing active or dormant (yes they go to sleep, hibernate and look for certain tools being present) malware doesn't need to be delivered. This is very true of ransomware. Ransomware had to be delivered, if you got ransomware you have entrenched malware even if you paid for unlock keys. The threat is still within your organization and these days the business practice of malware seems to use a six month window before asking for additional payments and you need to think of it as that. 

Of course there may be multiple malware instances present, and it won't be unthinkable to imagine multiple demands from multiple players over increasing time periods.

So, any Email only based solution won't block all vectors. Any web based solution won't block all vectors. Endpoint only solutions can only protect endpoints where it's installed and not already dormant on another server or storage. Network based security gateways and firewalls only have a chance to block that which traverses their interfaces or zones and only that which they can see (meaning it needs to be decrypted). 

Delivery protection is an important area to invest carefully and extensively as this is really the first line of defense against malware. However, no single solution covers all devices (operating systems) in most networks or all the delivery mechanisms.

Security awareness training is critical here as well. 

Delivery protection requires next generation firewalls, decryption, proper policies and inspection, drive by download protections, strong next generation endpoint solutions, DDoS and DoS protection, WAF (Web Application Firewalls) if appropriate, state of the art EMail protection (with multiple layers), internal segmentation/inspection and ideally new web protection solutions and of course user awareness.

Next time we'll investigate the six common malicious actions that malware may attempt to invoke after it has been delivered.