
The 7 stages of advanced threats & data theft

DQI Bureau

If you are a CIO or CISO struggling to comprehend the ever-growing threat landscape, the following insights from Websense give a heads-up on the nature and complex manifestations of advanced threats and data theft.


Stage 1: Reconnaissance

The initial stage focuses on reconnaissance. Targeted attackers access credentials and research online profiles, email IDs, org chart information, hobbies and interests from social profiles to gain insight on their victims. The aim is to gather intelligence to build lures that are very targeted and have a high propensity to succeed.

Stage 2: Lures


Web lures prey on human curiosity. Already common in Search Engine Optimisation (SEO) poisoning, leveraging natural disasters, and using celebrity events as lures, they have now moved into private social circles between friends within social networking. Email lures are less social and event-based, as they lean towards an expected notification that you are likely to allow through a spam filter. The top five email lure topics are: order notifications, ticket confirmations, delivery notices, test emails and tax return information.

Targeted attacks come in low volume to specific individuals (often for known upcoming events or expected meetings divined through social profiling), whereas broad attacks will use video, news, or celebrity lures in social networking.


How comfortable are you with your current defenses' ability to analyse content within private social circles to identify lures and protect users? Is threat intelligence between web and email shared and correlated? Does it recognise and reflect that 92% of email spam has a URL? Today, a good email defense starts with a great web defense.


Stage 3: Redirects

Users are usually directed to a survey, rogue anti-virus offer or a fake web page where an exploit kit is waiting. Mature redirects are SQL injections and iFrame injections that take users blindly down a path to web services, content, and often to offers that they do not desire. Malvertising (malware advertising) also blindly redirects users within popular sites. Newer redirects include social networking wall postings, fake plug-ins, fake certificates, and heavily obfuscated JavaScript.

The goal for a blind or hidden redirect, or from a lure, is to herd users onto a desired path for analysis by an exploit kit, to a survey, rogue AV offer, or fake web page. As redirects are often dynamic and fast changing, defenses need to be able to assess web links in real-time.


Stage 4: Exploit Kits


One of the more powerful and effective stages of an advanced threat is the exploit kit (e.g. Blackhole). In the past, the objective was to lure users, redirect them down a path, and then dump a malware file on their systems. This led to quick detections by threat labs and gave the attack a very short life. However, in a few minutes or an hour, many people could still be impacted. The exploit kit objective is more like that of a sniper: take the shot with a malware dropper file only when an open door for tested vulnerabilities is found. If no open vulnerability is found, the kit redirects the user to a clean web page and remains hidden.

Understanding exploit kits is important to advanced threat analysis and developing real-time defenses. Blackhole uses criminal encryption, which makes it difficult to detect with AV engines and generic de-obfuscation tools. If your only defense at the web gateway is AV, then the odds of exploit kits successfully penetrating your systems through vulnerable applications are high.

Stage 5: Dropper Files

This stage is what most people consider the focus of their forward-facing defenses: analyse every file that comes into the network for malware. The problem today is that dropper files use dynamic packers, so known signatures and patterns are not available; hence very few AV engines detect dropper files at the time of threat analysis.


What do you have beyond AV for advanced threats and data theft protection? One of the most popular dropper files is Rogue AV, or the fake scan and offer to clean your system. Traditionally focused on Windows systems, new versions are now being seen on Apple computers with names like Mac Defender or Protector.

Stage 6: Call Home

This stage and the next suggest that no set of defenses is 100% effective and that containment is the new defense for data theft protection. Cybercrime only needs one entry point into a network to start an infiltration aimed at stealing data.


Calling home for malware downloads and tools, and for sending back information, is standard fare for any successful online attack. The problem is that most defenses are only forward-facing and do not analyse outbound traffic from infected systems. The use of dynamic DNS is a common attack method to avoid call-home detection to static addresses. However, it also lends itself to a new defense for call-home analysis: infected systems and bots calling back to command and control servers are blocked from using dynamic DNS, while users can opt to continue on to trusted sites. Geo-location awareness is another call-home defense; however, malware communications, hosting, and phishing are mainly within the United States, domains that few policies will block. Destination awareness in the context of data loss prevention is also emerging. Contextual analysis of the data, user, destination, and other variables is an advantage to policies, so that confidential information is not sent to personal web mail, social networking accounts, or posted within private cloud storage apps. What defenses do you have that analyse outbound traffic for call-home advanced threat communications?

Stage 7: Data Theft

This is what attackers are after. The ability to contain an attack and stop data theft raises many questions. Can your defenses detect password files leaving your network or the use of criminal encryption on outbound files? Data theft where confidential information is exported in low volumes per request (drips) over a defined period of time to avoid detection should also be considered. Do your data-theft defenses provide you with forensic reporting that shows what data was blocked from leaving your organisation?
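The outbound-traffic checks raised under Stage 6 (blocking call-home to dynamic DNS) and Stage 7 (catching low-volume "drip" exfiltration) can both be run over a web proxy log. The example below is added here and is not Websense code; the log lines, the dynamic-DNS suffix list and the thresholds are all constructed placeholders that a real deployment would replace with its own.

```python
import re
from collections import defaultdict, deque

# Constructed sample outbound proxy log (not real traffic):
# epoch_seconds user method host bytes_out
SAMPLE_LOG = """\
1000 alice POST intranet.example-corp 512
1010 bob POST host7.ddns.example 4096
1020 alice POST intranet.example-corp 2048
1100 carol POST drop.example.net 900
1400 carol POST drop.example.net 950
1700 carol POST drop.example.net 980
2000 carol POST drop.example.net 990
2300 carol POST drop.example.net 940
"""
# Placeholder dynamic-DNS suffixes; load the real provider list in production.
DYNAMIC_DNS_SUFFIXES = ("ddns.example", "dyn.example")
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Turn proxy log lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, method, host, size = m.groups()
            records.append({"ts": int(ts), "user": user, "method": method,
                            "host": host, "bytes": int(size)})
    return records

def flag_dynamic_dns(records, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Stage 6: outbound requests to dynamic-DNS hosts, which the policy blocks
    by default while letting users opt through to trusted static sites."""
    def is_dyn(host):
        return any(host == s or host.endswith("." + s) for s in suffixes)
    return sorted({(r["user"], r["host"]) for r in records if is_dyn(r["host"])})

def flag_drips(records, window=1800, max_single=1024, cumulative=4000):
    """Stage 7: uploads that each stay under max_single bytes (to look harmless)
    but add up to at least `cumulative` bytes to one host within `window` seconds."""
    by_pair = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["method"] in ("POST", "PUT") and r["bytes"] < max_single:
            by_pair[(r["user"], r["host"])].append(r)
    hits = []
    for (user, host), reqs in by_pair.items():
        win, total = deque(), 0          # sliding window over small uploads
        for r in reqs:
            win.append(r)
            total += r["bytes"]
            while r["ts"] - win[0]["ts"] > window:
                total -= win.popleft()["bytes"]
            if total >= cumulative:      # (user, host, bytes in window, requests)
                hits.append((user, host, total, len(win)))
                break
    return hits
```

On the sample log, bob's call-out to the dynamic-DNS host and carol's five sub-kilobyte uploads (4760 bytes in 20 minutes) are the two findings; alice's larger single uploads to the intranet host are ignored by the drip check because the point is the aggregate, not any one request.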
