From All Sides: How to Gird Customers Against Multi-Vector Cyber Attacks

Tyler Moffitt

By Tyler Moffitt, Senior Threat Research Analyst, Webroot

One of the most common and worrisome threats in the current landscape are multi-vector attacks that combine various threat technologies, deployed in numerous stages, across multiple points of entry (vectors) to infect computers and networks. This blended approach increases both the cyber criminal’s likelihood of success and the severity of damage.

The range of vectors includes email, web browsers, display ads, hyperlinks, files, apps and external devices. More than 85 percent of malware infections occur via web browsing, according to recent analysis from my research team. Basic internet use is a high-risk activity for every customer. You need to emphasize the importance of being able to stop malware at every entry point, because after successfully breaching a system or network, attackers then use their access to deliver malicious payloads, such as adware, spyware, ransomware, keyloggers, viruses, rootkits, and data miners. Let’s first look at how these attacks happen, then discuss a framework to help stop them.

Matter of Time

Cyber criminals have so many potential points of entry that successful infection is numbers game. Millions of phishing emails are sent every day trying to plunder login credentials by spoofing websites or fooling users into opening attachments. Usually, these attachments are disguised as harmless Office documents with embedded scripts that silently run in the background to download malicious payloads when opened. These payloads can also be distributed from exploited web pages that inject code directly into a web browser, turning it into a backdoor for malware. Shopping sites with a large circulation on ad networks are a prime target for this vector. A new exploit allows hackers to spread malicious payloads laterally, like a worm, through networks via Microsoft file-sharing applications. This method can even compromise machines with no external connections to the internet, if they are connected to a network that also contains an infected system.

The dangers posed by this mixed bag of vectors are compounded if your customer is directly targeted. Cyber criminals look for vulnerable applications and will tailor phishing emails to appear as though they are originate internally. These attacks are designed to exploit the blind spots of conventional signature-based security, allowing malware to infiltrate systems undetected. A single-vector solution can protect end users only once the malicious payload is already on the system and attempting execution. The infection itself will be blocked only if there is a local signature unique to that new threat variant — a big “if.”

Let’s consider the following attack scenario:

(continued on next page)

Phishing email designed for HR employees

Stage 1: HR employee receives an email with what appears to be a response to a job posting. Along with a formal introduction and interest in the job, the email contains a link to the fictional applicant’s “LinkedIn profile” and Word document named “resume.doc.”

Stage 2 & Attack Vector 1: The HR employee downloads the attachment and opens it.

Stage 3: The document opens a blank page and requests the user “enable content” to view the document.

Stage 4 & Attack Vector 2: User clicks to enable content, unknowingly downloading a malicious payload. A default resume is then displayed to quell any suspicion.

Stage 5 & Attack Vector 3: The malicious payload downloaded in the previous stage spreads to all other computers on the network and executes.

Stage 6 & Attack Vector 4: After reading the fake resume, the user, unaware of any compromise, clicks on the “LinkedIn profile” link. The user is presented with a fake LinkedIn phishing page where it asks the user to enter their credentials to log in.

Stage 7 & Attack Vector 5: User enters their email and password and then is redirected to the real LinkedIn homepage.

Stage 8: 10 minutes later the user’s computer and all computers it could make connections to are now infected and files encrypted. Users’ credentials also have been siphoned.

So how can you protect customers against this sort of targeted attack? Smart, consistently enforced policies and ongoing end user education – a core element of a managed security services program – are a must. From a technology standpoint:

In the above scenario, a single-vector solution would be able to protect the recipient of the email only once …

… malware is executing on the machine. At that point, the single-vector solution has only one chance to stop the malware — by identifying and blocking it using a signature or with an algorithm. If the solution misses the malware, it has failed in its only chance to keep the machine infection free. When threats use an attack type that the single-vector solution has never seen before, the solution will have a hard time defending against it.

What Customers Must Do

To effectively combat these multi-vector attacks, organizations need a multi-layered security strategy that positions protection at each entry point. This approach is ideal because it provides multiple chances at multiple attack stages to block or stop a criminal before infection can succeed.

Here are some questions that help determine what layers a solution works to secure:

Partners, your customers need protection across each stage of the attack cycle to successfully detect and prevent today’s sophisticated attacks. Are you ready to provide comprehensive managed security services? My top thing to remember: When it comes to endpoint security, don’t put all your eggs in one basket.

Tyler Moffitt is a senior threat research analyst with Webroot. He has been with Webroot since 2010 working as a key member of the Threat Research team, immersed deep within the world of malware and antimalware. Tyler is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.