October 11, 2017
By Tyler Moffitt, Senior Threat Research Analyst, Webroot
One of the most common and worrisome threats in the current landscape are multi-vector attacks that combine various threat technologies, deployed in numerous stages, across multiple points of entry (vectors) to infect computers and networks. This blended approach increases both the cyber criminal’s likelihood of success and the severity of damage.
The range of vectors includes email, web browsers, display ads, hyperlinks, files, apps and external devices. More than 85 percent of malware infections occur via web browsing, according to recent analysis from my research team. Basic internet use is a high-risk activity for every customer. You need to emphasize the importance of being able to stop malware at every entry point, because after successfully breaching a system or network, attackers then use their access to deliver malicious payloads, such as adware, spyware, ransomware, keyloggers, viruses, rootkits, and data miners. Let’s first look at how these attacks happen, then discuss a framework to help stop them.
Cyber criminals have so many potential points of entry that successful infection is a numbers game. Millions of phishing emails are sent every day trying to plunder login credentials by spoofing websites or fooling users into opening attachments. Usually, these attachments are disguised as harmless Office documents with embedded scripts that silently run in the background to download malicious payloads when opened. These payloads can also be distributed from exploited web pages that inject code directly into a web browser, turning it into a backdoor for malware. Shopping sites with a large circulation on ad networks are a prime target for this vector. A new exploit allows hackers to spread malicious payloads laterally, like a worm, through networks via Microsoft file-sharing applications. This method can even compromise machines with no external connections to the internet, if they are connected to a network that also contains an infected system.
The dangers posed by this mixed bag of vectors are compounded if your customer is directly targeted. Cyber criminals look for vulnerable applications and will tailor phishing emails to appear as though they originate internally. These attacks are designed to exploit the blind spots of conventional signature-based security, allowing malware to infiltrate systems undetected. A single-vector solution can protect end users only once the malicious payload is already on the system and attempting execution. The infection itself will be blocked only if there is a local signature unique to that new threat variant — a big “if.”
Let’s consider the following attack scenario:
Phishing email designed for HR employees
Stage 1: HR employee receives an email with what appears to be a response to a job posting. Along with a formal introduction and interest in the job, the email contains a link to the fictional applicant’s “LinkedIn profile” and Word document named “resume.doc.”
Stage 2 & Attack Vector 1: The HR employee downloads the attachment and opens it.
Stage 3: The document opens a blank page and requests the user “enable content” to view the document.
Stage 4 & Attack Vector 2: User clicks to enable content, unknowingly downloading a malicious payload. A default resume is then displayed to quell any suspicion.
Stage 5 & Attack Vector 3: The malicious payload downloaded in the previous stage spreads to all other computers on the network and executes.
Stage 6 & Attack Vector 4: After reading the fake resume, the user, unaware of any compromise, clicks on the “LinkedIn profile” link. The user is presented with a fake LinkedIn phishing page that asks the user to enter their credentials to log in.
Stage 7 & Attack Vector 5: User enters their email and password and then is redirected to the real LinkedIn homepage.
Stage 8: 10 minutes later, the user’s computer and every computer it could connect to are infected and their files encrypted. The user’s credentials have also been siphoned.
So how can you protect customers against this sort of targeted attack? Smart, consistently enforced policies and ongoing end user education – a core element of a managed security services program – are a must. From a technology standpoint:
Attack Vector 1: While the downloaded document is harmless at this point, other attachments like scripts “resume.doc.js” can execute and compromise a system once opened. This is a traditional phishing attack and requires a solution with real-time, anti-phishing components.
Attack Vector 2: Once a user enables content (macro scripts), they are allowing the Office suite to download and execute malicious payloads silently behind the scenes. A solution with behavior and real-time reputation analysis is needed to potentially block the execution. If the script is able to execute and retrieve payloads, you would also need a URL/IP reputation solution to block those connections.
Attack Vector 3: The malicious payload will use exploits to elevate user permissions and then spread laterally to all other computers it can connect to on the network using embedded Microsoft file-sharing applications. Then, those payloads will elevate those machines’ permissions, execute and continue to spread. You need a solution that will detect and block the malicious payloads, something with behavior and real-time reputation analysis.
Attack Vector 4: Phishing sites are not used only to gather credentials. Even if the user doesn’t enter any info, just by visiting the page, exploits can trigger and inject the web browser process to download malicious payloads. Consider a solution at the DNS layer to block malicious sites from the start.
Attack Vector 5: The credentials gathered include an email and a password. These constitute a viable platform for the criminal to commit a further crime by using those credentials in identity theft.
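The mail-gateway checks below are an added example and are not Webroot code or anything from the original column. They put the technology points for Attack Vectors 1, 2 and 4 into one triage routine that runs over a parsed message: a script hiding behind a document extension (“resume.doc.js”), an Office attachment carrying a VBA macro project (the kind that prompts “enable content”), a hyperlink whose visible text names LinkedIn while its host is not a LinkedIn domain, and a link host that a DNS-layer filter would refuse to resolve. The sample message, the brand-domain table and the DNS blocklist are all constructed for this example; the `.example` hosts are placeholders.

```python
"""Mail triage for the HR phishing scenario (added example, not Webroot code).

All sample data below (message, brand domains, DNS blocklist) is constructed.
"""
import io
import re
import zipfile
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions that execute as scripts or programs when opened on Windows.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd", "scr", "exe"}
OFFICE_EXTENSIONS = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "ppt", "pptm"}

# Constructed: brands whose names are spoofed in link text, and the domains they legitimately use.
BRAND_DOMAINS = {"linkedin": {"linkedin.com", "www.linkedin.com"}}

# Constructed: hosts a DNS-layer filter would refuse to resolve (placeholder names).
DNS_BLOCKLIST = {"linkedin-profile-view.example", "cdn-update.example"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def attachment_findings(name: str, payload: bytes) -> list[str]:
    """Attack Vectors 1 and 2: script-behind-document names and macro-enabled Office files."""
    findings = []
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXTENSIONS and parts[-2] in OFFICE_EXTENSIONS:
        findings.append(f"double extension hides script: {name}")
    elif parts[-1] in SCRIPT_EXTENSIONS:
        findings.append(f"script attachment: {name}")
    # OOXML documents are zip containers; a VBA project is stored as vbaProject.bin.
    if parts[-1] in OFFICE_EXTENSIONS and payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                    findings.append(f"macro-enabled Office document: {name}")
        except zipfile.BadZipFile:
            findings.append(f"Office attachment is not a valid OOXML container: {name}")
    return findings


def link_findings(html: str) -> list[str]:
    """Attack Vector 4: brand-name link text pointing off-brand, and DNS-blocklisted hosts."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text).strip().lower()
        for brand, domains in BRAND_DOMAINS.items():
            if brand in visible and host not in domains:
                findings.append(f"link text claims {brand} but points to {host}")
        if host in DNS_BLOCKLIST:
            findings.append(f"link host on DNS blocklist: {host}")
    return findings


def triage(msg: EmailMessage) -> list[str]:
    """Walk every MIME part: attachments go to the file checks, HTML bodies to the link checks."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            findings.extend(attachment_findings(name, part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/html":
            findings.extend(link_findings(part.get_content()))
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed message mirroring the scenario: resume attachments plus a spoofed LinkedIn link."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a VBA project
    msg = EmailMessage()
    msg["From"] = "applicant@example.net"
    msg["To"] = "hr@example.com"
    msg["Subject"] = "Re: Job posting"
    msg.set_content(
        '<p>Please find my resume attached. My profile: '
        '<a href="http://linkedin-profile-view.example/login">LinkedIn profile</a></p>',
        subtype="html",
    )
    msg.add_attachment(macro_doc.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="resume.docm")
    msg.add_attachment(b"var x = 1;", maintype="application", subtype="javascript",
                       filename="resume.doc.js")
    return msg


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("FLAG:", finding)
```

Each finding maps to one layer the column asks for: the attachment checks stand in for the anti-phishing and behavior layers at the endpoint, the brand/host mismatch for in-browser identity protection, and the blocklist lookup for the DNS layer. Any one of them alone lets the scenario through at some stage; together they give several independent chances to stop it before Stage 8.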
In the above scenario, a single-vector solution would be able to protect the recipient of the email only once malware is executing on the machine. At that point, the single-vector solution has only one chance to stop the malware — by identifying and blocking it using a signature or with an algorithm. If the solution misses the malware, it has failed in its only chance to keep the machine infection free. When threats use an attack type that the single-vector solution has never seen before, the solution will have a hard time defending against it.
To effectively combat these multi-vector attacks, organizations need a multi-layered security strategy that positions protection at each entry point. This approach is ideal because it provides multiple chances at multiple attack stages to block or stop a criminal before infection can succeed.
Here are some questions that help determine which layers a solution actually secures:
Does it offer in-browser protections?
What about identity protection in the browser?
Does it use proprietary or open source threat intelligence?
Is the company a resource that top service providers and IT services experts rely on?
How many times a day does its threat intelligence platform get updated?
We all know machine learning takes a certain amount of training – how long has the company been using machine learning? How robust are its models?
Partners, your customers need protection across each stage of the attack cycle to successfully detect and prevent today’s sophisticated attacks. Are you ready to provide comprehensive managed security services? My top thing to remember: When it comes to endpoint security, don’t put all your eggs in one basket.
Tyler Moffitt is a senior threat research analyst with Webroot. He has been with Webroot since 2010 working as a key member of the Threat Research team, immersed deep within the world of malware and antimalware. Tyler is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.