Attacks/Breaches
12/2/2013
11:06 AM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Zero-Day Drive-By Attacks: Accelerating & Expanding

The zero-day attack business is no longer just about money, and patching is no longer the best defense.

A successful drive-by shooting requires planning, timing, effective weapons and a quick exit (or so I’m told by friends who play Grand Theft Auto). In the cybersphere, zero-day drive-by attacks succeed based on the same criteria, but unfortunately the fast escape is rarely required.

Exploit packs are the core commodity that facilitates drive-by attacks for global cyber criminals. Since 2005, when Mpack was first released, over 100 individually marketed exploit packs -- with names like Black Hole, Neutrino, and Sweet Orange -- have been sold to leverage the World Wide Web and to exploit victims’ computers. The exploit pack itself is literally a bundle of exploits for known vulnerable software neatly packaged with an administrative web interface. Exploit packs are purchased in the criminal underground and installed on web servers where the owners periodically check their instance’s drive-by efficacy.

Once an exploit pack is installed, an attacker must push victim web traffic to the exploit pack site. These days there are numerous methods to compromise web pages and redirect unsuspecting visitors. Top 10 Google search results (via thousands of newly generated and linked blogs), advertising and content delivery networks, popular blogs, and even large news sites are regularly compromised. One second a victim is reading the news and the next his/her system is seamlessly redirected and probed for software vulnerabilities.

That’s where it starts. The applications we all use and love (think Adobe Reader, Oracle’s Java, Microsoft Office, and all four of the major web browsers) must be constantly updated. When these applications aren’t patched, drive-by exploitation happens instantly and some hideous piece of malicious code (adware, malware, crimeware, ransomware) ends up on a victim’s computer. Drive-by attacks really are insidious because they require only that victims browse the web and criminals are only too happy to abuse the landscape where millions of potential victims roam.

Exploding demand
As a result, demand for new and improved exploit packs is constantly expanding. Exploit pack authors are forced to update their crimeware services with new exploits as soon as new software vulnerabilities are announced or risk losing hard earned criminal market share due to an obsolete product. So like any profitable software company, authors write an exploit once (or copy it from the helpful Internet), update the exploit pack, license it on a per server basis, and continue to watch the e-currency stack up.

Unfortunately the drive-by business is no longer just about money. It turns out that hard working 9-5 nation state actors are already receiving a pay check with a government insignia on it. These men and women are concerned with political intelligence gathering and intellectual property theft for the purpose of competitive advantage on a grand scale.

It didn’t take long for these nation state actors to realize that they could improve upon well established and successful criminal attack vectors. The original derivative work was spear-phishing. This turned mass market criminal phishing attacks - sent without regard to the recipient’s identity - into highly targeted emails sent to extensively researched individuals. Naturally these emails include attachments or links relevant to the target victim in order to entice them to act. This technique was (and continues to be) incredibly effective on all kinds of government and industry verticals.

After years of successful network compromises and data exfiltration with spear-phishing, these foreign government employees decided to add another strategy to the playbook: the watering-hole attack.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 3:40:05 PM
Re: Patching not enough
That's a great observation and point about how, to quote Gartner,  information security is becoming a big data problem that will require a major shift in mind set and skills sets of security professionals. 

 

 

 
levigundert
50%
50%
levigundert,
User Rank: Apprentice
12/3/2013 | 1:56:44 PM
Re: Patching not enough
Absolutely. If the solution is going to be homegrown, the required resources - primarily human and time - are going to be substantial. It's more likely (especially for small and medium size businesses) that a behavioral prevention product will be purchased from a vendor that is already spending considerable resources on acquiring the right data and hiring top data science talent.

It's certainly possible to create an in-house solution, but it's likely to be cost-prohibitive for all but the largest organizations. Many of the Big Data tools are open source and straight forward to setup, but the barriers to entry are high for acquiring the data and talent necessary to compete with security vendor efforts.

That being said, security professionals should become familiar with Big Data tools and methodologies because it's the future of agile security programs.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 12:33:23 PM
Re: Patching not enough
"...big data insight, talented data scientists, and evolving predicative signal identification.." that seems like a pretty steep learning curve for today's typical  information security professional, not to mention a totally different orientation. What do you think the corporate security team would look like in order to successfully develop and manage a behavioral solution? 
levigundert
50%
50%
levigundert,
User Rank: Apprentice
12/3/2013 | 12:00:24 PM
Re: Patching not enough
Thanks for the question Marilyn. Quite a few security vendors are currently competing to provide superior behavior scoring solutions. I'm obviously partial to what we're doing at Cisco with our cloud based approach, but the point is that subscribing to static threat intelligence lists - malicious IP addresses, domains, etc. - and creating derivative access lists (ACLs) is only going to protect users up to a point. From a risk management perspective that may be enough, but I think most INFOSEC departments realize that the emergence of zero day drive-by campaigns means new solutions are required.

A successful behavioral security solution is predicated on: big data insight, talented data scientists, and evolving predicative signal identification. This space is still new and I don't have proprietary metrics from different security providers specifically around zero day drive-by attacks, but I do know that businesses are interested in proven behavioral solutions.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 9:38:04 AM
Patching not enough
Thanks for your detailed overview of the evolution of the zero-day attack, Levi. You make a great case for the need for new defenses that go beyond vulnerability identification and patch management. In terms of a "sensible" solution such as behavior scoring, where are you seeing that approach being adopted and how successful it is to date? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1556
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

CVE-2014-2008
Published: 2014-09-12
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.

CVE-2014-2009
Published: 2014-09-12
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

CVE-2014-4735
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php.

CVE-2014-5259
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant