5/7/2018
10:30 AM
Derek Manky
Commentary
Defending Against an Automated Attack Chain: Are You Ready?

Recent threats like AutoSploit bring malware-as-a-service to a whole new level. Here are four ways to be prepared.

Until recently, one of the biggest challenges for cybercriminals has been matching a target with an exploit. While newer attacks might be preloaded with multiple exploits, many still function like a traditional watering-hole attack. More proactive attacks, like worms, also spread via multiple exploits, but they still tend to be "dumb worms" that can use only whatever they have been loaded with.

Over the past few months, however, new malware trends have arisen. Recent Internet of Things (IoT) botnets, such as Reaper and Hajime, have not only been designed to target multiple vulnerabilities simultaneously, but they also have the capability to attack "a la carte" by intelligently selecting an attack method from a growing exploit base.

Reaper's flexible framework, for example, means that its code can be easily updated on the fly to run new and more malicious attacks as soon as they become available. The technique is clearly effective: within days of Reaper's appearance last October, exploit volumes associated with it jumped from 50,000 to 2.7 million.

Automatic Exploitation
And now there is a new toolkit known as AutoSploit, an automated mass exploiter. It automates the exploitation of remote hosts by collecting targets through online search engines such as Shodan or ZoomEye, which are designed to locate specific kinds of connected devices. It includes additional options to further customize targets and host lists. Once a set of targets has been identified, it leverages the penetration testing tool Metasploit to attack those devices.

This brings the idea of malware-as-a-service to a whole new level. Because it is open source, even individuals with limited technical skills can now run their own cybercriminal enterprises by targeting and launching attacks through a nearly entirely automated system.

Creating Swarm Networks
From there, AutoSploit will empower people to build large swarm networks. This will enable traditionally dumb botnets to function as swarms that accelerate an attack as a cooperative, integrated system. Simple swarm intelligence will refine this process even further, as individual swarmbots will be able to share real-time information about which exploits are the most successful and shorten the time between targeting and compromise. This will also help cybercriminals better guarantee a return on their investment. These capabilities already exist in the wild.

The next step is to more effectively hide malware once it has successfully breached a network's defenses. The next generation of self-camouflaging assembler malware will be able to dynamically assemble bits of code from all over the Internet. This would allow local swarms to be built from code that stitches itself together through a careful assembly process, rather than from a single monolithic block of code that could easily be detected. Adding simple machine learning functionality would then permit such a mutant attack to monitor and mimic normal traffic patterns, evading tools that look for aberrant behavior.

The problem is compounded further by the ongoing expansion of the attack surface as organizations add things like software-defined networking, cloud infrastructure and services, mobile users, and IoT devices to their networks. Very few legacy security solutions are able even to detect these sorts of attacks, let alone prevent them.

What's Needed
Addressing these emerging polymorphic swarm attacks requires a hive defense, in which all of your deployed security components can see and communicate with each other and then work cooperatively to defend the network. Here is a brief set of strategies to consider in order to combat this new generation of threats effectively:

Patch your devices. Targeted, automated attacks like AutoSploit mean that your vulnerable systems and devices are more exposed than ever. If they are too old (or too new) to patch, replace them. If you can't replace them, then harden them, hide them, isolate them, or secure them behind advanced security tools such as intrusion-prevention systems and sandboxes.

Segment your network. Leveraging segmentation and microsegmentation ensures that once a device is compromised, the attack is limited to a small portion of your network. Passive segmentation, however, is just the start. What is also needed is agile macro segmentation for dynamic and adaptive defense against new, intelligent attacks.

Rethink your security strategy. Your security strategy needs to undergo digital transformation. Start by designing a flexible, adaptive security fabric that spans the network as a single, organic entity. Then tie that fabric to an integrated threat intelligence feed to ensure your network defenses constantly receive the latest threat profiles. This becomes the foundation for future hive defense strategies.

Leverage open integration standards. Combining best practices, centralized orchestration and advanced, purpose-built components provides the speed, scale, and intelligence required to secure today's networks. This architectural approach extends visibility and protection across the entire attack surface, from remote devices to deep in the data center and from IoT to the cloud. This lets you secure any digital resource in any deployment scenario and marshal resources from any location to respond to threats.

Legacy approaches to security no longer work. The only way to beat cybercriminals at their game is to be smarter, faster, and stronger. To do this, you must adopt a new mindset around security that embraces integration, automation, and adaptability. Organizations that fail to make this transition are likely to be left behind in the new digital economy.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...