Protecting Your Organization Against a New Class of Cyber Threats: HEAT

Take a preventative threat approach and apply security measures near end users, applications, and data to increase protection.

Mark Guntrip, Senior Director, Cybersecurity Strategy, Menlo Security

March 31, 2022

4 Min Read
Cyberattack concept
Source: Skorzewiak via Alamy Stock Photo

As entire workforces went remote overnight in 2020, organizations shifted operations to the cloud and employees increased the amount of work they conducted in the browser. While this shift to the cloud enabled productivity and collaboration despite the inability to see colleagues in-person, it left legacy security systems more ineffective against attacks than they were in previous on-premises workplace settings.

As existing security systems stayed in place, threat actors were busy working quietly behind the scenes to infiltrate organizations where work was being done: in the Web browser.

To exploit workers on the Web, today's threat actors often send malicious links via phishing or spear-phishing emails. Those random and targeted emails are a simple way for attackers to potentially gain access to a treasure trove of data through an individual's device. These tactics are efficient and will not be going away, although attackers are always working to stay a step ahead by changing their methods and looking for new attack vectors.

A new attack variation deploys a recently identified class of cyber threats observed by Menlo Security, dubbed highly evasive adaptive threats (HEAT), that use techniques to specifically evade detection by multiple layers in current security stacks. These threats deliver malware or compromise credentials, serving as beachheads for data theft, stealth monitoring, account takeovers, and initiating ransomware payloads. HEAT attacks are being leveraged by well-known threat groups, including Nobelium (the gang behind the SolarWinds attack) and are on the rise. In fact, the Menlo Labs research team observed a 224% increase in HEAT attacks in the second half of 2021 alone.

With end users spending an average of 75% of their workday in the browser and ransomware more prevalent than ever before, the volume and sophistication of these highly evasive attacks has skyrocketed. Most organizations aren't prepared to defend against them.

Understanding HEAT Attacks
To be considered a HEAT attack, the threat must leverage one or more of the following four evasive techniques that bypass traditional network security defenses:

  • Evades both static and dynamic content inspection: HEAT attacks evade signature and behavioral analysis engines to deliver malicious payloads to the victim using innovative techniques such as HTML smuggling.

  • Evades malicious link analysis: These threats evade malicious link analysis engines traditionally implemented in the email path where links can be analyzed before arriving at the user.

  • Evades offline categorization and threat detection: HEAT attacks bypass Web categorization by delivering malware from benign websites by compromising them or patiently creating new ones, which are referred to as "Good2Bad" websites. The team has observed an increase of more than 137% of Good2Bad websites from 2020 to 2021.

  • Evades HTTP traffic inspection: In a HEAT attack, malicious content such as browser exploits, cryptomining code, phishing kit code and images impersonating known brand's logos is generated by JavaScript in the browser by its rendering engine, making any detection technique useless.

While some aspects of HEAT attacks have been tormenting organizations for years, these attacks have become the greatest threat that enterprises face today with the proliferation of remote work and the corresponding rapid evolution of the threat market.

What's more, traditional security capabilities including secure Web gateways, sandboxing, URL reputation, and filtering are rendered worthless against these types of attacks because HEAT attacks lie hidden behind legitimate uses. Simply blocking them won't work. Instead, organizations must be able to prevent malicious uses of the techniques to adequately protect themselves.

Protecting Your Organization
Millions of businesses and individuals worldwide are relying on the browser to conduct the majority of work and personal tasks; that is where the biggest security risks will be moving forward — and most security stacks today do not protect against these Web-based threats. As such, not only do security strategies and capabilities need to be modernized for today's sophisticated threats, but mindsets must shift to secure organizations from tomorrow's hackers.

To secure networks, security and business leaders must shift from a detect and remediate mindset and instead take a preventative approach to security that is rooted in the zero-trust architecture and adopts the secure access service edge (SASE) framework to protect remote and hybrid workforces. [Editor's note: The author's company is one of many vendors that offer zero trust and SASE products.] Security measures work best when they're applied near the end user, application, and data.

By preventing threats before they get close to the network, applications, and devices they're targeting, an organization can determine that its resources are clean of infection and focus on other potentially impactful threats within its security operations teams.

As threats continue to evolve, hackers become increasingly prolific, and all organizations, of every size and in every vertical, face greater risk of falling victim than ever before. One thing is certain: Security leaders must stay nimble, modernize their security stacks to prevent attacks from happening, and have a concrete plan in place if they do experience a breach.

About the Author(s)

Mark Guntrip

Senior Director, Cybersecurity Strategy, Menlo Security

Mark Guntrip has over 20 years experience in security marketing, including strategy, product management, and product marketing across enterprise and commercial markets. Specific market areas include advanced threat protection, Web security, cloud-based security, firewalls, and managed security services. He has a proven track record of building success in new markets as well as promoting growth within more established areas. Prior to Menlo Security, Guntrip held various management roles at Proofpoint, Symantec, and Cisco.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights