Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/7/2018
10:30 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Defending Against an Automated Attack Chain: Are You Ready?

Recent threats like AutoSploit bring malware-as-a-service to a whole new level. Here are four ways to be prepared.

Until recently, one of the biggest challenges for cybercriminals has been matching a target with an exploit. While newer attacks might be preloaded with multiple exploits, many still function like a traditional waterhole. More proactive attacks, like worms, also spread via multiple exploits, but they still tend to be "dumb worms" that can use only whatever they have been loaded with.

Over the past few months, however, new malware trends have arisen. Recent Internet of Things (IoT) botnets, such as Reaper and Hajime, have not only been designed to target multiple vulnerabilities simultaneously but they also have the capability to attack "a la carte" by intelligently selecting an attack method from a growing exploit base.

Reaper's flexible framework, for example, means that its code can be easily updated on the fly to run new and more malicious attacks as soon as they become available. The technique is clearly effective, as exploit volumes associated with Reaper after it appeared last October jumped from 50,000 to 2.7 million in just a few days.

Automatic Exploitation
And now, there is a new toolkit known as AutoSploit, which is an automated mass exploiter. This new tool automates the exploitation of remote hosts by collecting specific targets through online search engines such as Shodan or ZoomEye that are designed to locate specific connected devices. It includes additional options to further customize targets and host lists. Once a set of targets has been identified, it leverages the penetration testing tool Metasploit to target those devices.

This brings the idea of malware-as-a-service to a whole new level. Because it is open source, even individuals with limited technical skills can now run their own cybercriminal enterprises by targeting and launching attacks through a nearly entirely automated system.

Creating Swarm Network
From there, AutoSploit will empower people to build large swarm networks. This will enable traditionally dumb botnets to now function as swarms that can accelerate an attack as a cooperative, integrated system. Simple swarm intelligence will refine this process even further, as individual swarmbots will be able to share real-time information about which exploits are the most successful and shorten the time between targeting and compromise. This will also help cybercriminals better guarantee a return on their investment. These capabilities already exist in the wild.

The next step is to more effectively hide malware once it has successfully breached a network's defenses. The next generation of self-camouflaging assembler malware will be able to dynamically assemble bits of code from all over the Internet. This would allow local swarms to be built by code stitching itself together through a careful assembly process rather than using a single monolithic block of code that could easily be detected. Adding simple machine learning functionality would then permit a mutant attack to monitor and mimic traffic patterns to avoid detection by tools looking for aberrant behaviors.

The problem is compounded further by the ongoing expansion of the attack surface as organizations add things like software-defined networking, cloud infrastructure and services, mobile user, and IoT devices to their networks. Very few legacy security solutions are able to even detect these sorts of attacks, let alone prevent them.

What's Needed
Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network. Here is a brief set of strategies to consider in order to effectively combat this new generation of threats:

Patch your devices. Targeted, automated attacks like AutoSploit mean that your vulnerable systems and devices are more exposed than ever. If they are too old (or too new) to patch, replace them. If you can't replace them, then harden them, hide them, isolate them, or secure them behind advanced security tools such as intrusion-prevention systems and sandboxes.

Segment your network. Leveraging segmentation and microsegmentation ensures that once a device is compromised, the attack is limited to a small portion of your network. Passive segmentation, however, is just the start. What is also needed is agile macro segmentation for dynamic and adaptive defense against new, intelligent attacks.

Rethink your security strategy. Your security strategy needs to undergo digital transformation. Start by designing a flexible, adaptive security fabric that spans the network as a single, organic entity. Then tie that fabric to an integrated threat intelligence feed to ensure your network defenses constantly receive the latest threat profiles. This becomes the foundation for future hive defense strategies.

Leverage open integration standards. Combining best practices, centralized orchestration and advanced, purpose-built components provides the speed, scale, and intelligence required to secure today's networks. This architectural approach extends visibility and protection across the entire attack surface, from remote devices to deep in the data center and from IoT to the cloud. This lets you secure any digital resource in any deployment scenario and marshal resources from any location to respond to threats.

Legacy approaches to security no longer work. The only way to beat cybercriminals at their game is to be smarter, faster, and stronger. To do this, you must adopt a new mindset around security that embraces integration, automation, and adaptability. Organizations that fail to make this transition are likely to be left behind in the new digital economy.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
White Papers
More White Papers
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14300
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
CVE-2020-14298
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
CVE-2020-15050
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.