Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/7/2018
10:30 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Defending Against an Automated Attack Chain: Are You Ready?

Recent threats like AutoSploit bring malware-as-a-service to a whole new level. Here are four ways to be prepared.

Until recently, one of the biggest challenges for cybercriminals has been matching a target with an exploit. While newer attacks might be preloaded with multiple exploits, many still function like a traditional waterhole. More proactive attacks, like worms, also spread via multiple exploits, but they still tend to be "dumb worms" that can use only whatever they have been loaded with.

Over the past few months, however, new malware trends have arisen. Recent Internet of Things (IoT) botnets, such as Reaper and Hajime, have not only been designed to target multiple vulnerabilities simultaneously but they also have the capability to attack "a la carte" by intelligently selecting an attack method from a growing exploit base.

Reaper's flexible framework, for example, means that its code can be easily updated on the fly to run new and more malicious attacks as soon as they become available. The technique is clearly effective, as exploit volumes associated with Reaper after it appeared last October jumped from 50,000 to 2.7 million in just a few days.

Automatic Exploitation
And now, there is a new toolkit known as AutoSploit, which is an automated mass exploiter. This new tool automates the exploitation of remote hosts by collecting specific targets through online search engines such as Shodan or ZoomEye that are designed to locate specific connected devices. It includes additional options to further customize targets and host lists. Once a set of targets has been identified, it leverages the penetration testing tool Metasploit to target those devices.

This brings the idea of malware-as-a-service to a whole new level. Because it is open source, even individuals with limited technical skills can now run their own cybercriminal enterprises by targeting and launching attacks through a nearly entirely automated system.

Creating Swarm Network
From there, AutoSploit will empower people to build large swarm networks. This will enable traditionally dumb botnets to now function as swarms that can accelerate an attack as a cooperative, integrated system. Simple swarm intelligence will refine this process even further, as individual swarmbots will be able to share real-time information about which exploits are the most successful and shorten the time between targeting and compromise. This will also help cybercriminals better guarantee a return on their investment. These capabilities already exist in the wild.

The next step is to more effectively hide malware once it has successfully breached a network's defenses. The next generation of self-camouflaging assembler malware will be able to dynamically assemble bits of code from all over the Internet. This would allow local swarms to be built by code stitching itself together through a careful assembly process rather than using a single monolithic block of code that could easily be detected. Adding simple machine learning functionality would then permit a mutant attack to monitor and mimic traffic patterns to avoid detection by tools looking for aberrant behaviors.

The problem is compounded further by the ongoing expansion of the attack surface as organizations add things like software-defined networking, cloud infrastructure and services, mobile user, and IoT devices to their networks. Very few legacy security solutions are able to even detect these sorts of attacks, let alone prevent them.

What's Needed
Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network. Here is a brief set of strategies to consider in order to effectively combat this new generation of threats:

Patch your devices. Targeted, automated attacks like AutoSploit mean that your vulnerable systems and devices are more exposed than ever. If they are too old (or too new) to patch, replace them. If you can't replace them, then harden them, hide them, isolate them, or secure them behind advanced security tools such as intrusion-prevention systems and sandboxes.

Segment your network. Leveraging segmentation and microsegmentation ensures that once a device is compromised, the attack is limited to a small portion of your network. Passive segmentation, however, is just the start. What is also needed is agile macro segmentation for dynamic and adaptive defense against new, intelligent attacks.

Rethink your security strategy. Your security strategy needs to undergo digital transformation. Start by designing a flexible, adaptive security fabric that spans the network as a single, organic entity. Then tie that fabric to an integrated threat intelligence feed to ensure your network defenses constantly receive the latest threat profiles. This becomes the foundation for future hive defense strategies.

Leverage open integration standards. Combining best practices, centralized orchestration and advanced, purpose-built components provides the speed, scale, and intelligence required to secure today's networks. This architectural approach extends visibility and protection across the entire attack surface, from remote devices to deep in the data center and from IoT to the cloud. This lets you secure any digital resource in any deployment scenario and marshal resources from any location to respond to threats.

Legacy approaches to security no longer work. The only way to beat cybercriminals at their game is to be smarter, faster, and stronger. To do this, you must adopt a new mindset around security that embraces integration, automation, and adaptability. Organizations that fail to make this transition are likely to be left behind in the new digital economy.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13961
PUBLISHED: 2019-07-18
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
CVE-2019-13962
PUBLISHED: 2019-07-18
lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.
CVE-2019-10101
PUBLISHED: 2019-07-18
OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack vector is: network connectivity. The fixed version is: v4.3.
CVE-2019-10102
PUBLISHED: 2019-07-18
MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the function allowAction() in NewslettersControlle...
CVE-2019-10102
PUBLISHED: 2019-07-18
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suric...