
5/7/2018
10:30 AM
Derek Manky

Defending Against an Automated Attack Chain: Are You Ready?

Recent threats like AutoSploit bring malware-as-a-service to a whole new level. Here are four ways to be prepared.

Until recently, one of the biggest challenges for cybercriminals has been matching a target with an exploit. While newer attacks might be preloaded with multiple exploits, many still function like a traditional waterhole. More proactive attacks, like worms, also spread via multiple exploits, but they still tend to be "dumb worms" that can use only whatever they have been loaded with.

Over the past few months, however, new malware trends have arisen. Recent Internet of Things (IoT) botnets, such as Reaper and Hajime, have not only been designed to target multiple vulnerabilities simultaneously but they also have the capability to attack "a la carte" by intelligently selecting an attack method from a growing exploit base.

Reaper's flexible framework, for example, means that its code can be easily updated on the fly to run new and more malicious attacks as soon as they become available. The technique is clearly effective, as exploit volumes associated with Reaper after it appeared last October jumped from 50,000 to 2.7 million in just a few days.

Automatic Exploitation
And now, there is a new toolkit known as AutoSploit, which is an automated mass exploiter. This new tool automates the exploitation of remote hosts by collecting specific targets through online search engines such as Shodan or ZoomEye that are designed to locate specific connected devices. It includes additional options to further customize targets and host lists. Once a set of targets has been identified, it leverages the penetration testing tool Metasploit to target those devices.

This brings the idea of malware-as-a-service to a whole new level. Because it is open source, even individuals with limited technical skills can now run their own cybercriminal enterprises by targeting and launching attacks through an almost entirely automated system.

Creating Swarm Networks
From there, AutoSploit will empower people to build large swarm networks. This will enable traditionally dumb botnets to now function as swarms that can accelerate an attack as a cooperative, integrated system. Simple swarm intelligence will refine this process even further, as individual swarmbots will be able to share real-time information about which exploits are the most successful and shorten the time between targeting and compromise. This will also help cybercriminals better guarantee a return on their investment. These capabilities already exist in the wild.

The next step is to more effectively hide malware once it has successfully breached a network's defenses. The next generation of self-camouflaging assembler malware will be able to dynamically assemble bits of code from all over the Internet. This would allow local swarms to be built by code stitching itself together through a careful assembly process rather than using a single monolithic block of code that could easily be detected. Adding simple machine learning functionality would then permit a mutant attack to monitor and mimic traffic patterns to avoid detection by tools looking for aberrant behaviors.

The problem is compounded further by the ongoing expansion of the attack surface as organizations add things like software-defined networking, cloud infrastructure and services, mobile users, and IoT devices to their networks. Very few legacy security solutions are able to even detect these sorts of attacks, let alone prevent them.

What's Needed
Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network. Here is a brief set of strategies to consider in order to effectively combat this new generation of threats:

Patch your devices. Targeted, automated attacks like AutoSploit mean that your vulnerable systems and devices are more exposed than ever. If they are too old (or too new) to patch, replace them. If you can't replace them, then harden them, hide them, isolate them, or secure them behind advanced security tools such as intrusion-prevention systems and sandboxes.

Segment your network. Leveraging segmentation and microsegmentation ensures that once a device is compromised, the attack is limited to a small portion of your network. Passive segmentation, however, is just the start. What is also needed is agile macro segmentation for dynamic and adaptive defense against new, intelligent attacks.

Rethink your security strategy. Your security strategy needs to undergo digital transformation. Start by designing a flexible, adaptive security fabric that spans the network as a single, organic entity. Then tie that fabric to an integrated threat intelligence feed to ensure your network defenses constantly receive the latest threat profiles. This becomes the foundation for future hive defense strategies.

Leverage open integration standards. Combining best practices, centralized orchestration and advanced, purpose-built components provides the speed, scale, and intelligence required to secure today's networks. This architectural approach extends visibility and protection across the entire attack surface, from remote devices to deep in the data center and from IoT to the cloud. This lets you secure any digital resource in any deployment scenario and marshal resources from any location to respond to threats.

Legacy approaches to security no longer work. The only way to beat cybercriminals at their game is to be smarter, faster, and stronger. To do this, you must adopt a new mindset around security that embraces integration, automation, and adaptability. Organizations that fail to make this transition are likely to be left behind in the new digital economy.


Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...