Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/22/2017
12:15 PM
Curtis Jordan
Curtis Jordan
Commentary
100%
0%

Block Threats Faster: Pattern Recognition in Exploit Kits

When analysts investigate an indicator of compromise, our primary goal is to determine if it is malicious as quickly as possible. Identifying attack patterns helps you mitigate quicker.

Vetting threats is a necessary task for security analysts, but it’s also agonizingly tedious. You want to quickly determine if something is good or bad, block it, and move on. The problem is, sometimes you can’t see the forest through the trees. There is so much noise you need a means of quickly distilling what in that data actually matters. That’s where pattern recognition comes in. Identifying patterns in TTPs (tactics, tool, and procedures) can tip you off to correlations, which is the fastest path to mitigation because you can categorically identify and block significantly more directly related indicators in a shorter amount of time.

Let’s apply this pattern recognition concept to the evolution of exploit kits.

Pattern #1: Exploit Kits Don’t Die, They Evolve 

Exploit kits are cheap and easy to purchase on the Dark Web. The most successful EKs quickly gain popularity, thus generating the greatest activity in the threatscape. When the vulnerabilities targeted by EKs are finally identified and patched, a new vulnerability gets added to the EK, and the cycle starts again. This is a good example of why you’ll see an exploit kit like Magnitude rise and fall in popularity over time.

Pattern #2: When One Tool Falls, Another Takes It's Place

So not only are there patterns in the rise and fall in popularity of an exploit kit, but there are also migratory patterns in how and when bad guys move from one exploit kit to the next. Sometimes it is merely a matter of an exploit kit no longer being effective enough. On rare occasions, however, an exploit kit may fall off the map completely due to the developer(s) behind it being taken down, as what happened when the Angler EK vanished after the Lurk criminal gang was taken down back in 2016.

It took a little while until hackers found an acceptable replacement. They experimented with a few different exploit kits like Sundown and Nuclear until finally they found RIG. Using our graph visualization tool, we tracked the migration from Angler to RIG and saw how this exploit kit beat out others.

This video (1:23) shows different EKs gaining in popularity, then dwindling, then being replaced by something new. Click here  to see the original on YouTube.

It’s not just EKs that behave this way. Noting what malware tools are used to deliver different payloads can tip an analyst off to what else to look for when they see one but not the other. For example finding Pony and, based on data spanning multiple sectors, knowing to look for Chancitor or Hancitor TTPs can help you mass identify and block indicators of compromise (IOCs), since they are often used to download that payload.

In sum, pattern recognition allows analysts to stop playing whack-a-mole by making every single indicator worth three. Keep these three tips in mind on your next investigation.

1. Keep your eye on dormant EKs. Don't discount the research you’ve done about an EK that is not active right now. TruSTAR platform data indicates new EKs use similar IOCs from old EKs (e.g. payloads).

2.  Look within historical data.  Find a way to manage your historical incident data and closed tickets to make historical data/patterns easily accessible. Graph visualization tools are useful tools in this scenario.

3. Exchange threat intelligence.  Participating in threat intelligence exchange networks can provide a more holistic view of the threat landscape, helping you identify valid patterns within a larger ecosystem and be better prepared to block threats.

This research was provided by the TruSTAR Data Science Unit. Click here to download a CSV of trending EKs and their most common IOCs.

 

Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.