Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/22/2017
12:15 PM
Curtis Jordan
Curtis Jordan
Commentary
100%
0%

Block Threats Faster: Pattern Recognition in Exploit Kits

When analysts investigate an indicator of compromise, our primary goal is to determine if it is malicious as quickly as possible. Identifying attack patterns helps you mitigate quicker.

Vetting threats is a necessary task for security analysts, but it’s also agonizingly tedious. You want to quickly determine if something is good or bad, block it, and move on. The problem is, sometimes you can’t see the forest through the trees. There is so much noise you need a means of quickly distilling what in that data actually matters. That’s where pattern recognition comes in. Identifying patterns in TTPs (tactics, tool, and procedures) can tip you off to correlations, which is the fastest path to mitigation because you can categorically identify and block significantly more directly related indicators in a shorter amount of time.

Let’s apply this pattern recognition concept to the evolution of exploit kits.

Pattern #1: Exploit Kits Don’t Die, They Evolve 

Exploit kits are cheap and easy to purchase on the Dark Web. The most successful EKs quickly gain popularity, thus generating the greatest activity in the threatscape. When the vulnerabilities targeted by EKs are finally identified and patched, a new vulnerability gets added to the EK, and the cycle starts again. This is a good example of why you’ll see an exploit kit like Magnitude rise and fall in popularity over time.

Pattern #2: When One Tool Falls, Another Takes It's Place

So not only are there patterns in the rise and fall in popularity of an exploit kit, but there are also migratory patterns in how and when bad guys move from one exploit kit to the next. Sometimes it is merely a matter of an exploit kit no longer being effective enough. On rare occasions, however, an exploit kit may fall off the map completely due to the developer(s) behind it being taken down, as what happened when the Angler EK vanished after the Lurk criminal gang was taken down back in 2016.

It took a little while until hackers found an acceptable replacement. They experimented with a few different exploit kits like Sundown and Nuclear until finally they found RIG. Using our graph visualization tool, we tracked the migration from Angler to RIG and saw how this exploit kit beat out others.

This video (1:23) shows different EKs gaining in popularity, then dwindling, then being replaced by something new. Click here  to see the original on YouTube.

It’s not just EKs that behave this way. Noting what malware tools are used to deliver different payloads can tip an analyst off to what else to look for when they see one but not the other. For example finding Pony and, based on data spanning multiple sectors, knowing to look for Chancitor or Hancitor TTPs can help you mass identify and block indicators of compromise (IOCs), since they are often used to download that payload.

In sum, pattern recognition allows analysts to stop playing whack-a-mole by making every single indicator worth three. Keep these three tips in mind on your next investigation.

1. Keep your eye on dormant EKs. Don't discount the research you’ve done about an EK that is not active right now. TruSTAR platform data indicates new EKs use similar IOCs from old EKs (e.g. payloads).

2.  Look within historical data.  Find a way to manage your historical incident data and closed tickets to make historical data/patterns easily accessible. Graph visualization tools are useful tools in this scenario.

3. Exchange threat intelligence.  Participating in threat intelligence exchange networks can provide a more holistic view of the threat landscape, helping you identify valid patterns within a larger ecosystem and be better prepared to block threats.

This research was provided by the TruSTAR Data Science Unit. Click here to download a CSV of trending EKs and their most common IOCs.

 

Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The State of Email Security and Protection
Mike Flouton, Vice President of Email Security at Barracuda Networks,  11/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18881
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
CVE-2019-18882
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
CVE-2019-18873
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
CVE-2019-18874
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.