Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/22/2017
12:15 PM
Curtis Jordan
Curtis Jordan
Commentary
100%
0%

Block Threats Faster: Pattern Recognition in Exploit Kits

When analysts investigate an indicator of compromise, our primary goal is to determine if it is malicious as quickly as possible. Identifying attack patterns helps you mitigate quicker.

Vetting threats is a necessary task for security analysts, but it’s also agonizingly tedious. You want to quickly determine if something is good or bad, block it, and move on. The problem is, sometimes you can’t see the forest through the trees. There is so much noise you need a means of quickly distilling what in that data actually matters. That’s where pattern recognition comes in. Identifying patterns in TTPs (tactics, tool, and procedures) can tip you off to correlations, which is the fastest path to mitigation because you can categorically identify and block significantly more directly related indicators in a shorter amount of time.

Let’s apply this pattern recognition concept to the evolution of exploit kits.

Pattern #1: Exploit Kits Don’t Die, They Evolve 

Exploit kits are cheap and easy to purchase on the Dark Web. The most successful EKs quickly gain popularity, thus generating the greatest activity in the threatscape. When the vulnerabilities targeted by EKs are finally identified and patched, a new vulnerability gets added to the EK, and the cycle starts again. This is a good example of why you’ll see an exploit kit like Magnitude rise and fall in popularity over time.

Pattern #2: When One Tool Falls, Another Takes It's Place

So not only are there patterns in the rise and fall in popularity of an exploit kit, but there are also migratory patterns in how and when bad guys move from one exploit kit to the next. Sometimes it is merely a matter of an exploit kit no longer being effective enough. On rare occasions, however, an exploit kit may fall off the map completely due to the developer(s) behind it being taken down, as what happened when the Angler EK vanished after the Lurk criminal gang was taken down back in 2016.

It took a little while until hackers found an acceptable replacement. They experimented with a few different exploit kits like Sundown and Nuclear until finally they found RIG. Using our graph visualization tool, we tracked the migration from Angler to RIG and saw how this exploit kit beat out others.

This video (1:23) shows different EKs gaining in popularity, then dwindling, then being replaced by something new. Click here  to see the original on YouTube.

It’s not just EKs that behave this way. Noting what malware tools are used to deliver different payloads can tip an analyst off to what else to look for when they see one but not the other. For example finding Pony and, based on data spanning multiple sectors, knowing to look for Chancitor or Hancitor TTPs can help you mass identify and block indicators of compromise (IOCs), since they are often used to download that payload.

In sum, pattern recognition allows analysts to stop playing whack-a-mole by making every single indicator worth three. Keep these three tips in mind on your next investigation.

1. Keep your eye on dormant EKs. Don't discount the research you’ve done about an EK that is not active right now. TruSTAR platform data indicates new EKs use similar IOCs from old EKs (e.g. payloads).

2.  Look within historical data.  Find a way to manage your historical incident data and closed tickets to make historical data/patterns easily accessible. Graph visualization tools are useful tools in this scenario.

3. Exchange threat intelligence.  Participating in threat intelligence exchange networks can provide a more holistic view of the threat landscape, helping you identify valid patterns within a larger ecosystem and be better prepared to block threats.

This research was provided by the TruSTAR Data Science Unit. Click here to download a CSV of trending EKs and their most common IOCs.

 

Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.