informa
3 MIN READ
Quick Hits

How Attackers Choose Which Vulnerabilities To Exploit

A look at how the bad guys choose their attack methods -- and what you can do about it
[Excerpted from "How Attackers Choose Which Vulnerabilities To Exploit," a new report posted this week on Dark Reading's Vulnerability Management Tech Center.]

It's an old but true adage: To protect yourself against a criminal, you have to think like a criminal. This certainly applies to IT security professionals working to keep their organizations' systems and data safe: To protect against a cyber attacker, you have to think like a cyber attacker.

According to Verizon's 2012 Data Breach Investigations Report, 81% of data breaches utilized some form of hacking, and 94% of the attacks were not classified as difficult. Even those attacks that were more complex often used simple techniques to gain an initial foothold.

The reason so many attacks are reasonably straightforward is that most attackers use exploit toolkits downloaded from the Internet. They make it easy for anyone to generate and distribute malware that has a high degree of success. They mainly focus on targeting end user applications with well-known vulnerabilities.

Many exploit toolkits have easy point-and-click user interfaces, and although they may incorporate fairly recent vulnerabilities and ingenious payloads, the user doesn't need to understand their complexities to launch an attack.

Blackhole 2.0 is one of the most popular toolkits, even though it targets fewer software security holes than rival kits. Yes, hacking is a business, and hacking toolkits are in competition. Although some are free, there's also a commercial market for tools with the latest and greatest features. An instance of Blackhole on the author's server can be rented by the day or month, and annual licenses can be purchased. Malware infection-as-a-service and botnets can all be rented or leased by the hour, by the day or longer.

Such tools aren't going to include exploits that no longer work, and all the evidence suggests that old vulnerabilities continue to be successfully used by attackers, with profits far exceeding a toolkit's initial purchase or rental cost.

The Verizon RISK Team concluded that most victims were not preselected but were chosen because the attacker found an easily exploitable weakness. The opportunist attacker can find potential victims by simply scanning the Internet for sites running code that's known to be vulnerable, such as a particular version of an e-commerce software package.

Tools such as Nmap can be used, or searches on Google (Google hacking) can find security holes in the configuration and code of networks and websites accessible via the Internet. This research can be anonymized by running it through services such as I2P, which will prevent the attacker's IP address from appearing in the target's logs.

Certain types of businesses have developed a reputation as being easy targets. Franchises are one such type of business. It makes sense, because a franchise lets attackers get the absolute most bang for their buck: When attackers find a vulnerability they can exploit against a particular franchisee, the exploit often works at hundreds of other franchisees as well. Small and midsize businesses are often preferred over larger enterprises because they are profitable targets yet frequently have far fewer security resources protecting their assets.

The Elderwood gang -- the attackers behind the Aurora attacks that targeted Google, Adobe and other big U.S. companies -- are primarily interested in gathering and stealing intellectual property and trade secrets, infrastructure details and information useful for future attacks. However, the appearance of "watering hole" attacks -- in which attackers manipulate a website to serve up malware to site visitors -- means that even basic brochureware sites can be potential targets.

A terrorist group, meanwhile, is more likely to seek higher-impact targets, such as critical infrastructure -- anything destructive or disruptive enough to intimidate or coerce a government or its people. These groups see computers as weapons or targets.

To get details on how attackers identify and select the specific vulnerabilities they will exploit -- and some tips on how to discourage them -- download the free report on vulnerability research and management.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Haris Pylarinos, Founder and CEO, Hack The Box
Robert Lemos, Contributing Writer, Dark Reading