Websense report discusses the life-cycle of an advanced attack

20 April 2012

The Websense 2012 Threat Report identifies the three primary developments driving current ‘epidemic levels of data theft’: effective social media lures, evasive and difficult-to-detect malware, and sophisticated exfiltration of data.

The report starts by highlighting both the sophistication and effectiveness of the modern cybercriminal; and the current ineffectiveness of our security defenses. It describes the modern advanced threat as comprising six separate stages: an initial lure, a redirect to a hidden and malicious server, an exploit kit to find a vulnerability, the delivery of a malware dropper file via that vulnerability, a call home for more malware, and finally the actual exfiltration or data theft. Each of these stages is analyzed in detail in the report.

‘Lures’ are the social engineering attacks that start the process by exploiting the weakest link: the user. They range from the web lures that “prey on human curiosity and have moved into private social circles between friends within social networking,” through mass mailing spam-based lures to targeted spear phishing. 

‘Redirects’ include SQL injections and iFrame injections, malvertising, and fake plug-ins. The purpose is to move the target to the next phase, examination by an exploit kit such as Blackhole hosted on a malicious server. This is key to the success or failure of the attack. “Blackhole uses criminal encryption, which makes it difficult to detect with AV engines and generic de-obfuscation tools,” says the report. “If your only defense at the web gateway is AV, then the odds of exploit kits successfully penetrating your systems through vulnerable applications is high.”
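
The injected-iframe redirect described above can be caught on the compromised page itself, before the visitor ever reaches the exploit kit. The detector below is an added example written for this article, not code from Websense or the report: it scans fetched HTML for iframes that are invisible (1x1 or smaller, or styled hidden) and point off-site, which together is the redirect pattern. The sample page, the site hostname www.example.com and the address 203.0.113.7 (a documentation range) are constructed.

```python
"""Flag injected redirect iframes in fetched HTML (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate, visible embed, one hidden same-site
# frame, and one injected invisible frame pointing at an off-site host.
# 203.0.113.7 is from a documentation range and stands in for a redirect server.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>Quarterly results are in.</p>
<iframe src="http://203.0.113.7/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute"></iframe>
<iframe src="/help" style="display:none"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


def _is_tiny(value):
    """True for 0- or 1-pixel dimensions, the classic 'invisible' iframe size."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_iframes(html, site_host):
    """Return [(src, reasons)] for every iframe that is hidden, tiny or off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("1x1-or-smaller")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        host = urlparse(src).hostname
        if host and host != site_host:
            reasons.append("off-site:" + host)
        if reasons:
            findings.append((src, reasons))
    return findings


def suspected_redirects(html, site_host):
    """Hidden *and* off-site together is the injected-redirect pattern worth alerting on."""
    return [
        src for src, reasons in find_hidden_iframes(html, site_host)
        if any(r.startswith("off-site") for r in reasons)
        and any(r in ("1x1-or-smaller", "hidden-style") for r in reasons)
    ]


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, reasons)
    print("redirects:", suspected_redirects(SAMPLE_HTML, "www.example.com"))
```

The visible YouTube embed is reported only as off-site and the hidden /help frame only as hidden-style, so neither reaches the redirect list; only the 1x1, invisible, off-site frame does. Attackers also inject obfuscated script that writes the iframe at runtime, which a static parser will not see, so this check belongs alongside rendering-based or gateway-side inspection rather than in place of it.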

The fourth stage is where most companies currently concentrate their security defenses – the actual infection caused by dropping malware onto the system via a vulnerability discovered by the exploit kit. The theory is that if we analyze every file coming into the network, we can stop all known malware. Unfortunately, says the report, “The problem today is that dropper files use dynamic packers so known signatures and patterns are not available.”
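
To see why the report's point about dynamic packers holds, the added example below (written for this article, not Websense code) re-encodes the same stand-in payload with a different key per build, the way a polymorphic packer would, and shows that a fixed byte signature never matches any build while a Shannon-entropy heuristic flags all of them. The payload text, the signature and the LCG keystream are constructed stand-ins, and the 6.5 bits-per-byte threshold is an assumption.

```python
"""Why a byte signature misses a repacked dropper while an entropy heuristic does not."""
import hashlib
import math

# Constructed stand-in for a dropper's plaintext body. Real droppers carry code,
# not prose, but the point (fixed bytes a signature could match) is the same.
PAYLOAD = b"Dropper stub v1: download stage2 from C2, write to %TEMP%, execute. " * 6

# A signature as an AV engine might carry it: a distinctive byte run from the body.
SIGNATURE = b"download stage2 from C2"


def _keystream(seed, length):
    """Deterministic LCG keystream standing in for a packer's per-build encoding key."""
    state = seed & 0xFFFFFFFF
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        yield (state >> 16) & 0xFF


def pack(payload, seed):
    """Simulated 'dynamic packer': identical payload, different bytes on disk per seed."""
    return bytes(b ^ k for b, k in zip(payload, _keystream(seed, len(payload))))


def signature_hit(sample):
    """Static pattern match, the check the report says no longer suffices."""
    return SIGNATURE in sample


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for text and code, approaching 8 for packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(sample, threshold=6.5):
    """Heuristic: high entropy suggests the body is packed or encrypted (threshold is an assumption)."""
    return shannon_entropy(sample) >= threshold


def compare(seeds=(1, 2, 3)):
    """Per build: the hash, whether the signature fires, and whether the heuristic fires."""
    rows = []
    for seed in seeds:
        sample = pack(PAYLOAD, seed)
        rows.append({
            "seed": seed,
            "sha256": hashlib.sha256(sample).hexdigest()[:16],
            "signature": signature_hit(sample),
            "entropy": round(shannon_entropy(sample), 2),
            "packed": looks_packed(sample),
        })
    return rows


if __name__ == "__main__":
    print("plain:", signature_hit(PAYLOAD), round(shannon_entropy(PAYLOAD), 2))
    for row in compare():
        print(row)
```

Every build has a different hash and defeats the signature, yet each scores well above the threshold. Entropy is a triage signal, not a verdict: compressed archives, images and legitimately encrypted files score just as high, so in practice it is combined with the unpacking, emulation or behavioural analysis the report calls for.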

Once the initial malware has been introduced to the victim’s computer, the rest becomes easier. The fifth stage is a ‘call-home’ in order to get and install more sophisticated and versatile malware, followed by the final stage, the actual theft and exfiltration of data. “The problem,” says Websense, “is that most defenses are only forward-facing and do not analyze outbound traffic from infected systems.”
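
Analysing outbound traffic, which the report says most defences skip, can start with something as simple as looking for the regular call-home rhythm in proxy logs. The added example below, written for this article and not part of the report, groups constructed proxy log lines by (client, destination) and flags pairs that connect on a near-fixed period with far more bytes sent than received. The log format, the thresholds and the host 203.0.113.9 (a documentation range) are assumptions.

```python
"""Spot call-home beacons in outbound proxy logs (constructed example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO time> <client> <destination host> <bytes sent> <bytes received>".
# 203.0.113.9 (documentation range) stands in for an attacker's command server.
PROXY_LOG = """
2012-04-18T09:00:00 10.1.1.20 www.news-site.example 812 54120
2012-04-18T09:00:03 10.1.1.20 cdn.news-site.example 410 220500
2012-04-18T09:00:05 10.1.1.21 203.0.113.9 1480 210
2012-04-18T09:01:17 10.1.1.20 mail.example 2210 9800
2012-04-18T09:05:05 10.1.1.21 203.0.113.9 1490 200
2012-04-18T09:10:04 10.1.1.21 203.0.113.9 1460 212
2012-04-18T09:12:40 10.1.1.20 www.news-site.example 790 48230
2012-04-18T09:15:06 10.1.1.21 203.0.113.9 1500 208
2012-04-18T09:20:05 10.1.1.21 203.0.113.9 1470 205
2012-04-18T09:21:00 10.1.1.21 www.news-site.example 820 61000
""".strip()


def parse(log_text):
    """Yield (time, client, host, sent, received) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client, host, sent, recv = parts
        yield datetime.fromisoformat(ts), client, host, int(sent), int(recv)


def find_beacons(log_text, min_hits=4, max_jitter_s=10.0, min_out_ratio=2.0):
    """Flag (client, host) pairs that talk on a near-fixed period and mostly upload."""
    sessions = defaultdict(list)
    for ts, client, host, sent, recv in parse(log_text):
        sessions[(client, host)].append((ts, sent, recv))

    suspects = []
    for (client, host), rows in sessions.items():
        if len(rows) < min_hits:
            continue  # too few contacts to judge periodicity
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        jitter = statistics.pstdev(gaps)  # low spread between contacts = timer-driven
        sent = sum(r[1] for r in rows)
        recv = sum(r[2] for r in rows)
        out_ratio = sent / max(recv, 1)   # browsing downloads; beacons and exfil upload
        if jitter <= max_jitter_s and out_ratio >= min_out_ratio:
            suspects.append({
                "client": client, "host": host, "hits": len(rows),
                "period_s": round(statistics.mean(gaps)),
                "jitter_s": round(jitter, 1), "out_ratio": round(out_ratio, 1),
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(PROXY_LOG):
        print(s)
```

Only 10.1.1.21 talking to 203.0.113.9 every five minutes with a high send-to-receive ratio is flagged; the same client's ordinary browsing is not. Legitimate software polls too (mail clients, update checkers), so in a real deployment the destination list is reconciled against known services and the score is combined with destination reputation rather than alerting on rhythm alone.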

“Traditional defenses just aren't working any more,” said Charles Renert, vice president of research and development for Websense. “Organizations need real-time defenses with multiple detection points that deeply analyze both the inbound content of each website and email as well as the outbound transmission of sensitive data.”

The report then goes on to discuss statistics and strategies for web security, data loss security, email security and mobile security. “In summary,” it concludes, “social networking continues to dominate communications as mobility and cloud computing extend security perimeters into devices, networks, and apps that we no longer control. What is left in our control is our data. And the shift to risk management and defenses to protect confidential data is urgent and imperative.”
