The report starts by highlighting both the sophistication and effectiveness of the modern cybercriminal; and the current ineffectiveness of our security defenses. It describes the modern advanced threat as comprising six separate stages: an initial lure, a redirect to a hidden and malicious server, an exploit kit to find a vulnerability, the delivery of a malware dropper file via that vulnerability, a call home for more malware, and finally the actual exfiltration or data theft. Each of these stages is analyzed in detail in the report.
‘Lures’ are the social engineering attacks that start the process by exploiting the weakest link: the user. They range from the web lures that “prey on human curiosity and have moved into private social circles between friends within social networking,” through mass mailing spam-based lures to targeted spear phishing.
‘Redirects’ include SQL injections and iFrame injections, malvertising, and fake plug-ins. The purpose is to move the target to the next phase, examination by an exploit kit such as Blackhole hosted on a malicious server. This is key to the success or failure of the attack. “Blackhole uses criminal encryption, which makes it difficult to detect with AV engines and generic de-obfuscation tools,” says the report. “If your only defense at the web gateway is AV, then the odds of exploit kits successfully penetrating your systems through vulnerable applications is high.”
The fourth stage is where most companies currently concentrate their security defenses – the actual infection caused by dropping malware onto the system via a vulnerability discovered by the exploit kit. The theory is that if we analyze every file coming into the network, we can stop all known malware. Unfortunately, says the report, “The problem today is that dropper files use dynamic packers so known signatures and patterns are not available.”
Once the initial malware has been introduced to the victim’s computer, the rest becomes easier. The fifth stage is a ‘call-home’ in order to get and install more sophisticated and versatile malware, followed by the final stage, the actual theft and exfiltration of data. “The problem,” says Websense, “is that most defenses are only forward-facing and do not analyze outbound traffic from infected systems.”
“Traditional defenses just aren't working any more,” said Charles Renert, vice president of research and development for Websense. “Organizations need real-time defenses with multiple detection points that deeply analyze both the inbound content of each website and email as well as the outbound transmission of sensitive data.”
The report then goes on to discuss statistics and strategies for web security, data loss security, email security and mobile security. “In summary,” it concludes, “social networking continues to dominate communications as mobility and cloud computing extend security perimeters into devices, networks, and apps that we no longer control. What is left in our control is our data. And the shift to risk management and defenses to protect confidential data is urgent and imperative.”