The business case for cybersecurity today is hard to ignore – the statistics speak for themselves.
Take ransomware, the fastest-growing form of cyber-threat: the volume of these attacks is increasing to truly alarming levels. According to the US Justice Department, there have been approximately 4000 attacks per day in the United States since 2016. Meanwhile, Cybersecurity Ventures estimates that ransomware impacted a business every 11 seconds in 2021.
Tie in the fact that the average ransom demand associated with such attacks is $200,000, and ransomware is not just a widespread threat – it is equally one that has the potential to decimate many businesses completely.
Between state-backed perpetrators carrying out highly intelligent, aggressive attacks on large corporations and a booming ransomware-as-a-service (RaaS) market that provides the toolkits for small-time criminals to launch sophisticated attacks, companies are being bombarded from all angles. The threat landscape has not ballooned in this way coincidentally. Rather, it has increasingly grown off the back of an abundance of opportunities for hackers.
Rewinding the clock to March 2020, firms of all shapes and sizes were forced to shut their physical premises and adopt digital operating models. In 2022, these models remain in the form of hybrid and remote setups, with the average employee today spending more than 75% of their working day in a web browser as a result.
This shift has expanded the attack surfaces of businesses, exposing reams of new vulnerabilities in data, applications and the cloud. Yet despite this, security has largely failed to adapt to better cater to these newly adopted environments.
From antivirus software to URL filtering techniques, many of the solutions we have in place to protect our networks haven’t changed for almost a decade, providing attackers with more than enough time to understand our defense mechanisms and find ways to get around them.
The Four Characteristics of Highly Evasive Adaptive Threats
It’s this landscape that has allowed highly evasive adaptive threats to flourish.
Also known as HEAT, these threats are a new class of attack methods observed by Menlo Labs that act as beachheads for data theft, stealth monitoring, account takeovers and the deployment of ransomware payloads.
In essence, HEAT attacks work by leveraging web browsers as the attack vector, employing various techniques to evade detection by multiple layers in current security stacks. They bypass traditional web security measures and leverage web browser features to deliver malware or compromise credentials.
Users of such methods include Nobelium, the Russian state-sanctioned group behind the SolarWinds supply chain attack; the Gootloader campaign leveraging SEO poisoning to generate high-level page rankings for compromised websites, often to deliver REvil ransomware; and the Astaroth trojan, which makes use of HTML smuggling to sneak malicious payloads past network-based detection solutions.
Of course, each of these attack methods is different. So, what classifies them as HEAT?
To be categorized as a highly evasive adaptive threat, an attack must leverage at least one of four evasive techniques which successfully bypass legacy network security defenses:
1) Content Inspection Evasion
HTML smuggling and JavaScript deception are often deployed in browser environments to bypass static and dynamic content inspection engines and deliver malicious payloads to target endpoints.
Here, malicious files are created within the browser, ensuring there is no request for a remote file that would typically be inspected. This allows attackers to bypass firewalls and traditional network security structures. Indeed, secure web gateway (SWG) policies are rendered useless as file types assumed to be blocked are still capable of reaching the endpoint – even without user interaction.
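The evasion described above rests on the fact that the file only comes into existence inside the browser, so a gateway that waits for a file download never sees one. What a defender can still see is the page source that does the assembling. The following is an added example, not code from the article or from Menlo Labs: a small Python scanner that scores inline scripts for the browser APIs and long base64 literals that HTML smuggling depends on, and decodes any embedded literal so that its leading bytes can be checked against file-type signatures before the page reaches the endpoint. The two HTML samples, the indicator list and the weights are constructed for illustration; the weights and the threshold are assumptions a real deployment would tune.

```python
import base64
import binascii
import re
from typing import Dict, List

# Indicators of a file being assembled client-side. Weights are assumed
# values for this example, not a published rule set.
INDICATORS = {
    "atob":        (re.compile(r"\batob\s*\("), 2),                    # base64 -> bytes in the browser
    "blob":        (re.compile(r"new\s+Blob\s*\("), 2),                # in-memory file object
    "object_url":  (re.compile(r"URL\.createObjectURL\s*\("), 2),     # blob: URL for the file
    "download":    (re.compile(r"\bdownload\s*="), 2),                 # forces a save instead of navigation
    "ms_save":     (re.compile(r"msSaveOrOpenBlob"), 2),               # legacy IE/Edge save path
    "b64_literal": (re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']"), 3),  # large inline payload
}
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

# Constructed sample 1: the smuggling pattern, carrying a harmless text payload.
_PAYLOAD_B64 = base64.b64encode(b"constructed sample, not a real payload " * 3).decode()
SMUGGLING_SAMPLE = f"""<html><body>
<script>
  var decoded = atob("{_PAYLOAD_B64}");
  var blob = new Blob([decoded], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.iso";
</script></body></html>"""

# Constructed sample 2: a legitimate CSV export that also uses Blob, to show
# that a single API hit is not enough to flag a page.
BENIGN_SAMPLE = """<html><body>
<script>
  var csv = rows.map(function (r) { return r.join(","); }).join("\\n");
  var blob = new Blob([csv], {type: "text/csv"});
  saveAs(blob, "report.csv");
</script></body></html>"""


def _inline_scripts(html: str) -> str:
    """Concatenate the bodies of all inline <script> blocks."""
    return "\n".join(SCRIPT_RE.findall(html))


def scan_html(html: str) -> Dict[str, object]:
    """Return the indicator names found in inline scripts and their summed weight."""
    scripts = _inline_scripts(html)
    hits = [name for name, (rx, _w) in INDICATORS.items() if rx.search(scripts)]
    return {"hits": hits, "score": sum(INDICATORS[h][1] for h in hits)}


def is_suspicious(html: str, threshold: int = 6) -> bool:
    """Flag a page when enough of the assembly chain is present. Threshold is an assumption."""
    return scan_html(html)["score"] >= threshold


def extract_embedded_blobs(html: str) -> List[bytes]:
    """Decode every long base64 literal in inline scripts so a gateway can
    inspect the bytes (e.g. check file signatures) that the browser would
    otherwise be the first to see."""
    out = []
    for literal in INDICATORS["b64_literal"][0].findall(_inline_scripts(html)):
        try:
            out.append(base64.b64decode(literal, validate=True))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all; ignore
    return out


if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(page), "suspicious" if is_suspicious(page) else "clean")
    for blob in extract_embedded_blobs(SMUGGLING_SAMPLE):
        print("embedded blob starts with:", blob[:16])
```

The point of `extract_embedded_blobs` is that a control which only decodes what the browser will decode gets the same bytes the endpoint will receive, so file-type policy (the SWG rule that "blocks ISO files") can be applied to the payload rather than to a download request that never happens.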
2) Malicious Link Analysis Evasion
Malicious links are typically shared via social media, SMS, document sharing and other cunning ways in an attempt to trick users into interacting with them so that attackers can gain a foothold in a network and deliver malware to the endpoint.
More recently, attackers have been combining these phishing methods with HTML smuggling in order to blind the sandbox engines built to analyze files and content as they are downloaded. Simply put, it ensures that these sandboxes can’t see the dynamic generation of a file within the browser after it is past network security controls.
3) Offline Categorization and Threat Detection Evasion
Traditional detection methods can also be bypassed by leveraging ‘Good2Bad’ websites – sites that can be temporarily manipulated and mobilized to serve malicious payloads for brief periods before being reverted to a benign state.
The use of Good2Bad sites is a growing challenge. Indeed, in the two years spanning 2019 to 2021, Menlo Labs saw their use increase by as much as 958% – a trend that isn’t likely to slow down given the recently discovered zero-day vulnerability in Log4j.
4) HTTP Traffic Inspection Evasion
HEAT attacks will also often evade the HTTP traffic inspection engines deployed to detect malicious content, because that content is only created when the browser’s rendering engine executes JavaScript on the endpoint.
JavaScript is a ubiquitous client-side scripting language used by nearly all websites – something that threat actors are using to their advantage. Indeed, attackers obfuscate their JavaScript, increasing the challenge for security researchers and detection engines.
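Obfuscated scripts defeat signature matching on the wire, but they leave statistical traces that an inspection engine can score without executing anything. The following is an added example, not code from the article or from Menlo Labs: a Python heuristic that reports Shannon entropy, the density of hex escapes and the count of dynamic-evaluation and decoding APIs in a script, and combines them into a simple verdict. The two script samples, the API list, the ratio cut-offs and the verdict threshold are constructed for illustration and would need tuning against real traffic.

```python
import math
import re
from collections import Counter
from typing import Dict

# APIs that turn data back into code or bytes at run time. Benign code uses
# some of them too, so they are counted, not treated as proof on their own.
DYNAMIC_APIS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bFunction\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"document\.write\s*\("),
]
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")

# Constructed sample 1: readable application code.
READABLE_JS = (
    'document.getElementById("total").textContent = '
    'items.reduce(function (a, b) { return a + b.price; }, 0).toFixed(2);'
)

# Constructed sample 2: the same kind of page logic hidden behind hex escapes,
# char-code arrays and eval (the string encodes only the word "constructed").
OBFUSCATED_JS = (
    'var _0x1a=["\\x63\\x6f\\x6e\\x73\\x74\\x72\\x75\\x63\\x74\\x65\\x64"];'
    'eval(String.fromCharCode(99,111,110,115,116,114,117,99,116,101,100));'
    'var z=unescape("%63%6f%6e");'
)


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded text scores higher than prose-like code."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def obfuscation_metrics(js: str) -> Dict[str, float]:
    """Collect the raw signals for one script body."""
    hex_chars = 4 * len(HEX_ESCAPE_RE.findall(js))  # each escape is 4 characters
    return {
        "entropy": shannon_entropy(js),
        "hex_escape_ratio": hex_chars / len(js) if js else 0.0,
        "dynamic_api_hits": sum(1 for rx in DYNAMIC_APIS if rx.search(js)),
    }


def obfuscation_score(js: str) -> int:
    """Assumed scoring: one point per dynamic API, one for heavy hex escaping,
    one for entropy above 5.2 bits/char."""
    m = obfuscation_metrics(js)
    score = int(m["dynamic_api_hits"])
    if m["hex_escape_ratio"] >= 0.2:
        score += 1
    if m["entropy"] >= 5.2:
        score += 1
    return score


def looks_obfuscated(js: str, threshold: int = 2) -> bool:
    """Verdict used to route a script to deeper analysis. Threshold is an assumption."""
    return obfuscation_score(js) >= threshold


if __name__ == "__main__":
    for label, script in (("readable", READABLE_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, obfuscation_metrics(script), "flag" if looks_obfuscated(script) else "pass")
```

Because the score never executes the script, it can run in a gateway that only sees bytes. Its limitation is the one the article describes: an attacker who keeps the API count low and delivers the real logic in pieces will still need to be caught by something that observes what the browser actually renders.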
Ultimately, to stop HEAT attacks and limit the devastating effects of ransomware, security teams need to update their defenses. Today, we need to go beyond the sandbox and actually prevent these threats before they reach our networks.
In our next article, we’ll look at how Zero Trust, SASE and isolation technology can help companies to protect themselves from the threat of HEAT. Stay tuned…