
Protect Your Company against Exploit Kits with Moving Target Defense

Posted by Michael Gorelik on July 12, 2016

There are kits for everything these days: beer brewing, engine tuning, and, yes, hacking. Hacking's “exploit kits” (EKs), toolkits with packaged exploit code, let almost anyone become a digital intruder, from the guy down the hall to the nation-state operator oceans away. I'm going to share some key areas you need to be aware of when preparing for an EK-driven attack.

Endpoint Kits Explained 

The days are long gone when hackers were simply seeking thrills or recognition. The primary motive for today’s hackers is financial gain, with ransomware being their current preferred method of attack. This form of malware takes over and locks a user’s system, then demands a ransom to restore the user’s access. In other types of attacks, hackers steal data such as online bank or credit card credentials, then sell it on the black market. These make up a smaller percentage of attacks, because they require more effort than ransomware.

The most feared attacks are thankfully the least common, although their prevalence is increasing. So-called advanced persistent threats are highly targeted, state-sponsored or corporate espionage attacks directed at high-value data, often intellectual property or military secrets. Such attacks typically use specialized types of EKs that are beyond the scope of this article.

Among the many EKs available on the open market, the Angler Exploit Kit and Nuclear Exploit Kit are probably the most popular. Both leverage application vulnerabilities to infect end-user devices by injecting redirection scripts or iframes into compromised websites. The kits propagate quickly, spreading around the world in minutes.

Ads are not "annoying but harmless"

EKs have managed to infect even trustworthy sites such as YouTube and Reuters with “malvertising.” When users visit the site, the malicious ad (which looks like a standard ad) automatically runs code that causes the browser to access the server on which the EK is stored. This then fires up the exploit to compromise the end user’s machine. The EK runs through a list of potential vulnerabilities to leverage on the end user’s machine, such as in the browser or its plug-ins. Flash has been an open door for hackers for quite some time, although Adobe has taken steps to improve its protection, and our research shows that JavaScript exploits in Internet Explorer are now the preferred initial target for EKs.

While the sites that serve up malvertising may themselves be reputable, the ads they display originate from many other sites. The third-party systems that serve up display ads have become a popular target for hackers, since they offer nearly global distribution in a “one-stop shop.”  However, if hackers find it too difficult to break into an ad-serving site, they may turn to unprotected WordPress and Joomla sites to display their malicious ads—especially ones recently registered and not yet updated with the latest security patches.

Patching delayed at best

The first rule of security is to keep your systems up to date with every patch that software vendors release. The corollary is that this is nearly impossible. Patching requires careful planning, execution, and validation. Sometimes new patches conflict with other applications already running.

All of the attention and time that patching requires means delays that leave systems vulnerable. And even in a perfect world where everything is patched on time, zero-day attacks can penetrate through as-yet unknown vulnerabilities that the hackers uncover.

Rule-based security is easy to bypass

If patching is not the answer, then perhaps traditional rule-based or signature-based security solutions such as antivirus offer protection. To explain why this cannot help, it’s important to understand that when an EK infiltrates a site, the malicious files it serves are often dynamic. Each time they attack, the content, including function names or variables, is changed, since variants are generated on the fly. To complicate matters further, EKs often do their dirty work without ever downloading an actual file to a user’s device, instead directly attacking the computer’s memory or other resources. And without a file, traditional antivirus and other tools have nothing to scan, and are therefore powerless.

This constant changing of payload, filenames, and attack techniques makes securing via rule- and signature-based security solutions a major challenge. How can a signature update possibly stay ahead of an automated kit that randomly generates new names, file structures, and sizes? One way is to simply define the signature broadly, to cover all of the inevitable changes that the EK will throw its way. However, such broad definitions will generate massive numbers of false positives, overwhelming analysts with alert storms.
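The trade-off described in the two paragraphs above, as an added example that is not part of the original article: three hypothetical signatures, from narrow to broad, are scored against constructed renderings of one harmless iframe-loading snippet and against constructed benign scripts. All sample strings and signature names are assumptions made for illustration.

```python
import hashlib
import re

# Constructed samples: four renderings of one harmless iframe-loading snippet.
# They differ only in identifier names and whitespace, the kind of per-request
# variation the article describes.
VARIANTS = [
    "function loadFrame(u){var f=document.createElement('iframe');f.src=u;document.body.appendChild(f);}",
    "function loadFrame(u){var g7=document.createElement('iframe');g7.src=u;document.body.appendChild(g7);}",
    "function qX9(a){var zz=document.createElement('iframe');zz.src=a;document.body.appendChild(zz);}",
    "function m_41( k ){ var p = document.createElement( 'iframe' ); p.src = k; document.body.appendChild(p); }",
]

# Constructed benign scripts that an ordinary site might ship.
BENIGN = [
    "function embedVideo(id){var v=document.createElement('iframe');v.src='/player/'+id;document.body.appendChild(v);}",
    "var img=document.createElement('img');img.src='/logo.png';document.body.appendChild(img);",
    "console.log('page ready');",
]

# Hypothetical signatures, written after seeing only the first variant.
KNOWN_HASH = hashlib.sha256(VARIANTS[0].encode()).hexdigest()
SIGNATURES = {
    # Whole-content hash: any single changed byte defeats it.
    "exact_hash": lambda s: hashlib.sha256(s.encode()).hexdigest() == KNOWN_HASH,
    # Fixed function name: survives a variable rename, not a function rename.
    "fixed_name": lambda s: "function loadFrame(" in s,
    # Broad behavioural pattern: catches every variant and legitimate embeds too.
    "broad_regex": lambda s: re.search(r"createElement\(\s*'iframe'\s*\)", s) is not None,
}


def evaluate(match):
    """Return (variants detected, benign scripts flagged) for one signature."""
    detected = sum(1 for s in VARIANTS if match(s))
    false_positives = sum(1 for s in BENIGN if match(s))
    return detected, false_positives


def report():
    """Score every signature against both sample sets."""
    return {name: evaluate(match) for name, match in SIGNATURES.items()}


if __name__ == "__main__":
    for name, (hits, fps) in report().items():
        print(f"{name:12} detected {hits}/{len(VARIANTS)}  false positives {fps}/{len(BENIGN)}")
```

Only the broadest pattern catches every variant, and it is also the only one that flags a legitimate video embed.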

Forget what you already know

These new types of constantly changing attacks are also known as “moving target attacks.” How do you combat something that can take so many forms and wreak such havoc? Forget previously conceived notions of security. Forget about patching, forget about rule-based security tools, and move to something that can protect endpoints regardless of the type of exploit thrown at them, and regardless of whether the endpoint has the latest patches or not.

The best way to protect against moving target attacks is to use new security solutions based on moving target defense. Moving target defense is a prevention technique that works in the background on the endpoint, scrambling application memory in order to move or disguise the resources a hacker seeks. By cloaking the true nature of the applications found on a device, this type of defense randomly changes the memory structure, but not the underlying structure, of the systems and applications. When malicious software gains access to an endpoint machine protected by moving target defense, it is unable to find the vulnerable resource it needs in order to cause damage. By its nature, moving target defense is attack-agnostic, which makes it effective against the multiple variations of known and unknown attacks.

Turn the tables on cyberattackers

By creating a continuously shifting target surface, moving target defense turns the tables on hackers, making them do the hard work of finding the target. Since attackers are generally looking for an easy score, when they cannot locate the expected entry point, they most often will simply move on to a different end-user device. And this is what your aim should be. Just as you want your home to be more difficult to break into than the others on your street, your networks and endpoints should make the work of digital thieves so challenging that they abandon their attempts.

When everyone is a target

Hackers don’t discriminate by size; both large enterprises and small businesses are on their task list. A large company may present a more attractive target because of the vast data in its corporate treasure chests (and funds in its bank accounts), but large companies also have the resources to protect against and remediate the effects of an attack, which can cost millions of dollars per incident.

Smaller companies, however, often have a lower security profile, which makes them easier to penetrate. And in the case of an actual breach—for example, if confidential client information is stolen or company data is held for ransom—a small company may never recover and could simply go out of business. In addition, smaller companies can be seen as steppingstones to larger companies that are the actual target: Hackers may find it easier to break into a large, well-protected company via a smaller partner or service provider, causing the small company to become a casualty along the hacker’s path.

How to protect your company

Start to investigate ways to protect your company’s endpoints with prevention solutions based on moving target defense. For today’s fast-moving, rapidly changing, exploit-kit-driven attacks, this may well make the difference between successfully blocking attacks and becoming the next statistic.

This article previously appeared on TechBeacon. Michael Gorelik is VP of R&D at Morphisec. 
