Exploit kits upping the ante for security defense


If there's one thing businesspeople and cyberthieves have in common, it's their love of finding ways to get bigger results with less effort. And for thieves, exploit kits are little efficiency machines. 

So maybe it shouldn't surprise anyone that hackers are now making exploit kits smarter than ever before. The recent 2016 Dell Security Annual Threat Report called out exploit kits as one of the most urgent security challenges of last year, not only because there are now more of them, but because they're becoming harder for security systems to identify and eradicate. 

Hackers know what security software typically scans for, and they're using that knowledge to create workarounds. Remember Spartan? It used malvertising to load a series of files-within-files onto victims' systems before generating its exploitative code in memory, not on disk, in order to stay invisible to firewalls. 

The Nuclear exploit kit was also regularly changing the URL structure of its malicious landing pages, so even after firewalls had flagged one landing page, it could be served again with an unrecognized URL. Other kits began directly calling JavaScript functions to identify the victim's browser and plugins, effectively avoiding security systems that only watched for the JavaScript PluginDetect library.
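The detection gap described above, as an added example that is not from the article or the Dell report: a check that only looks for the PluginDetect name misses a script that calls the browser APIs directly, while a check keyed on the API calls themselves catches both. The probe list, the two-probe threshold and the sample scripts are assumptions constructed for illustration.

```javascript
// Added illustration: pattern names, threshold and samples are constructed.
const LIBRARY_NAME = /PluginDetect/;

// Browser APIs a page can call directly to learn the browser and its plugins.
const PROBES = [
  { name: "navigator.plugins", re: /navigator\s*\.\s*plugins\b/ },
  { name: "navigator.mimeTypes", re: /navigator\s*\.\s*mimeTypes\b/ },
  { name: "ActiveXObject", re: /new\s+ActiveXObject\s*\(/ },
  { name: "navigator.userAgent", re: /navigator\s*\.\s*userAgent\b/ },
];

// Assumed threshold: two distinct probe kinds in one script count as fingerprinting.
const MIN_PROBES = 2;

function scoreScript(source) {
  const probes = PROBES.filter((p) => p.re.test(source)).map((p) => p.name);
  const nameMatch = LIBRARY_NAME.test(source);
  return { nameMatch, probes, flagged: nameMatch || probes.length >= MIN_PROBES };
}

// Constructed samples (not taken from any real kit).
const SAMPLES = {
  usesLibrary: 'var v = PluginDetect.getVersion("Flash");',
  directCalls:
    'var n = navigator.plugins.length;' +
    'try { new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); } catch (e) {}',
  benign: 'if (navigator.userAgent.indexOf("Mobile") > -1) { useMobileLayout(); }',
};

for (const [label, src] of Object.entries(SAMPLES)) {
  const r = scoreScript(src);
  console.log(label, "name-only:", r.nameMatch, "behaviour:", r.flagged, r.probes);
}
```

Static pattern matching like this is itself defeated by obfuscated script, so it complements rather than replaces the patching and layered controls the article goes on to recommend.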

But it's not all bad news. Exploit kits are evolving, but they're primarily aimed at known software vulnerabilities. So keeping your software and systems patched and updated can go a long way, as can the use of a layered security approach that includes tough intrusion prevention, perimeter anti-virus, enforced host-based anti-virus, isolated network zones, multifactor authentication and, for the most paranoid, browser plugins like NoScript. 

Exploit kits gave us a real glimpse into hackers' heads in 2015, and what we saw was that set-it-and-forget-it security programs are completely worthless. If defense-in-depth is not the name of the game for your company, there's a chance you could find yourself on the wrong side of an exploit kit this year. 
