When people hear that 550,000 new malware samples are discovered each day, stopping them all seems insurmountable – but don’t despair. There is a limited number of techniques cybercriminals can use to exploit vulnerabilities, which typically involve memory manipulation.
While criminals will often combine multiple exploit techniques to overwhelm and evade traditional defenses, today’s next-gen cyber protection solutions are designed to stop the exploitation techniques commonly relied on by attackers.
Let’s look at three common exploits as examples.
1. Return-oriented programming protection
To bypass the data execution prevention (DEP) memory protection feature in Windows, cybercriminals often use return-oriented programming (ROP) chains. A ROP chain strings together small fragments of existing code that each end in a return instruction, and the chain eventually reaches a WinAPI function. Because that function is entered through a return instead of a call instruction, the return address on the stack is wrong: the bytes immediately before it do not decode to a call.
Advanced cyber protection solutions terminate ROP attacks when no call instruction is found before the return address.
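The call-preceded check described above, written out as an added example; this is not code from the original post or from any vendor product. It decodes a small subset of x86 call encodings, uses a constructed byte buffer (SAMPLE_CODE) standing in for a code region, and walks two constructed lists of return addresses (LEGIT_STACK and ROP_STACK, expressed as offsets into that buffer) to count how many are not preceded by a call. All names, the byte values and the subset of opcodes handled are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* If the bytes at p (of which `avail` are available) form one of the common
 * x86 call encodings and that encoding is exactly `avail` bytes long when
 * avail is the candidate length, return its length; otherwise return 0.
 * Constructed subset for illustration: SIB and prefixed forms are not decoded. */
static size_t call_len_at(const uint8_t *p, size_t avail) {
    if (avail >= 5 && p[0] == 0xE8) return 5;                 /* call rel32 */
    if (avail >= 2 && p[0] == 0xFF && (p[1] & 0x38) == 0x10) { /* FF /2 = call r/m */
        uint8_t mod = p[1] >> 6, rm = p[1] & 7;
        if (mod == 3) return 2;                                /* call reg */
        if (rm == 4) return 0;                                 /* SIB forms: not decoded here */
        if (mod == 0) return rm == 5 ? (avail >= 6 ? 6 : 0) : 2; /* [disp32]/[rip+disp32] or [reg] */
        if (mod == 1) return avail >= 3 ? 3 : 0;               /* [reg+disp8] */
        return avail >= 6 ? 6 : 0;                             /* mod 2: [reg+disp32] */
    }
    return 0;
}

/* Call-preceded check: does some call encoding end exactly at ret_off?
 * x86 instructions are variable length, so the instruction before the
 * return address is found by trying each candidate call length. */
bool is_call_preceded(const uint8_t *code, size_t code_len, size_t ret_off) {
    static const size_t lens[] = {2, 3, 5, 6};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t len = lens[i];
        if (ret_off < len || ret_off > code_len) continue;
        if (call_len_at(code + ret_off - len, len) == len) return true;
    }
    return false;
}

/* Walk a captured list of return addresses (offsets into `code`) and report
 * how many are not backed by a call. A legitimate call stack yields 0; a ROP
 * chain, whose "return addresses" point at gadgets, yields many. A monitor
 * would run this on the thread's stack when a sensitive API is entered. */
size_t count_unbacked_returns(const uint8_t *code, size_t code_len,
                              const size_t *ret_offs, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_call_preceded(code, code_len, ret_offs[i])) bad++;
    return bad;
}

/* Constructed sample "code" region (not real binary); offsets are in comments. */
static const uint8_t SAMPLE_CODE[] = {
    0x55,                               /*  0: push ebp                         */
    0x89, 0xE5,                         /*  1: mov ebp, esp                     */
    0xE8, 0x10, 0x00, 0x00, 0x00,       /*  3: call rel32   -> return addr = 8  */
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, /*  8: call [disp32]-> return addr = 14 */
    0x5D,                               /* 14: pop ebp                          */
    0xC3,                               /* 15: ret                              */
    0x58,                               /* 16: pop eax   (gadget-shaped bytes)  */
    0xC3,                               /* 17: ret                              */
};

/* Constructed stacks: offsets a legitimate call chain would leave behind,
 * and offsets that point into the tail of the buffer with no call before them. */
static const size_t LEGIT_STACK[] = {8, 14};
static const size_t ROP_STACK[] = {16, 18, 1};

int main(void) {
    size_t n = sizeof SAMPLE_CODE;
    printf("legit stack: %zu unbacked returns\n",
           count_unbacked_returns(SAMPLE_CODE, n, LEGIT_STACK, 2));
    printf("rop stack:   %zu unbacked returns\n",
           count_unbacked_returns(SAMPLE_CODE, n, ROP_STACK, 3));
    return 0;
}
```

The backward decode is a heuristic, not a proof: because x86 is variable length, a byte sequence can decode as a call by coincidence, and real products pair this check with other layers such as stack-pivot and caller-validation checks rather than relying on it alone.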
2. Code injection protection
Attackers have several code injection techniques they prefer.
- Process hollowing takes a trusted application, such as explorer.exe or svchost.exe, and loads it onto the system in a suspended state to act as a container for hostile code. Since the malicious code’s execution is masked under a legitimate process, it evades detection by less advanced security solutions.
- Early Bird code injection takes advantage of the application threading process that happens when a program executes on a computer. The attack loads malicious code in an early stage of the thread initialization, before many security solutions set their hooks, allowing the malware to act undetected.
- Asynchronous procedure call (APC) is a Windows mechanism that can redirect a thread from its normal execution path to execute something else. By queuing their own code through that mechanism, attackers can get it to run inside the target thread.
An advanced, next-gen cybersecurity solution can detect code being injected into a process that was created in a suspended state, or the hollowing-out of that process's original memory, and block the affected process.
3. Defense evasion protection
Since many security solutions only monitor sensitive functions at their entry points before allowing the kernel to service the request, attackers will often call an unmonitored function at an offset so that execution actually lands in an important kernel service, evading the monitor. Next-gen cyber protection prevents attackers from reaching sensitive kernel functions through unprotected API functions.
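One way a monitor can close that gap is to resolve every intercepted control transfer back to the function it actually lands in, rather than trusting the name the caller used. The following is an added example, not code from the original post or from any product: it uses a constructed export table (SAMPLE_EXPORTS, with invented names, addresses and sizes) and classifies a target address as the entry of a non-sensitive function, the entry of a sensitive one (which the normal hook policy then handles), an interior offset (which legitimate callers never use), or an unknown address. The function and type names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical export table entry: name, start address, length, and whether
 * the monitor treats the function as sensitive. All values are constructed. */
typedef struct {
    const char *name;
    uintptr_t start;
    size_t size;
    bool sensitive;
} export_entry;

typedef enum {
    TRANSFER_ALLOWED,          /* entry of a non-sensitive function */
    TRANSFER_MONITORED_ENTRY,  /* entry of a sensitive function: apply the hook policy */
    TRANSFER_INTERIOR,         /* inside a function but past its entry: anomalous */
    TRANSFER_UNKNOWN           /* not inside any known export */
} transfer_verdict;

static const export_entry SAMPLE_EXPORTS[] = {
    {"GetTickCount",            0x10001000, 0x40, false},
    {"NtAllocateVirtualMemory", 0x10002000, 0x80, true},
    {"NtWriteVirtualMemory",    0x10002080, 0x60, true},
};
#define N_EXPORTS (sizeof SAMPLE_EXPORTS / sizeof SAMPLE_EXPORTS[0])

/* Resolve `target` against the table. On a hit, *hit names the function the
 * address falls in, regardless of which export name the caller computed from. */
transfer_verdict classify_transfer(const export_entry *tbl, size_t n,
                                   uintptr_t target, const char **hit) {
    for (size_t i = 0; i < n; i++) {
        const export_entry *e = &tbl[i];
        if (target < e->start || target >= e->start + e->size) continue;
        if (hit) *hit = e->name;
        if (target != e->start) return TRANSFER_INTERIOR;
        return e->sensitive ? TRANSFER_MONITORED_ENTRY : TRANSFER_ALLOWED;
    }
    if (hit) *hit = NULL;
    return TRANSFER_UNKNOWN;
}

/* Policy: interior offsets are blocked outright; sensitive entries go through
 * the regular hook regardless of how the address was reached. */
bool should_block(transfer_verdict v) {
    return v == TRANSFER_INTERIOR;
}

int main(void) {
    /* Constructed scenario: the caller computed GetTickCount + 0x1000, which
     * resolves to the entry of NtAllocateVirtualMemory. */
    const char *hit = NULL;
    transfer_verdict v = classify_transfer(SAMPLE_EXPORTS, N_EXPORTS, 0x10001000 + 0x1000, &hit);
    printf("resolved to %s, verdict %d, block=%d\n", hit ? hit : "(none)", v, should_block(v));
    v = classify_transfer(SAMPLE_EXPORTS, N_EXPORTS, 0x10002010, &hit);
    printf("resolved to %s, verdict %d, block=%d\n", hit ? hit : "(none)", v, should_block(v));
    return 0;
}
```

The point of the design is that policy is keyed on the resolved target, so computing a sensitive function's address from an unmonitored neighbour's export gains the attacker nothing, and a landing point past a function's prologue is treated as an anomaly rather than as a normal call.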
Multilayered protection includes exploit prevention
Exploit prevention may be a set of techniques and heuristics that seldom come into play, but it is critical to any multilayered security plan. Whether the attack uses a recently discovered exploit or an existing, unpatched vulnerability, a single successful one can cause a business-ending breach.
But, again, there’s no reason to panic. Advanced, next-gen cyber protection solutions include Exploit Prevention so you can avoid such sophisticated attacks. To learn more about modern cyber protection strategies and solutions, the Cyber Protection 101 E-book is a useful introduction.