Threat Management, Incident Response, TDR

Blend of old and new techniques help attackers dodge detection, report says

A clever mix of new and old techniques were combined to create “highly evasive attacks” in 2014, according to the Websense 2015 Threat Report.

The report, which zeroes in on eight behavioral and technique-based trends regarding cybercrime, found that cybercrime has become easier as threat actors can rent exploit kits, take advantage of malware-as-a-service (MaaS) and even use subcontractors to create and execute attacks aimed at stealing data. In fact, 99.3 percent of malicious files in 2014 used an existing command-and-control URL used by other malware. And the bulk of malware authors—98.2 percent—used C&Cs that were traced to five other malware types.

The propensity to employ the control hubs of previously used malware “is definitely a change from previous years,” Bob Hansmann, director of product security at Websense, told in Wednesday email correspondence. One reason for that, he said, is that “the nature of attacks change various aspects of the attack frequently such as the social engineering technique, the vulnerability used, or even the malware itself.”

But threat actors “cannot change everything, every time,” he explained. “This data suggests that the URLs used for CnC communications were not changed as frequently as in the past.”

The amount of reuse demonstrates “how many attacks changed more quickly in hopes of finding the right ‘combination' to breach the victims' defenses before they were detected and cut off,” Hansmann said.

The latest crop of threat actors are using tried and true techniques, like macros, Websense said, in unwanted emails and combining them with new evasion techniques, effectively recycling old threats and adding new tactics that allow execution through web channels and email. Those blended techniques make it more difficult for companies to defend against, the firm said.

The study found that email still holds the top spot in attack vectors, noting that 81 percent of the email Websense scanned was found to be malicious. That's a 25 percent increase over the figure reported in 2015. The company also reported an uptick in macro-embedded email attachments, identifying more than three million, in the last 30 days of last year.  

The study further revealed that, while suspicious emails showed a 25 percent increase year over year, use of dropper files decreased 77 percent. Call home activity rose, too—by a whopping 93 percent – but exploit kit use took a dive, dropping 98 percent. Malicious redirects stayed roughly the same.

Overall, Websense saw a 5.1 percent drop in security threats, from 3.96 billion in 2014. That drop, coupled with successful high profile breaches in organizations that have made tremendous investments in security, point to a high level of effectiveness and show that attackers have reduced their threat profiles by restructuring attack methodology—and ultimately making their activities harder to detect.

Hansmann expressed surprise at the tripled growth in the number of exploit kits operating in 2014, calling the figure, which showed an uptick in the number of threat actors,“ much greater than expected.”

Also of surprise, he said, is “that cybercriminals are shifting their tactics from continually pursuing more advanced threats to focusing on ‘just advanced enough' attack planning.”

The research also showed that insider threats would continue to challenge organizations and that network infrastructure is “brittle” and riddled with hidden vulnerabilities such as those found in Bash and OpenSSL. The Internet of Things (IoT) will just serve to magnify the number of opportunities that threat actors have to attack and the company said organizations' ability to outmaneuver them will be compromised by the anticipated shortage of two million skilled IT pros by 2017.

Websense also warned against being quick to attribute an attack to one hacker or another since they have become skilled at covering their tracks by spoofing information and getting around logging and tracking.

While Hansmann noted that identifying and prosecuting criminals “is vital” to putting the skids on the criminal industry, he said “the accurate attribution of an attack requires more than the data contained within the victims network.”

Although, like in any crime scene, “there is vital evidence and we strongly encourage victims to quickly involve, and cooperate, with law enforcement,” he noted that “successful identification will require undercover work, informants, and other investigation methods beyond the capabilities of victim organizations.” 

He contended that instead “victims will best benefit from assisting law enforcement, and investigating the attack from the perspective of ‘what can we learn from this to ensure it doesn't happen again?'”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.