Malvertising Threats Underscore the Need for an Approach to Security that Addresses the Full Attack Continuum.
Internet advertising spend outpaces all other forms of media according to the most recent reports from Nielsen. Together, global display advertising across the web, mobile Internet and apps grew by 32.4% in 2013 — by far the largest increase of any media. Annoying as it can be for users, Internet advertising is important because it allows people to freely consume the vast majority of the web. If that model were to change or if people were to stop trusting Internet advertising altogether, the repercussions for the Internet could be monumental. But just as advertisers see huge opportunities to reach their targets with Internet ads, hackers see similar opportunities.
“Malvertising,” online advertising used to spread malware, is becoming more prevalent. The cybercriminal economy that has formed around the attack chain makes it increasingly easy for adversaries to obtain the tools they need to launch highly targeted campaigns. For example, a malvertiser who wants to reach a specific population at a specific time, such as soccer fans watching a World Cup match, can turn to a legitimate ad exchange. Just like legitimate advertisers, they contact the companies that act as gatekeepers for the exchanges, pay up front for the placement (perhaps US$2,000 or more per ad run), and ask that the ads be served as quickly as possible, leaving little or no time for the ad content to be inspected.
Malvertising victims are infected in the course of normal browsing, without ever clicking on the advertisement, and so have no idea where or how they were infected. These drive-by attacks on visitors to high-profile, legitimate websites are virtually impossible for the user to detect. The ad silently redirects the browser to a site hosting an exploit kit that the adversary has rented or purchased; the kit exploits a vulnerability in the browser or one of its plugins and pushes a ‘dropper’ onto the system, which then fetches and installs the real payload. Not only is the infiltration stealthy, but tracing the source afterwards is next to impossible, because the ad that delivered the malware has long since rotated out of the exchange.
So how can security professionals prevent these attacks from succeeding? Secure web gateways are becoming an increasingly important component of any cybersecurity strategy. However, a conventional secure web gateway operates at a single point in time: it gets one shot to detect and stop the traffic as it passes through.
Advanced attacks don’t occur at a single point in time, so visibility and blocking at the point of entry, while important, are not enough. These attacks are ongoing and require continuous scrutiny. When evaluating secure web gateways, security professionals should look for solutions that apply a series of checks across the full attack continuum, before, during, and after an attack, for more effective protection.
Before an attack - Defenders need comprehensive awareness and visibility to implement policies and controls for their environment. URL filtering and web reputation filtering are the first checks. With URL filtering, administrators can block known malicious sites and can also block whole categories of URLs by content, for example allowing news sites but blocking all ad networks. Organizations unwilling to block all ads because of the impact on user experience can add further layers. Reputation filtering is one: much like a credit score for a website, it draws on a large body of data, including how long the domain has been malware-free, to assign each URL a reputation. When a user requests a page, the gateway looks up that reputation and applies the pre-set policy to decide how the request is handled (allow, block, or allow with closer inspection of the content). Working together, URL filtering and reputation filtering block many malvertising attacks at the point of entry, but attacks are stealthy and some still get through. One caveat: a malicious ad served into a reputable publisher’s page does not carry the publisher’s good reputation, so these checks must be applied to every request the page triggers, including the ad-serving and redirect domains, not only to the URL the user typed.
During an attack - Defenders must be able to continuously detect and block malware. If the content the user requested has passed URL and reputation filtering, real-time malware scanning takes over. Before the content is delivered, the file is scanned against signatures and the latest threat intelligence and blocked if it is known to be malicious. If its disposition is still unknown or untrusted, it is run in a sandbox, a tightly controlled environment, and watched for suspicious or malicious behaviour. If the sandbox verdict is malicious, the administrator is notified to take action and the earlier layers are updated so that similar ads are blocked in future. Sandboxing mitigates risk but does not remove it: malware is increasingly designed to recognise a sandbox and stay dormant inside it, so a clean sandbox verdict means only that nothing bad was observed, not that the file is safe.
After an attack - Because some advanced threats still penetrate networks, defenders need retrospective security. Retrospective security keeps tracking files after they have entered the network and re-evaluates them as real-time, global threat intelligence changes. If a file that originally passed as unknown is later identified as malicious, retrospective security can determine the scope of the attack, which hosts received the file and from where, so that defenders can quickly contain the threat and remediate. The other layers are then updated with the new intelligence so that a similar malvertising attack is blocked in the future.
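The three stages above are easier to see as one pipeline. The following is an added illustration, not code from the original article or from any vendor’s product: a toy gateway that applies URL filtering and reputation filtering to a request, scans the returned file against known hashes, sends unknown files to a stand-in sandbox, keeps a download log, and then, when intelligence later flags a hash, works out which clients received it and feeds the delivering host back into the URL filter. All host names, reputation scores, file contents, the behaviours the “sandbox” reports and the blocklist are constructed for the example; the thresholds (block below 20, inspect below 60) are arbitrary policy values, not recommendations.

```python
"""Toy model of a secure web gateway's before / during / after checks.
Everything here (hosts, scores, hashes, sandbox behaviour, download log) is
constructed for the example; nothing queries a real threat-intelligence feed."""
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed policy data. Reputation is 0..100, higher is better.
URL_CATEGORY = {"news.example": "news", "ads.example": "ads", "cdn.example": "cdn"}
BLOCKED_CATEGORIES = {"ads"}                    # policy: allow news, block all ads
REPUTATION = {"news.example": 92, "cdn.example": 35, "sketchy.example": 10}
DEFAULT_REPUTATION = 50                         # never-seen host: no track record yet
REPUTATION_BLOCK_BELOW = 20                     # arbitrary thresholds for the example
REPUTATION_INSPECT_BELOW = 60                   # allow, but force content inspection
SUSPICIOUS_BEHAVIOUR = {"persistence:run_key", "process:spawn_shell", "network:beacon"}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


class Gateway:
    def __init__(self, known_malicious=(), known_clean=()):
        self.blocked_hosts = {"known-bad.example"}      # constructed blocklist
        self.malicious_hashes = set(known_malicious)    # sha256 hex digests
        self.clean_hashes = set(known_clean)
        self.downloads = []   # (client, url, sha256) retained for retrospective analysis

    # ---- before: URL filtering, then reputation filtering --------------------
    def before_attack(self, url: str) -> str:
        """Returns 'block', 'inspect' or 'allow' for the request itself."""
        host = host_of(url)
        if host in self.blocked_hosts or URL_CATEGORY.get(host) in BLOCKED_CATEGORIES:
            return "block"
        score = REPUTATION.get(host, DEFAULT_REPUTATION)
        if score < REPUTATION_BLOCK_BELOW:
            return "block"
        return "inspect" if score < REPUTATION_INSPECT_BELOW else "allow"

    # ---- during: real-time scan, then sandbox anything still unknown ---------
    def during_attack(self, client: str, url: str, content: bytes, detonate) -> str:
        """`detonate` stands in for the sandbox: given the file it returns the list
        of behaviours observed while the file ran (constructed in demo())."""
        digest = sha256(content).hexdigest()
        self.downloads.append((client, url, digest))   # track regardless of verdict
        if digest in self.malicious_hashes:
            return "block"
        if digest in self.clean_hashes:
            return "allow"
        if SUSPICIOUS_BEHAVIOUR & set(detonate(content)):
            self.malicious_hashes.add(digest)           # update defences for next time
            self.blocked_hosts.add(host_of(url))
            return "block"
        return "allow"    # nothing observed: risk reduced, not removed (evasion)

    # ---- after: a hash is later found malicious; scope it and contain --------
    def retrospective(self, digest: str):
        """Return the clients that received `digest` and push the delivering hosts
        back into URL filtering so the same path is blocked in future."""
        self.malicious_hashes.add(digest)
        hits = [(client, url) for client, url, h in self.downloads if h == digest]
        for _, url in hits:
            self.blocked_hosts.add(host_of(url))
        return sorted({client for client, _ in hits})


def demo():
    """Walk one constructed malvertising scenario through all three stages."""
    gw = Gateway()
    quiet = lambda content: []                      # evasive sample: sandbox sees nothing
    noisy = lambda content: ["file:write_temp", "persistence:run_key"]
    dropper = b"constructed dropper bytes"          # unknown to intelligence at first
    payload_url = "https://cdn.example/payload.bin"
    results = {
        "ad_blocked_by_category": gw.before_attack("https://ads.example/creative.js"),
        "news_allowed": gw.before_attack("https://news.example/"),
        "cdn_inspected": gw.before_attack(payload_url),
    }
    # Two clients fetch the dropper; the sandbox reports nothing, so it is allowed.
    results["first_fetch"] = gw.during_attack("pc-1", payload_url, dropper, quiet)
    results["second_fetch"] = gw.during_attack("pc-2", payload_url, dropper, quiet)
    # Later intelligence flags the hash: determine scope, then contain.
    results["affected_clients"] = gw.retrospective(sha256(dropper).hexdigest())
    results["cdn_now_blocked"] = gw.before_attack(payload_url)
    results["third_fetch"] = gw.during_attack("pc-3", payload_url, dropper, quiet)
    # A sample that misbehaves inside the sandbox is caught during the attack.
    results["noisy_sample"] = Gateway().during_attack("pc-4", "https://other.example/x", b"other", noisy)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the download log is the “after” stage: the first two fetches were allowed, and only because every file was recorded with its hash and delivering URL can the gateway later say exactly which clients need cleanup and which host to block. Note also that the quiet sample passed the sandbox, which is the evasion caveat from the “during” stage in miniature.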
Malvertising affects every Internet user and is a disruptor for the Internet economy. It illustrates the sophistication of the modern cybercriminal economy, with its division of labor, cooperation, and specialization across the attack chain, and it underscores the need for an approach to security that addresses the full attack continuum. With ongoing visibility and control, and intelligent, continuous updates, security professionals can act quickly to contain the outbreaks that will inevitably occur.