“Slow and Low” isn’t just a popular song by the Beastie Boys. It’s also the tempo that adversaries are now choosing to launch attacks and evade detection.
The modern threat landscape is fueled by attackers who are no longer motivated by notoriety but, more typically, by economic or political gain. With significant financial incentives for successful attacks, secrecy is now the end game. Attackers are more proficient at discreetly leveraging gaps in security to conceal malicious activity, and new evasion approaches keep appearing that defenders have not seen before.
Here are five ‘slow and low’ techniques that online criminals are using to gain entry to networks and accomplish their mission that security professionals need to understand in order to more effectively defend their organizations.
1. Exploit kits: In the business world, companies strive to be known as an industry leader. But when it comes to exploit kits, the top spot isn’t as coveted. Producers of high-profile exploit kits like Blackhole have been targeted by authorities and shut down. As a result, attackers are realizing that bigger and bolder is not always better – be it the size of malicious C&C infrastructures or ways into networks. Instead, the more successful exploit kits are the fourth or fifth most common – a sustainable business model because it doesn’t attract much attention.
2. Snowshoe spam: So named because, much like a snowshoe, it leaves a large but faint footprint that is harder to see: the attacker spreads a lot of messages across a large area to avoid detection by traditional defenses. Snowshoe spammers send unsolicited bulk email from a large number of IP addresses at a low message volume per IP address in an attempt to stay under the per-sender thresholds of IP-based anti-spam reputation technologies. They rapidly change body text, links and sending IP addresses, and never repeat the same combination.
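The following is an added illustration, not code from the original post, of why per-IP reputation misses snowshoe spam and what a defender can do instead. It runs a classic per-source threshold and a netblock-aggregation rule over a constructed mail log. One assumption not stated in the post is that the campaign's sending hosts share a /24; real campaigns may be spread wider, in which case the same aggregation is done over whatever the messages have in common (ASN, registrar, landing-page host).

```python
"""Snowshoe-spam detection sketch: per-IP reputation vs. netblock aggregation."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample, not real telemetry. Each entry is (sender_ip, subject).
# A snowshoe campaign spreads 30 messages over 24 hosts in 198.51.100.0/24,
# so no single host sends more than 2 messages. A legitimate newsletter host
# (203.0.113.10) sends 40 and a normal correspondent (192.0.2.5) sends 2.
# Assumption (not from the page): the campaign's hosts sit in one /24.
SNOWSHOE_HOSTS = [f"198.51.100.{i}" for i in range(1, 25)]
SAMPLE_LOG = [(ip, f"Your order #{i}") for i, ip in enumerate(SNOWSHOE_HOSTS)]
SAMPLE_LOG += [(ip, f"Invoice {i}") for i, ip in enumerate(SNOWSHOE_HOSTS[:6])]
SAMPLE_LOG += [("203.0.113.10", "Weekly newsletter")] * 40
SAMPLE_LOG += [("192.0.2.5", "Re: meeting")] * 2


def per_ip_counts(log):
    """Messages seen per sending IP address."""
    return Counter(ip for ip, _ in log)


def flag_by_ip(log, threshold=5):
    """Classic IP-reputation rule: flag any single source above `threshold`.

    Snowshoe senders keep every host under the threshold, so only the
    high-volume (here legitimate) newsletter host trips this rule.
    """
    return {ip for ip, n in per_ip_counts(log).items() if n > threshold}


def flag_by_netblock(log, prefixlen=24, min_hosts=10, max_per_host=3):
    """Aggregate by network instead of by host.

    A block is flagged when many distinct hosts in it each send only a few
    messages: exactly the footprint a snowshoe campaign leaves and a pattern
    that a legitimate bulk sender (one host, many messages) does not match.
    """
    hosts_per_net = defaultdict(Counter)
    for ip, _ in log:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts_per_net[net][ip] += 1
    flagged = set()
    for net, hosts in hosts_per_net.items():
        if len(hosts) >= min_hosts and max(hosts.values()) <= max_per_host:
            flagged.add(str(net))
    return flagged


if __name__ == "__main__":
    print("per-IP rule flags:   ", sorted(flag_by_ip(SAMPLE_LOG)))
    print("netblock rule flags: ", sorted(flag_by_netblock(SAMPLE_LOG)))
```

The per-IP rule flags only the legitimate newsletter host and lets all 30 campaign messages through; the netblock rule flags 198.51.100.0/24 and leaves both legitimate senders alone. The thresholds are illustrative and would be tuned against an organization's own mail volume.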
3. More sophisticated spear phishing: Adversaries continue to refine messages, often using social engineering tactics, so that even experienced end users have a hard time spotting fake messages. The latest round of spear-phishing messages appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers. These emails may include a trusted name and a logo and a call to action that is familiar to recipients, such as a notice about a recent order, or a delivery tracking number. This well-planned and careful construction gives users a false sense of security, enticing them to click on malicious links contained in the email.
5. Malvertising from browser add-ons: Malware creators have devised a refined business model using web browser add-ons as a medium for distributing malware and unwanted applications. Users pay a small fee to download and install applications such as PDF tools or video players from sources that they believe are legitimate. In reality the applications are bundled with malicious software. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign. Attackers make money from many individual users in small increments by persistently infecting their browsers and hiding in plain sight on their machines.
Security professionals and online criminals are in an ongoing race to see which side can outwit the other. Adversaries are becoming more sophisticated not only in their approaches to launching attacks, but also in evading detection in ways we haven’t seen before. But defenders aren’t standing still. By continuing to innovate and learn based on what we’re seeing in the wild, defenders can identify and thwart the latest round of attacks.