Slow and Low - The Tempo for Today's Latest Round of Attacks

“Slow and Low” isn’t just a popular song by the Beastie Boys. It’s also the tempo that adversaries are now choosing to launch attacks and evade detection.

The modern threat landscape is fueled by attackers who are no longer motivated by notoriety but, more typically, by economic or political gain. With significant financial incentives for successful attacks, secrecy is now the end game. Attackers are more proficient at discreetly leveraging gaps in security to hide and conceal malicious activity, and we’re learning of new approaches never seen before.

Here are five ‘slow and low’ techniques that online criminals are using to gain entry to networks and accomplish their mission. Security professionals need to understand them in order to defend their organizations more effectively.

1. Exploit kits: In the business world, companies strive to be known as an industry leader. But when it comes to exploit kits, the top spot isn’t as coveted. Producers of high-profile exploit kits like Blackhole have been targeted by authorities and shut down. As a result, attackers are realizing that bigger and bolder is not always better – be it the size of malicious C&C infrastructures or ways into networks. Instead, the more successful exploit kits are the fourth or fifth most common – a sustainable business model because it doesn’t attract much attention.

2. Snowshoe spam: So named because, much like a snowshoe, it leaves a footprint that is large but faint and therefore harder to see. With this technique the attacker spreads a lot of messages across a large area to avoid detection by traditional defenses. Snowshoe spammers send unsolicited bulk email from a large number of IP addresses at a low message volume per IP address, in an attempt to bypass IP-based anti-spam reputation technologies. They rapidly change body text, links and the IP addresses used to send from, and never repeat the same combination.
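As an added illustration (not code from the original article), the following defender-side check looks for the pattern described above: instead of scoring each sending IP on its own volume, it aggregates by message template, so a campaign that stays under the per-IP radar but spans many sources is still visible. The log lines and field layout (sender_ip|subject|url) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample MTA log, one message per line: sender_ip|subject|url
# (illustrative data, not taken from any real mail system)
SAMPLE_LOG = """\
198.51.100.12|Your order #48213 is ready|http://a1.example/t?id=9912
198.51.100.77|Your order #77120 is ready|http://a2.example/t?id=1170
203.0.113.5|Your order #10094 is ready|http://a3.example/t?id=5531
203.0.113.9|Your order #33391 is ready|http://a4.example/t?id=8080
192.0.2.41|Your order #65001 is ready|http://a5.example/t?id=4242
192.0.2.88|Your order #12777 is ready|http://a6.example/t?id=1313
192.0.2.21|Weekly newsletter 2015-02|http://news.example/w?n=12
192.0.2.21|Weekly newsletter 2015-02|http://news.example/w?n=13
192.0.2.21|Weekly newsletter 2015-02|http://news.example/w?n=14
192.0.2.21|Weekly newsletter 2015-02|http://news.example/w?n=15
192.0.2.21|Weekly newsletter 2015-02|http://news.example/w?n=16
192.0.2.21|Weekly newsletter 2015-02|http://news.example/w?n=17
"""

def fingerprint(subject: str, url: str) -> str:
    """Collapse the parts a snowshoe campaign rotates per message (order
    numbers, tracking ids, numbered hostnames) into a stable template key."""
    subj = re.sub(r"\d+", "#", subject.lower())
    host = re.sub(r"\d+", "#", url.split("/")[2])  # 'a1.example' -> 'a#.example'
    return f"{subj}|{host}"

def detect_snowshoe(log: str, per_ip_max: int = 3, min_sources: int = 5) -> dict:
    """Return {template: [sender IPs]} for campaigns spread across at least
    min_sources distinct IPs where no single IP sent more than per_ip_max
    messages. A high-volume single sender (the newsletter) is not flagged
    here; that case is what per-IP reputation already handles."""
    per_campaign = defaultdict(lambda: defaultdict(int))
    for line in log.strip().splitlines():
        ip, subject, url = line.split("|")
        per_campaign[fingerprint(subject, url)][ip] += 1
    flagged = {}
    for key, ips in per_campaign.items():
        if len(ips) >= min_sources and max(ips.values()) <= per_ip_max:
            flagged[key] = sorted(ips)
    return flagged

if __name__ == "__main__":
    for template, ips in detect_snowshoe(SAMPLE_LOG).items():
        print(f"snowshoe candidate: {template!r} from {len(ips)} IPs")
```

In practice the template key would be built from more than the subject and link host (for example a normalized body hash), but the aggregation step is the part that counters the low-volume-per-IP strategy.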

3. More sophisticated spear phishing: Adversaries continue to refine messages, often using social engineering tactics, so that even experienced end users have a hard time spotting fake messages. The latest round of spear-phishing messages appears to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers. These emails may include a trusted name, a logo and a call to action that is familiar to recipients, such as a notice about a recent order or a delivery tracking number. This well-planned and careful construction gives users a false sense of security, enticing them to click on malicious links contained in the email.

4. Sharing exploits between two different files: Flash malware can now interact with JavaScript to hide malicious activity by sharing an exploit between two different files and formats: one Flash, one JavaScript. This conceals malicious activity, making it much harder to identify and block the exploit, and to analyze it with reverse engineering tools. This approach also helps adversaries to be more efficient and effective in their attacks. For example, if the first stage of an attack is entirely in JavaScript, then the second stage, the payload transmission, would not occur until after the JavaScript executes successfully. This way, only users who can run the malicious file receive the payload.

5. Malvertising from browser add-ons: Malware creators have devised a refined business model using web browser add-ons as a medium for distributing malware and unwanted applications. Users pay a small fee to download and install applications such as PDF tools or video players from sources that they believe are legitimate. In reality the applications are bundled with malicious software. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign. Attackers make money from many individual users in small increments by persistently infecting their browsers and hiding in plain sight on their machines.

Security professionals and online criminals are in an ongoing race to see which side can outwit the other. Adversaries are becoming more sophisticated not only in their approaches to launching attacks, but also in evading detection in ways we haven’t seen before. But defenders aren’t standing still. By continuing to innovate and learn based on what we’re seeing in the wild, defenders can identify and thwart the latest round of attacks.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.