Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Slow and Low – The Tempo for Today’s Latest Round of Attacks

“Slow and Low” isn’t just a popular song by the Beastie Boys. It’s also the tempo that adversaries are now choosing to launch attacks and evade detection.

“Slow and Low” isn’t just a popular song by the Beastie Boys. It’s also the tempo that adversaries are now choosing to launch attacks and evade detection.

The modern threat landscape is fueled by attackers no longer motivated by notoriety but, more typically, economic or political gain. With significant financial incentives for successful attacks, secrecy is now the end game. Attackers are more proficient at discretely leveraging gaps in security to hide and conceal malicious activity and we’re learning of new approaches never seen before.

Here are five ‘slow and low’ techniques that online criminals are using to gain entry to networks and accomplish their mission that security professionals need to understand in order to more effectively defend their organizations.

1. Exploit kits: In the business world, companies strive to be known as an industry leader. But when it comes to exploit kits, the top spot isn’t as coveted. Producers of high-profile exploit kits like Blackhole have been targeted by authorities and shut down. As a result, attackers are realizing that bigger and bolder is not always better – be it the size of malicious C&C infrastructures or ways into networks. Instead, the more successful exploit kits are the fourth or fifth most common – a sustainable business model because it doesn’t attract much attention.

Cyber Attack Trends: Low and Slow2. Snowshoe spam: So named because much like a snowshoe that has a large but faint footprint that is harder to see, with this technique the attacker spreads a lot of messages across a large area to avoid detection by traditional defenses. Snowshoe spammers send unsolicited bulk email using a large number of IP addresses and at a low message volume per IP address in an attempt to bypass IP-based anti-spam reputation technologies. They rapidly change body text, links, the IP addresses used to send from, and never repeat the same combination.

3. More sophisticated spear phishing: Adversaries continue to refine messages, often using social engineering tactics, so that even experienced end users have a hard time spotting fake messages. The latest round of spear-phishing messages appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers. These emails may include a trusted name and a logo and a call to action that is familiar to recipients, such as a notice about a recent order, or a delivery tracking number. This well-planned and careful construction gives users a false sense of security, enticing them to click on malicious links contained in the email.

4. Sharing exploits between two different files: Flash malware can now interact with JavaScript to hide malicious activity by sharing an exploit between two different files and formats: one Flash, one JavaScript. This conceals malicious activity, making it much harder to identify and block the exploit, and to analyze it with reverse engineering tools. This approach also helps adversaries to be more efficient and effective in their attacks. For example, if the first stage of an attack is entirely in JavaScript, then the second stage, the payload transmission, would not occur until after the JavaScript executes successfully. This way, only users who can run the malicious file receive the payload.

5. Malvertising from browser add-ons: Malware creators have devised a refined business model using web browser add-ons as a medium for distributing malware and unwanted applications. Users pay a small fee to download and install applications such as PDF tools or video players from sources that they believe are legitimate. In reality the applications are bundled with malicious software. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign. Attackers make money from many individual users in small increments by persistently infecting their browsers and hiding in plain sight on their machines.

Security professionals and online criminals are in an ongoing race to see which side can outwit the other. Adversaries are becoming more sophisticated not only in their approaches to launching attacks, but also in evading detection in ways we haven’t seen before. But defenders aren’t standing still. By continuing to innovate and learn based on what we’re seeing in the wild, defenders can identify and thwart the latest round of attacks.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...