Right now RSA, an annual cybersecurity conference held in San Francisco, is wrapping up. We would not miss this event. Our experts spoke in a number of tracks, briefing the audience on the ecosystem of Russian-speaking crypto ransomware and the challenges of APT attribution. Also, we shared our general vision of today’s threat landscape at Kaspersky Lab’s booth.
It’s no secret that the threat landscape is constantly changing. However, the key trend here is the consolidation of the cybercriminal industry. We used to divide threats into conventional (having only a moderate impact but still annoying) and professional cybercrime, and APTs (advanced persistent threats, a token contingent of government-sponsored hacker groups). But now, these lines are getting very blurred. Professional cybercrime gangs, motivated mainly by profit, on the one hand are increasingly prone to using conventional methods and on the other hand frequently act as mercenaries, serving the interests of various groups (which sometimes are governments). This has a dual impact on the cybersecurity environment. First, advanced attacks are increasingly becoming massive, and second, it makes attribution even more challenging. In turn, complex and “high-end” APT attacks are replaced by just “targeted attacks,” which do not rely so much on persistence and can use old — but still effective — Trojans and even legitimate tools.
However, let’s get a detailed view on the methods cybercrooks use increasingly often in targeted attacks.
Practically every single targeted attack relies on exploits. Until recently, those were zero-day exploits —vulnerabilities as yet unpublished. Of course, such exploits are still menacing, but zero-day attacks are now rare. Now, major disaster is caused by so-called one-day vulnerabilities — exploits that have been already found and, what’s worse, published. Even if developers have issued patches, the time it takes to apply patches to the affected systems is enough for cybercriminals to attacks thousands of victims. Moreover, there are “any-day” vulnerabilities; a staggering number of systems remain unpatched for years.
A number of methods exist to battle this disease, but we think true cybersecurity can be achieved through a combination of technology levels. First, patching should be fully automated. No doubt, patching is a complex and difficult task administrators have trouble keeping up with. But patching alone is not enough. It’s necessary to make sure exploits are harmless before patching. Fortunately, fewer exploit techniques exist than actual exploits. So, our security toolset includes several methods to protect critical processes against exploitation. We prefer noninvasive methods based on behavioral analytics, which can detect activity related to exploits and don’t require deep inspection of processes.
Another problem that is gaining increasing prominence is fileless malware. It cannot be detected by scanning a hard drive, and as soon as it completes its tasks, it disappears, leaving no traces to aid investigation.
However, we know how to fight that type of threat. To detect threats that operate in system memory, we have to work on a number of levels. First, we have to keep an eye on memory activity and kill any processes that are not normally used by legitimate software. However, for that method to be effective, the technology that keeps track of memory processes needs access to additional data such as URL reputation and a control center white list. Machine-learning technologies are also required: to process and streamline this information, and to assess new process-related behavioral data. This approach makes detection more effective, regardless of any tricks a cybercriminal might pull.
Strange as it may seem, legitimate programs, in particular code interpreters, have become a threat. When malware uses legitimate tools to launch, attacks become quite hard to detect. The processes associated with installers are usually viewed as trusted, even if they perform malicious instructions. Such programs are also frequently cross-platform, which means a threat can have even more impact.
One of the most dangerous tools of this kind is PowerShell. PowerShell scripts are, well, very powerful. PowerShell-based malware can do many things: download more malware, remotely execute code, and run exploits — even fileless Trojans — for example. It’s no wonder cybercriminals have been using PowerShell lately.
To protect against the threat of legitimate tools being used maliciously, we recommend getting rid of unnecessary code interpreters installed in your system or using application control to block them. Also, use proven security solutions that rely on a multilevel approach and methods of behavioral analysis that uncover both suspicious activity and methods of running scripts and their sources.
Of course, these are not the only methods cybercriminals tend to use in targeted attacks. Our experts think that true cybersecurity within an organization requires the use of an adaptive cybersecurity model. Such a model presupposes the use of systems that constantly adapt to the ever-changing threat landscape. In general, we recommend that you:
- Protect all endpoints with the help of a multilevel IPS system;
- Deploy solutions to fight unknown threats across the infrastructure;
- Make sure employees are ready to respond to threats and have access to an effective toolset, including access to outside experts;
- Regularly audit infrastructure and application security with help of outside researchers and use additional sources of threat analytics to predict the next attack vector;
- Nurture employee awareness about the latest cyberthreats.
Having these processes deployed and streamlined across the entire organization will help protect it against any cyberattack, targeted or not.