Hackers Shift Tactics, Study Warns

Cybercriminals are shifting tactics to bypass corporations' first line of defense, which typically includes antivirus software, firewalls, and intrusion prevention systems, according to a study released last week.

Evasion techniques that are on the rise include diversifying malicious e-mail attachments and using short-term domains in drive-by attacks, according to the biannual report from FireEye, a security vendor focused on advanced persistent threats.

In the first half of the year, the study -- based on a trend analysis of data gathered from FireEye customers -- found a 225 percent increase over the previous six-month period in the volume of advanced malware successfully evading signature-based detection, such as blacklisting technology and AV software. That amounted to an average of 643 infections per week per company.

"Clearly, there is a need for better intelligence in defense," Scott Crawford, a security research director for Enterprise Management Associates, said in an email. "Greater awareness of the threat landscape in as close to real time as possible is required, regardless of whether to inform human defenders or to arm security technologies."

FireEye finds that hackers have increased the number of "throwaway" domains used in spear-phishing e-mails, in order to evade technologies that rely on domain reputation analysis and URL blacklists. The number of domains used fewer than ten times rose 45 percent from the second half of 2011.

"The domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown," the report says.
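The defensive counterpart to that observation is to stop asking "is this domain on a list?" and start asking "how often has anyone here ever contacted this domain?" The following is an added illustrative example, not code from FireEye or from the report: it walks a constructed proxy-style click log, collapses each URL to a registrable domain, and flags domains seen fewer than a threshold number of times, mirroring the report's "fewer than ten times" cut. The log format, the sample lines, the blocklist contents, and the two-label domain heuristic are all assumptions made for the example; a production version would use a public suffix list and a much longer baseline window.

```python
"""Rare-domain detection over a constructed proxy/e-mail click log.

Added example (not FireEye's or CSOonline's code). The idea: a URL
blacklist only knows domains that have already earned a bad reputation,
so a "throwaway" domain used two or three times never trips it. Counting
how rarely a domain is contacted surfaces exactly that traffic.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log, one "<ISO timestamp> <user> <url>" record per line.
# example.com is the busy corporate domain; example.net is a throwaway
# phishing domain hit twice; example.org is assumed to be already blacklisted.
SAMPLE_LOG = """\
2012-06-01T08:02:11 alice http://www.example.com/news
2012-06-01T08:03:40 bob http://mail.example.com/inbox
2012-06-01T08:05:02 carol http://www.example.com/news
2012-06-01T08:06:19 alice http://docs.example.com/q2
2012-06-01T08:07:55 dave http://www.example.com/
2012-06-01T08:09:30 bob http://www.example.com/news
2012-06-01T08:11:08 carol http://mail.example.com/inbox
2012-06-01T08:12:44 dave http://docs.example.com/q2
2012-06-01T08:14:21 alice http://www.example.com/news
2012-06-01T08:15:57 bob http://docs.example.com/q2
2012-06-01T08:17:33 carol http://www.example.com/
2012-06-01T08:19:10 dave http://mail.example.com/inbox
2012-06-01T09:41:02 alice http://invoice-review-2012.example.net/doc.php?id=7
2012-06-01T09:42:37 dave http://invoice-review-2012.example.net/doc.php?id=9
2012-06-01T10:05:15 bob http://known-bad.example.org/payload
"""


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    Assumption for the example: no public suffix list, so 'co.uk'-style
    suffixes would be collapsed wrongly; real code should use one.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_log(text):
    """Yield (timestamp, user, registrable_domain) for each log record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(None, 2)
        host = urlparse(url).hostname
        if host is None:
            continue
        yield datetime.fromisoformat(ts), user, registrable_domain(host)


def rare_domains(text, max_hits=10, blocklist=frozenset()):
    """Return {domain: (hits, first_seen, sorted users)} for domains contacted
    fewer than max_hits times and not already on the blocklist, i.e. the
    traffic a blacklist-only defense would let straight through."""
    hits = defaultdict(int)
    first_seen = {}
    users = defaultdict(set)
    for ts, user, dom in parse_log(text):
        hits[dom] += 1
        first_seen[dom] = min(first_seen.get(dom, ts), ts)
        users[dom].add(user)
    return {
        d: (n, first_seen[d], sorted(users[d]))
        for d, n in hits.items()
        if n < max_hits and d not in blocklist
    }


if __name__ == "__main__":
    for dom, (n, seen, who) in rare_domains(
        SAMPLE_LOG, blocklist=frozenset({"example.org"})
    ).items():
        print(f"{dom}: {n} hit(s), first seen {seen}, users {who}")
```

The blocklist is passed in only to show the division of labour: known-bad domains are the blacklist's job, and the rare-domain pass exists for what the blacklist has never heard of. On the constructed log it reports a single domain, example.net, contacted twice by two users within two minutes, which is the shape of a spear-phishing wave rather than normal browsing.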

Another popular evasive tactic is greater diversity in malicious e-mail attachments. In the first half of this year, the top 20 malicious payloads accounted for 26 percent of attachments that evaded AV and other perimeter defenses, compared to 45 percent in the second half of last year. The drop indicates that hackers are spreading their attacks across a much more diverse set of malware, so that no single sample is common enough to justify a signature.

"These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing malware and morphing it in an automated fashion," the report says. "In this way, the task of creating signature-based defenses to thwart these malicious files grows increasingly difficult."

E-Mail Remains Point of Entry

E-mail remains the most popular vector for getting malware, or links to a malicious Web site, in front of corporate employees. The messages are often crafted to trick the recipient into opening the malicious attachment or clicking on the link.

To defend against increasingly agile attackers, security vendors are adopting more data-driven models to adjust to new threats in as close to real time as possible. Rather than relying on signature updates sent in intermittent batches, vendors are gathering threat data from a variety of sources and quickly applying updates to products, Crawford said in a recent blog post.

Such real-time data is coming from service provider networks, customers, botnets, attacker profiles, and more.

Vendors adopting some form of this approach include Symantec, McAfee, Trend Micro, Damballa, FireEye, and Endgame Systems, Crawford says.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
