Hackers shift to outflanking the first line of defense

Cybercriminals are shifting tactics to bypass corporations' first line of defense, which typically includes antivirus software, firewalls and intrusion prevention systems, according to a study released on Wednesday.

Evasion techniques that are on the rise include diversifying malicious email attachments and using short-term domains in drive-by attacks, according to the biannual report from FireEye, a security vendor focused on advanced persistent threats.

In the first half of the year, the study -- based on a trend analysis of data gathered from FireEye customers -- found a 225% increase over the previous six-month period in the amount of advanced malware successfully evading signature-based detection, such as blacklisting technology and AV software. That amounted to an average of 643 infections per week per company.

"Clearly, there is a need for better intelligence in defense," Scott Crawford, a security research director for Enterprise Management Associates, said in an email. "Greater awareness of the threat landscape in as close to real time as possible is required, regardless of whether to inform human defenders or to arm security technologies."

FireEye found that hackers have increased the number of "throwaway" domains used in spearphishing emails, in order to evade technologies that rely on domain reputation analysis and URL blacklists. The number of domains used fewer than 10 times rose 45% from the second half of 2011.

"The domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown," the report said.
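Because a domain used only a handful of times never accumulates a reputation, a blacklist or reputation feed has nothing to say about it. The complementary defensive check is to measure rarity in your own telemetry: count how often each registrable domain appears in mail or proxy logs, add a baseline from earlier periods, and surface anything below a threshold that is not on an internal allow-list. The following Python is an added example written for this article, not code from FireEye or the report; the log lines, the baseline counts and the allow-list are constructed, and the two-label domain collapsing is an assumption that ignores multi-label public suffixes such as `co.uk`.

```python
"""Flag rarely seen domains in email/proxy logs (added example, not FireEye code).

Idea: "throwaway" domains used fewer than 10 times evade URL blacklists and
reputation services, so a defender watches for domains that are new or rare
in their own logs instead.  All sample data below is constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines: "<timestamp> <recipient> <linked URL>".
SAMPLE_LOG = """\
2012-06-01T09:12:03Z alice@example.org http://mail.example.org/inbox
2012-06-01T09:13:44Z bob@example.org http://www.example-news.com/story/1
2012-06-01T09:14:10Z carol@example.org http://qx7-update-docs.info/invoice.php
2012-06-01T09:15:31Z dave@example.org http://www.example-news.com/story/2
2012-06-01T10:02:00Z erin@example.org http://mail.example.org/inbox
2012-06-01T10:05:17Z frank@example.org http://payroll-review-2012.biz/view?id=8
2012-06-01T10:09:42Z alice@example.org http://www.example-news.com/story/3
2012-06-01T11:20:05Z bob@example.org http://mail.example.org/sent
"""

RARE_THRESHOLD = 10  # the report's "used fewer than 10 times" cut-off


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Assumption: no public-suffix list is available, so multi-label suffixes
    (e.g. co.uk) are not handled; sufficient for a demonstration.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_counts(log_text: str) -> Counter:
    """Count how many log lines reference each registrable domain."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail on them
        host = urlsplit(parts[2]).hostname
        if host:
            counts[registrable_domain(host)] += 1
    return counts


def rare_domains(log_text, baseline=None, known_good=frozenset(),
                 threshold=RARE_THRESHOLD):
    """Return (domain, total_count) pairs seen fewer than `threshold` times
    across the baseline plus the current log, excluding allow-listed domains,
    sorted rarest first (ties broken alphabetically)."""
    total = Counter(baseline or {})  # counts from earlier periods, if any
    total.update(domain_counts(log_text))
    hits = [(d, n) for d, n in total.items()
            if n < threshold and d not in known_good]
    return sorted(hits, key=lambda dn: (dn[1], dn[0]))


if __name__ == "__main__":
    # Constructed baseline: counts observed in the previous reporting period.
    baseline = {"example.org": 500, "example-news.com": 120}
    for domain, seen in rare_domains(SAMPLE_LOG, baseline=baseline):
        print(f"review: {domain} seen {seen} time(s)")
```

Without a baseline every domain in a short window looks rare, which is why the function folds in counts from earlier periods; the allow-list handles internal or partner domains that are legitimately quiet. The output is a review queue, not a verdict: a rare domain is a candidate for sandboxing or analyst triage, and the threshold should be tuned to the organisation's own traffic volume.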

Another popular evasive tactic is greater diversity in malicious email attachments. In the first half of this year, the top 20 malicious payloads accounted for 26% of attachments that evaded AV and other perimeter defenses, compared to 45% in the second half of last year. The drop indicates that hackers are spreading their attacks across a far wider range of malware variants.

"These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing malware and morphing it in an automated fashion," the report said. "In this way, the task of creating signature-based defenses to thwart these malicious files grows increasingly difficult."

Email remains the most popular vector for getting malware or links to a malicious Web site in front of corporate employees. The messages are often crafted to trick the recipient into opening the malicious attachment or clicking on the link.

To defend against increasingly agile attackers, security vendors are adopting more data-driven models to adjust to new threats as close to real-time as possible. Rather than rely on signature updates sent in batches intermittently, vendors are gathering threat data from a variety of sources and are quickly applying updates to products, Crawford said in a recent blog post.

Such real-time data is coming from service provider networks, customers, botnets, attacker profiles and more.

Vendors adopting some form of this approach include Symantec, McAfee, Trend Micro, Damballa, FireEye and Endgame Systems, Crawford said.
