Hackers shift to outflanking the first line of defense

Cybercriminals are shifting tactics to bypass corporations' first line of defense, which typically includes antivirus software, firewalls and intrusion prevention systems, a study released on Wednesday shows.

Evasion techniques that are on the rise include diversifying malicious email attachments and using short-term domains in drive-by attacks, according to the biannual report from FireEye, a security vendor focused on advanced persistent threats.

In the first half of the year, the study -- based on a trend analysis of data gathered from FireEye customers -- found a 225% increase over the previous six-month period in the amount of advanced malware successfully evading signature-based detection, such as blacklisting technology and AV software. That amounted to an average of 643 infections per week per company.

"Clearly, there is a need for better intelligence in defense," Scott Crawford, a security research director for Enterprise Management Associates, said in an email. "Greater awareness of the threat landscape in as close to real time as possible is required, regardless whether to inform human defenders or to arm security technologies."

FireEye found that hackers have increased the number of "throwaway" domains used in spearphishing emails, in order to evade technologies that rely on domain reputation analysis and URL blacklists. The number of domains used fewer than 10 times rose 45% from the second half of 2011.

"The domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown," the report said.

Another popular evasive tactic is greater diversity in malicious email attachments. In the first half of this year, the top 20 malicious payloads accounted for 26% of attachments that evaded AV and other perimeter defenses, compared to 45% in the second half of last year. The drop indicates that hackers are using many more different types of malware.

"These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing malware and morphing it in an automated fashion," the report said. "In this way, the task of creating signature-based defenses to thwart these malicious files grows increasingly difficult."
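Both trends above, throwaway domains that never accumulate a reputation and payloads that are morphed faster than signatures can follow, are prevalence problems: a blacklist has nothing to say about something it has barely seen. The following is an added example, not code from FireEye or from the report, showing how a defender can measure both from email-gateway telemetry. It assumes a constructed log format (one line per message: timestamp, `url_domain=`, `sha256=`) and constructed sample lines; the threshold of ten sightings mirrors the report's "fewer than 10 times" statistic, and the concentration metric mirrors its "top 20 payloads" figure.

```python
"""Prevalence-based triage of email telemetry.

Added example; not from the FireEye report or the CSO article.
Assumes a constructed gateway log line format:
    <timestamp> url_domain=<domain> sha256=<attachment hash>
"""
from collections import Counter
from typing import Iterable, List, NamedTuple


class Record(NamedTuple):
    domain: str
    sha256: str


def parse_log(lines: Iterable[str]) -> List[Record]:
    """Parse key=value tokens after the timestamp; skip lines missing either field."""
    records = []
    for line in lines:
        tokens = line.split()[1:]  # drop the timestamp
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        if "url_domain" in fields and "sha256" in fields:
            records.append(Record(fields["url_domain"].lower(), fields["sha256"].lower()))
    return records


def rare_domains(records: Iterable[Record], threshold: int = 10) -> List[str]:
    """Domains seen fewer than `threshold` times across the telemetry.

    Low prevalence is an inspection signal, not a verdict: a URL blacklist or
    reputation feed has no history for a domain that was only used a few times.
    """
    counts = Counter(r.domain for r in records)
    return sorted(d for d, n in counts.items() if n < threshold)


def payload_concentration(records: Iterable[Record], top_n: int = 20) -> float:
    """Share of attachments accounted for by the `top_n` most common hashes.

    A falling share between reporting periods means more distinct payloads
    per campaign, which is exactly what hash- or signature-based blocking
    struggles with.
    """
    counts = Counter(r.sha256 for r in records)
    if not counts:
        return 0.0
    top = sum(n for _, n in counts.most_common(top_n))
    return top / sum(counts.values())


# Constructed sample telemetry: one internal file share hit repeatedly with the
# same attachment, two never-before-seen domains, and one malformed line.
SAMPLE_LOG = (
    [f"2012-07-01T10:{i:02d}:00Z url_domain=files.corp.example sha256=" + "a" * 8
     for i in range(12)]
    + [
        "2012-07-02T08:15:00Z url_domain=invoice-update-3921.example sha256=" + "b" * 8,
        "2012-07-02T08:17:00Z url_domain=hr-policy-0047.example sha256=" + "c" * 8,
        "2012-07-02T08:19:00Z url_domain=invoice-update-3921.example sha256=" + "d" * 8,
        "2012-07-02T09:01:00Z malformed line without fields",
    ]
)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records parsed:", len(recs))
    print("low-prevalence domains:", rare_domains(recs, threshold=10))
    print("share of attachments in top hash:", round(payload_concentration(recs, top_n=1), 3))
```

In production the counts would come from a rolling window over the whole fleet, and the output of `rare_domains` would feed a sandbox or analyst queue rather than a block list; the point is that the detection keys on how little the organization has seen of a domain or hash, not on whether a vendor has already labelled it.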

Email remains the most popular vector for getting malware or links to a malicious Web site in front of corporate employees. The messages are often crafted to trick the recipient into opening the malicious attachment or clicking on the link.

To defend against increasingly agile attackers, security vendors are adopting more data-driven models to adjust to new threats as close to real-time as possible. Rather than rely on signature updates sent in batches intermittently, vendors are gathering threat data from a variety of sources and are quickly applying updates to products, Crawford said in a recent blog post.

Such real-time data is coming from service provider networks, customers, botnets, attacker profiles and more.

Vendors adopting some form of this approach include Symantec, McAfee, Trend Micro, Damballa, FireEye and Endgame Systems, Crawford said.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
