Defending against exploit kits

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Exploit kits, collections of malicious programs that identify and attack vulnerabilities and then spread malware, represent the dark but massively profitable side of cyberattacks.

The kits are created, sold and rented, individually or in bundles, on the black market. The majority released today come from countries with a thriving underground cybermarket, like China or Russia. Bundled exploit kits are encrypted to evade malware detection by security software. To rent a bundle for a week costs just £85, and if a cybercriminal needs only 24 hours for his attack, the same bundle is less than £20.


These exploit kits are frameworks with packaged client-side exploits and payloads, created by cybercriminals to automate the process of infecting and infiltrating end-user systems. The kits allow cybercriminals to scale their operations easily and to adapt quickly to the changing infection-vector landscape. Various exploit kits have surfaced in the last few years, such as Crime Pack, Phoenix, Elenore and Neosploit, but the most prevalent one has been the Blackhole exploit kit.

According to a report by the Internet Crime Complaint Center (IC3), the Blackhole exploit kit is the most widely purchased kit in the underground market. It originates from Russia and is sold on various underground forums. The kit was first seen in September of 2010 and has been updated regularly since then. It sells both as a licensed tool as well as a hosted solution.

The kit has quarterly, semiannual and annual licensing options, but the hosted option makes it extremely easy for cybercriminals to build a new cybercrime setup without spending much time or effort. An annual license costs under £1,000 whereas a hosted solution can run as high as £4,000 annually, according to the advertised pricing on the underground forums. It is a web-based kit and follows a drive-by infection model through the web browser.

In a typical infection scenario, an unsuspecting user is lured into visiting a malicious link that redirects to the Blackhole hosting site, which silently tries its exploits against the browser and its plug-ins in the background. When an exploit succeeds, it leads to the silent download and execution of malware. This kit is known to target various vulnerabilities in Java, Adobe Flash, Adobe Acrobat, Internet Explorer and Windows.
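The infection sequence just described (redirect, plug-in content fetch, then an executable download by the same client within a short window) is something a defender can look for in web proxy logs. The script below is an added example, not part of the original article or any Dell SonicWALL product; the one-line-per-request log format, the sample log lines, the hosts and the 60-second window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (hypothetical one-line-per-request format):
# <ISO timestamp> <client IP> <HTTP status> <method> <URL> <response Content-Type>
SAMPLE_LOG = """\
2013-04-02T10:00:01 10.0.0.5 200 GET http://news.example.com/article.html text/html
2013-04-02T10:00:02 10.0.0.5 302 GET http://ads.example.net/click?id=7 text/html
2013-04-02T10:00:03 10.0.0.5 200 GET http://landing.example.org/index.php text/html
2013-04-02T10:00:04 10.0.0.5 200 GET http://landing.example.org/app.jar application/java-archive
2013-04-02T10:00:06 10.0.0.5 200 GET http://landing.example.org/update.exe application/octet-stream
2013-04-02T10:05:00 10.0.0.9 200 GET http://intranet.example.com/home text/html
2013-04-02T10:05:01 10.0.0.9 302 GET http://intranet.example.com/login text/html
2013-04-02T10:05:02 10.0.0.9 200 GET http://cdn.example.com/lib.js application/javascript
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")

# Content types served by the plug-in exploits the article names (Java, Flash, Acrobat).
PLUGIN_TYPES = {
    "application/java-archive",
    "application/x-java-archive",
    "application/x-shockwave-flash",
    "application/pdf",
}
# Content types that typically carry the dropped payload.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, status, method, url, ctype = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
            "ctype": ctype.lower(),
        })
    return events


def find_driveby_chains(events, window_seconds=60):
    """Flag, per client, a redirect followed within the window by a plug-in
    content fetch and then an executable download: the drive-by sequence."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    seen = set()  # (client, payload URL) pairs already reported
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, redirect in enumerate(evs):
            if redirect["status"] not in REDIRECT_STATUSES:
                continue
            deadline = redirect["time"] + timedelta(seconds=window_seconds)
            plugin_fetch = None
            for later in evs[i + 1:]:
                if later["time"] > deadline:
                    break  # outside the window: this redirect did not lead anywhere
                if plugin_fetch is None and later["ctype"] in PLUGIN_TYPES:
                    plugin_fetch = later
                elif plugin_fetch is not None and later["ctype"] in PAYLOAD_TYPES:
                    key = (client, later["url"])
                    if key not in seen:
                        seen.add(key)
                        alerts.append({
                            "client": client,
                            "redirect_url": redirect["url"],
                            "exploit_url": plugin_fetch["url"],
                            "payload_url": later["url"],
                            "landing_host": plugin_fetch["host"],
                        })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f"[drive-by chain] client={alert['client']} redirect={alert['redirect_url']} "
              f"exploit={alert['exploit_url']} payload={alert['payload_url']}")
```

The heuristic is deliberately sequence-based rather than signature-based: it needs no knowledge of a specific kit or hostname, so it still fires when the landing site and payload names change. The cost is false positives from legitimate redirect-then-download flows, which is why the alert carries the landing host and all three URLs for an analyst to triage.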

We predict exploit kits will be increasingly used because of their ease of deployment (the rental model) and the ease and speed with which they deliver infections. The impact of these attacks will be felt in loss of data and intellectual property, identity theft, financial fraud and theft, as well as in diminished business productivity and continuity.

Dell SonicWALL estimates that 70%-80% of attacks via the Internet now originate from exploit kits and expects to see continued focus and growth of these kits targeting Windows 8, Mac OS X and mobile devices, particularly Android-based.

The Dell SonicWALL GRID Network observed that Java was the most targeted application for exploitation in 2012. This is not surprising, considering that an estimated 3 billion devices run Java, offering cybercriminals a large, cross-platform user base to exploit.

What can businesses do to protect themselves?

The first and most important step businesses can take to protect themselves is to be aware of the most obvious and dangerous variants. Second, it is key to educate employees on how to recognize and avoid accidentally bringing a virus/malware/trojan into the corporate network. A recent survey of Dell SonicWALL customers shows that 68% of all businesses reported that employees cannot identify fraudulent attacks on the corporate network.

Intrusion prevention systems (IPS) and unified threat management are the heroes here. Advanced and complete security systems that include gateway antivirus, anti-spyware, intrusion prevention, and application intelligence and control serve to provide intelligent, real-time network security protection against sophisticated attacks such as those resulting from exploit kits.

Many businesses believe their existing firewalls will protect them from an attack. The reality, however, is that old firewalls pose a serious security risk to organizations today. First-generation firewall technology has become obsolete as it fails to inspect the data payload of network packets circulated by today's Internet criminals.

To prepare and defend against the massive growth in social media, applications, BYOD and multimedia files flowing through the corporate network and the threats they may carry, entirely new technology is needed. First-generation firewalls were designed to block direct threats coming from outside in a perimeter-based attack. However, the dramatic shift in how and where people access the corporate network has rendered these stateful firewalls inadequate.

Mobile employees connecting to critical business data from home broadband or public wireless hotspots, and mountains of media and rich digital content, are an ever-growing part of business application traffic. Data inspection at the application-content level is vital to protect against sophisticated hacking schemes, which is why "deep packet inspection" (DPI) is now the preferred approach over stateful packet inspection (SPI). In particular, stream-based DPI gives robust network protection via application-level inspection and is a very low-latency approach.
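To make the SPI-versus-DPI distinction concrete: a stateful firewall sees an allowed TCP port-80 session and passes it; a content-level inspector looks inside the HTTP response and can notice that a body labelled as an image actually begins with a Windows executable header. The inspector below is an added example, not the article's or any vendor's code, and it illustrates the stream-based point specifically: it decides as soon as the headers and the first few body bytes have arrived, rather than buffering the whole response. The sample responses, the magic-byte table and the "acceptable declared type" policy are constructed assumptions.

```python
# Magic-byte signatures for the file types the article's exploit kits deliver.
SIGNATURES = [
    (b"MZ", "windows-executable"),
    (b"PK\x03\x04", "zip-or-jar"),
    (b"%PDF", "pdf"),
    (b"FWS", "flash"),
    (b"CWS", "flash"),
    (b"ZWS", "flash"),
]
MAX_MAGIC = max(len(sig) for sig, _ in SIGNATURES)

# Policy (assumed): declared Content-Type values that may legitimately carry each sniffed type.
ACCEPTABLE = {
    "windows-executable": {"application/x-msdownload",
                           "application/vnd.microsoft.portable-executable"},
    "zip-or-jar": {"application/zip", "application/java-archive",
                   "application/x-java-archive"},
    "pdf": {"application/pdf"},
    "flash": {"application/x-shockwave-flash"},
}


def sniff(prefix):
    """Identify the body type from its first bytes, or 'unknown'."""
    for sig, name in SIGNATURES:
        if prefix.startswith(sig):
            return name
    return "unknown"


class StreamInspector:
    """Inspects an HTTP response as chunks arrive and reaches a verdict once the
    headers plus the first MAX_MAGIC body bytes are in, buffering nothing further."""

    def __init__(self):
        self.buf = b""
        self.headers = None
        self.verdict = None
        self.bytes_seen = 0

    def feed(self, chunk):
        if self.verdict is not None:
            return self.verdict
        self.bytes_seen += len(chunk)
        self.buf += chunk
        if self.headers is None:
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return None  # still inside the header block
            self.headers = {}
            for line in self.buf[:end].decode("latin-1").split("\r\n")[1:]:
                name, _, value = line.partition(":")
                self.headers[name.strip().lower()] = value.strip()
            self.buf = self.buf[end + 4:]
        if len(self.buf) < MAX_MAGIC:
            return None  # need a few more body bytes before sniffing
        declared = self.headers.get("content-type", "").split(";")[0].strip().lower()
        actual = sniff(self.buf[:MAX_MAGIC])
        if actual != "unknown" and declared not in ACCEPTABLE[actual]:
            action, reason = "block", f"body is {actual} but Content-Type says {declared or '(none)'}"
        else:
            action, reason = "allow", "no mismatch"
        self.verdict = {"action": action, "reason": reason, "declared": declared,
                        "actual": actual, "bytes_seen": self.bytes_seen}
        self.buf = b""  # decision made; nothing more is stored for this stream
        return self.verdict


def inspect_response(raw, chunk_size=16):
    """Feed a raw response through the inspector in small chunks, as a stream would."""
    insp = StreamInspector()
    for i in range(0, len(raw), chunk_size):
        verdict = insp.feed(raw[i:i + chunk_size])
        if verdict is not None:
            return verdict
    return {"action": "allow", "reason": "body too short to sniff",
            "declared": None, "actual": None, "bytes_seen": insp.bytes_seen}


# Constructed responses: a disguised executable, an honest PDF and a plain page.
DISGUISED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 4096\r\n\r\n"
                 + b"MZ\x90\x00" + b"\x00" * 4092)
HONEST_PDF = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4\n%binary\n"
PLAIN_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>"

if __name__ == "__main__":
    for name, raw in [("disguised exe", DISGUISED_EXE), ("pdf", HONEST_PDF), ("page", PLAIN_PAGE)]:
        v = inspect_response(raw)
        print(f"{name}: {v['action']} ({v['reason']}) after {v['bytes_seen']} of {len(raw)} bytes")
```

The low-latency property shows up in `bytes_seen`: the disguised executable is blocked after the fifth 16-byte chunk, long before its 4 KB body has been transferred. Header-only filtering would have passed it, since port, session state and the declared `image/gif` type all look benign.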

If an organization does business anywhere on the Internet, it is likely not a question of if, but when it will be targeted by cybercriminals. There is much that business can do to minimize and deflect the impact of these potential threats. In particular, IT should closely collaborate with the company leadership to identify where vulnerabilities exist and prepare with appropriate countermeasures, including advanced network security and employee education; this combination is the most powerful one-two punch to defend from current and future attacks.
