Cybercrime is a multi-trillion-dollar business, which means that you need the best resources to stay ahead.
Exploits take advantage of weaknesses in legitimate software products like Adobe Flash and Microsoft Office to infect computers for criminal purposes.
They’re commonly leveraged by cybercriminals in order to penetrate organizations’ defenses. The objectives of these criminals are diverse: stealing data or holding it for ransom, performing reconnaissance, or simply deploying more traditional malware.
It’s common to find exploits used as part of cyberattacks; in upwards of 90 percent of reported data breaches, an exploit is used at one or more points in the attack chain. Including exploit prevention as part of a comprehensive lineup of security defenses is clearly valuable.
Exploits have been around for more than 30 years, so it should come as no surprise that almost every major security vendor can claim some level of exploit prevention. However, the breadth and depth of that protection vary significantly between vendors. For some, it’s a box to tick; for others, it’s a major focal point.
Thanks to exploit kits, malware authors don’t need to worry about how to find bugs in Java or Silverlight or Flash; how to build those bugs into working exploits; how to find insecure web servers to host the exploits; or how to entice prospective victims to the booby-trapped web pages.
Likewise, exploit kit authors don’t have to worry about writing full-blown malware - they don’t have to run servers to keep track of infected computers or to collect money from individual victims; they don’t have to get involved in the exfiltration of stolen data or selling that data.
With cybercrime now a multi-billion-dollar industry that is projected to cause nearly $2 trillion annually in damages by 2019, each aspect of an attack has been industrialized. Criminals have the luxury of being able to specialize in one or more parts of the threat landscape in what’s become known jokingly as CaaS, or “Crimeware as a Service.”
In this now-lucrative industry, exploit brokers have emerged. They buy exploits from people who discover them and sell them to people who want to make use of them, whether government agencies or nefarious hackers.
Buyers invariably keep their purposes to themselves. As Kevin Mitnick, founder of Mitnick’s Absolute Zero Day Exploit Exchange, explained to Wired, “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us. Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”
Exploit mitigation techniques
With more than 400,000 unique malware samples created each day and thousands of new vulnerabilities discovered each year, the challenge of preventing malicious attacks is daunting. This explosion of growth in malware variants requires new and innovative approaches when it comes to defending against cybercriminals.
A careful examination of the modern cybercrime industry shows an opportunity for asymmetric defense. As it turns out, despite the seemingly endless parade of new attacks, there are only about 20 or so techniques that can be used to exploit software. So, an approach that’s able to counteract this handful of exploit techniques - instead of targeting each and every exploit - is extremely powerful.
What’s more, depending on the vulnerability, attackers often end up having to chain a handful of exploit techniques together to get to the stage where they can deliver malware. These techniques don’t change much from year to year; perhaps one or two new tricks are added to the list of available techniques.
When evaluating major security products, the absence of significant exploit technique mitigation can be surprising. And while some of the newer vendors who claim to offer next-generation technology have broader support for exploit mitigation, even there the coverage is spotty.
When you are speaking with your dental IT provider, make sure they are providing you with the proper software and services to protect your practice against these common exploits. The expression “An ounce of prevention is worth a pound of cure” is extremely appropriate when it comes to malware and ransomware protection.