Cyber crime: Exploit kits in the enterprise

Cyber crime is big business and exploit kits represent one of the most critical security challenges facing the enterprise today...

The Crimepack exploit kit console (courtesy of a Qualys demo installation) that reveals stats per exploit and stats per OS.

Getting jiggy with IT: Exploit kits in action

Simon Leech, director for HP's enterprise security arm in Europe, the Middle East and Africa (EMEA), has insight into how a successful exploit kit works in the real world. A kit typically combines any number of exploits, targeting both known and unknown (zero day) vulnerabilities, with a method of wrapping them all up into a single package that can be deployed against victims.

The kit's operator chooses the target he is aiming to exploit, such as a PDF reader vulnerability or a web browser vulnerability. The exploit kit will then handle the attack distribution as well as monitor its success rate. "The more effective exploit kits will be provided with updates from the vendor, much like the way AV vendors update their signature set," Leech says. "The kit writers will monitor the success of various exploits, and once they see the success rates dropping, they will add additional new exploits to the portfolio."

Importantly, exploit kits are also being used as just one of the 'stepping stones' in multi-vector attacks. "Whilst using an exploit kit as part of an email campaign is fairly simple to set up, attackers wishing to use their exploit on a website will first have to compromise the website they wish to infect, and then try and hide the exploit kit in the website code," Leech adds. "A couple of years ago, when version 1.0 of Blackhole was at its prime, we saw a number of high profile sites, including those belonging to USPS and MySQL, being hacked and configured to serve up Blackhole pages in an attempt to infect their visitors with various malware."
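The website compromise Leech describes usually leaves a footprint in the served HTML: a hidden or 1x1 iframe, a script tag pulling from a host the site does not own, or an obfuscated inline script that writes such an element at load time. The scanner below checks a page for exactly those three patterns. It is an added example written for this article, not code from HP, Websense or any exploit kit; the site hostname and the sample page are constructed for illustration and use the reserved .test and .invalid domains.

```python
"""Scan served HTML for the hidden off-site iframes and obfuscated scripts that
a compromised website is typically modified to carry when it is turned into a
redirector for an exploit-kit landing page.

Added example (not from the article or any vendor tool). The site hostname
and the sample page below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script constructs that drive-by injections lean on. Their presence
# on a page that never shipped them is a signal, not proof of compromise.
SUSPICIOUS_JS = ("unescape(", "eval(", "String.fromCharCode", "document.write(")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail, reason) tuples for elements worth a closer look."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        """True when the URL points at a host other than the site or its subdomains."""
        host = (urlparse(url).hostname or "").lower()
        if not host:                      # relative URL: served by the site itself
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    @staticmethod
    def _hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = attrs.get("src", "")
            reasons = []
            if self._offsite(src):
                reasons.append("off-site src")
            if self._hidden(attrs):
                reasons.append("hidden or 1x1")
            if reasons:
                self.findings.append(("iframe", src, ", ".join(reasons)))
        elif tag == "script":
            self._in_script = True
            src = attrs.get("src")
            if src and self._offsite(src):
                self.findings.append(("script", src, "off-site src"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the body of a <script> element to handle_data as raw text.
        if self._in_script:
            hits = [m for m in SUSPICIOUS_JS if m in data]
            if len(hits) >= 2:      # one marker alone is common in legitimate code
                self.findings.append(("inline-script", data.strip()[:60], "+".join(hits)))


def scan_page(html, site_host):
    """Return the list of suspicious elements found in one served page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page carrying two injected elements and one
# obfuscated inline script. Hostnames use the reserved .test/.invalid TLDs.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script src="//static.example-shop.test/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://www.example-shop.test/help" width="600" height="400"></iframe>
<iframe src="http://counter.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script src="http://js-update.invalid/j.js"></script>
<script>var s=unescape("%3Ciframe%20src%3D%22http%3A//x.invalid/%22%3E");document.write(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, reason in scan_page(SAMPLE_PAGE, "example-shop.test"):
        print(f"{kind:14} {reason:28} {detail}")
```

Run against a crawl of your own site (or against pages fetched through a proxy that records what visitors actually receive), and compare the findings with the deployed source tree: an element that appears in the served page but not in the repository is the thing to investigate. The hostname allow-list is deliberately strict; add your CDN and analytics hosts to it rather than loosening the off-site test.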

The consumerisation of cyber crime

Exploit kits are considered to be very much a consumer product on the dark market, the online underground consisting of forums and sites where hackers and cybercriminals buy and sell stolen data and the tools of their trade.

And, as Sharf explains, the popularity of one kit over another depends on the feature set it supports, the update frequency and ultimately the price.

"A recent example includes the numerous Java vulnerabilities that the Websense Security Labs discovered in January 2013 - notably the new Java zero day vulnerability (CVE-2013-0422) that was added to exploit kits and was actively being exploited in the wild," Sharf says.

"The kits identified as using this particular zero day code were Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack. In the same month a new version of the infamous Blackhole Exploit Kit, by far the most popular web-based exploit kit in the underground market to date, was released."

The advertisement for the new version of Blackhole was posted on an underground forum, as is often the case when new exploit kit versions are rolled out by their authors. What's more, it was written in Russian ready for cyber criminals to use off the shelf...

Mitigating the risk

This just leaves us with the obvious but big question: how can your enterprise best mitigate the risks posed by exploit kits and protect against their use? Ross Parsell - who has responsibility for the Government and Commercial sector at Thales, the UK's second largest defence electronics supplier - suggests that in this era of connected devices and untrusted locations the enterprise will get the best results by looking at the bigger picture. As such, Parsell suggests the following four-step risk mitigation and protection plan:

1. Assessment

The first step in mitigating the risk is assessment. This should be a two-pronged approach, starting by assessing what your vulnerabilities are and then performing penetration tests. These tests seek to show what an attacker could leverage as a result of missing operating system patches, misconfigured web servers or web applications. In identifying which vulnerabilities within a particular infrastructure or web application could easily be exploited by attackers, companies have already erected a first line of defence.

Once the exploitable points of entry are identified, an attempt to gain access to the system or web application is made in order to obtain evidence of compromise, which may result from a single vulnerability or from multiple interconnected vulnerabilities.
