Threat actors use several techniques that defenses cannot be prepared for in advance. I tend to call these techniques “Infiltration by Design”, because trying to ward off the threat actors who use them with infiltration-oriented technologies (from anti-phishing and reputation controls through to anti-exploitation) just won’t work: the technique sidesteps the very thing those controls inspect.
Here are four “infiltration by design” techniques:
- Compromising a device in the supply chain. In this scenario the weakness is built in before the device ever reaches the user. Just a few weeks ago it was revealed that certain Dell laptops shipped with a self-signed root certificate pre-installed in the trusted store together with its private key. Because every affected laptop trusts that root, anyone holding the key can issue a certificate for any site and conduct a Man-in-the-Middle attack to intercept communications entering and leaving the user’s device.
- Abusing a cloud service the organization already uses. In this scenario, the threat actors abuse a cloud sync service to infect multiple users in the organization: a file dropped into a shared folder is replicated to every endpoint that subscribes to it. Threat actors are also known to communicate via cloud storage services to bypass reputation controls, since a domain the organization uses legitimately will not be blocked, as was the case exposed recently of China targeting Hong Kong hacktivists through Dropbox.
- Leveraging design vulnerabilities. These are logic flaws in how a component is meant to work rather than memory-corruption bugs, so anti-exploitation controls have nothing to catch; the threat actors keep bypassing defenses until the vulnerability is discovered and signatures or new work-around detection techniques are developed. Sandworm is the name given to a cyber-espionage campaign attributed to Russia and to the Windows OLE package manager vulnerability it exploited (CVE-2014-4114), a design flaw that leads to remote code execution. Targets included NATO, Ukraine, Poland, the EU, European telcos and the energy sector.
- Data-only attacks. In this scenario the entry point is still a common memory corruption vulnerability such as a buffer overflow or use-after-free, but the exploit never injects code and never diverts control flow. What makes this scenario so unique, and hence extremely difficult for infiltration tools to detect, is that the exploitation is done by manipulating data the application already holds in its own address space (a length field, a privilege flag, a pointer to a resource) so that the application’s own legitimate code does the attacker’s work. In other words, the attack introduces no payload to scan for and no hijacked control flow to catch; it only changes the application’s behavior by manipulating existing data. Such an attack was presented at Black Hat Europe by Francisco Falcón in “Exploiting Adobe Flash Player in the Era of Control Flow Guard”.
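To make the data-only scenario concrete, here is an added example, written for this page and not taken from the post or from Falcón’s talk. It is a constructed C program in which a copy routine that never checks its length overflows a name buffer into the privilege flag stored right after it. No shellcode or ROP chain is introduced, DEP and Control Flow Guard would see nothing, and the request handler executes exactly the instructions it always does; it simply trusts a field the attacker has rewritten. The record layout, the field names and the 20-byte size are assumptions of the example, and the hardened copy beside it shows the check that stops the overflow.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed target record (an assumption of this example): a fixed-size
 * name buffer immediately followed by non-control data that gates a
 * privileged code path.  char[16] followed by int has no padding, so the
 * record is exactly 20 bytes. */
struct session {
    char name[16];
    int  is_admin;          /* 0 = ordinary user, nonzero = admin */
};
_Static_assert(sizeof(struct session) == 20, "unexpected struct layout");

/* Vulnerable copy: trusts the caller-supplied length and never compares it
 * with sizeof name, i.e. the same defect as memcpy(s->name, input, len).
 * The copy runs over a byte view of the whole record so that the bytes
 * beyond name[15] land deterministically in is_admin. */
static void set_name_unsafe(struct session *s, const unsigned char *input, size_t len)
{
    unsigned char *rec = (unsigned char *)s;
    for (size_t i = 0; i < len; i++)
        rec[offsetof(struct session, name) + i] = input[i];
}

/* Hardened copy: rejects any input that does not fit with its terminator. */
static int set_name_safe(struct session *s, const unsigned char *input, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* The privileged path.  Its control flow is untouched by the attack; it
 * simply trusts a field that the overflow has rewritten. */
static int handle_request(const struct session *s)
{
    return s->is_admin ? 1 : 0;      /* 1 = privileged action performed */
}

/* Constructed attacker input: 16 filler bytes to fill name, then 4 bytes
 * of 0x01 that overwrite is_admin with 0x01010101 (nonzero on any
 * endianness).  Nothing in this buffer is executable. */
static void build_attack(unsigned char payload[sizeof(struct session)])
{
    size_t name_len = sizeof(((struct session *)0)->name);
    memset(payload, 'A', name_len);
    memset(payload + name_len, 0x01, sizeof(int));
}

/* Returns 1 if the unchecked copy let an unprivileged session reach the
 * privileged path. */
int attack_unsafe(void)
{
    struct session s = { "guest", 0 };
    unsigned char payload[sizeof(struct session)];
    build_attack(payload);
    set_name_unsafe(&s, payload, sizeof payload);
    return handle_request(&s);
}

/* Same input against the bounds-checked copy: returns 0 because the
 * oversized name is rejected and is_admin keeps its value. */
int attack_hardened(void)
{
    struct session s = { "guest", 0 };
    unsigned char payload[sizeof(struct session)];
    build_attack(payload);
    (void)set_name_safe(&s, payload, sizeof payload);
    return handle_request(&s);
}

int main(void)
{
    printf("unchecked copy, privileged path reached: %d\n", attack_unsafe());
    printf("bounds-checked copy, privileged path reached: %d\n", attack_hardened());
    return 0;
}
```

Compile with any C11 compiler (for example `gcc -Wall example.c`) and run it: the unchecked copy reports 1 and the bounds-checked copy reports 0. The point to take away is what a detection tool would have to look at: there is no foreign code in the process and no return address or function pointer was altered, so the only evidence of the attack is that a legitimate field changed to a value the legitimate code path never set.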
“Infiltration by Design” methods bypass all anti-infiltration solutions. It’s for this reason that we can predict that such attack methods will continue to grow.
For a more detailed review of “Infiltration by Design”, you’re welcome to read the article: “Four ways an attacker can infiltrate an organization by diverting security solutions” appearing on Help Net Security.
Unfortunately, we cannot prevent the next advanced attack from infiltrating the business. With this in mind, the industry must change its approach to targeted attacks and work towards preventing the actual consequences of the attack, i.e. the theft or ransoming of data.