Diving Into the Dark Web - Part 2
In Part 1, we saw a few examples of dark web storefronts offering stolen data. In this post, Part 2, we will discuss malware (software intended to damage or disable computers and computer systems) and solutions to protect your assets from one of our partners in cyber security, FireEye.
As we saw in the first part of the series, the dark web runs on a digital currency: bitcoin. Expanding on this, the dark web also offers bitcoin-based support for activities that lead to a breach. These services include a dedicated help desk with defined service level agreements, tech support for rootkits, malware frameworks, Command and Control (C&C) servers, social media hacking, propaganda, and more. All of these broadly rely on malware, or malicious software.
Malicious software comes in multiple forms, such as adware, bots, rootkits, worms, Trojan horses, viruses, keyloggers, and spyware. All have malicious intent, are generally classified under malware, and most follow the same workflow for attacks. This attack workflow typically consists of Reconnaissance ==> Intrusion ==> Infection ==> Credential Theft ==> Lateral Movement ==> Data Exfiltration.
Each stage of the malware life cycle is designed to gain a stronger foothold and draw the victim deeper into the infection. FireEye classifies malware into 6 broad groups; below are some attributes specific to each category.
- Dropper/Downloaders: 1st stage, typically downloads additional pieces, URL based, often custom
- Rogue Utilities: pose as legitimate products, reach out to C&C, often as drivers, password vaults, and browser add-ins
- Trojans, RATs (often APT tools): full control escalation, guided to C&C servers, highly sophisticated
- Rootkits: stealthy, highly sophisticated, damage assets, hide activities
- Viruses: binaries that infect other binaries and the boot sector
- Worms: spread automatically via exploits, removable drives, email, network shares, etc.
The entry point for malware could be the network, and sometimes physical media. Strategically placing detection and prevention solutions at the network and endpoints can most likely protect against known malware. For unknown malware there may be a patient zero, but it is possible to avoid further infection with a strong, operational security program.
For example, the cheap charger for your mobile device from eBay could contain a strong dose of malware, which can springboard off your machine to infect your organization. One way to protect your assets is employee awareness and education: the 'think before you click' slogan should now include 'think before you plug in'.
FireEye solutions protect against advanced threats and attacks with an adaptive defense technology. This approach is much different from traditional signature-based defenses such as firewalls, IPS, gateways, and antivirus, which can only stop known malware and attacks. Most criminals evade signature-based blocking by altering the packages to change the signature value, leaving traditional security solutions defenseless against 'unknown' packages and 'unknown' actors.
FireEye solutions can detect both known and unknown threats through a signature-less, multi-flow, virtual machine based approach. This approach is further enriched with FireEye's threat data to create a platform that delivers comprehensive detection, prevention, and response to APTs.
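As an added illustration of the signature-evasion point above (this is not FireEye's code or the post's own), the Python script below contrasts an exact-hash blocklist with matching on family-specific byte patterns. The sample, the host name, and the beacon path are all constructed placeholders: the whole-file hash changes as soon as the package is altered, while the content patterns the family keeps still match.

```python
import hashlib

# Constructed stand-in for a malicious file: a blob carrying a fake beacon
# string. No real malware; host and path are placeholders, not real IoCs.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32
          + b"beacon=http://c2.example.invalid/checkin" + b"\x00" * 32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature-based control: an exact-hash blocklist built from the known sample.
HASH_BLOCKLIST = {sha256_hex(SAMPLE)}


def hash_blocklist_hit(data: bytes) -> bool:
    """Traditional AV-style check: block only if the whole-file hash is known."""
    return sha256_hex(data) in HASH_BLOCKLIST


# Content-based control: byte patterns the family keeps across repackaging
# (here the beacon path and the host it calls home to, both constructed).
CONTENT_PATTERNS = [b"/checkin", b"c2.example.invalid"]


def content_pattern_hit(data: bytes, min_matches: int = 2) -> bool:
    """Fire when at least `min_matches` family-specific patterns are present."""
    return sum(p in data for p in CONTENT_PATTERNS) >= min_matches


def altered_package(data: bytes) -> bytes:
    """Constructed 'altered package': same payload, different trailing padding."""
    return data + b"\x00" * 7


def compare(data: bytes) -> dict:
    """Run both controls on one blob and report which of them fire."""
    return {"hash": hash_blocklist_hit(data), "content": content_pattern_hit(data)}


if __name__ == "__main__":
    print("original:", compare(SAMPLE))                  # {'hash': True, 'content': True}
    print("altered: ", compare(altered_package(SAMPLE)))  # {'hash': False, 'content': True}
```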
The portfolio of products from FireEye is comprehensive and includes solutions for:
- Network Security
- SSL traffic
- Email Security
- Mobile Security & Threat Prevention
- Endpoint Security
- Mandiant Intelligence Response
- Enterprise Forensics and Packet Capture Series
- Malware Analysis
- File System and Storage security
- File Content Security
- Threat Analytics Platform
- Central Management solutions
- Security Orchestrator
- FireEye as a Service and Threat Intelligence
Stay tuned for more solutions in this multi-part series. In our next blog we break open and look under the hood of CryptoLocker, a Trojan that encrypts Microsoft Windows machines to hold users to ransom for payment.