Enterprises Face a New Wave of Stealth Attacks

The days of traditional cyber defenses protecting your company are over. Stealth attacks in which hackers ride into your network using web encryption or hide their malware’s command and control in cloud services are here. And it’s only going to get worse. Here’s what you need to know about how stealth attacks work — and how to protect your enterprise against them.

The depth of the problem with stealth attacks became clear earlier this year, when Symantec found that the cyber espionage group known as the Inception Framework significantly upped its operations by using the cloud and IoT to hide their attacks. The Symantec report noted that “the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services.”

It hides its attacks in two primary ways. One is that the malware it implants in an enterprise uses cloud service providers for command and control. When IT examines outgoing traffic, it won’t find telltale traffic going to malware servers. Instead, the traffic goes to well-known cloud providers — initially just CloudMe.com, but eventually to four other cloud providers as well. Ultimately, it looks to IT just like normal outbound traffic.

In addition, the group uses chains of infected routers to act as proxies to mask communications between attackers and the cloud service providers they use for command and control. That makes the attacks even stealthier.

“There’s a reason you’re seeing an increase in these kinds of stealth attacks,” says Jake Williams, founder of the cyber security firm Rendition Infosec. “As enterprises get smarter about security, malware writers have had to up their game. So, malware writers have turned to stealth methods for targeting enterprises.”

Making it easier to launch these kinds of stealth attacks is that malware writers have easy access to infected home routers to act as proxies. For example, this spring malware called VPNFilter targeted home and enterprise routers from many different manufacturers, including Asus, D-Link, Huawei, Linksys, Netgear and others. (To check if your router has been infected, use Symantec’s VPNFilter Check Tool.)  Timothy Chiu, Senior Director of Product Marketing for Symantec, estimates that up to 80 percent of all home routers might have been vulnerable to the attack.

Web Encryption

Chiu warns about another stealth threat — malware that rides its way into organizations via the HTTPS protocol which encrypts web traffic. Ironically, encryption designed to protect privacy is now being used to hide malware.

It’s a threat that will grow as the amount of web traffic that uses HTTPS grows. By early 2017, 50 percent of all web traffic was encrypted, according to the Electronic Frontier Foundation. Chiu says that by 2019, 80 percent of all web traffic is expected to be encrypted, making it even easier for malware writers to infect enterprises using this stealth method. Gartner says that approximately half of all malware campaigns this year will use some kind of encryption.

Old detection methods won’t protect against these kinds of stealth attacks, but there are ways for vigilant enterprises to keep themselves safe. Chiu stresses the importance of decrypting traffic at the gateway level and inspecting it before it makes its way to end users.

"You don’t know the last time users updated their virus signatures, and how secure their PCs are,” he says. “So, decrypting traffic and examining it before it reaches them has become extremely important.”

He adds that most companies don’t do this right now. And while decrypting traffic in this way is important for all enterprises, he says that it’s especially important for industries such as financial and healthcare that are frequent targets of hackers.

Williams stresses the importance of logging as much information as possible about network traffic, including DNS resolutions and more, and keeping the log information available. That helps not just with real-time detection, but also lets companies examine historical data which can give clues that they’ve been infected.

“If you’re keeping the data, you might be able to find out that three days ago you were compromised, and then clear out the infection,” he says. “In general, capturing more information is better. Very rarely do organizations say, ‘We really regret logging all that data.’”

He adds that given the sophistication of stealth attacks, companies should assume they will be compromised at some point, rather than assuming they can ward off all attacks. That means designing ways to quickly recover from successful attacks.

And overall, he concludes, “For stealth attacks that we don’t even know about yet, you need to log as much as you can and think outside the box. That way, you may not know exactly the kind of stealth attacks that are coming, but you can extrapolate from what you know and keep yourself safer.”

If you found this information useful, you may also enjoy:

• Symantec: Check Your Router for VPNFilter