    TrendLabs Security Intelligence Blog

    Archive for August 22nd, 2013




    One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get employees at various Fortune 500 companies to give up bits of information. These are the sort of social engineering attacks that give security professionals at large enterprises nightmares.

    These same professionals may be in charge of programs meant to train employees to recognize and resist social engineering attacks, but many of these programs are not as effective as they could and should be. What are some of the things that organizations can do to improve them?

    • Give these programs a good name. This may sound trivial, but there is a reason to do it. A “catchy” name may well become the butt of jokes, but it keeps the training program – and its lessons – in the minds of users.
    • Put users on the other side of the attack – teach them basic social engineering. There is no better way to understand how social engineering works than to learn how to do it. By putting employees in the role of the attacker, they learn how to spot an attack and that any data is valuable to a social engineer – not just what would normally be considered “sensitive.”
    • Don’t forget the value of “no”. A very effective tactic used by social engineers is the veiled threat: if the target doesn’t do what they are asked, their boss will hear about it and be angry. This can be dealt with culturally: let employees (and managers) know that there will never be a penalty for saying “no” and verifying with whoever is in charge. Calling or mailing back – using contact details taken from the company address book, never those supplied by the caller – should be part and parcel of company procedure.

    Part of a good social engineering training program is “social” penetration testing – i.e., having someone play the role of an attacker and try to socially engineer employees. However, some organizations try to reduce costs and rely on automated tests alone. This can be a problem: obviously “fake” tests annoy employees and make them more vulnerable to real attacks, because they learn to dismiss the test rather than the technique. Organizations have to ensure that any tests carried out are as realistic as possible, so that they accurately measure the ability to resist social engineering.

    Both testing and training have to be a continuous, never-ending process. Social engineering attacks, like all attacks, only become stronger over time. Employees join and leave the company, or change roles. A truly effective training program has to keep all of this in mind in order to protect an organization for the long haul.

    Posted in Social



    Websites hosting exploit kits are something security vendors and researchers frequently crawl and analyze, so it should not be a surprise that attackers go to some length to specifically dodge the good guys. How do they do it?

    The most basic method used by attackers is an IP blacklist. Just as security vendors keep extensive blacklists of IP addresses used to send spam, host malicious sites, and receive stolen information, attackers keep lists of the IP addresses they believe belong to security vendors and block all access from those addresses.

    A more sophisticated method is to infect a given IP address only once. How does this work?

    Suppose a vendor has a list of websites associated with a certain attack campaign. The vendor accesses one of those sites (either manually or with automated tools); the attacker’s backend database records that this particular IP address has already visited a site belonging to the campaign. If the vendor then accesses any of the other sites that check against the same database, the malicious content is no longer served to it. Because the record is kept per campaign rather than per URL, one visit is enough to lock a crawler out of every landing page in that campaign.

    Figure 1. Crawling avoidance

    Backend databases like this can also be used together with dynamic DNS services. The attackers dynamically create so many random URLs with these services that they can afford to deactivate a URL within minutes of somebody visiting it: by the time a researcher follows up on a URL seen in a spam run or a redirect, it already serves nothing.
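    The three gates described above (the IP blacklist, the per-campaign “infect once” table, and short-lived URLs) can be modelled in a few dozen lines. The following is an added illustration written for this article, not code from Blackhole, Styx, CoolKit or any other real kit: the IP ranges, campaign name, URLs and the 300-second TTL are made-up values, and the `detect_infect_once` helper is one crawler-side countermeasure (fetch the same URL twice from one address and compare) that the text does not spell out.

    ```python
    """Constructed model of the crawler-avoidance gates in front of an exploit
    kit landing page. Illustration only: no real exploit, real kit code or real
    infrastructure is involved; all addresses, names and timings are made up."""
    import ipaddress
    from dataclasses import dataclass, field

    BENIGN = "<html><body>Welcome</body></html>"
    # Stand-in for the malicious landing page; it contains no exploit.
    LANDING = "<html><body>[landing page would be served here]</body></html>"


    @dataclass
    class KitGate:
        """Server-side gate that decides whether a visitor gets the landing page."""
        blacklist: list                                 # ip_network objects
        ttl: float = 300.0                              # seconds a URL stays live after first hit
        seen: dict = field(default_factory=dict)        # (campaign, ip) -> time of first hit
        urls: dict = field(default_factory=dict)        # url -> [campaign, time of first hit]

        def register(self, url: str, campaign: str) -> None:
            """Mint a fresh (dynamic-DNS style) URL bound to a campaign."""
            self.urls[url] = [campaign, None]

        def serve(self, url: str, client_ip: str, now: float):
            """Return (decision, body) for one request at time `now`."""
            if url not in self.urls:
                return "unknown", None
            campaign, first_hit = self.urls[url]
            ip = ipaddress.ip_address(client_ip)
            # Gate 1: plain IP blacklist of suspected vendor/researcher ranges.
            if any(ip in net for net in self.blacklist):
                return "blacklisted", BENIGN
            # Gate 2: the URL is deactivated `ttl` seconds after its first visitor.
            if first_hit is not None and now - first_hit > self.ttl:
                return "expired", BENIGN
            # Gate 3: infect once. The key is (campaign, ip), not (url, ip), so an
            # address that touched any URL of the campaign gets nothing from the rest.
            key = (campaign, ip)
            if key in self.seen:
                return "repeat", BENIGN
            self.seen[key] = now
            if first_hit is None:
                self.urls[url][1] = now
            return "served", LANDING


    def crawl_scenario():
        """Scripted crawl that trips each gate in turn; returns the decision log."""
        gate = KitGate(blacklist=[ipaddress.ip_network("198.51.100.0/24")])
        url_a = "http://a1b2c3.example.net/in.php"   # made-up campaign URLs
        url_b = "http://z9y8x7.example.net/in.php"
        gate.register(url_a, "campaign-42")
        gate.register(url_b, "campaign-42")
        log = []
        # A researcher box makes first contact with url_a: content served.
        log.append(gate.serve(url_a, "203.0.113.10", now=0)[0])
        # The same box tries url_b of the same campaign: already seen, benign page.
        log.append(gate.serve(url_b, "203.0.113.10", now=5)[0])
        # A second box sits inside a blacklisted range: benign page regardless.
        log.append(gate.serve(url_b, "198.51.100.7", now=10)[0])
        # A fresh address, but url_a was deactivated 300 s after its first visit.
        log.append(gate.serve(url_a, "192.0.2.44", now=700)[0])
        # The same fresh address on url_b, which has not been visited yet: served.
        log.append(gate.serve(url_b, "192.0.2.44", now=705)[0])
        return log


    def detect_infect_once(gate: KitGate, url: str, client_ip: str, now: float) -> bool:
        """Crawler-side check (assumed countermeasure): fetch the same URL twice
        from one address. A page that changes between two back-to-back fetches is
        a strong hint that the server is gating on visitor IP."""
        first = gate.serve(url, client_ip, now)[1]
        second = gate.serve(url, client_ip, now + 1)[1]
        return first is not None and first != second


    if __name__ == "__main__":
        print(crawl_scenario())
        g = KitGate(blacklist=[])
        g.register("http://q1w2e3.example.net/in.php", "campaign-7")
        print(detect_infect_once(g, "http://q1w2e3.example.net/in.php", "203.0.113.20", 0))
    ```

    The point of keying the “infect once” table on the campaign rather than the URL is what makes a single crawler visit so expensive: the crawler burns its address for the whole campaign, which is why the countermeasures the text alludes to revolve around fresh egress addresses and comparing what different visitors receive.
    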

    All of these techniques are supported by exploit kits to different degrees. One of the most common is the “infect once” technique, which is used by both versions (1.x and 2.x) of the Blackhole Exploit Kit, as well as by Styx and CoolKit.

    While individual countermeasures are available, they do place an additional burden on vendors and researchers. We are able to work around these limitations, but they also highlight how important it is not to rely on any one particular method to secure users.

    There is no silver bullet to security. A “defense in depth” strategy that uses both cloud and endpoint methods is still the most effective way to ward off threats in today’s security environment. Most importantly, correlation between these multiple methods in order to find all aspects of the infection chain is vital to finding and analyzing new threats.

    Securing users via the cloud is still an efficient way of protecting them with broad coverage, powerful correlation and protection while using few resources. As in a game of cat and mouse, we will continuously improve our crawlers and honeypots to stay ahead of cybercriminals.

    However, endpoint protection is still an essential complement to cloud protection: the threat is running on the endpoint in real time, with a real user, in a real environment, so the gating tricks above do not apply. On the endpoint, the files and sites the user accesses can be inspected right away, while potentially malicious content (such as JavaScript and Java) can be executed and analyzed for malicious behavior. Users can be protected before any malicious file is saved to the system.

    In the meantime, information about any newly detected threats is fed back into the cloud and the Smart Protection Network. This allows us both to protect all users “out of the box” and to gather information about these threats, which we can use to learn more about them and devise more effective methods of protecting users.

    Posted in Bad Sites, Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice