With Multi-Vector Attacks, Quality Threat Intelligence Matters

Multi-vector attacks like the "String of Paerls" (sp) require organizations to synthesize threat intelligence from many sources, Cisco's Scott Harrell argues.
String of pearls attacks require organizations to synthesize threat intelligence from many sources, Cisco’s Scott Harrell argues.

In the last year, the world’s attention has been riveted by a series of high-profile hacks of major corporations in retail, finance and the entertainment industry, among others. Each of these incidents is unique, involving different threat actors and motives. However, each of these attacks is also a sterling example of what we, at Cisco, term “multi-vector attack” that employs a range of technologies, deployed in numerous stages, to penetrate the defenses of the target organization.

Here at Cisco, we have studied these attacks in-depth and have identified some commonalities among these multi-vector attack, and useful approaches to combat them. This blog post will discuss some of our findings.

About Multi-Vector Attacks

Any cyber attack, large or small is born from a weak link in the security chain. These weak links take many forms: poorly configured Web servers, gullible employees or vulnerable-but-common applications like Microsoft Office, Adobe Reader and Java are common examples.

Multi-vector  attacks take advantage of these common vulnerabilities: combining elements like social engineering and ‘spear phishing’ e-mail messages with malicious attachments that contains code that exploits known or unknown (zero-day) vulnerabilities on the target system. While these attacks might rely on commodity malware, they are often tailored to bypass most antivirus engines.

 

As an example, Cisco recently analyzed a multi-vector attack that we’ve labeled the “String of Paerls” (sp) attack that serves as a useful example for the kinds of techniques typical of multi-vector cyber attacks.

Scott Harrell_Cisco
Scott is a Vice President of Product Management at Cisco Systems.

The “String of Paerls” attack began with a so-called phishing e-mail sent to specific individuals within the target organization. The e-mail messages contained a malicious Microsoft Word attachment that posed as an invoice.

When that document was opened, it launched a macro that downloaded an executable to the victim’s machine. That executable, once installed, called out to command and control servers on two separate domains in the UK and India. A third call went out to an account on the cloud-based hosting service Dropbox which contained malicious executables. (See the related Cisco infographic.)

Wanted: Visibility

Breaking the “String of Paerls” attack required deep visibility into the attackers’ malicious infrastructure and coordination across the entire security and network infrastructure of the target site. In the case of the “String of Paerls” attack, Cisco was actively monitoring both of the malicious web domains used by the malware for command and control. The same domains had already been linked to other known infections.

Behind the scenes, Cisco’s infrastructure facilitated rapid response to the incident through user and device attribution, prioritization of events using correlation and analytics, and built-in forensic capabilities. In the “String of Paerls” incident, we reviewed over 1 million data artifacts collected over 45 days. Using “Big Data” analysis, we clustered them based on sets of like-criteria. That allowed us to boil that sea of data into just 15,000 related clusters of samples that exhibited similar behavior.

Leveraging threat intelligence and data analysis makes it possible to connect the dots between the behavior observed on the target network and other, malicious behavior online. However, that is just half the battle. Once an identification is made, that same infrastructure also needs to facilitate automated containment across the entire attack continuum through rapid and universal distribution of threat content (URLs, Files, IP Addresses, etc.).  The combination of these capabilities can radically shrink the time between detection and containment. It’s no longer a matter of if attacks will happen, but when they will happen.

How to Respond

Given that these attacks will typically be able to avoid traditional defenses like endpoint anti-malware programs, what are some ways to identify these attacks?

At Cisco, researchers rely on analysis of a web of data sources that encompasses spam e-mail, web and advanced malware detection products. Observations of malicious activity across these threat vectors are correlated and combined using data analysis tools, providing critical clues that teased the malicious spotting the attack. Even if the malicious downloadable slips by endpoint protection products, organizations that can flag suspicious attachment names, note beaconing behavior to IP addresses or spot an unusual sequence of events on an endpoint or network are more likely to spot a malicious event early and begin containing the fallout from that incident.

In Conclusion

The security landscape is constantly evolving and attackers are continuing to innovate at a rapid pace. In the case of the String of Pearls attack, having the capability to gather and correlate extensive threat intelligence is critical to identifying and stopping multi-vector attacks.

The speed, frequency, and severity of attacks has accelerated. Attackers cause damage in most cases starting in days or hours, while the majority of organizations take months to discover they’ve been attacked and respond. We have to begin to radically shrink the time from compromise to discovery and containment. This change requires a true defense-in-depth framework that has the ability to apply multiple sources of real-time threat intelligence, with big data analytics for correlation and context, across multiple threat vectors and dynamically put it into action across the attack continuum–before, during and after an attack.

One Comment