
Highly Evasive and Adaptive Threats (HEAT)

Why are phishing and malware attacks still on the rise? Because threat actors have found highly evasive and adaptive techniques that sidestep the typical enterprise security stack.

What are highly evasive and adaptive threats?

Highly evasive and adaptive threats (HEAT) are a class of cybersecurity threat that uses techniques such as dynamic behavior, fileless execution and delayed execution to avoid detection and evade traditional security controls. They are designed to fly under the radar and can be particularly challenging for security teams to identify and mitigate. Evasive threats have existed for some time, since threat actors continually try to raise their success rate at gaining initial access to a user's system or an organization's network. Even as enterprise security controls evolve, threat actors keep accelerating the evasive techniques they use to reach users and their systems.

Despite the continued investments in cybersecurity each year, threats still get through and users are impacted every day. In fact, a whole industry of phishing prevention was created because of this. Security awareness training wouldn’t exist today if we could eliminate 100% of phishing threats. Simple attack techniques can be and still are effective against commonly deployed security solutions.

As a result, industries change and adopt best practices in an attempt to become less vulnerable. For example, Microsoft now blocks macros by default in Office files downloaded from the internet, because threat actors were using them as an avenue to evade detection and reach their victims. Companies have invested in extensive security awareness tools to educate users about the risks of malware and the common signs of phishing, such as an unknown sender address, urgent or alarming language, and even incorrect spelling and grammar, in the hope that users become less likely to fall victim to common malware schemes. Even two-factor/multifactor authentication, long regarded as a near-impenetrable control, has been widely adopted to add an extra layer of security and reduce the chances of unauthorized access to user accounts or theft of sensitive information.

Every enterprise user has at least one browser they rely on to access the web, enterprise cloud and SaaS applications, and even email. This has made the browser one of the most popular targets to mount phishing and malware attacks. Unfortunately, existing security controls such as SWG, EDR and firewalls have fallen short of stopping these attacks, as threat actors have evolved their tactics to include highly evasive and adaptive techniques. They understand at a very low level how these common security solutions work, and work around them. So despite the increased investment enterprises are making in their security stacks, their users remain more exposed than ever.

Highly evasive and adaptive threats that target the web browser as the attack vector combine several techniques designed to evade commonly deployed security controls. Adversaries use them to deliver malware, compromise user systems, and steal sensitive data.

Some examples of highly evasive attacks are:


What are the key evasion characteristics used in highly evasive and adaptive threats to bypass commonly deployed security solutions?

HEAT threats typically evade URL filtering, email security tools, file-based inspection, and HTTP content/page inspection.

1. Evades URL filtering

As described above, LURE sites are a common and easy method for threat actors to bypass URL filtering. Another common tactic is the use of captchas. Captchas are a common and useful tool for website administrators to verify that the person interacting with the site is a human rather than a bot with nefarious intent. Threat actors use captchas both to add credibility to a LURE site and to fend off the URL crawlers that categorize sites: a crawler cannot solve the challenge, so the categorization engine only ever sees the harmless challenge page and never the phishing content behind it. The threat actors count on victims seeing the captcha and assuming the site is legitimate (the thinking being "why would an illegitimate site bother with a captcha?").

2. Evades Email Security Tools

Phishing has historically been treated as a pure email problem, so that is where detection investment is concentrated, and threat actors have responded by finding other ways to reach users. Users are now targeted (or speared) with malicious links via communication channels other than email, such as social media, professional networking sites, collaboration applications, SMS, shared documents, or other mediums. These malicious links are increasingly used to harvest corporate rather than personal credentials, or to deliver malware to corporate endpoints, bypassing the email-centric corporate security stack entirely.

In a recent cyberthreat campaign, attackers used spear phishing tactics on business professionals on LinkedIn. Through the platform’s direct messaging feature, attackers presented fake job offers using malicious links to ultimately infect users with a backdoor Trojan that gave attackers complete remote control over the victim’s computer. This spear phishing attack never appeared in the email path and evaded any analysis that would have occurred there.

3. Evades file-based inspection

Traditional Secure Web Gateway (SWG) anti-virus or sandbox solutions are typically used to identify malicious content by scanning for known malware signatures and by monitoring file execution and remote file requests for suspicious behavior.

Evading the sandbox can be as simple as sending a large file, one that exceeds the sandbox's file size limit, or a password-protected archive that the scanner cannot open. It may take a little trial and error on the part of the threat actor, but it can be accomplished with relative ease. Threat actors also commonly evade sandboxing with HTML smuggling (as described above): the file is never transferred as a file, but assembled inside the browser from script and text in the page, so there is nothing for file-based inspection to scan on the wire. It is a very effective way to get past inspection tools.

4. Evades HTTP content/page inspection

There are a lot of legitimate websites that obfuscate their scripting so that their scripting source code cannot be viewed.

Threat actors also leverage code obfuscation to deliver browser exploits and phishing kit code while avoiding detection. The malicious code (typically JavaScript) is only revealed in the browser at run time, when it decodes itself and executes its active content on the endpoint; an inspection engine that only reads the HTTP response body never sees the decoded form. Attackers also manipulate page content to hide impersonated brand logos inside morphed or split images, defeating the visual-similarity checks in inspection engines.

Artificial intelligence in the Security Stack – Where AI trains its models matters

Many, if not a majority of, security vendors are leveraging artificial intelligence (AI) based capabilities to improve their solutions' efficacy, with profound results. The premise is simple: AI extends the capabilities already developed and examines production data and telemetry to find new threats. This is the real promise of AI in cybersecurity, as in other industries. Yet it is important to note that AI is only as good as the data it was trained on. The common security stack (firewall, SWG, CASB, DLP) can only train a model on the data, logging, and telemetry those components generate. For phishing and malware/ransomware attacks where the target is the browser, telemetry from inside the browser is not merely useful, it is mandatory when training models to detect browser-based threats. The common security stack lacks the hooks into the browser to receive that telemetry, so its AI features offer only negligible to incremental improvement. The AI models that power the HEAT portfolio are trained on the deep browser telemetry derived from Menlo Security's Isolation Core. This is what makes HEAT Shield and HEAT Visibility effective at preventing and blocking zero-hour phishing and malware attacks.

How has Generative AI increased the attack surface for threat actors?

Organizations have started to realize the impact generative AI platforms and chatbots such as ChatGPT will have on cybersecurity. Many people, rightly so, are nervous that these tools will let anyone with an Internet connection and a malicious motive develop evasive threats at scale. Imagine being able to produce and release thousands of individually targeted malware samples, phishing emails and other threats at the click of a button within minutes. Even more concerning, threat actors can use AI to rewrite lines of code within a specific payload, creating a continuous stream of new, never-before-seen zero-day phishing and malware threats that signature-based enterprise security cannot keep up with.

How does Menlo Security prevent highly evasive and adaptive threats?

There are three stages of a highly evasive and adaptive threat attack:

  1. Gaining the initial foothold
  2. Spreading laterally throughout the network with hopes of compromising additional machines
  3. Executing the final payload to gain control over critical business systems.

Stages two and three are entirely dependent on stage one—gaining initial access.

Menlo Security focuses on stopping highly evasive and adaptive threats before they are able to make the initial access, effectively blocking phishing attacks and malware. Without access, malware can’t spread through the network, gain control, exfiltrate data, or hold systems ransom.