What are Highly Evasive Adaptive Threats (HEAT)?
A prevent and detect approach is key to stopping HEAT attacks.
Highly Evasive Adaptive Threats (HEAT) are attacks in which threat actors use evasive techniques to bypass traditional web security measures and abuse web browser features to deliver malware or compromise credentials. When a HEAT attack succeeds, the browser-based security defenses it was designed to evade are rendered ineffective: sandboxes, file inspection, network and HTTP-level inspection, malicious link analysis, offline domain analysis and indicator of compromise (IOC) feeds.
HEAT attacks leverage one or more of the following four evasive characteristics to bypass legacy network security defenses:
Legacy URL Reputation Evasion (LURE): sites that categorization engines have classified as benign are compromised and then used for malicious purposes, bypassing IOC-based detection. Threat actors can quickly flip the behavior of such a site, reveal the malicious content and drive people to it, all before offline categorization engines have had a chance to classify it as malicious. Attackers may even go as far as patiently creating new sites and leaving them dormant to gain a good reputation across categorization engines before using them to deliver malicious content. CAPTCHAs on malicious sites are also used not only to give users a false sense of security, but also to require real user interaction before the actual malicious content is served, which keeps automated analysis from reaching it.
Phishing has normally been treated as a purely email problem, so attackers are finding alternative delivery paths that email defenses don't cover. Secure email gateways (SEGs) and email link analysis are bypassed by using phishing avenues outside the email path, such as the web, social media, professional networks, collaboration tools and SMS.
Traditional Secure Web Gateway (SWG) anti-virus and sandbox solutions identify malicious content by scanning for known malware signatures and by monitoring file execution and remote file requests for suspicious behavior. Rather than downloading a file directly, which would be analyzed and, if malicious, blocked, HTML smuggling evades detection by embedding small pieces of malicious code inside seemingly benign sub-components such as JavaScript blobs. These blobs aren't in any format the sandbox understands, so they can't be analyzed, and individually they do nothing malicious, so they aren't detected. In the browser, however, these fragments are dynamically reassembled into a malicious executable without any user action, bypassing file content inspection engines completely.
Malicious content such as browser exploits and phishing kit code is hidden or obfuscated to make the JavaScript unreadable to detection engines. The JavaScript is then revealed in the browser at run time, executing its active content on the endpoint. Attackers also manipulate websites to hide impersonated brand logos behind morphed images in order to evade visual detection by inspection engines.
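The two browser-side characteristics above (in-browser file assembly and obfuscated script) both leave traces in the page source that a gateway or analyst tooling can look for before the browser runs it. The following Python scanner is an added example written for this page, not Menlo Security's product code: it applies indicator patterns for client-side file assembly and for script obfuscation, measures the entropy of long string literals (the carrier for the encoded fragments), and returns a verdict. All sample pages are constructed inline and harmless; the "payload" is just the byte values 0-255 base64-encoded.

```python
"""Heuristic scanner for two HEAT characteristics: client-side file assembly
(HTML smuggling) and obfuscated script. Added example, not vendor code."""
import base64
import math
import re

# Indicators of a file being assembled and handed to the user inside the browser.
# Caveat: legitimate apps ("export as CSV") use the same APIs, so a hit is a reason
# to inspect the page, not a verdict on its own.
ASSEMBLY_PATTERNS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ie_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|download\s*=\s*['\"]"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "byte_array": re.compile(r"new\s+Uint8Array\s*\("),
}

# Indicators commonly present when script is hidden from static inspection.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "from_char_code": re.compile(r"String\.fromCharCode\s*\("),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "document_write": re.compile(r"document\.write\s*\("),
}

# Quoted string literals of at least 200 characters (handles escaped quotes).
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).){200,})\1""", re.S)
ENTROPY_THRESHOLD = 4.5  # bits/char; prose and plain JavaScript sit well below this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_html(html: str) -> dict:
    """Return matched indicators, entropies of dense long literals, and a verdict."""
    assembly = [name for name, rx in ASSEMBLY_PATTERNS.items() if rx.search(html)]
    obfuscation = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(html)]
    dense_literals = [
        round(shannon_entropy(m.group(2)), 2)
        for m in STRING_LITERAL.finditer(html)
        if shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD
    ]
    # A Blob handed to the user via an object URL is the assembly step itself.
    if "blob_ctor" in assembly and ("object_url" in assembly or "ie_save_blob" in assembly):
        verdict = "client-side file assembly"
    elif len(obfuscation) >= 2 or dense_literals:
        verdict = "obfuscated script"
    else:
        verdict = "no HEAT indicators"
    return {"assembly": assembly, "obfuscation": obfuscation,
            "dense_literals": dense_literals, "verdict": verdict}


# Constructed samples (not real captures). The payload is bytes 0..255, so the
# literal is long and high-entropy but decodes to nothing executable.
SAMPLE_PAYLOAD = base64.b64encode(bytes(range(256))).decode()

CONSTRUCTED_ASSEMBLY = (
    '<script>\n'
    '  var raw = atob("' + SAMPLE_PAYLOAD + '");\n'
    '  var blob = new Blob([raw], {type: "application/octet-stream"});\n'
    '  link.href = URL.createObjectURL(blob);\n'
    '  link.download = "invoice.pdf";\n'
    '</script>'
)
# fromCharCode(100,111,...) spells "document"; harmless, but the pattern is what matters.
CONSTRUCTED_OBFUSCATED = (
    '<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116))</script>'
)
CONSTRUCTED_CLEAN = (
    '<html><body><h1>Quarterly report</h1>'
    '<script>console.log("ok")</script></body></html>'
)

if __name__ == "__main__":
    for label, doc in [("assembly", CONSTRUCTED_ASSEMBLY),
                       ("obfuscated", CONSTRUCTED_OBFUSCATED),
                       ("clean", CONSTRUCTED_CLEAN)]:
        print(label, "->", scan_html(doc))
```

The verdict logic is deliberately conservative: a Blob plus an object URL is treated as the defining assembly step, while decode calls, typed arrays and a download attribute are reported only as supporting evidence, because any of them alone appears in ordinary web applications. The entropy check targets the encoded carrier rather than a specific encoding, so it also flags hex- or custom-encoded fragments that a base64 pattern alone would miss.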
There are three stages of a HEAT attack: gaining the initial foothold, spreading through the network and executing the final payload to gain control over critical business systems. Stages two and three are entirely dependent on stage one, gaining initial access. Menlo focuses on stopping HEAT attacks before they achieve initial access, effectively rendering the malware impotent. Without access, it can't spread through the network, gain control, exfiltrate data or hold systems to ransom.
To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.