
What are Highly Evasive Adaptive Threats (HEAT)?


A prevent and detect approach is key to stopping HEAT attacks.

What are Highly Evasive Adaptive Threats?

Highly Evasive Adaptive Threats (HEAT) are attacks in which threat actors use evasive techniques to bypass traditional web security measures and abuse web browser features in order to deliver malware or compromise credentials. If successful, a HEAT attack renders the usual browser-facing security defenses ineffective. Those defenses include sandboxes, file inspection, network and HTTP-level inspection, malicious link analysis, offline domain analysis and indicator of compromise (IOC) feeds.

Specific HEAT techniques include:

  • HTML smuggling
  • Sending malicious links through unprotected channels, such as text messaging, social media, professional web networks, collaboration software, SMS, shared documents, shared folders and SaaS platforms.
  • Hiding malicious content inside web page source code and using benign websites to deliver sophisticated malware. By hiding in plain sight, these HEAT attacks trick traditional Secure Web Gateways (SWGs) into treating them as legitimate traffic.

What are the key HEAT attack evasive characteristics?

HEAT attacks leverage one or more of the following four evasive HEAT characteristics to bypass legacy network security defenses:

1. Evades web categorization and URL reputation

In a technique termed Legacy URL Reputation Evasion (LURE), sites that categorization engines have classified as benign are compromised and then used for malicious purposes, bypassing IOC-based detection. Threat actors can quickly flip the behavior of such a website, reveal the malicious content and drive people to the site, all before offline categorization engines have had a chance to reclassify it as malicious. Attackers may even go as far as patiently creating new sites and leaving them to build a good reputation across categorization engines before using them to deliver malicious content. CAPTCHAs on malicious sites are also used not only to give users a false sense of security, but also to force real user interaction before the actual malicious content is reached.

2. Evades Secure Email Gateways (SEGs) and malicious link analysis

Phishing has normally been a 100% email problem, so attackers are finding alternative ways in that aren’t protected. SEGs and email link analysis are bypassed by using additional phishing avenues outside the email path, such as web, social media, professional networks, collaboration tools and SMS phishing techniques.

3. Evades content inspection (AV & Sandbox)

Traditional Secure Web Gateway (SWG) anti-virus or sandbox solutions identify malicious content by scanning for known malware signatures and by monitoring file execution and remote file requests for suspicious behavior. Rather than downloading a file directly, which would be analyzed and, if malicious, blocked, HTML smuggling evades detection by embedding tiny pieces of malicious code inside seemingly benign sub-components, such as JavaScript blobs. These blobs aren’t in any format the sandbox understands, so they can’t be analyzed, and individually they don’t do anything malicious, so they aren’t detected. In the browser, however, these small pieces are dynamically reassembled into a malicious executable without any user action, bypassing file content inspection engines completely.
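As an added example (not Menlo Security’s code), the following Python heuristic illustrates what a content inspection engine can and cannot see in an HTML smuggling page: it scores a page on the combination of browser-side indicators the text describes (a large encoded literal, client-side decoding, assembly into a Blob, an object URL and a forced download). The two HTML samples are constructed test fixtures; the encoded literal is a placeholder, not a real payload.

```python
import re

# Indicators that tend to appear together when a page reassembles a file in the
# browser rather than fetching it from a server (the HTML smuggling pattern).
INDICATORS = {
    "decode": re.compile(r'\batob\s*\(|\bTextDecoder\b|\bUint8Array\b'),
    "blob": re.compile(r'\bnew\s+Blob\s*\('),
    "object_url": re.compile(r'URL\.createObjectURL\s*\('),
    "download": re.compile(r'\.download\s*=|msSaveOrOpenBlob|\bdownload\s*=\s*[\'"]'),
    "auto_click": re.compile(r'\.click\s*\(\s*\)'),
}
# A long base64-looking string literal: the "file" hidden inside the page source.
LARGE_LITERAL = re.compile(r'[\'"][A-Za-z0-9+/=]{200,}[\'"]')


def analyze_html(html):
    """Return (score, per-indicator hits) for one HTML document."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["large_literal"] = bool(LARGE_LITERAL.search(html))
    return sum(hits.values()), hits


def is_suspected_smuggling(html, threshold=4):
    """Flag a page when enough of the indicators co-occur (threshold is an assumption)."""
    score, _ = analyze_html(html)
    return score >= threshold


# Constructed benign page: a normal server-hosted download link, one indicator only.
BENIGN_SAMPLE = (
    '<html><body><a href="/files/quarterly-report.pdf" download="quarterly-report.pdf">'
    "Download report</a><script>document.querySelector('a')"
    ".addEventListener('click', function () { console.log('download'); });"
    "</script></body></html>"
)

# Constructed smuggling-style page: placeholder literal decoded and assembled client-side.
SMUGGLING_SAMPLE = (
    '<html><body><script>var payload = "' + "A" * 240 + '";'
    "var bytes = Uint8Array.from(atob(payload), function (c) { return c.charCodeAt(0); });"
    'var blob = new Blob([bytes], { type: "application/octet-stream" });'
    'var a = document.createElement("a"); a.href = URL.createObjectURL(blob);'
    'a.download = "invoice.pdf"; a.click();</script></body></html>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_SAMPLE), ("smuggling", SMUGGLING_SAMPLE)):
        score, hits = analyze_html(page)
        print(label, score, is_suspected_smuggling(page), hits)
```

Static heuristics like this only work while the indicators are visible in the page source; once the JavaScript is obfuscated and only revealed at run time, as the next characteristic describes, the inspection engine sees none of them, which is the gap the page argues isolation closes.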

4. Evades HTTP page & content inspection

Malicious content such as browser exploits and phishing kit code is hidden or obfuscated to make the JavaScript unreadable and so bypass detection. The JavaScript is then revealed in the browser at run time, executing its active content on the endpoint. Attackers also use website manipulations to hide impersonation logos behind morphed images to avoid visual detection by inspection engines.


How does Menlo Security prevent HEAT attacks?

There are three stages of a HEAT attack: gaining the initial foothold, spreading through the network and executing the final payload to gain control over critical business systems. Stages two and three are entirely dependent on stage one, gaining initial access. Menlo focuses on stopping HEAT attacks before they are able to gain that initial access, effectively rendering the malware impotent. Without access, it can’t spread through the network, gain control, exfiltrate data or hold systems ransom.
