TNP Blog

Understand The Anatomy of Attacks to Stay One Step Ahead

Written by The Network Pro | May 18, 2015 1:32:40 AM

Network (firewall) and endpoint (antivirus) defenses react to malicious communications and code after attacks have launched. OpenDNS observes Internet infrastructure before attacks are launched and can prevent malicious Internet connections. Learning all the steps of an attack is key to understanding how OpenDNS can bolster your existing defenses.

Each step of the attacker's operation provides an opportunity for security providers to observe its presence and defend against its intrusion. On the next page, four detailed example attacks are laid out using a seven-step framework.

Here is a high-level summary of the details:

  1. RECON: Many reconnaissance activities are used to learn about the attack target.
  2. STAGE: Multiple kits or custom code are used to build payloads, and multiple networks and systems are staged to host initial payloads, malware drop hosts, and botnet controllers.
  3. LAUNCH: Various Web and email techniques are used to launch the attack.
  4. EXPLOIT: Both zero-day and known vulnerabilities are exploited, or users are tricked.
  5. INSTALL: Usually the initial payload connects to another host to install specific malware.
  6. CALLBACK: Nearly every time, the compromised system calls back to a botnet server.
  7. PERSIST: Finally, a variety of techniques are used to repeat steps 4 through 7.

It is not necessary to understand each tool and technique that attackers develop. The takeaway is to understand how multiple, and often repeated, steps are necessary for attackers to achieve their objectives.

[img src="/wp-content/uploads/sites/376/2015/05/anatomy-of-attack2.jpg" class="aligncenter"]

[row]
[column span="6"]

Your Challenge: Existing defenses cannot block all attacks.

Firewalls and antivirus stop many attacks during several steps of the "kill chain", but the velocity and volume of new attack tools and techniques enable some to go undetected for minutes or even months.

Firewall/Antivirus View of Attacks

[img src="/wp-content/uploads/sites/376/2015/05/firewall-r1.png" class="aligncenter"]

Without visibility into where attacks are staged, each step appears unique and isolated.

  • Firewalls know whether the IP of a network connection matches a blacklist or reputation feed. Yet providers must wait until an attack is launched before collecting and analyzing a copy of the traffic. Only then does the provider gain intelligence about the infrastructure used.
  • Antivirus solutions know whether the hash of the payload matches a signature database or heuristic. Yet providers must wait until a system is exploited before collecting and analyzing a sample of the code. Only then does the provider gain intelligence about the payload used.

[/column]
[column span="6"]

Our Solution: Stop 50 to 98 percent more attacks than firewalls and antivirus alone by pointing your DNS traffic to OpenDNS.

OpenDNS does not wait until after attacks launch, malware installs, or infected systems call back to learn how to defend against an attack. By analyzing a cross-section of the world's Internet activity, we continuously observe new relationships forming between domain names, IP addresses, and autonomous system numbers (ASNs). This visibility enables us to discover, and often predict, where attacks are staged and will emerge before they even launch.

OpenDNS View of Attacks

[img src="/wp-content/uploads/sites/376/2015/05/openDNS-r1.png" class="aligncenter"]

Observe Internet infrastructure as attacks are staged to stay ahead of the subsequent

    • We see that the IP prefixes (4.2.55.0/24, 23.88.2.0/28, 32.13.31.0/26, 42.18.31.0/24) of all four attacks are related to the same Internet infrastructure (AS32442).
    • Web redirects or email links use domains (facebookpic.com, asdfaa.com, Java-se.com) that all have DNS records mapping back to these IP prefixes.
    • Many callback connections use domains (123.13tt.com, 321.btt.com, 222.btt.com, stck.wwxls.com) that have DNS records mapping back to these IP prefixes.
    • But other callback connections use domains (sdfil.ru, y53s.cn, er2ds.us, gmmal.ru, ...) that are generated by a common algorithm. These are discovered by observing co-occurrences over short time intervals, or by matching authoritative nameservers or WHOIS information.

[/column]
[/row]
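The two pivots described above (grouping domains by the ASN that owns the prefixes they resolve to, and finding algorithmically generated callback domains through short-window co-occurrence with a known callback domain) can be reproduced on a small scale over your own resolver logs. The following is an added example, not OpenDNS's code or data: the prefix-to-ASN table reuses the prefixes and AS32442 from the post, but every A-record resolution, client address and query timestamp below is constructed for illustration, and the unrelated AS64496 / 198.51.100.0/24 entry is a made-up control.

```python
"""Infrastructure pivot and co-occurrence pivot over constructed DNS data."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Prefixes the post attributes to one autonomous system, plus a constructed
# unrelated prefix (AS64496 and 198.51.100.0/24 are documentation-reserved).
PREFIX_TO_ASN = {
    "4.2.55.0/24": "AS32442",
    "23.88.2.0/28": "AS32442",
    "32.13.31.0/26": "AS32442",
    "42.18.31.0/24": "AS32442",
    "198.51.100.0/24": "AS64496",
}

# Constructed A-record observations (domain -> resolved IPs). The domains are
# the ones named in the post; the addresses are assumed, not observed.
DNS_RECORDS = {
    "facebookpic.com": ["4.2.55.17"],
    "asdfaa.com": ["23.88.2.9"],
    "java-se.com": ["32.13.31.40"],
    "123.13tt.com": ["42.18.31.200"],
    "321.btt.com": ["42.18.31.201"],
    "222.btt.com": ["4.2.55.18"],
    "stck.wwxls.com": ["23.88.2.3"],
    "example-cdn.net": ["198.51.100.10"],
}

# Constructed resolver log: "<UTC timestamp> <client> <queried domain>".
# Three clients query the known callback domain and, within seconds, a
# handful of DGA-looking names; one client also queries a benign name.
QUERY_LOG = """\
2015-05-18T01:32:40Z 10.0.0.5 123.13tt.com
2015-05-18T01:32:41Z 10.0.0.5 sdfil.ru
2015-05-18T01:32:42Z 10.0.0.5 y53s.cn
2015-05-18T01:32:43Z 10.0.0.5 www.example.com
2015-05-18T01:40:10Z 10.0.0.7 123.13tt.com
2015-05-18T01:40:11Z 10.0.0.7 sdfil.ru
2015-05-18T01:40:12Z 10.0.0.7 er2ds.us
2015-05-18T02:10:00Z 10.0.0.9 123.13tt.com
2015-05-18T02:10:01Z 10.0.0.9 gmmal.ru
2015-05-18T02:10:02Z 10.0.0.9 y53s.cn
2015-05-18T02:30:00Z 10.0.0.5 www.example.com
"""


def asn_for_ip(ip: str):
    """Return the ASN whose prefix contains ip, or None if it is unknown."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return None


def domains_by_asn(records):
    """Infrastructure pivot: group every domain by the ASN it resolves into."""
    groups = defaultdict(set)
    for domain, ips in records.items():
        for ip in ips:
            asn = asn_for_ip(ip)
            if asn is not None:
                groups[asn].add(domain)
    return dict(groups)


def parse_log(text: str):
    """Parse the constructed log into (timestamp, client, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, domain.lower()))
    return events


def cooccurring_domains(events, seed: str, window=timedelta(seconds=60), min_clients=2):
    """Co-occurrence pivot: domains queried by a client within `window` of that
    client querying `seed`, kept only if at least `min_clients` distinct clients
    show the pattern (a single client's unrelated browsing is not a signal).
    Returns {domain: number_of_clients}."""
    seed_times = defaultdict(list)
    for ts, client, domain in events:
        if domain == seed:
            seed_times[client].append(ts)
    clients_for = defaultdict(set)
    for ts, client, domain in events:
        if domain == seed:
            continue
        if any(abs(ts - t) <= window for t in seed_times.get(client, [])):
            clients_for[domain].add(client)
    return {d: len(c) for d, c in clients_for.items() if len(c) >= min_clients}


if __name__ == "__main__":
    for asn, domains in domains_by_asn(DNS_RECORDS).items():
        print(asn, sorted(domains))
    print(cooccurring_domains(parse_log(QUERY_LOG), "123.13tt.com"))
```

Run as-is, the infrastructure pivot puts all seven of the post's domains under AS32442 and leaves the control domain alone, and the co-occurrence pivot surfaces sdfil.ru and y53s.cn (each seen by two clients right after 123.13tt.com) while dropping www.example.com, which only one client queried in the window. The `min_clients` threshold is the part worth tuning on real logs: too low and popular CDN or telemetry names will co-occur with everything.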

Your Challenge: Why keep firewalls and antivirus at all?

Once we prove our effectiveness, we are often asked: "Can we get rid of our firewall or antivirus solutions?" While these existing defenses cannot stop every attack, they are still useful, if not critical, in defending against multi-step attacks. A big reason is that threats never expire: every piece of malware ever created is still circulating online or offline. Signature-based solutions are still effective at preventing most known threats from infecting your systems, no matter which vector they arrive by: email, website, or thumb drive. And firewalls are effective at defending both within and at the perimeter of your network. They can detect recon activities such as IP or port scans, deny lateral movement by segmenting the network, and enforce access control lists.

Your Solution: Rebalance investment of existing versus new defenses.

Here are a couple examples of how many customers free up budget for new defenses.

      • Site-based Microsoft licenses entitle customers to signature-based protection at no extra cost. Microsoft may not be the #1 ranked product, but it offers good protection against known threats. OpenDNS defends against both known and emergent threats.
      • NSS Labs reports that SSL decryption degrades network performance by 80%, on average. OpenDNS blocks malicious HTTPS-based connections by defending against attacks over any port or protocol. By avoiding decryption, appliance lifespans can be greatly extended.