Browser attacks are currently some of the most elusive and hard-to-detect attacks in cyberspace. They do not require
the attacker to have any previous interaction with the victims, such as sending them e-mails, social media or text messages with spearphishing payloads;
they just need the victim to visit the malicious page. And most of the time the malicious pages are the usual pages of legitimate and well-established
web sites, with many visitors every day, weaponized with a malicious implant. Some of these attacks mine cryptocurrency using visitors' browsers (cryptojacking),
others steal credit card information (data skimming) and others, the most dangerous ones, can take full control of the visitor's device (browser exploits),
even if the browser is fully updated. Browser attacks focus on traditional devices, such as laptops or desktops, but they also target mobile or IoT devices,
which makes them even harder to detect.
Browser exploits are programs specially crafted to exploit vulnerabilities in browsers or in technologies used by browsers. A browser
exploit can take full control of the attacked device. Lately, browser exploits have become the preferred tactic of APT and cybercriminal
groups, as they are very hard to detect; some of them have been actively exploiting victims for many months, and even years. Browser exploits can
target specific technologies (such as phone makers, browser types, etc.), specific IP addresses, specific browser languages, etc., which
makes them even harder to detect through traditional methods.
Malicious cryptojacking implants inside legitimate web sites use the visitor's device computing power to mine various cryptocurrencies.
This behaviour degrades the overall performance of the device.
Data skimming is a web attack in which a malicious implant inside a legitimate e-shop collects the credit card information submitted by the visitor
and sends it to the attacker.
The HTTP/S and HTML protocols have different implementations in different browsers, mainly because HTTP was standardized as a
protocol years after browsers emerged, which allowed each browser engine to have its own implementation and interpretation
of these protocols.
in the webpage it loads.
Traditional antivirus products or intrusion detection sensors use signature scanning to identify browser attacks,
looking for known code snippets involved in these attacks. But in recent years, browser attacks evolved to using
To counter this behaviour, traditional security products try to detect the signature of the actual exploit, or the aftermath of
the attack, such as the connection to the command and control server. But if the exploit is unknown or very new, there is no signature
for it, and if the command and control server doesn't look suspicious, for instance a DNS request or an HTTPS connection
to a legitimate but compromised website, the attack goes totally undetected.
So, the only solution seems to be client-side honeypots, which emulate browsers and access websites hoping to find browser
attacks. But this approach is very time-consuming, as modern websites can have hundreds or thousands of pages, and loading
each and every one of them in an instrumented environment takes time. Attackers have also developed a series of methods
to identify instrumented environments, ranging from delayed execution to detection of virtualized environments, which are
specific to client-side honeypots. On top of that, attackers fingerprint the browser and only attack certain browsers,
certain technologies or users from a certain geographical area or IP range. If the client-side honeypot doesn't guess all of the
above, the attack never happens, so the security product fails to identify an offensive web page.
Do browser attacks actually happen?
Unfortunately, yes. Tens of previously unknown attacks that compromise devices are discovered in the wild every year, and we can safely assume
many others remain undetected. Due to their specifics, browser exploits are perfect candidates for penetrating highly secured networks
of banks, the defense industry or government contractors, tech giants such as Facebook, Apple, Twitter or Microsoft, but also activist
groups, investigative journalists or political dissidents all over the world.
This is possible because browsers are very complex pieces of software with a huge attack surface. While some vulnerabilities get reported
and patches are issued, many more vulnerabilities never get reported and are weaponized by attackers as 0day exploits. In other cases,
even if the attack is known, there is a gap of months between the actual browser update and the moment when, for instance, mobile vendors
push the update to their users. This way, even if the attack is reported and a patch was issued, certain users are still as vulnerable
to the attack as if it were a 0day.
Most of the time the victims realize they have been compromised only after a very long period, sometimes even years,
sometimes never, and when they do realize the attack happened, it is usually because of luck or coincidence.
In other cases, browser attacks are simply used to mine cryptocurrencies, while other times they are used to steal credit
card data from unsuspecting users, as is the case with Magecart attack campaigns.
THE SOLUTION - DEKENEAS BROWSER ATTACK DETECTOR
DEKENEAS uses artificial intelligence to understand the contents of a web page, looking for signs and behaviour of malicious activity.
Such malicious activity could be the use of encryption or certain coding patterns that are highly specific to malware. Techniques such
as symbolic execution or "Code Logic Emulator (CLE)" allow a better understanding of what the code does before deciding to further analyze
the code with "Smart Dynamic Analysis". The "Smart Dynamic Analysis" technology is much more intensive and time-consuming, therefore it is
only used to confirm whether certain elements within the website are actually malicious or not.
If a certain element within the website shows signs of malicious behaviour, our "Requirements Extractor (RX)" technology tries to determine
whether that element needs certain conditions to run, such as specific user agents, IP addresses or language settings. If the "Requirements
Extractor (RX)" technology identifies certain requirements that the element needs in order to run, then the "Smart Dynamic Analysis (SDA)"
technology starts to dynamically analyze that element in the specific environment requested. For instance, if "Requirements Extractor (RX)"
This behaviour greatly reduces the analysis time, as only suspicious HTML elements are analyzed, while at the same time maximizing
the accuracy of detection by creating the specific environment requested by the website code.
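As an added illustration of the requirement-extraction idea described above, the following Python scans a script for the environment checks it gates on (user agent, language, time zone) and turns them into a profile an instrumented browser run could be configured with. This is example code written for this page, not DEKENEAS's RX or SDA implementation, whose internals the page does not describe; the sample script, the pattern names and the build_sandbox_profile helper are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: an inert script that only runs its payload when the
# visitor's environment matches specific conditions (hypothetical, for illustration).
SAMPLE_SCRIPT = """
if (navigator.userAgent.indexOf("iPhone") !== -1 &&
    navigator.language === "en-US" &&
    new Date().getTimezoneOffset() === 300) {
  loadStage2();
}
if (!/Chrome\\/9[0-9]/.test(navigator.userAgent)) { return; }
"""

# Each pattern captures the value an environment gate compares against.
# Polarity (whether the check must pass or fail) is left to the analyst.
GATE_PATTERNS = {
    "user_agent_contains": re.compile(
        r'navigator\.userAgent\.(?:indexOf|includes)\(\s*["\']([^"\']+)["\']'),
    "user_agent_regex": re.compile(
        r'/((?:[^/\\]|\\.)+)/[gimsuy]*\.test\(\s*navigator\.userAgent'),
    "language_equals": re.compile(
        r'navigator\.language\s*===?\s*["\']([^"\']+)["\']'),
    "timezone_offset": re.compile(
        r'getTimezoneOffset\(\)\s*===?\s*(-?\d+)'),
}


def extract_requirements(script: str) -> Dict[str, List[str]]:
    """Return every environment condition the script checks, grouped by kind."""
    found: Dict[str, List[str]] = {}
    for name, pattern in GATE_PATTERNS.items():
        values = pattern.findall(script)
        if values:
            found[name] = values
    return found


def build_sandbox_profile(reqs: Dict[str, List[str]]) -> dict:
    """Translate extracted requirements into settings for an instrumented browser run.

    The keys are hypothetical; a real sandbox would map them onto its own
    user-agent override, Accept-Language header and time-zone configuration.
    An element with no gates ("gated": False) can be analyzed with defaults.
    """
    profile: dict = {"gated": bool(reqs)}
    hints = reqs.get("user_agent_contains", []) + reqs.get("user_agent_regex", [])
    if hints:
        profile["user_agent_hints"] = hints
    if "language_equals" in reqs:
        profile["accept_language"] = reqs["language_equals"][0]
    if "timezone_offset" in reqs:
        profile["timezone_offset_minutes"] = int(reqs["timezone_offset"][0])
    return profile


if __name__ == "__main__":
    requirements = extract_requirements(SAMPLE_SCRIPT)
    print(requirements)
    print(build_sandbox_profile(requirements))
```

The point of the profile is the one the text makes: an element that checks for an iPhone user agent, US English and a UTC-5 time zone will never fire in a default sandbox, so the dynamic run has to be shaped by what the code itself asks for. Regex extraction like this is a starting point only; obfuscated or indirectly evaluated checks need symbolic execution or emulation to surface.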
The network traffic resulting from the interaction with the malicious HTML element is recorded and analyzed with the "Network Attack Detector (NAD)"
technology, which identifies attack signs inside network traffic.
These unique features have allowed DEKENEAS to uncover a series of complex attacks carried out by APT groups, but also
by cybercriminals, all of them using either very new or unknown exploitation vectors.
WHAT IS CYBER THREAT INTELLIGENCE (CTI)
Today’s cyber security climate is constantly evolving and changing, with new threats and new threat actors emerging almost every day. From ransomware
gangs to Advanced Persistent Threat nation-state actors, from financially motivated cybercrime gangs to the lone wolf hacker hacking from his mother’s
basement, the Internet is a dark place with unknown threats waiting to attack the next victim. Traditional antivirus products and security devices can
no longer keep up with the growing complexity of the threats they are facing. Cyber Threat Intelligence is knowing who these threats are and what techniques,
methods or tools they are using, in order to be able to defend against them even before they attack your infrastructure and cause significant damage to your
THE RIGHT CYBER THREAT INTELLIGENCE FEED
There are many Cyber Threat Intelligence feeds available, but how do you choose the right one for you? The right Cyber Threat Intelligence feed should
be relevant to your geographical location, relevant to your industry sector, relevant to the technologies you are using, and should offer a high percentage of unique data,
a suitable periodicity of data and a measurable outcome. This matters because Cyber Threat Intelligence feeds tend to contain a lot of Indicators Of Compromise (IOC) and each
IOC comes with a cost to the device in terms of resources. You do not necessarily need information about attackers targeting the Middle East if you operate
in Europe, and you are not quite interested in attackers targeting the energy sector if you operate in pharma. You don’t necessarily need IOCs for SMB
if your network does not have Samba. And you want a CTI feed with a high percentage of unique data, because many commercial feeds simply compile open-source
feeds. While open-source feeds are of great value to the community, their downside resides in the fact that they are not maintained and sometimes they
contain old IOCs that are no longer relevant to today’s climate.
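The selection criteria above (regional, sector and technology relevance, share of unique data, and staleness) can be applied mechanically before a feed is loaded into a device. The following Python is an added example for this page, not DEKENEAS's feed or tooling: the IOC tagging schema, the organization profile, the feed entries (RFC 5737 / RFC 2606 documentation addresses and names, and a placeholder hash) and the open-source overlap set are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class IOC:
    """One indicator as it might arrive in a feed, with the tags used to judge relevance."""
    value: str
    kind: str                 # "ip", "domain" or "hash"
    regions: FrozenSet[str]   # empty = no regional restriction
    sectors: FrozenSet[str]   # empty = no sector restriction
    services: FrozenSet[str]  # empty = not tied to a particular service
    last_seen: date


@dataclass(frozen=True)
class OrgProfile:
    """What the consuming organization is and exposes (hypothetical schema)."""
    regions: FrozenSet[str]
    sectors: FrozenSet[str]
    services: FrozenSet[str]


TODAY = date(2024, 6, 1)  # constructed reference date for the staleness check

# Constructed feed sample (documentation addresses/names, placeholder hash).
FEED: List[IOC] = [
    IOC("203.0.113.5", "ip", frozenset({"EU"}), frozenset({"pharma"}), frozenset({"ssh"}), TODAY - timedelta(days=3)),
    IOC("198.51.100.7", "ip", frozenset({"ME"}), frozenset({"energy"}), frozenset({"http"}), TODAY - timedelta(days=10)),
    IOC("evil.example", "domain", frozenset(), frozenset({"pharma", "financial"}), frozenset({"http"}), TODAY - timedelta(days=400)),
    IOC("192.0.2.9", "ip", frozenset({"EU"}), frozenset(), frozenset({"smb"}), TODAY - timedelta(days=1)),
    IOC("c2.example", "domain", frozenset({"EU"}), frozenset({"pharma"}), frozenset({"dns"}), TODAY - timedelta(days=7)),
    IOC("deadbeef" * 8, "hash", frozenset({"EU"}), frozenset(), frozenset(), TODAY - timedelta(days=30)),
]

# Constructed: values that also appear in freely available open-source feeds.
OPEN_SOURCE_VALUES: Set[str] = {"evil.example", "c2.example", "192.0.2.200"}

# Constructed: a European pharma company exposing HTTP, SSH and DNS but no SMB/Samba.
ORG = OrgProfile(frozenset({"EU"}), frozenset({"pharma"}), frozenset({"http", "ssh", "dns"}))


def _applies(tags: FrozenSet[str], wanted: FrozenSet[str]) -> bool:
    # An untagged indicator applies everywhere; a tagged one must overlap the profile.
    return not tags or bool(tags & wanted)


def is_relevant(ioc: IOC, org: OrgProfile) -> bool:
    return (_applies(ioc.regions, org.regions)
            and _applies(ioc.sectors, org.sectors)
            and _applies(ioc.services, org.services))


def is_stale(ioc: IOC, today: date, max_age_days: int = 180) -> bool:
    return (today - ioc.last_seen).days > max_age_days


def uniqueness_ratio(feed: Iterable[IOC], open_source: Set[str]) -> float:
    """Fraction of the feed that is not simply a copy of open-source indicators."""
    entries = list(feed)
    if not entries:
        return 0.0
    unique = [ioc for ioc in entries if ioc.value not in open_source]
    return len(unique) / len(entries)


def evaluate_feed(feed: List[IOC], org: OrgProfile, open_source: Set[str], today: date) -> Dict[str, object]:
    """Summarize how much of a feed is worth loading into a device for this organization."""
    relevant = [ioc for ioc in feed if is_relevant(ioc, org)]
    actionable = [ioc for ioc in relevant if not is_stale(ioc, today)]
    return {
        "total": len(feed),
        "relevant": len(relevant),
        "relevant_fresh": len(actionable),
        "stale": sum(1 for ioc in feed if is_stale(ioc, today)),
        "uniqueness": uniqueness_ratio(feed, open_source),
        "actionable": [ioc.value for ioc in actionable],
    }


if __name__ == "__main__":
    for key, val in evaluate_feed(FEED, ORG, OPEN_SOURCE_VALUES, TODAY).items():
        print(f"{key}: {val}")
```

On the constructed sample, only three of six indicators survive the relevance and freshness filters: the Middle East energy indicator and the SMB indicator are dropped as irrelevant, and the old domain is dropped as stale. The uniqueness ratio is what exposes a commercial feed that is mostly a repackaged open-source compilation.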
DEKENEAS CYBER THREAT INTELLIGENCE
DEKENEAS NEXT-GEN TECHNOLOGIES, in partnership with ORANGE ROMANIA COMMUNICATIONS, operates a network telescope and a vast network of honeypots with low, medium and high levels of
interaction, for generic services such as HTTP/S, DNS, SMTP, SSH, TELNET, etc., but also for ICS/SCADA and IoT devices specific to certain industries such as
pharma, energy, financial, etc. We use the network telescope to understand the latest trends in service attacks, in order to be able to deploy, if needed,
new or custom honeypots specific to the attacks we observe. Also, on request we can deploy a honeypot for a specific service you require. Our system collects
IP addresses or domains involved in attacks, command and control IP addresses or domains, attacked service information, file names and hashes. All this
information is made available to our customers through a threat intelligence feed, accessible through our API endpoint.
AVERAGE TIME TO DETECT AND CONTAIN A BREACH IS 287 DAYS
Safeguarding data is a continual process fraught with challenges, and a breach in the protection of that data can have major repercussions. Detecting and reporting a breach
in a timely manner is crucial to maintaining compliance standards and ensuring the integrity of an organization’s data. Though many breaches are detected in a timely manner,
it is an unfortunate reality that the majority of organizations take months or even years before detecting a breach. In 2019, security teams at Verizon released the Verizon Data
Breach Investigations Report, an analysis of many of the year’s big data breaches across organizations. A total of 41,686 security incidents were analyzed in the report, shining
a light on a grim reality: while cybercriminals’ first steps towards compromising customer information and data can happen in a span of minutes, discovering the
breach by these malicious actors often takes months. Using the data from the analyzed incidents, Verizon’s security teams determined that a total of 56 percent of breaches took
months or even years to detect – a significant sample size given the enormity of cyberspace that the 41,686 analyzed sites represent. This revelation tells us of the growing
level of impact a well-established system of governance can have for an organization – a system by which attacks can be properly mitigated and reported to save precious time
in recovering from a breach. Blue teams regularly engage in the mission of preventing attacks from occurring, but having the systems to detect a breach in progress – assuming
preventative measures have failed – is just as critical to ensure the integrity of an organization’s systems and the confidentiality of customer data.
TRACING THE STEPS
Data breaches and cyberattacks are not singular events. They are an ongoing process with multiple steps. The first step is usually infiltration, during which an attacker gains
a foothold in the network. Infiltration can happen in many ways. It can come by way of targeted credential theft, exploiting vulnerable web applications, third-party credential
theft, malware, and more. The next step is usually reconnaissance. This is where attackers try to understand what the network architecture is, what access they have via stolen
credentials, and where sensitive data is stored. Compare this to thieves breaking into a house in the middle of the night. The first thing they do is check the house's layout
and determine where the valuables are being kept. Once attackers are done with basic reconnaissance, they will usually attempt lateral expansion in the network. They move within
the network into a higher tier with better access, perform privilege escalation to gain permissions with wider access, acquire sensitive data, and finally exfiltrate it outside
the network. These steps take weeks or months to progress, performed through a painstaking trial-and-error process, as attackers strive to identify sensitive resources and
expand within the network. Usually, in the case of a cyber-attack, we hear only of the first and last steps – infiltration into the network and data exfiltration. But during the
steps in between, there is a whole world of activity that often goes unnoticed.
AM I OWNED
We do not provide another network monitoring tool. These tools are known to have problems in detecting complex attacks, and sometimes they even unwittingly help the attackers
through security holes in their own code. While we acknowledge the importance of intrusion detection sensors and traffic monitoring instruments, we also found that most of the
time, in practice, this is not enough, as even the best ones give a lot of false positives and “noise” traffic, generating significant amounts of information fatigue and making it
difficult for the analyst to pinpoint the malicious activities. What we do instead is give the attackers what they are looking for: juicy documents, user accounts and credentials,
database access, etc. But with a twist. All these resources are decoys, specifically crafted to “call home” when accessed, just like a tripwire alarm, forcing the attacker to
reveal themselves before being able to mount further, more damaging attacks against the network and devices. This gives the beneficiary the actionable intelligence needed to counter the threat
in a timely manner, while at the same time giving the blue team a clear timeline of the attack, based on the chronology of decoys triggered.
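The tripwire idea above, reduced to its detection core: a registry of planted decoys, access events from authentication, file-share and database logs matched against it, and a chronological timeline rebuilt from the hits. This is an added example written for this page, not DEKENEAS's deception platform; the decoy kinds, host names, the events and the addresses (private-range, constructed) are all illustrative, and in a real deployment the "call home" would be emitted by the instrumented resource itself rather than by replaying logs.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Decoy:
    """A planted resource that no legitimate process should ever touch."""
    kind: str        # "credential", "document" or "db_user"
    identifier: str  # username, document path or database login
    planted_on: str  # host or share where it was placed


@dataclass(frozen=True)
class Alert:
    when: datetime
    decoy: Decoy
    source: str      # address the access came from
    detail: str      # what the log line said happened


class DecoyRegistry:
    """Matches access events against planted decoys and keeps the resulting alerts."""

    def __init__(self) -> None:
        self._decoys: Dict[Tuple[str, str], Decoy] = {}
        self._alerts: List[Alert] = []

    def plant(self, decoy: Decoy) -> None:
        self._decoys[(decoy.kind, decoy.identifier)] = decoy

    def observe(self, kind: str, identifier: str, source: str,
                when: datetime, detail: str = "") -> Optional[Alert]:
        """Feed one access event; returns an Alert only if it touched a decoy."""
        decoy = self._decoys.get((kind, identifier))
        if decoy is None:
            return None  # ordinary activity produces no noise at all
        alert = Alert(when, decoy, source, detail)
        self._alerts.append(alert)
        return alert

    def timeline(self) -> List[Alert]:
        # Events arrive out of order from different log sources; sort by time.
        return sorted(self._alerts, key=lambda a: a.when)

    def sources(self) -> Set[str]:
        return {a.source for a in self._alerts}

    def first_contact(self) -> Optional[datetime]:
        tl = self.timeline()
        return tl[0].when if tl else None


# Constructed access events (kind, identifier, source, time, detail), deliberately
# not in chronological order to show the timeline being rebuilt.
EVENTS = [
    ("credential", "alice", "10.0.0.5", datetime(2024, 6, 1, 9, 0), "interactive logon"),
    ("document", "Finance/Q4_payroll_FINAL.xlsx", "10.0.0.23", datetime(2024, 6, 1, 9, 41), "file opened on share"),
    ("credential", "svc_backup_admin", "10.0.0.23", datetime(2024, 6, 1, 9, 37), "logon attempt"),
    ("db_user", "reporting_ro", "10.0.0.23", datetime(2024, 6, 1, 10, 2), "query on customers table"),
]


def run_demo() -> DecoyRegistry:
    """Plant three decoys, replay the constructed events and return the registry."""
    reg = DecoyRegistry()
    reg.plant(Decoy("credential", "svc_backup_admin", "WS-FINANCE-07"))
    reg.plant(Decoy("document", "Finance/Q4_payroll_FINAL.xlsx", "FS01"))
    reg.plant(Decoy("db_user", "reporting_ro", "DB02"))
    for kind, identifier, source, when, detail in EVENTS:
        reg.observe(kind, identifier, source, when, detail)
    return reg


if __name__ == "__main__":
    registry = run_demo()
    for alert in registry.timeline():
        print(f"{alert.when:%H:%M} {alert.decoy.kind:<10} {alert.decoy.identifier} "
              f"from {alert.source} ({alert.detail})")
    print("first contact:", registry.first_contact(), "sources:", registry.sources())
```

The legitimate logon by alice never produces an alert, which is the property that keeps this approach low-noise: a decoy has no business purpose, so any touch is a signal. The sorted timeline (credential at 09:37, document at 09:41, database at 10:02, all from one source) is the attack chronology the text refers to, and the earliest hit is the time from which the blue team can start tracing back.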