Q

Multi-stage attack detection best practices for enterprises

Nick Lewis explores the growing popularity of multi-stage toolkits among attackers and reveals strategies for early detection of multi-stage attacks.

The "g01pack" toolkit apparently downloads in multiple stages to victim machines in order to avoid antivirus detection. Is there no way to detect such multi-stage attacks in the early stages of their propagation? If not, what's the most effective method for sniffing out such attacks as they download their malicious components?

Ask the Expert

SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email . (All questions are anonymous.)

In order for malware authors to be successful, they must constantly adopt new techniques and technologies. The "g01pack" -- a general toolkit for malware authors that includes functionality to customize or improve individual malware components over time -- is becoming an increasingly popular example of a multi-stage toolkit. Since preventing detection of malware is often more important to the author than advancing the functionality, many authors may add an additional step to the malware attack process, often to obfuscate the Java applet used in the malware's initial infection.

Detecting multi-stage toolkits early in their infection process can be done in several different ways, depending on the malware and the tools available. One of the most effective techniques for identifying such attacks is detecting irregular outbound network traffic originating from the infected host -- this is often an indicator that it could be signaling to download the next stage of the malware. Organizations can also pick up on anomalous interactions with the Java Runtime Environment (JRE) by monitoring what commands are executed on a system. Another common next-step malware authors will likely take to separate the exploit, and the downloader could include functionality from Metasploit or a vulnerability scanning tool that identifies the weakest vulnerability and best place for the malware to exploit on the system.

This was first published in November 2013

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close