Manage Learn to apply best practices and optimize your operations.

Multi-stage attack detection best practices for enterprises

Nick Lewis explores the growing popularity of multi-stage toolkits among attackers and reveals strategies for early detection of multi-stage attacks.

The "g01pack" toolkit apparently downloads in multiple stages to victim machines in order to avoid antivirus detection. Is there no way to detect such multi-stage attacks in the early stages of their propagation? If not, what's the most effective method for sniffing out such attacks as they download their malicious components?

Ask the Expert

SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email . (All questions are anonymous.)

In order for malware authors to be successful, they must constantly adopt new techniques and technologies. The "g01pack" -- a general toolkit for malware authors that includes functionality to customize or improve individual malware components over time -- is becoming an increasingly popular example of a multi-stage toolkit. Since preventing detection of malware is often more important to the author than advancing the functionality, many authors may add an additional step to the malware attack process, often to obfuscate the Java applet used in the malware's initial infection.

Detecting multi-stage toolkits early in their infection process can be done in several different ways, depending on the malware and the tools available. One of the most effective techniques for identifying such attacks is detecting irregular outbound network traffic originating from the infected host -- this is often an indicator that it could be signaling to download the next stage of the malware. Organizations can also pick up on anomalous interactions with the Java Runtime Environment (JRE) by monitoring what commands are executed on a system. Another common next-step malware authors will likely take to separate the exploit, and the downloader could include functionality from Metasploit or a vulnerability scanning tool that identifies the weakest vulnerability and best place for the malware to exploit on the system.

This was last published in November 2013

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.