By Jonathan Lee, Senior Product Manager, Menlo Security
Insecurity today we often see the continued reliance on legacy systems and solutions.
As cybercriminals have evolved their methods, the security adopted by firms has been unable to keep up with a mindset that is focused on detection and response – and criminals know this.
The recent shift of data, users and applications to the cloud has made the browser the primary place of work. Yet when it comes to the cloud, those same on-prem security measures that are still heavily relied upon today are no longer adequate.
To capitalise on this new landscape, threat actors are targeting web browsers with a category of threats, termed Highly Evasive Adaptive Threats (HEAT) that bypass traditional security defences.
HEAT attacks make web browsers the primary attack vector, deploying various methods to evade multiple layers of detection in legacy security stacks. This allows them to bypass traditional web security protection and leverage the standard capabilities of modern web browsers to deliver malware or compromised credentials.
In its analysis of almost 500,000 malicious domains, Menlo Security Labs discovered that 69% of these websites used HEAT tactics to deliver malware. These attacks allow bad actors to deliver malicious content to the endpoint by adapting to the targeted environment. Since July of last year, our research team has seen a 224% increase in HEAT attacks.
Given that many of us now spend around three-quarters of our day using a web browser, it’s an obvious target.
HEAT attacks leverage one or more of the following core techniques that bypass legacy network security defences:
- Evades both static and dynamic content inspection: HEAT attacks evade both signature and behavioural analysis engines to deliver malicious payloads to the victim using innovative techniques, such as HTML Smuggling. This technique was used by Nobelium the hacking group behind the SolarWinds ransomware attack. In a recent case, dubbed ISOMorph, the campaign used the popular Discord messaging app to host malicious payloads. Menlo Labs identified over 27,000 malware attacks, which were delivered using HTML Smuggling within the last 90 days.
- Evades malicious link analysis: These threats evade malicious link analysis engines traditionally implemented in the email path where links can be analysed before arriving at the user.
- Evades offline categorisation and threat detection: HEAT attacks evade web categorisation by delivering malware from benign websites, either by compromising them or patiently creating new ones. Referred to as Good2Bad websites. Menlo Labs has been tracking an active threat campaign dubbed SolarMarker, which employs SEO poisoning. The campaign started by compromising a large set of low popularity websites that had been categorised as benign, infecting these websites with malicious content. Good2Bad websites have increased 137% year-over-year from 2020 to 2021.
The case for Zero Trust and SASE
Be it file inspections performed by SWG anti-virus engines and sandboxes, network and HTTP-level inspections, malicious link analysis, offline domain analysis, or indicator of compromise (IOC) feeds, many legacy defences are rendered near useless when confronted with these evasive techniques.
A significant part of the challenge lies in the fact that HEAT characteristics equally have genuine uses. Therefore, they cannot simply be blocked at the function level. Rather, they need to be prevented.
To achieve this, a shift in mindset and an updated security posture is required. Trying to overcome the challenges of web security with endpoint security creates a square peg in a round hole scenario – it simply does not guarantee protection.
Critically, endpoint security only detects a threat once it is written to the file system, at which point a network will likely have been compromised already. Further, it is not able to protect unmanaged devices, while also harbouring a high chance of inundating the security operations centre (SOC) with too many alerts.
In dealing with HEAT, prevention is the best policy. Not only can it help to alleviate pressures on endpoints, but it can also make the already challenging lives of SOC teams much easier, creating a more sustainable environment of investigation, escalation and resolution.
This shift begins with a thorough review of existing security policies. Those that still remain built around a central policy pillar of detection and response need to be adapted and enhanced so they are fit for purpose in the modern work environment.
A Zero Trust approach, backed by the Secure Access Service Edge (SASE) framework, which features key security technology components will cater to today’s remote and hybrid workforces. SASE ensures security is built around users, core applications and company data at the edge by converging connectivity and security stacks. No longer are security stacks on the outside looking in; they are integrated within the cloud.
In the face of HEAT, organisations should focus on three key tenets to limit their susceptibility to these types of attacks: shifting from detection to a prevention mindset, stopping threats before they hit the endpoint, and incorporating advanced anti-phishing and isolation capabilities.
For more information on HEAT: Too Hot to Handle.
About the Author
Jonathan Lee, Senior Product Manager, Menlo Security. Jonathan Lee serves as a trusted advisor to enterprise customers and works closely with analysts and industry experts to identify market needs and requirements and establish Menlo Security as a thought leader in the Secure Web Gateway (SWG) and Secure Access Service Edge (SASE) space. Jonathan previously worked for ProofPoint and Websense. As an industry expert, commentator and speaker, Jonathan is well versed in data protection, threat analysis, networking, Internet isolation technologies, and cloud-delivered security.
Jonathan can be reached online at @Menlosecurity and at our company website: https://www.menlosecurity.com/