Web sites that take advertising need to protect against inadvertently delivering malware to their users, before, during and after an attack, explains Terry Greer-King.
Internet advertising spend now outpaces all other forms of media. In the UK alone, digital will make up almost 50 percent of the total ad spend and it will be worth £13.9 billion this year according to GroupM, WPP's media buying arm. With numbers like that, it's no surprise that cyber attackers are also turning their heads towards internet advertising. Media and publishing sites, large and small, attract a wide range of traffic from individual consumers and organisations across the globe. They also rely largely on advertising for revenue. According to our (CISCO's) recent Mid-Year Security report it is likely that the growth in malvertising (online advertising used to spread malware) is partly responsible for the surge in web malware encounters for the media and publishing industry in the first half of 2014.
Malvertising is becoming more prevalent. Supported by the cybercriminal economy that has formed around the attack chain, it has become increasingly easy for adversaries to gain access to the tools they need to launch these highly targeted campaigns. For example, a malvertiser who wants to target a specific population at a certain time — such as football fans watching a big match — can turn to a legitimate ad exchange to meet their objective. Just like legitimate advertisers, they contact companies that are gatekeepers for the ad exchanges. They will pay up front for the advertising, perhaps £1,500 or more per ad run. They then instruct the companies to tell the ad exchanges to serve the ads as quickly as possible, leaving little or no time for the ad content to be inspected.
Malvertising victims are infected with malware in the course of their normal Internet browsing, without even clicking on the advertisement, and therefore have no idea where or how they were infected. These drive-by attacks on visitors to high-profile, legitimate websites are virtually impossible for the user to detect. Website visitors are seamlessly redirected to websites that host exploit kits that the adversary has either rented or purchased. These kits push a ‘dropper' onto users' systems and infect vulnerable systems. Not only are their infiltration methods stealthy, but tracing the source is next to impossible because the ad that delivered the malware has long since disappeared.
So how can security professionals help to prevent these attacks from being successful? Secure web gateways are becoming an increasingly important component of any cyber-security strategy. However, conventional secure web gateways operate at a point in time – one shot to detect and stop traffic. Advanced attacks don't occur at a single point in time, so while visibility and blocking at the point of entry is important, it isn't enough. These attacks are ongoing and require continuous scrutiny. When evaluating secure web gateways, security professionals should identify solutions that include a series of checks across the full attack continuum – before, during, and after an attack – for more effective protection.
· Before an attack: Defenders need comprehensive awareness and visibility to implement policies and controls to defend their environment. URL filtering and web reputation filtering are the first checks in the process. With URL filtering, system administrators can set policies to block known malicious sites but can also block categories of URLs based on content, for example allowing news but blocking all ads. For those concerned with the impact on user experience by blocking all ads other layers of security can be added. Similar to giving a web site a credit score, reputation filtering provides another layer of protection. It leverages a vast amount of data, including the length of time the domain has been malware-free, to assign a reputation to a URL. When a user requests a web page, the reputation is requested and based on pre-set policies a decision is made on how it should be handled. Working together, URL filtering and reputation filtering help block malvertising attacks at the point of entry. But attacks are incredibly stealthy and can still get through.
· During an attack: Defenders must be able to continuously detect and block malware. If the web content the user requested has passed URL filtering and reputation filtering, real-time malware scanning now takes over. Before the content is delivered to the user the file is scanned against various parameters, including the latest threat intelligence, and blocked if found to be malware. If the disposition is still unknown or untrusted it is run in a sandbox, a tightly controlled environment, and watched for suspect or malicious behaviour. If the sandbox verdict is malicious, the administrator is notified to take action and defences are updated to protect against future similar ads. Sandbox technology can mitigate risk, but it doesn't remove it entirely; attacks are being designed to evade sandbox detection.
· After an attack: Because some advanced threats still penetrate networks, defenders need protection that includes retrospective security. Retrospective security continues to track files and analyse their behaviour against real-time, global threat intelligence. If a file is later identified as malicious, retrospective security can also determine the scope of the attack so that defenders can quickly contain the threat and remediate. The various layers of defences are then updated with the latest intelligence so that a similar malvertising attack will be blocked in the future.
Internet advertising is important because it enables people to freely consume the vast majority of the web – without monetisation many sites would falter. If that model were to change or if people were to stop trusting Internet advertising altogether, the repercussions for the Internet could be monumental. But just as advertisers see huge opportunities to reach their targets with Internet ads, hackers see similar opportunities.
Malvertising affects all Internet users and is a disruptor for the Internet economy. It underscores the sophistication of the modern cybercriminal economy in terms of the division of labour, cooperation, and specialisation across the attack chain. It also underscores the need for an approach to security that addresses the full attack continuum. With ongoing visibility and control, and intelligent and continuous updates, security professionals can take action to stop the inevitable outbreak.
By Terry Greer-King, director of cyber security, Cisco