Companies may want to reconsider security policies that de-emphasize remediating commodity threats. While click-fraud software, adware and other commodity threats may seem relatively benign compared to the more serious issues security teams face, such as DDoS attacks, attackers are upgrading commodity threats with components found in malware, making these programs much more malicious.
"The major problem is that all malware today, including simple click-fraud programs, are all remote access tools and can be used by attackers to do what they want to a machine," said Cybereason CISO Israel Barak. He'll speak about the dangers of dismissing commodity threats during a Black Hat briefing on Wednesday, Aug. 3 from 5:30 p.m. to 6 p.m., local time.
And while the criminal organization behind a non-targeted commodity threat may not have any interest in accessing the compromised company's network, other attackers would pay for this access, he said.
"Multiple cyber-criminal organizations have diversified business interests and sell compromised corporate assets on black markets," Barak said. The price for access to compromised corporate networks varies and is influenced by factors such as the type of organization, the number of computers and servers the attacker has access to and the compromised machines' user privileges. The greater the access, the more the asset will sell for, Barak said.
Most companies, though, don't see commodity threats as a major concern since most of those attacks don't target an organization, a point attackers realize and are eager to exploit.
"Many SOCs disregard the fact that compromised machines that have commodity adware used in an untargeted attack can turn into a targeted attack within days. We've seen that attractive machines are sold in less than 24 hours," he said.
During his presentation, which will be held at Lagoon K in the Mandalay Bay Convention Center in Las Vegas, Barak will talk about how attackers prepared one asset for sale after realizing that their commodity threat had found its way into the network of a Fortune 500 company. Just eight days after Cybereason detected the threat, attackers upgraded their basic click-fraud malware with a more sophisticated persistence mechanism and re-programmed the software to communicate by using domain generation algorithms, among other enhancements.
The challenge organizations face, said Barak, is being able to determine when a "threat that was previously seen as a commodity threat becomes a targeted attack."
"Organizations that only focus on if something is targeted or untargeted miss an opportunity to stop a threat before it goes to a targeted actor," he said.
Identifying when a commodity threat becomes malicious becomes an even greater challenge when factoring in the volume of threats SOCs deal with on a daily basis, Barak said. Security analysts simply lack the time to review every threat, especially those that are low on the remediation list.
Barak suggested implementing a system that monitors the behavior of commodity threats and can detect when they begin displaying malicious behavior.
"Based on the tactics, techniques and procedures used by a seller and buyer, we can build a methodology to identify the escalation process happening on threats that were identified as low priority but are turning into something more malicious," he said. His Black Hat talk will detail how companies can establish a mechanism that looks for these behavioral changes.
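As an added illustration (not Cybereason's or Barak's code), the following Python sketches the kind of escalation check the passage describes: a host already triaged as a low-priority commodity infection is re-scored when behavior seen after the baseline window departs from it, here a new persistence mechanism and a burst of DGA-looking DNS lookups. The telemetry, thresholds and domain names are constructed.

```python
import math
from collections import Counter

# Constructed endpoint telemetry for one host: (day, event kind, detail).
# Day 0 is when the commodity click-fraud infection was triaged as low priority.
EVENTS = [
    (0, "dns", "ads-clickpartner.example"),
    (0, "persist", "run_key:Updater"),
    (1, "dns", "ads-clickpartner.example"),
    (8, "dns", "ads-clickpartner.example"),      # the original, still-benign C2
    (8, "persist", "scheduled_task:SysHealth"),  # persistence not seen at triage
    (8, "dns", "kq3xv8wzp1rt.example"),           # DGA-looking lookups
    (8, "dns", "m9z0qh2vbxw7.example"),
    (8, "dns", "pw71xzkq4vrn.example"),
]

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(domain, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Crude DGA heuristic (assumed thresholds): long, high-entropy, vowel-poor label."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def escalation_alerts(events, baseline_days=2, dga_min=3):
    """Flag behavior after the baseline window that the triage never saw."""
    baseline_persist = {d for day, k, d in events if k == "persist" and day < baseline_days}
    alerts = []
    dga_by_day = Counter()
    for day, kind, detail in sorted(events):
        if day < baseline_days:
            continue
        if kind == "persist" and detail not in baseline_persist:
            alerts.append((day, "new_persistence", detail))
        if kind == "dns" and looks_generated(detail):
            dga_by_day[day] += 1
            if dga_by_day[day] == dga_min:  # fire once per day at the threshold
                alerts.append((day, "dga_like_dns", f"{dga_min} generated-looking lookups"))
    return alerts

if __name__ == "__main__":
    for alert in escalation_alerts(EVENTS):
        print("escalation:", alert)
```

Either alert alone would justify moving the host off the low-priority queue; the test is that the behavior profile changed, not the original family name.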
"You want to identify if your company has been infiltrated before the attackers establish a command and control channel, the asset changes hands and the incident becomes more serious," Barak said.