How do cybercriminals get inside corporate infrastructure? Movie plot devices where an infected flash drive is left lying around do occur in real life, but not all that often. Over the past ten years, by and large, the main threat delivery channels have been e-mail and malicious Web pages. With e-mail, everything is fairly clear: a security solution with a decent antiphishing and antivirus engine on the mail server will eliminate most threats. By comparison, Web threats usually get much less attention.
Cybercriminals have long been using the Web for all kinds of attacks — and we don’t just mean phishing pages that steal users’ credentials for online services, or malicious sites that exploit browser vulnerabilities. Advanced attacks aimed at specific targets also use Web threats.
Web threats in targeted attacks
In Securelist’s 2019 APT review, our experts give an example of an APT attack that uses the watering-hole method. In the attack, cybercriminals compromised the website of India’s Centre for Land Warfare Studies (CLAWS), and used it to host a malicious document that distributed a Trojan to gain remote access to the system.
A couple of years ago, another group launched a supply-chain attack, compromising the compilation environment of the developer of a popular application and embedding a malicious module into the product. The infected application, with its bona fide digital signature, was distributed on the developer’s official website for a month.
The above are not isolated cases of Web-threat mechanisms deployed in APT attacks. Cybercriminals are known to study the interests of employees and send them malicious links in messengers or social networks that look like websites likely to appeal to their tastes. Social engineering works wonders on trusting individuals.
It became obvious to us that to improve protection against targeted attacks, we needed to consider Web threats in the context of other events on the corporate network. Therefore, Kaspersky Web Traffic Security 6.1, released in the run-up to the new year, is integrable with the Kaspersky Anti-Targeted Attack platform. Operating in tandem, they complement each other, beefing up the network’s overall defenses.
It is now possible to set up bidirectional communication between the solution protecting the Web gateway and the solution guarding against targeted threats. First, that lets the gateway-based application send suspicious content for in-depth dynamic analysis. Second, Kaspersky Anti-Targeted Attack also now has an additional source of information from the gateway, enabling the earlier detection of the file components of a complex attack and blocking of malware’s communication with C&C servers, thereby disrupting the targeted attack scenario.
Ideally, integrated protection can be implemented at all levels. This involves setting up a targeted threat defense platform to receive and analyze data from workstations and physical or virtual servers, as well as the mail server. If a threat is detected, the results of its analysis can be forwarded to Kaspersky Web Traffic Security and used to automatically block similar objects (and attempts by them to communicate with the C&C servers) at the gateway level.
See the Kaspersky Web Traffic Security page for more information about our gateway protection application.