Since the dawn of the internet, the clash between "hackers" and cybersecurity engineers has consisted of finding new answers to the other side's inventions. Here we describe several attacks which get past some of the best weapons in the fight against cybercrime: firewalls and endpoint antivirus.
Phishing and Spear Phishing
Increasingly common these days, phishing attacks do not attempt to install malware directly on the end device; instead they try to coax the user into giving up their passwords, banking credentials, personal identification data or any other information.
How does it work?
Falling into the social engineering category, these attacks exploit the user as the weakest link and often involve websites pretending to be your bank, a delivery service, or just about any website you trust.
The same applies to e-mail addresses: by swapping a lowercase 'l' and the digit '1', an uppercase 'O' and the digit '0', or using special Unicode characters that look like Latin letters, attackers can for example convince users that their IT department is asking them to renew their password.
Spear phishing is an attack tailored to a specific user in a company, often a high-ranking executive with elevated privileges and access to a wide variety of systems. A lot of effort goes into such an attack: the bad actors mimic the brand identity of the victim company, use localisation, and analyse relations between employees, all to make the e-mail, message or site as believable as possible. Nowadays it is a very popular practice.
Why is it dangerous?
Many users have one work password for everything, including the CRM, client databases, or the company's social media or advertising profiles. Today most services are cloud-based, and attacks on cloud services are rising accordingly. Moreover, a phished password opens the way to other attacks which may well cripple the whole company, such as the dreaded ransomware.
How Immunity saves the day
The chance that a spear phishing attack succeeds rises sharply with the "authenticity" the attackers can mimic: everything from people's names on LinkedIn to e-mail styling (colours, fonts, logo) and how closely the phishing link's domain resembles the real one. For the resolver, however, this is easily detectable, and it blocks any DNS request for a domain similar to the real domain which Immunity protects.
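As an added illustration of the look-alike detection described above (not part of the original article and not Whalebone's code): a small Python check that folds confusable characters into a canonical skeleton and measures edit distance against a constructed protected domain, run over constructed query names.

```python
import unicodedata
from typing import Dict, List
PROTECTED = "examplebank.com"  # constructed customer domain (hypothetical)

# Minimal confusable table: characters attackers swap for look-alike Latin letters.
CONFUSABLES: Dict[str, str] = {
    "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a",  # Cyrillic small a
    "\u043e": "o",  # Cyrillic small o
}
def skeleton(name: str) -> str:
    """Fold a name to a canonical 'skeleton' so look-alikes compare equal."""
    name = unicodedata.normalize("NFKC", name).lower()
    name = "".join(CONFUSABLES.get(ch, ch) for ch in name)
    return name.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(qname: str) -> str:
    # Crude: last two labels. Production code uses the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def is_lookalike(qname: str, protected: str = PROTECTED, max_dist: int = 1) -> bool:
    """True when the queried name imitates the protected domain but is not it."""
    cand = registrable(qname)
    if cand == protected:
        return False  # the genuine domain and its subdomains stay allowed
    return edit_distance(skeleton(cand), skeleton(protected)) <= max_dist

# Constructed DNS query names, as a resolver might log them.
QUERIES: List[str] = [
    "mail.examplebank.com.",  # genuine
    "examp1ebank.com.",       # digit 1 in place of letter l
    "ex\u0430mplebank.com.",  # Cyrillic a in place of Latin a
    "examplebank.co.",        # one TLD letter dropped
    "exarnplebank.com.",      # 'rn' in place of 'm'
    "news.example.org.",      # unrelated
]
def flag_lookalikes(queries: List[str]) -> List[str]:
    return [q for q in queries if is_lookalike(q)]
```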
IoT Attacks
IoT devices are everywhere: printers, TVs, personal assistants, smart lights and security systems are connected to the internet and mostly have more computing power than the computer which sent the first people to the Moon. Nevertheless, there is a reason why many people in the IT industry do not trust them and refuse to buy smart gadgets for their home: they can be targeted by attackers and serve as a gateway into your network.
How does it work?
IoT devices have their own embedded software or operating system, which, like any software, is vulnerable. They are also connected to a server in much the same way your other devices are, which gives an attacker another potential avenue.
Attackers can exploit a bug in the software, target older versions in which a vulnerability has not been patched (how often have you postponed a software update?), or use a vulnerability in the connection between the device and the server.
Why is it dangerous?
Most IoT devices do not have embedded antivirus software, which otherwise does a good job of protecting our computers and phones. Their functionality is limited, and so are their means of protection. They can then be used for crude attacks such as DDoS (some companies have literally been attacked by a bunch of refrigerators) or as an access point into your network from which to distribute malware.
How Immunity saves the day
Whalebone protects devices regardless of their operating system or embedded software. If a domain is generating malicious communication, the traffic is blocked no matter which device sent the request.
DNS Spoofing / DNS Cache Poisoning
Any time you access a website for the first time via its URL, your computer first needs to ask a Domain Name System (DNS) server which IP address to connect to. The problem occurs when someone manages to impersonate the DNS server and redirect the traffic to another website, often one which looks like the original.
How does it work?
Your computer does not want to ask the DNS server for the right IP address every time you check your e-mail; instead, it keeps the answer in a DNS cache for a certain time (the Time To Live, TTL). Afterwards it asks the DNS server again to check whether everything is still the same. That is the moment attackers attempt DNS cache poisoning: feeding your device false information before the authoritative DNS server answers.
Why is it dangerous?
The false website is a gold mine of attack opportunities. Fileless attacks, which alter the code of native files on your computer to elude antivirus scans, can be launched. You could be asked to enter your personal data, or a more traditional malware dropper could be employed. Since the website will be very similar to the one you visit regularly, and you reached it by typing the URL or clicking your bookmark, your trust threshold might be considerably higher.
How Immunity saves the day
Immunity implements the relevant RFCs, namely those specifying DNSSEC. With DNSSEC validation enforced, Whalebone's cache cannot be easily poisoned.
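An added example, not from the article and not Whalebone's resolver code: a toy Python cache that models the TTL window and the acceptance checks a validating resolver applies to an answer, with DNSSEC validation reduced to a flag since real signature verification is out of scope here. The names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
@dataclass
class Answer:
    txid: int        # transaction ID the resolver put into its question
    qname: str
    rdata: str       # the IP address the answer claims
    ttl: int         # seconds the record may be cached
    validated: bool  # True if the DNSSEC chain verified (simulated flag here)
@dataclass
class ResolverCache:
    """Toy recursive-resolver cache: TTL expiry plus answer acceptance checks."""
    clock: float = 0.0  # injectable time in seconds, so expiry is testable
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # qname -> (rdata, expires_at)
    pending: Dict[str, int] = field(default_factory=dict)                # qname -> txid awaited
    def lookup(self, qname: str) -> Optional[str]:
        """Serve from cache while the TTL window is open, otherwise miss."""
        hit = self.entries.get(qname)
        if hit is None or hit[1] <= self.clock:
            self.entries.pop(qname, None)  # expired: must re-ask upstream
            return None
        return hit[0]

    def ask_upstream(self, qname: str, txid: int) -> None:
        self.pending[qname] = txid

    def accept(self, ans: Answer) -> bool:
        """Cache an answer only if it matches a question we asked and validates."""
        if self.pending.get(ans.qname) != ans.txid:
            return False  # unsolicited or mismatched transaction: discard
        if not ans.validated:
            return False  # a DNSSEC-enforcing resolver refuses unsigned/bogus data
        self.entries[ans.qname] = (ans.rdata, self.clock + ans.ttl)
        del self.pending[ans.qname]  # question answered; late duplicates are rejected
        return True

def demo() -> List[object]:
    """Walk through the race the article describes, from the resolver's side."""
    cache = ResolverCache()
    cache.ask_upstream("mail.example.com", txid=0x1A2B)
    out = [
        cache.accept(Answer(0x1A2B, "mail.example.com", "203.0.113.9", 300, validated=False)),  # unsigned: rejected
        cache.accept(Answer(0x1A2B, "mail.example.com", "192.0.2.10", 300, validated=True)),    # genuine: cached
        cache.accept(Answer(0x1A2B, "mail.example.com", "203.0.113.9", 300, validated=True)),   # late duplicate: rejected
        cache.lookup("mail.example.com"),  # served from cache
    ]
    cache.clock += 301                      # TTL elapsed
    out.append(cache.lookup("mail.example.com"))  # None: must ask again
    return out
```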
0-day Threats
"0-day threat" is an umbrella term for threats which have not yet been widely detected and included in threat databases, or whose exploited vulnerabilities have not yet been patched. They can take many forms and attack different parts of your network. What they have in common is that they are fast.
How does it work?
They exploit the fact that the databases of antivirus software and firewalls need to be updated and that this may take some time. Once the attack comes into the collective crosshairs of security engineers, it becomes less effective.
Why is it dangerous?
Well, it is an attack like any other, and if you have read this far you already know many of the terrible scenarios a cyber threat can cause on your device or in your company network. The cherry on top with 0-day threats is that it is hard to say what they will do, and how to prevent them.
How Immunity saves the day
No rule-based firewall can cover the vast number of domains that a DGA (domain generation algorithm) can produce. If it could, the number of rules would have to be infinite, and therefore no amount of disk space would suffice. Immunity's filtering is powered by AI that evaluates domains using threat data from millions of our users and can therefore block domains that no threat intelligence list yet knows about.
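An added heuristic stand-in, not Immunity's AI model and not from the article: a Python scorer that flags DGA-looking names by character entropy, consonant runs, digit density and label length, run over constructed query names. The thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter
from typing import List

VOWELS = set("aeiou")

def shannon_entropy(label: str) -> float:
    """Bits per character: random-looking strings score high, real words low."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def longest_consonant_run(label: str) -> int:
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def dga_score(domain: str) -> int:
    """Count the DGA-typical traits (0-4) shown by the registrable label."""
    labels = domain.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    traits = [
        shannon_entropy(label) > 3.5,       # high character entropy
        longest_consonant_run(label) >= 5,  # unpronounceable clusters
        digit_ratio >= 0.2,                 # digits sprinkled through the name
        len(label) >= 14,                   # long names avoid collisions with real ones
    ]
    return sum(traits)

def is_dga_like(domain: str, threshold: int = 2) -> bool:
    return dga_score(domain) >= threshold

# Constructed query names, as they might appear in resolver logs.
QUERIES: List[str] = [
    "www.examplebank.com.",
    "updates.example.org.",
    "mail.whalebone.io.",
    "qwxzkpfvbnjtrlsd.com.",
    "a7f3k9d2x1c8b4.net.",
]

def flag_dga(queries: List[str]) -> List[str]:
    return [q for q in queries if is_dga_like(q)]
```

A real classifier would add dictionary and n-gram features and, as the article notes, learn from traffic across many users; this scorer only shows the kind of per-domain evidence such a model consumes.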
Password Attacks and Password Spray Attacks
Remembering multiple passwords is a tedious task, and attackers know it. There are vast databases of commonly used passwords and password fragments, and of the processes people use to create them (the address of the building, one's date of birth, etc.). Those can be used to gain access to your profile on any site without proper anti-bot protection. In password spray attacks, these guesses are tried in short bursts, usually against a specific company, to maximise the effectiveness of the password "guessing".
How does it work?
In the past, hackers simply used "brute-force" attacks (trying every possible combination until they succeeded or were blocked) and were very effective at it. Nowadays, with people being smarter about their passwords, using numbers, special symbols or strings of random words (which is widely considered best practice for personal use), simple brute force might not be enough.
Unfortunately, the aforementioned databases, psychology, and powerful AI help hackers guess what your password might be, especially when it comes to company e-mail and other work-related logins, where people tend to use words related to the business, location, and position.
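An added example, not part of the article or Whalebone's product: detection logic in Python that separates a password spray (a few guesses spread across many accounts in one burst) from single-account brute force in a constructed authentication log. The log format, thresholds and time window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed authentication log: "<ISO time> <RESULT> user=<name> src=<ip>"
AUTH_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=198.51.100.7
2024-03-01T09:00:04 FAIL user=bob src=198.51.100.7
2024-03-01T09:00:07 FAIL user=carol src=198.51.100.7
2024-03-01T09:00:10 FAIL user=dave src=198.51.100.7
2024-03-01T09:00:13 FAIL user=erin src=198.51.100.7
2024-03-01T09:01:00 FAIL user=alice src=203.0.113.5
2024-03-01T09:01:02 FAIL user=alice src=203.0.113.5
2024-03-01T09:01:04 FAIL user=alice src=203.0.113.5
2024-03-01T09:01:06 FAIL user=alice src=203.0.113.5
2024-03-01T09:02:00 FAIL user=frank src=192.0.2.33
2024-03-01T09:02:20 OK user=frank src=192.0.2.33
"""

def parse(line: str) -> Tuple[datetime, str, str, str]:
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_spray(log: str, window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 2) -> Dict[str, List[str]]:
    """Return {source_ip: targeted usernames} for sources whose failures fit a spray:
    many distinct accounts, few tries each, inside one time window."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.strip().splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    sprays: Dict[str, List[str]] = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # slide the window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in events[start:end + 1])
            # One account hammered many times is brute force, not a spray;
            # a spray spreads a few guesses across many accounts.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprays[src] = sorted(per_user)
                break
    return sprays
```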
Why is it dangerous?
It is a universally acknowledged truth that an attacker holding someone's login information is bad news. From identity theft, attacks on social profiles, installing malware or ransomware, to straight-up blackmail, the possibilities open to bad actors are unfortunately nigh endless.
How Immunity saves the day
Thanks to our Dark Web Scouting team, Immunity's Identity Protection feature identifies leaked passwords and other sensitive information connected to your domain on the dark web and hacker forums, covering both historical and new leaks. With Identity Protection you can notify the employees whose credentials were breached so they can change them, thus preventing the consequences.
So there are a lot of those. Now that I know that, what should I do?
The best tools at your disposal are caution, education, and caution again. Do not click on suspicious links, use a password manager, secure your network, update your software as soon as it asks, install proper antivirus software and use an appropriate firewall. If you are an IT or network manager, educate your employees properly.
But do not despair: we can help. Our DNS-based security can protect your network at the DNS level, making sure that you or your colleagues do not wander into the dodgy part of the web. And if you or your users do, it blocks the communication between your network and the attacker, giving you time to deal with the issue (the deep visibility into your network's DNS traffic which we provide will help a lot, too).
Read more about Whalebone Immunity or set up a call with our technical experts – and let’s talk DNS security.