Infinity vs. The Real World: The Blackstone Group

(Ed: The Blackstone Group is an investor in Cylance, Inc.)

The Blackstone Group recently deployed CylancePROTECT on a group of pilot users. PROTECT doesn't rely on signatures to determine the true nature of files. Instead, it uses math, in the form of complex algorithms and machine learning.

Incident responders have to deal with different types of threats every day, some more sneaky and interesting than others. In the cybercrime field, web exploit kits are an extremely common threat that can cause damage to any environment. Their modular design allows attackers to easily modify and obfuscate specific parts of the kill chain, such as the initial redirection, the exploitation, or the actual payloads. To make things worse, malvertising campaigns can have a very high success rate in presenting exploit kit landing pages to victims while bypassing URL categorization or blacklisting controls.

Identifying, investigating, and mitigating these attack vectors can quickly become a big challenge for security teams. Existing signature-based detection and prevention technologies such as common antivirus or IDS/IPS can be easily bypassed by exploit kit campaigns. Blue teams need to innovate in their tactics and technology to better defend from such a polymorphic threat.

A few weeks ago we responded to an exploit kit incident that illustrates some of the described challenges. A user was performing Google searches which eventually led him to an exploit kit landing page. After a couple of redirection steps, a SWF object was presented.


A subsequent request was made to the same host after the SWF object. This time, the content of the response was a PE binary. At the time of the investigation, the major AV vendors listed on public and private malware feeds failed to detect this sample as malicious. Signature-based network security controls were also bypassed by this attack vector, and the payload made it to the host.
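As an added example (not code from the original post, from Blackstone, or from Cylance), here is a small Python detector for the sequence described above: one host serving a Flash object and then a PE binary to the same client within a short window. The proxy log format and the sample lines are constructed assumptions; it keys on the body's magic bytes rather than the Content-Type header, since a payload like this one may come back under a generic type.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log lines (assumed format):
# time, client, host, path, content-type, first two body bytes as hex.
SAMPLE_LOGS = """\
2015-06-01T10:00:01 10.1.1.5 search.example /q?term=x text/html 3c68
2015-06-01T10:00:03 10.1.1.5 ads.example /redir text/html 3c68
2015-06-01T10:00:05 10.1.1.5 landing.example /a.php application/x-shockwave-flash 4357
2015-06-01T10:00:09 10.1.1.5 landing.example /b.php application/octet-stream 4d5a
2015-06-01T10:05:00 10.1.1.6 cdn.example /video.swf application/x-shockwave-flash 4357
2015-06-01T10:07:00 10.1.1.6 download.example /setup.exe application/x-msdownload 4d5a
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) ([0-9a-f]{4})$")

# File magic: SWF files start with "FWS", "CWS" or "ZWS"; PE files start with "MZ".
SWF_MAGIC = {"4657", "4357", "5a57"}
PE_MAGIC = "4d5a"

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path, ctype, magic = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "path": path, "ctype": ctype, "magic": magic}

def find_swf_then_pe(log_text, window_seconds=60):
    """Return (client, host, path, content-type) for every PE response that
    follows an SWF response from the same host to the same client within
    the window. Body magic bytes decide the file type, not Content-Type."""
    last_swf = {}  # (client, host) -> timestamp of the most recent SWF response
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        if rec["magic"] in SWF_MAGIC:
            last_swf[key] = rec["ts"]
        elif rec["magic"] == PE_MAGIC and key in last_swf:
            if rec["ts"] - last_swf[key] <= timedelta(seconds=window_seconds):
                alerts.append((rec["client"], rec["host"], rec["path"], rec["ctype"]))
    return alerts

if __name__ == "__main__":
    for alert in find_swf_then_pe(SAMPLE_LOGS):
        print("possible exploit kit payload:", alert)
```

The second client in the sample fetches an SWF and an executable from different hosts minutes apart, so it is not flagged; only the landing.example pair is.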


CylancePROTECT was deployed to this host after the initial alert was identified. It identified the dropped payload as malicious almost instantly. I've seen the power of math firsthand, and it works.

Mauricio Velazco
The Blackstone Group
www.blackstone.com