By Chris Tribbey
For today’s IT teams, the sheer amount of malware out there can be daunting to look at. Billions of URLs are used for the delivery of malware, with approximately 100 million malware samples “in the wild,” according to Neal Hartsell, EVP of marketing and product management at NSS Labs.
Instead of trying to watch for each piece of malware, IT teams need to look at the active exploits being used, Hartsell said during an NSS Labs security presentation. “IT teams continue to be given loads and loads of data, but it’s hard to turn that security data into actionable work that will guard against critical threats,” he said.
NSS Labs estimates that 97% of all breaches come as a result of just a couple hundred commercially available exploit kits. Further, NSS Labs found that 60% of vulnerabilities discovered in apps deployed on enterprise networks go unmitigated, and it takes an average of 176 days for the problem to even be discovered.
“More times than not, they’re popular sites displaying ad network traffic, and if someone clicks on the ad, and they’re running one of these popular applications, the payload gets delivered, and the rest is history,” Hartsell said.
In 2015, NSS Labs noted there have been defensive improvements at the operating system, browser and browser plug-in levels. But the attackers are crafty and nimble, and they’re responding to those measures on a regular basis: in 2013, common exploits would live in the wild for several weeks and wouldn’t change. But this year, NSS Labs has seen exploits change within hours of being discovered, showing that attackers are often adjusting faster than the defenders can manage. There’s also a lot more targeting of exploit delivery now, with attackers going after specific machine profiles in very specific verticals.
And NSS Labs believes there’s maybe a couple dozen key exploit kit writers in the world, “certainly not hundreds or thousands,” Hartsell said. He compared them to drug lords, who carve out areas of expertise and mutually agree not to tread on each other’s turf (scripts of attack). “We know who these writers are, not by their name, but by their work,” he said. NSS Labs puts the number of active exploit kits at just over a dozen, delivering a combined total of approximately 39,000 unique exploits.
On the browser side, NSS Labs found that Internet Explorer remains the most troublesome of the lot, and can still be a source of major malware vulnerabilities, compared to Chrome or Safari. “Safari remains one of the better browsers in terms of exploit activity,” Hartsell added. In the past year, NSS Labs has seen attackers increasingly go after browser plug-ins as the mode of delivery.