Highly Evasive Adaptive Threats & Advanced Persistent Threats

In the fast-paced world of enterprise security, the last two years have seen a whirlwind of change unlike any other. The rise of remote work, cloud migration, and Software-as-a-Service (SaaS) applications has revolutionised the way we do business, but it has also opened up a Pandora’s box of security vulnerabilities.

A new breed of attacker has emerged, one that has learned to weaponize the most crucial tool for knowledge workers today: the web browser.

The Highly Evasive Adaptive Threats (HEAT) they’ve been leveraging to compromise browsers, gain initial access to the endpoint, and ultimately deploy threats like ransomware or malware are unmatched in their ability to evade detection. 
 
Given their ability to evade detection and get malicious payloads onto endpoints, confusing HEAT attacks with advanced persistent threats (APTs) is an easy mistake to make. But there are key differences between the two, and they operate in completely different stages of the attack kill chain. 
So how exactly do HEAT attacks differ from APTs?  

What is a Highly Evasive Adaptive Threat? 

As you look at Highly Evasive Adaptive Threats (HEAT), there are a ton of threats out there by volume. But the key thing for the threat actors out there is to maximise their chances of success. The two key descriptors in the name are evasive and adaptive—very important as far as the attacker is concerned. They want them to be as evasive as possible to avoid detection. 

So that means they understand how to bypass a particular technology or security technique that’s commonly in place. Whether that’s phishing detection on email or sandboxing, there’s a reasonably well understood level of “standard” technology that’s in place to protect organisations. And if they know that they can evade that type of detection, then they have a higher level of success. 

Then you have the adaptive piece of it, how it changes over time to maintain that evasiveness. A good example is evading URL reputation, where rather than moving fast to register a domain populated with content and malware and push it out, attackers adapt to how URL reputation systems find out whether a site is malicious or not and behave in a way they know will be classified as legitimate. Attackers will register a domain for a certain amount of time before they use it so that it’s not new. They then populate it with content that is all relevant and in a similar theme, so it gets categorised a certain way. And then once they confirm the site is seen as good, they can use it for an attack. If the URL reputation solutions or engine changes, then they can monitor that and change what they do with that website before they use it for a HEAT attack. 
 
The other key thing is that it’s really all about initial access. This isn’t a new class of malware, necessarily. This is a method of getting malicious content onto a victim machine in a way that is highly effective. So, whether that’s ransomware, keyloggers, or any other type of malware, they use HEAT attacks to get it there. 
 
Why Should Security Teams Care About HEAT Attacks? 

For starters, the volume of attacks. Threats in general are going up, but as we look at HEAT attacks and measure the frequency that they’re being used, we’re seeing those increase as well. Some may not care about HEAT attacks, or they may but without labelling them as such. It’s still a problem for them. 

I think the other big thing that they should care about is how HEAT attacks can be used by Ransomware as a Service (RaaS) operators to easily gain initial access.

Some cybercriminals’ entire business model is to gain initial access into as many networks as they can and eventually sell it to someone who wants to deploy malware onto that network. They won’t just sell it to one person, they’ll sell it to multiple people, which multiplies the effects of the breach. A single breach can result in five, 10, 100 or even more threat actors being able to put their malware on that network. So, you might not see it, you might not feel it because nothing happens, but you really need to care about it, you need to protect against it. 
 
What’s an Advanced Persistent Threat (APT)? 

An APT is a class of threats that are designed to be undetectable. Once they’re in the network, they’re designed to stay there for as long as possible and do whatever it is that the threat actor wants to do with that threat - whether it’s searching around looking for data, stealing data, stealing credentials, or deploying ransomware. They’re used by nation or state sponsored groups to go after high value targets, and recently, the term has been used more broadly to include some crimeware groups. 

What’s the difference between a HEAT attack and an APT? 

The HEAT attack is used for the initial access piece to get into the network, and the APT can then be deployed. They’re very much two sides of the same coin, or two parts of the same process. You’ve got the HEAT attack that will be able to get you access to your target network, and then your APT will go and do whatever damage it is that you want it to do.

The HEAT attack itself is not going to do any damage - it delivers the thing that does the damage. I think that’s the big difference between the two. But they shouldn’t necessarily be thought of as distinct and separate, because they can be put together and even used in the same attack. For example, the Nobelium attack used HTML smuggling, which is a HEAT characteristic, to deliver APTs down to their victims. That’s a good example of the two being used hand in hand as opposed to being overlapping or separate. 
 
As we head into the thick of the year, what do you think cybersecurity teams should know about HEAT attacks and modern work? 

One of the key things here is looking at hybrid work and people working remotely on any device connected to the corporate network, whether it’s a mobile phone or something else, they all have to be treated like a single system. If you use a Mac, that’s connected to your iCloud, and so anything coming through and attacking you personally as a consumer, or maybe as a professional because they know who you work for, can be relayed to your corporate device. 

The impact of that potential exposure, especially as it relates to HEAT attacks, can be huge. Coming back to the fact that the HEAT is all about the initial access, if somebody can get initial access into a personal device of mine - I’ll call it an unmanaged device - that can be used to access corporate resources.

That’s a huge issue that’s almost exactly the same or just as bad, at least, as having initial access into a corporate owned device with all of those same rights. 
 
The other key thing to be aware of is the adaptive side of things. Obviously, things are going to change. Attackers are getting better at tricking the technology that’s in place to secure organisations, but also tricking the humans that are being used to click on the link, download the file, whatever it might be, to activate the threat. As we go through the years, I think not only do we need more education about what to look for with HEAT attacks and how they work, but also to have improved visibility control around what a HEAT attack might look like as it’s trying to come in. We talk about prevention a lot, but I think we also need to have better levels of detection as well. 

The third thing, and this may be the most important one, is visibility into the browser. HEAT attacks exist among web traffic. They exist in the browser, and though the browser is on an endpoint, endpoint security solutions don’t necessarily have visibility into what’s going on inside a browser. Inside a browser is a massively powerful platform where you can run scripts and execute code. You can do all this stuff inside the application before anything happens. This is a huge potential blind spot. Not only is the browser a blind spot, but it’s also the most targeted access point. 

We spend so much time online on a browser. Every single device has a browser—there are probably more browsers than devices. It’s the most widely deployed enterprise application. We use browsers to access everything, not just websites, but applications. The browser encompasses everything else that we use to live our lives and do work, yet for traditional security solutions like endpoint detection and response (EDR), it’s a visibility black hole. It doesn’t have to be. 

Mark Guntrip, Senior Director of Cybersecurity Strategy at Menlo Security 

You Might Also Read: 

Cyber Security Strategies Need To Evolve Alongside The Enterprise:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Charting A Course To Address The Cyber Skills Shortage
Pakistan's Hackers Attack India's Education Sector »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CCL Solutions Group

CCL Solutions Group

CCL is one of Europe’s leading digital investigation specialists, supporting law enforcement, government and organisations across both public and private sectors.

Zentera Systems

Zentera Systems

Zentera's CoIP (Cloud over IP) solution offers enterprise-grade networking and security for the emerging cloud ecosystem.

Consult Hyperion

Consult Hyperion

Consult Hyperion is an independent strategic and technical consultancy specialising in digital identity and secure electronic transactions.

Secardeo

Secardeo

Secardeo is a provider of corporate solutions using digital signatures and certificates. Our solutions enable the user transparent end-to-end encryption of e-mails between organizations.

RedLock

RedLock

The RedLock Cloud 360TM platform correlates disparate security data sets to provide a unified view of risks across fragmented cloud environments.

Wolfpack Information Risk

Wolfpack Information Risk

Wolfpack specialise in information and cyber threat management covering the full spectrum of prevention, detection, incident response and business resilience capabilities.

Ioetec

Ioetec

Ioetec's mission is to connect users to their IoT devices securely, ensuring these devices remain safe to use in our increasingly connected world.

CHT Security

CHT Security

CHT Security is a Managed Security Service Provider (MSSP) specialized in cyber security technologies enabling enterprises to defense against cyber threats to networks, gateways and endpoints.

AdEPT Technology Group

AdEPT Technology Group

AdEPT are a managed services and telecommunications provider offering award-winning, proven and uncomplicated technical solutions for over 12,000 organisations across the UK.

Experis

Experis

Experis provide IT resourcing, project solutions and managed services. We enable organizations to cultivate individuals and teams prepared for the digital age.

Secret Intelligence Service (SIS - MI6)

Secret Intelligence Service (SIS - MI6)

The UK’s Secret Intelligence Service, also known as MI6, has three core aims: stopping terrorism, disrupting the activity of hostile states, and giving the UK a cyber advantage.

Chartered Institute of Information Security (CIISec)

Chartered Institute of Information Security (CIISec)

CIISec is dedicated to helping individuals and organisations develop capability and competency in cyber security.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

RiverSafe

RiverSafe

RiverSafe is a professional services provider specialising in Cyber Security, Data Operations and DevOps, putting security at the heart of everything we do.

Mindsprint

Mindsprint

Mindsprint (formerly Olam Technology and Business Services - OTBS) are a leading edge technology and business services firm.

Boldend

Boldend

Boldend offers leading-edge offensive and defensive cybersecurity solutions that empower government and commercial organizations to stay resilient in an evolving threat landscape.