Reputation filtering is one such layer; it works much like giving a web site a credit score. It draws on large amounts of data, including how long a domain has remained malware-free, and assigns a reputation to each URL. When a user requests a web page, that reputation is looked up and the request is handled according to pre-set policies.
While combining URL and reputation filtering can block many malvertising attacks at the point of entry, these attacks are designed to be stealthy, and some will still get through.
During an attack: Once a request has passed both URL and reputation filtering, real-time malware scanning takes over.
The file is scanned against a range of indicators before being delivered to the user, or blocked if it is identified as malware. If its disposition remains unknown or untrusted, it is run in a sandbox (a tightly controlled environment) and watched for suspicious or malicious behavior. On a malicious sandbox verdict, the administrator is notified to take action and defenses are updated to protect against similar ads in future. Sandboxing mitigates the risk but cannot remove it entirely: new evasion techniques are constantly being developed, and advanced threats may still get into the network.
After an attack: Retrospective security is key. It continues to track files after they have been allowed in and analyses their behaviour against real-time, global threat intelligence. If a file is later identified as malicious, retrospective security can determine the scope of the attack so that defenders can quickly contain the threat and remediate. The security layers are then updated with the latest intelligence to defend against similar malvertising attacks in future.
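As an added illustration of the three phases above (this is not code from the original article or from any vendor's product), the following Python sketch models reputation scoring with a pre-set policy, a static scan that falls back to a sandbox only for unknown files, and retrospective scoping of a file that is flagged after it was already delivered. The scoring weights, thresholds, behaviour names, hashes, host names and timestamps are all constructed assumptions.

```python
"""Constructed model of the before / during / after pipeline described above.

The scoring weights, policy thresholds, behaviour list and sample events are
assumptions made for this example; they are not any vendor's real algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


# --- Before an attack: reputation filtering -------------------------------

@dataclass
class DomainFacts:
    days_malware_free: int      # how long the domain has stayed clean
    days_registered: int        # age of the domain registration
    recent_malware_hits: int    # malware seen on the domain in the last window


def reputation_score(facts: DomainFacts) -> int:
    """Credit-score-style rating from 0 (worst) to 100 (best).

    Weights are assumed for illustration: a long malware-free history and an
    old registration raise the score; recent malware hits cut it sharply.
    """
    score = 50
    score += min(facts.days_malware_free, 365) // 15   # up to +24
    score += min(facts.days_registered, 730) // 30     # up to +24
    score -= 20 * facts.recent_malware_hits
    return max(0, min(100, score))


def url_policy(score: int, block_below: int = 40, allow_above: int = 70) -> str:
    """Pre-set policy: block low reputation, allow high, inspect the middle."""
    if score < block_below:
        return "block"
    if score > allow_above:
        return "allow"
    return "inspect"


# --- During an attack: scanning, then sandboxing for unknowns -------------

KNOWN_BAD = {"0" * 64}    # constructed SHA-256 of a known-malicious sample
KNOWN_GOOD = {"f" * 64}   # constructed SHA-256 of a known-clean file

# Behaviours an assumed sandbox would treat as malicious.
SUSPICIOUS_BEHAVIOURS = {"writes_run_key", "spawns_powershell", "contacts_c2"}


def static_scan(sha256: str) -> Verdict:
    """Hash lookup against known-bad / known-good sets; otherwise unknown."""
    if sha256 in KNOWN_BAD:
        return Verdict.MALICIOUS
    if sha256 in KNOWN_GOOD:
        return Verdict.CLEAN
    return Verdict.UNKNOWN


def sandbox_verdict(observed: set) -> Verdict:
    """Judge a detonation from the behaviours it exhibited."""
    return Verdict.MALICIOUS if observed & SUSPICIOUS_BEHAVIOURS else Verdict.CLEAN


def inspect_file(sha256: str, observed: set) -> Verdict:
    """Static scan first; only unknown files pay the cost of a sandbox run."""
    verdict = static_scan(sha256)
    if verdict is Verdict.UNKNOWN:
        verdict = sandbox_verdict(observed)
        if verdict is Verdict.MALICIOUS:
            KNOWN_BAD.add(sha256)   # update defences so the next sighting is blocked
    return verdict


# --- After an attack: retrospective tracking ------------------------------

class FileTracker:
    """Keeps every (hash, host, time) sighting so a later verdict can be scoped."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [(host, timestamp)]

    def record(self, sha256: str, host: str, timestamp: str) -> None:
        self.sightings[sha256].append((host, timestamp))

    def retrospective_alert(self, sha256: str) -> list:
        """Threat intel now flags this hash: return the hosts that received it."""
        KNOWN_BAD.add(sha256)
        return sorted({host for host, _ in self.sightings[sha256]})


if __name__ == "__main__":
    score = reputation_score(DomainFacts(100, 200, 0))
    print("reputation", score, "->", url_policy(score))
    print("sandbox:", inspect_file("a" * 64, {"reads_registry", "spawns_powershell"}))
    tracker = FileTracker()
    tracker.record("b" * 64, "pc-07", "2015-02-03T10:00")   # constructed sightings
    tracker.record("b" * 64, "pc-01", "2015-02-03T10:05")
    print("scope of late verdict:", tracker.retrospective_alert("b" * 64))
```

The point of the tracker is that a file allowed through as clean is still recorded; when intelligence later turns the verdict, the affected hosts are known immediately instead of being rediscovered by a manual hunt, and the hash is pushed back into the static blocklist so the earlier layers benefit from the late verdict.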
Malvertising affects all Internet users and disrupts the Internet economy. It underscores the sophistication of the modern cybercriminal economy in terms of the division of labour, cooperation, and specialisation across the attack chain. It also emphasises the need for a security approach that addresses the full attack continuum. With ongoing visibility and control, as well as intelligent and continuous updates, security professionals can take action to contain the outbreak when it inevitably occurs.