I could have titled this article in many ways, such as "perimeter disintegration", "endpoint security visibility is still a problem" or even "exploit kit".

The reality is that all of them are part of a bigger problem: how criminals are bypassing the security perimeter and getting inside the networks where an organization's most precious information is stored. For some time now the industry has been speaking out loud and acknowledging what is a real fact.

http://www.marketwatch.com/story/attackers-are-bypassing-perimeter-detection-methods-with-relative-ease-according-to-sans-it-security-survey-2015-04-15

Criminals are bypassing today's advanced front-door cyber defenses by attacking one of the most vulnerable parts of the equation: the client. Client-side attacks are the main subject of this article. Before I provide more details, I would like to define some of the terminology I am going to use in the rest of the article.

The first is client-side attacks:

http://www.honeynet.org/node/157

The second is exploit kit:

https://zeltser.com/what-are-exploit-kits/

So, as explained before, criminals are not knocking on your front door anymore; it is obvious they will meet a lot of resistance when trying to penetrate a remote network with the vast amount of cyber defenses deployed at the perimeter. Instead, criminals are taking the path of least resistance and attacking the endpoint, where their penetration attempts meet far fewer obstacles.

In the image above you can see an example of a perimeter network with a firewall and IDS. In order to penetrate any of those networks an attacker may have to go through at least a firewall, an IDS and a web proxy before he can reach any of them. What would happen if we attacked any of those machines when they are 'out of the perimeter'? I put 'out of the perimeter' in quotes because, even whilst inside the perimeter, these machines are vulnerable to client-side attacks. Some of the most common client-side attacks today are perpetrated by exploit kits. Any website we visit today can be compromised and may be performing drive-by download attacks, redirecting the browser to a landing page where an EK awaits to push malware onto the endpoint.

https://blogs.microsoft.com/cybertrust/2011/12/08/what-you-should-know-about-drive-by-download-attacks-part-1/

If the EK successfully exploits the endpoint, the machine gets infected with malware and we can consider that the attacker is inside our perimeter and has bypassed our cyber defenses. This is only the first 'impact' of the attack, called infection; from now on the attacker will follow a set of strategies to extend the footprint within the network and ensure the attack persists over time.
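To make the chain just described concrete from the defender's side, here is an added example (not code from the original article) that reconstructs a drive-by redirect chain from HTTP request records of the kind you would pull out of a pcap or proxy log: it follows Referer headers back from an executable download to the page the user actually visited and flags chains that cross to a different host which also served an exploit object. All records, hostnames and paths are constructed for illustration.

```python
"""Reconstruct a drive-by download redirect chain from HTTP request records.
Added example, not from the article; sample data and hostnames are constructed."""
from collections import namedtuple
from urllib.parse import urlparse

Req = namedtuple("Req", "ts url referer content_type status")

# Constructed records, as one might extract from a pcap or proxy log: a visit to a
# hypothetical compromised news site whose injected code pulls in an EK landing
# page, which serves a Flash exploit object and then drops an executable payload.
SAMPLE = [
    Req(1.0, "http://news.example/index.html", "", "text/html", 200),
    Req(1.2, "http://news.example/style.css", "http://news.example/index.html", "text/css", 200),
    Req(1.5, "http://cdn-stats.example/js/a.js", "http://news.example/index.html", "text/javascript", 200),
    Req(1.9, "http://ek-landing.example/gate.php?id=7", "http://news.example/index.html", "text/html", 200),
    Req(2.4, "http://ek-landing.example/fl.swf", "http://ek-landing.example/gate.php?id=7",
        "application/x-shockwave-flash", 200),
    Req(3.1, "http://ek-landing.example/load.php?e=1", "http://ek-landing.example/gate.php?id=7",
        "application/octet-stream", 200),
]

# Content types that typically carry the exploit object and the dropped binary.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

def host(url):
    return urlparse(url).hostname or ""

def chain_to(req, by_url):
    """Walk Referer headers back to the page the user originally requested."""
    chain, seen = [req], {req.url}
    while chain[-1].referer in by_url and chain[-1].referer not in seen:
        nxt = by_url[chain[-1].referer]
        seen.add(nxt.url)
        chain.append(nxt)
    return list(reversed(chain))

def find_drive_by(records):
    """Return redirect chains (as URL lists) that start on one host and end with a
    payload download from a different host that also served an exploit object."""
    by_url = {r.url: r for r in records}
    hits = []
    for r in records:
        if r.status != 200 or r.content_type not in PAYLOAD_TYPES:
            continue
        chain = chain_to(r, by_url)
        origin, landing = host(chain[0].url), host(r.url)
        served_exploit = any(x.content_type in EXPLOIT_TYPES and host(x.url) == landing for x in records)
        if origin != landing and served_exploit:
            hits.append([c.url for c in chain])
    return hits
```

Running `find_drive_by(SAMPLE)` yields the single chain index.html -> gate.php -> load.php, which is exactly the compromised site, landing page and payload drop sequence the text describes; the CSS and third-party script requests are ignored because they never lead to a payload.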

Now I want to show how this process works in the real world, following a simple network traffic analysis of a pcap file containing a drive-by download attack.

Bypassing Perimeter Security and Malware Evasion (2)