Data Talks: Download Attacks Ignite While Attachments Cool Their Heels
- Bromium customers see a significant increase in attacks via downloads as compared to email attachments
- “Compound attacks” are increasingly common, with cybercriminals employing multiple attack vectors in tandem
- No matter how the threats arrive, it’s critical to secure their ultimate targets, the vulnerable applications
Welcome to the third edition of the Bromium Threat Labs Data Talks blog series, highlighting trends and developments from Bromium’s unique vantage point of providing application isolation and control as the last line of defense on the endpoint. Last week, we regaled you with insights into the dramatic shift we’ve seen over the past 18 months from web-based to file-based attacks. This week, we’re focused on the ubiquitous top-3 attack vectors—links, attachments, and downloads—and the complicated interrelationships between them.
Browser File Downloads vs. Email Attachments
First, some level-setting: What do we mean by “downloads” and “attachments?” In this space, we’re talking about the mechanism by which the file ultimately arrives at the endpoint PC. A file attachment is a file that opens directly, in a single action, from an email message in a client-side email application, most often Microsoft Outlook, without involving a link or a web browser to complete the process. Conversely, a file download is one that arrives at the endpoint by way of a link or a web browser, downloading first over the internet and then opening in a secondary action.
Looking at opt-in Bromium customer data over a 30-month period from January 2016 to June 2018—where file source data exists and the file was run on an actual user endpoint inside a protected Bromium micro-VM—we saw a near-even split between file downloads and email attachments in the aggregate, with just a slight overall edge toward downloads.
To be sure, the Bromium Secure Platform has long provided hardware-enforced isolation for untrusted, possibly malicious files entering the enterprise across all common user attack vectors—including email attachments, web downloads, untrusted cloud services, unauthorized fileshares, chat links, FTP transfers, and USB portable media devices—but today’s column focuses on the first two sources, which are far and away the most prominent.
The generalized, near 50-50 overall figure belies current trends, however, as the more granular quarterly data clearly attest:
Our most current data from the first half of 2018 show that nearly 70% of malicious files originated from web browser downloads. Although some of these threats may have first arrived via other channels—such as email or chat messages—they ultimately downloaded one or more files through the browser. This is common when users open their email using webmail systems like Office 365 or Gmail, or in cases where email contains a direct link to a remote file download location. Furthermore, we saw that EXEs were almost always downloaded—after all, users are extremely wary of executable files in email and many precautions are in place to prevent their execution—while Office docs and PDFs were attached 79% of the time. As the stark “cross” in the graph indicates, the proportion of malicious files arriving as email attachments took a steep dive in 2017 before flattening out in the first half of 2018, although it’s still too early to say whether the leveling off in the curve signals the end of this trend, a further decline, or an eventual reversal. We’ll be sure to revisit this question when the second-half 2018 data roll in.
Why the Shift to Downloads?
Hypothesis #1: Higher ROI – Cybercriminals perhaps have been experiencing a greater return on financial investment—measured by successful penetrations, records stolen, ransoms paid, etc.—using file downloads compared to using email attachments, so they may simply be following the money and focusing their efforts toward more lucrative downloads.
Hypothesis #2: Detection Avoidance – Email attachments are fairly easy to scrutinize for known malware. They can be hashed, sandboxed, and analyzed at length prior to delivery. Detection is by no means perfect, but it does enjoy a measure of success, especially when time is not of the essence. By contrast, file downloads are time-sensitive—users expect them to arrive quickly—and malicious actors can change their download targets daily, hourly, or even more frequently—say, with every website visit—generating completely new file hashes that have never been seen before by any anti-malware security vendor. Network sandboxes and other inline detection processes must render a verdict quickly to avoid user dissatisfaction from an extended time delay, thereby limiting their effectiveness. Plus, the organization must live with the verdict rendered, right or wrong, including both false positives and false negatives.
Shifting Tactics, Same Attack Vectors
Leaving out USB portable media sticks and exotic attack vectors like Bluetooth and NFC, there are only so many ways that cybercriminals can practically get malware onto your users’ PCs, so they overwhelmingly stick to the basics. Bromium data conclusively show the three main attack vectors that introduce malware onto the endpoint are the same ones the detection-focused security industry has been grappling with for the past three decades:
- Malicious phishing links: drive-by in-browser exploits have diminished to near negligibility now, except in legacy browsers like IE, where they’re still effective when combined with reconnaissance and careful target selection. Direct download links are more effective, as they bypass detection filters and can rotate their target payloads frequently, often utilizing automated tools to generate a new polymorph with every visit. Phishing attempts are broad in scope: they might lead to credential theft via impostor websites, browser exploitation, or malicious file downloads.
- Malicious email attachments: remain popular but are declining to less than one-third of all attacks, as email sandboxing and other tactics in the cloud, on the network, or on the endpoint cut into success rates.
- Malicious file downloads: continue to be popular, often driven by links within emails. These downloads come primarily in the form of Office documents, along with PDFs and a resurgent share of executables. Our data show a negligible risk of attack from image files, media files, or plain-text files, as long as mime-checking is employed to weed out files masquerading as another file type.
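The “mime-checking” mentioned in the last item is the practice of deciding a file’s type from its content rather than from its filename. The following script, added here as an illustration and not code from Bromium or its platform, compares the type implied by a file’s extension with the type implied by its leading bytes (“magic numbers”) and flags mismatches such as an executable arriving under a `.pdf` or `.txt` name. The magic-number table is a small constructed subset, the sample files are constructed inline, and the helper names (`sniff_type`, `check_file`, `scan_all`) are this example’s own.

```python
"""Extension-vs-content check for inbound files.

Added example (not Bromium code): compares the type a filename extension
claims with the type the file's leading bytes indicate, so that files
masquerading as another type can be flagged before an application opens them.
"""
from __future__ import annotations

import os

# Constructed magic-number table: (byte prefix, content type). A real deployment
# would use a fuller table (e.g. libmagic), but these cover the types the text
# discusses: executables, PDFs, legacy and modern Office documents, images.
MAGIC = [
    (b"MZ", "exe"),                                 # PE/DOS executable header
    (b"%PDF-", "pdf"),                              # PDF
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole"),   # OLE2 container: .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                         # ZIP container: .zip, .docx/.xlsx/.pptx
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xFF\xD8\xFF", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Which content types may legitimately carry a given extension.
EXPECTED = {
    ".exe": {"exe"}, ".dll": {"exe"}, ".scr": {"exe"},
    ".pdf": {"pdf"},
    ".doc": {"ole"}, ".xls": {"ole"}, ".ppt": {"ole"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"}, ".zip": {"zip"},
    ".png": {"png"}, ".jpg": {"jpg"}, ".jpeg": {"jpg"}, ".gif": {"gif"},
    ".txt": {"text"},
}


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    # Plain-text heuristic: no NUL bytes and no control characters other than
    # tab/CR/LF/FF in the first 512 bytes (bytes >= 0x80 allowed for UTF-8).
    head = data[:512]
    if head and b"\x00" not in head and all(b >= 32 or b in b"\t\r\n\x0c" for b in head):
        return "text"
    return "unknown"


def check_file(filename: str, data: bytes) -> dict:
    """Compare extension against sniffed content and return a verdict record."""
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_type(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict = "unknown-extension"
    elif sniffed in expected:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {
        "name": filename,
        "ext": ext,
        "sniffed": sniffed,
        "verdict": verdict,
        # Executable content is worth flagging even when the name is honest.
        "is_executable": sniffed == "exe" or ext in {".exe", ".dll", ".scr"},
    }


# Constructed sample files (byte strings only; nothing is written to disk).
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # executable bytes under a PDF name
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",      # genuine PDF prefix
    "quarterly.docx": b"PK\x03\x04" + b"\x00" * 26,      # OOXML zip container
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",    # JPEG/JFIF prefix
    "notes.txt": b"Meeting notes\nAction items\n",       # ordinary text
    "readme.txt": b"MZ" + b"\x00" * 10,                  # executable bytes under a .txt name
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Run check_file over every sample and return the records keyed by name."""
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in scan_all().values():
        print(f"{r['name']:<16} ext={r['ext']:<6} content={r['sniffed']:<8} "
              f"{r['verdict']}{'  [executable]' if r['is_executable'] else ''}")
```

The check is deliberately content-first: a mismatch verdict means the bytes do not agree with the name, regardless of which direction the disguise runs. It complements, rather than replaces, hash- or signature-based detection, since a polymorphic payload with a fresh hash still has to carry the magic bytes of whatever format the target application will parse.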
I recently returned from Black Hat USA 2018 in Las Vegas and it was like déjà vu all over again—vendors touting their 99%+ detection rates and sub-1% false positives—dubious claims, made irrelevant in a world where a single missed detection can lead to a devastating breach. Nothing much ever changes, and we’ve been fighting the same battles since the first PC virus came on the scene. What Einstein purportedly said about insanity is relevant here, but it seems our industry is reluctant to try something truly new—like application isolation and control—that can radically change the game.
Intersecting and Overlapping Attack Vectors
Why stop at one attack tactic when you can use them in combination and increase your odds of success? People are busy, always online, and not always careful. Some may feel safer clicking a link than opening an attachment. Others may not realize that the link actually leads to a direct download. While it makes no sense for a physical attacker to shoot you, stab you, and run you over with a car just to steal your wallet, a single email message can deftly utilize all 3 attack vectors in tandem—attachments, links, and downloads—to accomplish the same purpose, as in this clever example:
What does it mean for security vendors and defenders?
Perhaps email attachments will see a resurgence one day soon, but for now, file downloads appear to have the momentum on their side. It’s just so much easier to change up the download sites and payload contents to avoid site classification and malware detection over the web than via email. There will always be new exploits across all viable attack vectors, so now is not the time for complacency. If current trends continue, however, the implications for security vendors and defenders may bear out as follows:
- Enterprise and government security defenders should focus less on the specific entry point of the malware and more on its ultimate targets: vulnerable applications. Whether a malicious file arrived via email attachment, web download, or direct link in email or chat, its destination is the same: Word, Excel, PowerPoint, Adobe Reader, or a malicious executable program. Consider application isolation and control on the endpoint to automatically protect all untrusted inbound files with ironclad, hardware-enforced virtualization-based security.
- Vendors of detection-based solutions could face increased scrutiny as they appear to have “topped out” at around 99% effectiveness, stubbornly unable to solve the persistent 1% gap that’s costing their customers millions. When free solutions are just as good as the paid versions, the traditional model may finally be reaching the breaking point. Some detection solution providers are adding their own “isolation” capabilities—through sandboxing, traditional VMs, and software-defined rulesets that govern which specific application behaviors they will permit or restrict—but it’s all “detection” in one way or another, since they don’t have the backing of hardware-enforced isolation.
So, we’re seeing lots of downloads in the attack space today. The pendulum may swing back again tomorrow, but we’re ready for it here at Bromium, as our virtualization-based security protects the applications on your enterprise endpoints across all user attack vectors, on any network and even while disconnected. Next time, we’ll dive deeply into a particularly diabolical threat curated by our Bromium threat researchers—one that sailed past a formidable defensive stack at a customer site, only to be captured “live” while it ran on a real Bromium-isolated endpoint during an actual user workflow. Now I don’t know which specimen they’ve culled from our malware zoo, but it’s sure to be an exotic one!