What is a blended threat?

Hollywood action movie heroes are formidable adversaries: adept in martial arts, experts with weapons and explosives, brilliant hit-and-run tacticians. A blend of samurai, ninja, and Native American, the action hero is an irresistible force. Imagine if Chuck, Arnold, Jean-Claude, and the rest were drawn to The Dark Side. Now imagine that they are executable code on your computer. It's not your imagination; it's a blended threat.

Threat_advisory
Image by Truthout.org

A multi-pronged attack

Blended threat is a popular term for a multi-pronged attack against networked computers. Symantec describes a blended threat as an attack that combines "viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack." Blended threats are designed to propagate quickly, like worms, but instead of relying on a single attack vector (such as email), blended threats are designed to use whatever propagation path exists.

In movies, the action hero contrives a way into a secure compound. He neutralizes guards, disarms alarms, booby-traps vehicles, destroys heavy munitions with explosives, mows down countless armed ground forces throughout the compound with all sorts of devastating weapons. He incapacitates or destroys anything in his path, as quickly as possible. He attacks many locations simultaneously, to confuse the enemy and confound countermeasures. Many blended threats follow the same script.

On the Internet, a blended threat engineers its way into computers and networks as an email attachment. It takes over the "command center" by compromising and assuming administrative control of the compromised computer. With administrative privileges, it may try to disable the computer's guards and alarm systems, by erasing event logs, and disabling antivirus and personal firewall software. It may install malicious code, "booby traps" for unwitting users that damage or erase critical system and information files. Blended threats almost always try to attack many locations, simultaneously. Having penetrated an organizations' defenses through one computer, a blended threat typically tries to expand its attack. Blended threats will try to exploit common network services, such as file sharing, ftp, telnet and even VPN connections, to proliferate damage throughout an organization's network and to other networks as well.

Worm or blended threat?

Many of the most nefarious worms - nimbda, CodeRed, BugBear, Klez and slammer - are more accurately categorized as blended threats. Nimbda variants used email attachments; file downloads from a compromised web server; and Microsoft file sharing (e.g., anonymous shares) as propagation methods. Some Nimbda variants modified user (guest) accounts to provide the attacker or maliciously installed executable code with administrative privileges. The more recent Conficker and ZeuS/LICAT worms are also blended threats. Conficker employed all the traditional distribution methods. Both use domain generation algorithms to contact C&C hosts and download malware; LICAT file infector amplifies ZeuS' formidable man-in-th-browser trojan.

Escalating privileges

Escalating privileges is the ultimate end game for a blended threat attack. If provided with administrative privileges, executable code incorporated into a Nimbda variant, Conficker or any blended threat payload can in theory perform any operation available, thus enabling keystroke logging; file copying, removal or modification; communications monitoring and modification; and unauthorized service operation: imagine someone operating a kiddie porn file server or underground chat room from your web server.

5133667858_c11a390e2d_m
Photo by Mrs. Gemstone

There's a (marketing) tendency to claim that blended threats are a new worry. McAfee, at least, doesn't feed this F.U.D., describing blended threat as "a relatively new term for a type of malicious code attack that has been around for the past few years". This is indeed the more accurate representation. Amphibious assaults were not "new" in 1944, nor were parachute and glider attacks, strategic long-range bombing, and bombings by French resistance forces. Coordinating all these attacks to coincide with a massive assault across multiple beachheads during suspect weather on June 6th, (D-Day) was unexpected, and Fortress Europe was unprepared to respond.

Countermeasures

The risk of a blended threat attack can be mitigated using a combination of countermeasures. Client security measures considered appropriate for preventing blended threat attacks include antivirus, personal firewall, and spyware detection software. If you are the type who is reluctant to rely entirely on 3rd party software, implement a desktop security policy to maintain patch currency, eliminate configuration vulnerabilities at operating system (e.g., Windows registry), services, and file system levels (e.g., NTFS permissions). Network admission control (e.g., Cisco NAC), IEEE 802.1x Port-based access control, and "browser" integrity (a.k.a., endpoint control) are relatively new features for switches, Wireless LANs, and (SSL) VPNs. These protect an organization by denying network connections to client devices that are not properly configured or are not running client security software your organization considers "mandatory". Server security, in the form of antivirus, antispam, and antispyware, provides an additional layer of defense for organizations against blended threat vectors. Here again, complement 3rd party software by securely configuring, maintaining and operating servers. Complement the sum of these measures with an incident response plan that isolates compromised systems quickly, and prevents blended threat attacks from propagating through your network and beyond.

The last, but perhaps most important, security measure is education and common sense. Users must be educated so they understand and appreciate the dangers blended threats pose. They should be taught to recognize and not fall prey to social engineering and phishing techniques that worm and blended threat creators rely on. Users should also understand that antivirus and antimalware measures are not failproof.

Organizations must establish acceptable use and compliance policies. Users must agree to comply with security measures organizations employ to combat blended threats, and understand how they will be held accountable for incidents where they have failed to comply. Some organizations may conclude that stringent client and mobile user security policies are necessary to combat blended threats. These organizations often implement local/OS security policies that prohibit non-administrator users from performing tasks requiring administrative privileges, and may even block the use of unauthorized removable media. Some organizations conclude that the most secure IPsec remote access policy is one which forces mobile users to connect first to the organization's IPsec security gateway before accessing Internet sites. While this strategy may introduce some latency, the organization can impose the same security policy and measures (e.g., antivirus gateways, antispam measures, and content inspection services such as WebBlocker) to all users, mobile or stationary.

By using multiple methods and techniques, blended threats hope to rapidly spread and cause widespread damage before security measures respond. This makes a blended threat hard to stop, but not unstoppable.

If there is a silver lining to blended threat attacks, it is that they force organizations to appreciate the need for security in depth.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle study reveals that phishing attacks have tripled since May 2020, situation worsening each year
    My colleagues at Interisle Consulting Group and I today announced the publication of an industry report, Phishing Landscape 2023, A Study of the Scope and Distribution of Phishing. We analyzed more than 11 million phishing reports collected from 1 May 2020 to 30 April 2023 to provide annual and triennial measurements of phishing. Our study identifies distinct, persistent exploitation and abuse of Internet resources, reveals that criminals can trivially acquire everything they need to phish. Among the major findings in the study, Interisle reports that: The number of phishing attacks has tripled since May 2020, and has increased 65% over...
  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.

Search

My Photo

Categories