Exploit Kits and Indicators of Compromise

BSides SATX 2016

Presented by: Brad Duncan
Date: Saturday May 21, 2016
Time: 13:00 - 13:50
Location: Moody Room 102
Track: In The Weeds

Criminal groups use many methods to spread malware, and some criminals make use of exploit kits. Exploit kits are well known by many security professionals, but the full sequence of events is often misunderstood. In most cases, a potential victim visits a compromised website as the first step in an infection chain. Behind the scenes, the victim is usually redirected through one or more additional servers before reaching the exploit kit. Once the victim's host connects to an exploit kit server, that server gathers information on the victim's system to determine an appropriate exploit to send. Most infected victims use computers running Microsoft Windows.

In this talk, Brad Duncan reviews different examples of successful malware infections by exploit kits. He will trace the sequence of events for an infected Windows host, starting with a compromised website and ending with the exploit kit delivering its malware payload. Different exploit kits generate different traffic patterns, and experienced analysts can often identify the specific kit through these patterns.

Different steps of an exploit kit's kill chain are sometimes identified through an organization's intrusion detection system (IDS). These IDS alerts provide indicators of compromise (IOCs). However, in many cases the kill chain is incomplete, and no infection has occurred. Brad discusses examples of exploit kits detected in a security operations center (SOC) environment, how analysts investigate this activity, and the overall impact to an organization.
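The abstract describes the chain an analyst has to reconstruct (compromised site, redirect, exploit kit landing page, exploit, payload) and notes that IDS alerts frequently cover only part of it. The following is an added example, not material from the talk or from Brad Duncan: a small triage script that groups IDS-style alerts per victim host into chains and reports whether each chain reached the payload stage. The stage names, the alert tuple layout and the sample alerts (with `.invalid` hostnames) are all constructed for illustration and do not correspond to any particular kit, signature set or real infrastructure.

```python
"""Reconstruct exploit kit (EK) kill chains from IDS-style alerts.

Added example for illustration only. Stage labels and sample alerts are
constructed; they do not describe any specific exploit kit or real domain.
"""
from collections import defaultdict

# Kill-chain stages in the order the abstract describes them. Each IDS alert
# is assumed to have been mapped to exactly one of these (hypothetical labels).
STAGES = ["compromised_site", "redirect", "ek_landing", "exploit", "payload"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed sample alerts: (epoch seconds, victim IP, stage, indicator).
SAMPLE_ALERTS = [
    (1000, "10.0.0.5", "compromised_site", "www.example-blog.invalid"),
    (1001, "10.0.0.5", "redirect", "gate.example.invalid"),
    (1002, "10.0.0.5", "ek_landing", "land.example.invalid"),
    (1004, "10.0.0.5", "exploit", "land.example.invalid/flash"),
    (1006, "10.0.0.5", "payload", "land.example.invalid/payload"),
    (2000, "10.0.0.9", "compromised_site", "www.example-blog.invalid"),
    (2001, "10.0.0.9", "redirect", "gate.example.invalid"),
    (2002, "10.0.0.9", "ek_landing", "land.example.invalid"),
    # 10.0.0.9 never reaches exploit or payload: incomplete chain, no infection.
    (3000, "10.0.0.7", "payload", "land.example.invalid/payload"),
    # 10.0.0.7 shows only a payload alert: either the host skipped the earlier
    # stages or the IDS has no coverage for them; still worth investigating.
    (5000, "10.0.0.5", "compromised_site", "www.other-blog.invalid"),
    (5001, "10.0.0.5", "redirect", "gate.example.invalid"),
    # A second, separate visit by 10.0.0.5 well outside the time window.
]


def group_chains(alerts, window=300):
    """Split alerts into per-host chains.

    Alerts for one host belong to the same chain while consecutive alerts are
    no more than `window` seconds apart; a larger gap starts a new chain.
    """
    by_host = defaultdict(list)
    for rec in sorted(alerts):  # tuples sort by timestamp first
        by_host[rec[1]].append(rec)
    chains = []
    for host, recs in by_host.items():
        current = [recs[0]]
        for rec in recs[1:]:
            if rec[0] - current[-1][0] > window:
                chains.append((host, current))
                current = []
            current.append(rec)
        chains.append((host, current))
    return chains


def assess_chain(host, recs):
    """Summarise one chain: highest stage reached, gaps, IOCs and a verdict."""
    seen = {r[2] for r in recs}
    highest = max(seen, key=RANK.get)
    # Only a chain that reached the payload stage counts as a likely infection.
    complete = "payload" in seen
    # Stages expected before the highest one but never alerted on. These are
    # either stages the victim skipped or stages the IDS has no signature for.
    missing = [s for s in STAGES[: RANK[highest]] if s not in seen]
    # Alerts arriving out of kill-chain order also deserve a second look.
    ordered = all(RANK[a[2]] <= RANK[b[2]] for a, b in zip(recs, recs[1:]))
    if complete:
        verdict = "likely infected: payload delivered, pull host for forensics"
    else:
        verdict = "incomplete chain: stopped at %s, no infection seen" % highest
    return {
        "host": host,
        "start": recs[0][0],
        "highest": highest,
        "complete": complete,
        "missing": missing,
        "ordered": ordered,
        "iocs": sorted({r[3] for r in recs}),
        "verdict": verdict,
    }


def triage(alerts, window=300):
    """Return one assessment dict per reconstructed chain."""
    return [assess_chain(h, recs) for h, recs in group_chains(alerts, window)]


if __name__ == "__main__":
    for chain in triage(SAMPLE_ALERTS):
        print(chain["host"], chain["start"], chain["verdict"])
        if chain["missing"]:
            print("  stages with no alert:", ", ".join(chain["missing"]))
        print("  IOCs:", ", ".join(chain["iocs"]))
```

The point of the `missing` and `ordered` fields is the caveat the abstract makes: an alert on a landing page or a redirect on its own is an IOC, not proof of infection, and a payload alert with no preceding stages says as much about detection coverage as it does about the host. The time window is a tuning knob; real EK chains usually complete in seconds, so a few minutes is generous.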

Brad Duncan

Brad Duncan is a Security Researcher at Rackspace specializing in network traffic analysis and intrusion detection. After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010 when he left the military. He is a handler for the Internet Storm Center (ISC) and has posted more than 50 diaries at isc.sans.edu. Brad routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net.
