Monday, February 25, 2013

Life Cycle and Detection of an Exploit Kit

Exploit kits may not be as hot a topic as the recently released Mandiant Report, but they're still an important part of today's threat landscape. Because the commercial success of the Cool Exploit Kit lets its author buy vulnerabilities, for example, these kits are not only one of the more prevalent ways of dropping malware on end users, they're also pushing defenders towards a time with more and more 0-days to worry about.

If you would like to understand more about how these kits work, check out my recent presentation on the subject. The presentation assumes no prior knowledge, so it's a perfect starting point even for management types who might not quite understand the threat landscape.

For those of you running Sourcefire/Snort boxes who are looking for exploit kit coverage, be sure to review how many rules from our new Exploit-Kit category you have enabled: while 200 of the 222 rules in that category are in the balanced policy by default, if you're not running a current SEU, you're missing a lot of powerful detection.
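One way to do that review, as an added example that is not the post's or Sourcefire's own code: the script below parses a Snort rules file in the VRT layout (a rule that is disabled in the running policy is commented out with a leading `#`) and reports which SIDs in the category are enabled and which are not. The file name exploit-kit.rules and the sample rules embedded here are assumptions constructed for illustration, not real signatures.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout of a Snort VRT rule file (not real rules):
# enabled rules start with the action, disabled ones are commented out with "# ".
SAMPLE_RULES = """\
# exploit-kit.rules (constructed sample for illustration)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT sample landing page A"; \\
    flow:to_client,established; content:"foo"; sid:900001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT sample landing page B"; sid:900002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT sample payload request"; sid:900003; rev:2;)
# alert udp any any -> any 53 (msg:"EXPLOIT-KIT sample dns"; sid:900004; rev:1;)
"""

class RuleState(NamedTuple):
    enabled: list
    disabled: list

_ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")

def _join_continuations(text):
    # Snort lets a rule span several lines when each line ends with a backslash.
    return re.sub(r"\\\n\s*", " ", text)

def audit_rules(text):
    """Return the SIDs of enabled rules and of commented-out (disabled) rules."""
    enabled, disabled = [], []
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        body = line.lstrip("# ").strip() if is_comment else line
        if not body.startswith(_ACTIONS):
            continue  # an ordinary comment, not a disabled rule
        m = re.search(r"\bsid:\s*(\d+)\s*;", body)
        if not m:
            continue
        (disabled if is_comment else enabled).append(int(m.group(1)))
    return RuleState(enabled, disabled)

def coverage_summary(text):
    """Counts to compare against the category total shipped in the SEU."""
    state = audit_rules(text)
    total = len(state.enabled) + len(state.disabled)
    return {"enabled": len(state.enabled), "total": total, "disabled_sids": state.disabled}

if __name__ == "__main__":
    # Replace SAMPLE_RULES with open("/etc/snort/rules/exploit-kit.rules").read() on a real sensor.
    print(coverage_summary(SAMPLE_RULES))
```

Disabled SIDs you expected to be on are the ones to re-enable in your policy; a total well below the category's current count means the rule set itself is out of date.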
