Understanding and stopping 5 popular cybersecurity exploitation techniques

With more than 550,000 new malware samples being discovered every day, closing the security gaps that enable these cyberthreats to access systems should be a priority for organizations. Unfortunately, many are leaving themselves needlessly exposed to risk.

Exploits are often associated with zero-day attacks that take advantage of vulnerabilities not yet known to the software provider, which means there are no patches yet available. A study by Google revealed that 24 zero-day vulnerabilities were exploited by attackers in 2020.

At the same time, 80% of attacks exploit a vulnerability that was reported at least three years ago.

Part of the challenge is that many software exploits manipulate memory in sophisticated ways, making them difficult to detect if you rely on average cybersecurity solutions. Effectively detecting exploits requires deep system knowledge and constant monitoring of all applications. Advanced, next-generation cyber protection solutions that include exploit prevention capabilities are needed.

Exploit prevention explained

While hundreds to thousands of new malware samples appear every day, a criminal can only use a limited number of techniques to exploit a software vulnerability and most of these are related to some type of random access memory (RAM) manipulation. Quite often, a criminal will chain a handful of exploit techniques together to deliver malware. This means that your cybersecurity solution must detect and stop various techniques.

Advanced, next-generation cyber protection solutions can protect your systems and data from five common exploitation techniques.

1. Return-oriented programming protection

Data execution prevention (DEP) is a system-level memory protection feature that was built into the Windows operating system starting with Windows XP. It enables the system to mark one or more pages of memory as non-executable. From the start, criminals worked to bypass DEP and they have been successfully doing so for some time using different techniques, one of which is return-oriented programming (ROP).

Cybercriminals use ROP chains, small pieces of existing legitimate code taken from an application's code sections, to build working code. These small pieces (gadgets) are reached via return instructions, and at some point the criminal calls a WinAPI function. The stack of an application is a memory area that contains a list of memory addresses (return addresses). If the WinAPI function was not reached through a call instruction, the return address on the stack will be wrong.

Advanced cyber protection solutions terminate a ROP attack when no call instruction is found immediately before the return address.
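As an added example (not code from the article or from any vendor product), here is a stand-alone C implementation of the return-address check described above: given the offset a sensitive API would return to, it tests whether the bytes immediately before that address decode as a CALL instruction. The instruction bytes are constructed for the demonstration, and only the unprefixed E8 and FF /2 encodings are handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* If a CALL instruction starts at p, return its length in bytes, else 0.
 * Covers E8 rel32 and FF /2 with the usual ModRM/SIB encodings (no prefixes). */
static size_t call_insn_len(const uint8_t *p, size_t avail)
{
    if (avail >= 5 && p[0] == 0xE8) return 5;           /* call rel32 */
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t modrm = p[1];
    if (((modrm >> 3) & 7) != 2) return 0;               /* FF /2 only (near call) */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = 2;
    if (mod == 3) return len;                            /* call reg */
    if (rm == 4) {                                       /* SIB byte follows */
        if (avail < 3) return 0;
        len += (mod == 0 && (p[2] & 7) == 5) ? 5 : 1;    /* SIB, plus disp32 if no base */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                        /* [disp32] / [rip+disp32] */
    }
    if (mod == 1) len += 1;                              /* disp8 */
    if (mod == 2) len += 4;                              /* disp32 */
    return len <= avail ? len : 0;
}

/* The caller check the article describes: a legitimate return address must sit
 * right after a CALL. A "return site" reached through a RET gadget fails this. */
static bool preceded_by_call(const uint8_t *code, size_t ret_off)
{
    for (size_t len = 2; len <= 7; len++) {
        if (ret_off < len) break;
        if (call_insn_len(code + ret_off - len, len) == len) return true;
    }
    return false;
}

/* Constructed x86-64 code bytes (not from a real binary) with two CALLs and two RETs. */
static const uint8_t code[] = {
    0x55,                               /* 0:  push rbp                       */
    0x48, 0x89, 0xE5,                   /* 1:  mov rbp, rsp                   */
    0xE8, 0x10, 0x00, 0x00, 0x00,       /* 4:  call +0x10   -> return site 9  */
    0x5D,                               /* 9:  pop rbp                        */
    0xC3,                               /* 10: ret          -> "site" 11      */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00, /* 11: call [rip+0x1000] -> site 17   */
    0x5B,                               /* 17: pop rbx                        */
    0xC3,                               /* 18: ret                            */
};
```

Like any byte-pattern heuristic, this can misfire when unrelated bytes happen to decode as a CALL, which is why it is applied on entry to sensitive API functions rather than on every return.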

2. Memory manipulation

Criminals use stack pivoting to bypass protections like DEP by chaining ROP gadgets in a return-oriented programming attack. With stack pivoting, attacks can pivot from the real stack to a new fake stack, which can be an attacker-controlled buffer such as the heap. The future flow of program execution can be controlled from the heap.

While Windows provides export address filtering (EAF), a next-gen cybersecurity solution can provide an access filter that prevents code from reading the headers and export/import tables of Windows executables (PE files), using a special protection flag on those memory areas. An access filter should also support an allowlist so the heuristics can be tweaked as needed.

3. Code injection protection

There are several code injection techniques which are popular among cybercriminals.

Process hollowing is a technique where a trusted application, such as explorer.exe or svchost.exe, is loaded on the system in a suspended state to act as a container for hostile code. Because the hollowed process is created in a suspended state, its memory can be unmapped and replaced with malicious code. Execution of the malicious code is masked under a legitimate process and often evades the defenses and detection analysis of less advanced security products.

Another technique, reflective dynamic link library (DLL) loading, loads a DLL from memory rather than from disk. Windows' LoadLibrary function does not support loading from memory, so if you suspect malicious use, such loads can be checked and blocked as well.

The Early Bird code injection technique takes advantage of the thread initialization that happens when a program starts on a computer. It loads the malicious code at an early stage of thread initialization, before many security products have placed their hooks, which allows the malware to perform its malicious actions without being detected. Windows' early launch anti-malware (ELAM) technology can help detect and prevent attacks that take this approach.

Asynchronous procedure call (APC) is a Windows functionality that can divert a thread from its regular execution path and direct it to execute something else. The most important thing about an APC is that when one is scheduled, it is targeted to a specific thread. Attackers can inject into that call and use it to run their malicious code.

Advanced, next-gen cybersecurity solutions can detect injection into a process created in suspended mode, which hollows out the original memory, and block the affected process.

4. Privilege escalation protection

Processes in Windows have a so-called security identifier (SID). The SID is a unique value of variable length that is used to identify a security principal (such as a security group).

When a parent process creates a child process, the child inherits the SID. Checking this during application loading can reveal malicious activity. SIDs cannot be changed during process execution, so for sensitive functions, exploit prevention software also checks that the SID stays the same during execution.

For example, if an attacker wants to use the CreateProcessWithToken function with a security token from another process (which could have been stolen beforehand), the SID is extracted from the token and checked against the current process. If there is no match, the software raises an alert and blocks the process.
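As an added example, not the article's or any product's code, this C snippet parses the binary SID layout and performs the comparison described above: whether the SID a process was created with still matches the token SID presented at a sensitive call. The two sample SIDs are constructed by hand.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_SUBAUTH 15                   /* Windows SIDs carry at most 15 sub-authorities */

typedef struct {
    uint8_t revision, count;
    uint64_t authority;                  /* 48-bit identifier authority */
    uint32_t sub[MAX_SUBAUTH];
} sid_t;

/* Parse the binary SID layout: revision, sub-authority count, 6-byte big-endian
 * identifier authority, then `count` little-endian 32-bit sub-authorities. */
static bool sid_parse(const uint8_t *buf, size_t len, sid_t *out)
{
    if (len < 8 || buf[0] != 1 || buf[1] > MAX_SUBAUTH || len != 8 + 4u * buf[1])
        return false;                    /* malformed or truncated */
    out->revision = buf[0];
    out->count = buf[1];
    out->authority = 0;
    for (int i = 0; i < 6; i++) out->authority = (out->authority << 8) | buf[2 + i];
    for (int i = 0; i < out->count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        out->sub[i] = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return true;
}

/* Equality of two parsed SIDs: the parent-vs-child comparison the article describes. */
static bool sid_equal(const sid_t *a, const sid_t *b)
{
    return a->revision == b->revision && a->count == b->count &&
           a->authority == b->authority &&
           memcmp(a->sub, b->sub, sizeof(uint32_t) * a->count) == 0;
}

/* Gate for a sensitive call: true when the token SID still matches the SID the
 * process started with; a mismatch (or an unparsable SID) is treated as an alert. */
static bool sid_unchanged(const uint8_t *orig, size_t olen, const uint8_t *now, size_t nlen)
{
    sid_t a, b;
    return sid_parse(orig, olen, &a) && sid_parse(now, nlen, &b) && sid_equal(&a, &b);
}

/* Constructed sample SIDs: S-1-5-21-1000-2000-3000-1001 (a user) and S-1-5-18 (LocalSystem). */
static const uint8_t user_sid[] = {1, 5, 0,0,0,0,0,5, 21,0,0,0, 0xE8,3,0,0,
                                   0xD0,7,0,0, 0xB8,0x0B,0,0, 0xE9,3,0,0};
static const uint8_t system_sid[] = {1, 1, 0,0,0,0,0,5, 18,0,0,0};
```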

5. Defense evasion protection

Many advanced, next-gen cybersecurity solutions place hooks on sensitive API functions to intercept and perform checks, such as antivirus scanning, before allowing the kernel to service the request. Criminals can take advantage of the fact that only sensitive functions are monitored. By calling an unmonitored, non-sensitive function at an offset (to intentionally address an important kernel service instead), cybercriminals can often evade security software. That is why an advanced, next-gen cybersecurity solution prevents attackers from addressing sensitive kernel functions via unprotected API functions.

Exploit prevention – an important part of multilayered protection

While exploit prevention is a set of techniques and heuristics that rarely come into play, it is a critical part of any multilayered security plan, especially against sophisticated cyberattacks that rely on zero-day vulnerabilities.

But whether it is a recently discovered exploit or an existing, unpatched vulnerability, it takes only one attack to cause catastrophic data loss and possibly close down your business.

Advanced, next-generation cyber protection solutions include exploit prevention functionality to deal with sophisticated attacks more effectively.
