A blended attack is one of the most powerful weapons in the arsenal of a bad actor intending harm to digital assets and computing systems. A blended attack is a sophisticated cyber attack that utilizes a mix of malicious code, computer viruses, worms or Trojan horses and exploits multiple software or hardware vulnerabilities known to the attacker.
This attack method can also take the form of a complex campaign in which an initial attack on an organization’s systems serves as a decoy: a second attack vector or vulnerability is exploited while the security team is busy dealing with the first attack.
A specific kind of blended attack targets digital assets such as sensors or connected locks in order to penetrate an organization’s physical protection system; the goal of the attack is to intrude into the protected physical perimeter.
In all of these scenarios, security systems and security teams face a very sophisticated kind of cyber attack in which it is not easy to identify the primary attack vector or the attacker’s ultimate target.
What Is a Blended Attack in Practical Terms
Real-life examples of a tool for launching a blended attack include malware and viruses such as Nimda, CodeRed, Bugbear or Conficker, which combine capabilities intrinsic to different types of malicious code.
Such a combination of malware capabilities enables blended threats to perform complex attacks, spreading rapidly and infecting multiple endpoints quickly. Nimda, for instance, employs a mass-mailing worm component that can infect thousands of computers within minutes, obtaining the same privileges as the currently logged-in user; from there it can launch a massive Distributed Denial of Service (DDoS) attack.
Viruses such as Bugbear and Conficker operate in a similar fashion, exercising their mass-mailing capabilities but also opening a specific communications port on a victim’s computer through which an attacker gains access to the machine or uses its computing power to build a botnet.
The first such blended attack to successfully hit enterprise networks came in 2001, when the Code Red virus penetrated hundreds of thousands of computers in a single day. Code Red was able to self-propagate and start DDoS attacks against a number of specific website IP addresses. It was the first occurrence of a mass-spreading worm that could both infect computers within a subnet of IP addresses and launch coordinated attacks against a third-party network address.
Modern-day blended threats are even more sophisticated compared to relatively harmless worms like Nimda or Code Red. For instance, a modern blended attack might involve the launch of a DDoS attack against an organization’s web server first while in the meantime the attackers install a rootkit malware by utilizing a custom version of a Trojan horse.
How a Blended Attack Operates
Blended attacks use a combination of multiple attack vectors and malware capabilities to achieve their ultimate goal. If a bad actor wants to launch a DDoS attack on an organization and infect them with a server rootkit during the attack, they will not use their own server for the purpose.
Instead, a possible scenario for a blended attack might be as follows:
- An attacker launches a phishing campaign against your organization or successfully compromises one of your collaboration apps
- The attack involves the submission of infected links that redirect your employees to a malicious website
- From there, those who are tricked into clicking the link download a virus or a Trojan worm that spreads across multiple endpoints within your IT ecosystem
- The Trojan virus opens a backdoor to your systems, which in turn allows the attacker to create a botnet
- The attacker launches a DDoS attack against a third party using your organization’s IT resources as well as other endpoints the attacker controls
- While the security team of the organization under attack deals with the DDoS attack, the bad actor manages to install a rootkit on their web server, which gives unrestricted access to sensitive data and resources to further penetrate their network
A novice hacker cannot carry out such a scenario, but it is a feasible blended attack when you face a state-backed hacking group or a resourceful team of cyber criminals. The growing use of personal mobile and desktop devices and IoT technology to connect to corporate networks and cloud-based applications only makes things worse, as multiple new attack vectors emerge.
Blended Attack Vectors on Mobile Devices
A blended attack can be very effective against signature-based intrusion detection systems (IDS), using polymorphic techniques to generate attack patterns that do not present a fixed signature. Polymorphic code changes itself each time it runs, making it difficult to trace and identify.
A newer class of polymorphic blending attacks can circumvent byte-frequency-based network anomaly detection by matching the attack instances to the normal profiles the IDS uses. The attack thus mimics normal activity that fits the IDS’s profile of legitimate traffic and code, so the IDS does not flag it as abnormal behavior.
Past polymorphic techniques were able to make attack instances look different from each other, but they were not able to make them look like normal instances of incoming traffic or software activity.
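To make the limitation concrete, here is an added example (not code from the original article) of the kind of byte-frequency anomaly detector described above: it builds a per-byte "normal profile" from constructed HTTP requests and scores new payloads against it. A payload full of bytes never seen in normal traffic is flagged, while a payload whose byte histogram matches the profile passes, which is exactly the gap a polymorphic blending attack exploits and why such a check must be layered with other controls. All traffic samples and the threshold rule are constructed for the example.

```python
import math
from collections import Counter

# Constructed training set standing in for the "normal" HTTP traffic the IDS profiled.
NORMAL_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\nAccept: image/png\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=secret1",
]

def byte_profile(payloads):
    """Per-byte mean and standard deviation of relative frequency over the
    training payloads: the 'normal profile' a 1-gram anomaly IDS keeps."""
    freqs = []
    for p in payloads:
        counts = Counter(p)
        freqs.append([counts.get(b, 0) / len(p) for b in range(256)])
    n = len(freqs)
    mean = [sum(f[b] for f in freqs) / n for b in range(256)]
    std = [math.sqrt(sum((f[b] - mean[b]) ** 2 for f in freqs) / n)
           for b in range(256)]
    return mean, std

def anomaly_score(payload, profile, smoothing=0.001):
    """Simplified Mahalanobis distance between the payload's byte histogram
    and the profile. Bytes never seen in training have std 0, so even one
    occurrence adds a large term; smoothing avoids division by zero."""
    mean, std = profile
    counts = Counter(payload)
    n = len(payload)
    return sum(abs(counts.get(b, 0) / n - mean[b]) / (std[b] + smoothing)
               for b in range(256))

def build_detector(payloads, factor=2.0):
    """Return a predicate flagging payloads that score more than `factor`
    times the worst training score (a constructed threshold rule)."""
    profile = byte_profile(payloads)
    threshold = factor * max(anomaly_score(p, profile) for p in payloads)
    return lambda payload: anomaly_score(payload, profile) > threshold

# Constructed test payloads. The first carries a run of high bytes never seen in
# normal traffic (the kind of histogram a byte-frequency IDS catches). The second
# is text shaped like a normal request: it stands in for a blended payload whose
# byte distribution has been matched to the profile, which this check cannot flag.
HIGH_BYTE_PAYLOAD = b"GET /" + bytes(range(0x80, 0xC0)) + b" HTTP/1.1\r\n\r\n"
BLENDED_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/plain\r\n\r\n"

is_anomalous = build_detector(NORMAL_TRAFFIC)
```

Because the score depends only on the byte histogram, any payload that reproduces the profile's distribution scores like normal traffic; content inspection, behavioral monitoring and endpoint controls have to cover what this layer cannot.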
How to Counter Blended Attacks
An organization cannot prevent blended attacks from occurring, but security teams can make it harder for an attacker to penetrate their corporate network.
As blended attacks use multiple attack vectors and employ mimicry tactics, organizations must adopt a mix of cybersecurity measures and strategies to match the complexity of a blended attack.
A typical combination of tools to stop blended attacks includes next-generation firewalls and a mix of next-generation antivirus and spyware detection software able to detect both known and unknown threats in real time. A blended attack does not give teams much time to respond, so intrusion prevention systems should detect unknown threats as they materialize.
Additionally, organizations that implement packet capture through SIEM products are able to perform deeper forensic analysis and reduce false positives to combat blended attacks. Proactive investment in SIEM and Managed Detection and Response provides the most advanced protection against sophisticated and advanced persistent threats, adding a human element that can actively hunt for malicious activity and indicators of compromise.
Securing incoming and outgoing network traffic by denying connections to devices that do not run the intrusion detection controls the organization requires provides a further layer of defense against blended threats.
Security teams should bear in mind that blended attacks can often involve social engineering techniques and phishing methods to avoid cyber-defenses and lure users into opening an infected link or file that has already passed through the first line of defense.
Many data leaks and ransomware attacks succeed because of human error. Training your employees to recognize suspicious messages, links and attachments should be a top priority, because these are major attack vectors for a blended attack.
To prevent blended attacks from happening and spreading across a corporate network, organizations should also implement a strict policy for user access control that addresses elevation of privileges and abuse of login credentials. A cyber threat is only as dangerous as the access privileges it obtains: infecting an endpoint such as a workstation might be acceptable damage; infecting a server or a system administrator’s computer is not.
Blended attacks require hybrid cybersecurity measures that reflect the very nature of a blended threat. Security tools that scan for viruses only against a database of known malicious-code signatures simply do not work against blended attacks: these are mutating threats, and they attack systems through several attack vectors simultaneously.
Malware involved in blended attacks has evolved to a stage where the malicious code is able to identify the characteristics of the defenses it faces on a target machine and adapt its behavior to pass through or even download an additional script to deal with the specific intrusion detection system in place.
Blended attacks require a holistic approach toward an organization’s cyber security, in which a combination of security tools works to detect and eliminate a blend of mutating cyber threats.