BSides Knoxville 2017

Exploit kits (EKs) first appeared in 2006 but their initial growth was limited by the high level of technical expertise required to use them. Over time, however, EKs have steadily evolved into easy to use (and important) tools in the growing Crimeware-as-a-Service (CaaS) industry. Due to their effectiveness in delivering many different kinds of malware, Blue Teams should understand them. This presentation will begin by differentiating an exploit from a payload. It will then define the term exploit kit and discuss their most common characteristics, including their management consoles and delivery techniques. To give attendees some perspective, the presentation will examine several famous EKs to explain what makes them so successful. Attendees will then be led through an example EK Infection Chain, including a discussion of the crucial role that DNS plays in EK effectiveness. The session will close with a discussion of current best practices for protecting against EKs and predictions of what Blue Teams can expect to see from EKs in the future.

At the end of this presentation participants will be able to:
•Explain what exploits kits are and what they are most commonly used for
•Describe the relationship between exploit kits and Crimeware-as-a-Service (CaaS)
•Describe the difference between an exploit and a payload
•Name exploit kit components and architecture
•Discuss exploit kit delivery methods
•List the prerequisites required for an exploit kit to successfully compromise a device
•Deploy those best practices that will most protect against exploit kits
•Explain why exploit kits will continue to threaten all types of organizations for the foreseeable future