Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

Forecasting the exploit kit landscape

admin 15 September 2016

Cybercrime and Dark Web Research

We’ve previously written on the most popular vulnerabilities that exploit kits are using. But how might the exploit kit market develop over the next year?

There are five identifiable of factors that may impact the status of the exploit kit marketplace.

The resources held by exploit kit developers
The amount of custom they received
The duration for which an exploit kit has been active
How frequently they are developed
The disruption caused by law enforcement and security researchers.

Using these factors, we have outlined three plausible scenarios that encompass varying threat levels: Neutrino dominates, no more Neutrino, and new players.

Scenario 1: September 2017 – Neutrino dominates (same threat level)

Neutrino, Magnitude, RIG, Sundown and the Hunter exploit kit remain active and continue to compromise end users, continue to be developed incorporating new exploits and continue to be profitable. The Nuclear and Angler exploit kits have remained inactive since June 2016, therefore two of the previously most prominent exploit kits are not competing for the exploit kit market share. This has increased the amount of revenue for the remaining exploit kits, in turn providing their developers with more resources.

With more resources, the active exploit kits are developed at a higher rate than observed in 2016, incorporating more recent exploits and at a higher rate. However, RIG, Hunter and Sundown are not established enough to capitalize the most from the increased revenue, therefore Magnitude and Neutrino become the two most prominent. Despite this, Sundown developers have made continued attempts to compete in the market since June 2016, therefore this exploit kit is considered the third most prominent. The Neutrino exploit kit, having seemingly replaced Angler following its demise in June 2016, remains the most widely used and frequently developed exploit kit.

While the prominence of each of the active exploit kit has shifted in 12 months, the threat level posed by exploit kits overall has not changed. Any attempts by law enforcement and security vendors to disrupt exploit kit operations are circumvented by the exploit kit developers, and the number of detections of exploit kit activity has remained largely unchanged.

Neutrino exploit kit payloads

Figure 1 – Neutrino exploit kit payloads

Scenario 2: September 2017 – No more Neutrino (lower threat)

Following the arrest of 50 individuals associated with the Lurk banking trojan and Angler exploit kit, as well as the reported disruption to the Nuclear exploit kit in June 2016, no activity from these kits has been detected. Because of this, law enforcement and security researcher attention has been focused on the Neutrino exploit kit, given it had become the most prominent following the demise of Angler. The fact Neutrino is offered to rent has presented opportunities for law enforcement and researchers to uncover more about Neutrino’s infrastructure, set up and its developers. Ultimately, this has allowed for an international law enforcement operation to be carried out against threat actors associated with it. The result of this is a cessation of Neutrino rental activity, as the developers feel it too high risk a project to continue. While Neutrino remains active, it is on a much smaller scale.

The cessation of activity from another most prominent exploit kit caused by law enforcement disruption, one year after the demise of Angler, has impacted the threat level posed by exploit kits as a whole. While other exploit kits including RIG, Magnitude and Sundown remain active, its developers are less inclined to rent the kits due to fears of security.

The result of law enforcement and security researcher scrutiny against exploit kits has brought a further exploit kit’s operations to an end. In turn, this has made other exploit kit developers more cautious in their operations, impeding their ability to be as active as they were and generate as much revenue. Less widespread use has lowered the threat level posed by exploit kits in future.

Scenario 3: September 2017 – New players (higher threat)

The demise of Angler and the stoppage of Nuclear has encouraged developers to create their own exploit kits to capitalize on gaps in the marketplace. Following a trend of lowering the barriers to entry for cybercrime, the developers attempt to make these exploit kits as user-friendly as possible.

These new exploit kits are advertised publicly and are designed to be scalable, encouraging lower capability cybercriminals to use them with well-developed user interfaces and support features. These methods are largely copied from successful ransomware-as-a-service platforms, such as Cerber. Despite the entry of new players to the marketplace, the Neutrino, Magnitude, RIG, Sundown and Hunter exploit kits have all remained active and developed, and have benefited from the demise of Angler and Nuclear in that they have been acquiring more revenue than they had prior to June 2016.

Summary

Based on the drivers we included as part of our forecasting, it was assessed that the most likely scenario in 12 months’ time will be that exploit kits will continue to pose the same threat level as they have done in recent years. We have already detected demonstrable evidence of Neutrino exploit kit activity increasing since the demise of Angler and stoppage of Nuclear activity in June 2016. This, combined with the fact it has been active since 2013, will likely make it the most prominent exploit kit in future – closely followed by Magnitude.