While the majority of the traditional cybersecurity solutions are focused on stopping malware, the threat landscape has moved on. In fact, 40% of all attacks in 2018 were non-malware intrusions indicating malicious activity that would typically go undetected by legacy anti-virus.
Even in cases where malware is used today, it is sometimes combined with non-malware techniques such as fileless execution. As a result, current solutions are ineffective in battling these advanced techniques.
In our recent Global Threat Report, we discussed how malware-free attacks had increased in recent years as a powerful tool in the cyber-criminal’s armory. Yet, the majority of security teams seem somewhat unprepared to properly deal with them.
In today’s landscape, it’s essential that organizations have the knowledge and understanding to not only prevent an attack, but also be able to correctly investigate and respond.
The rise of malware-free
Non-malware attacks come in many shapes and sizes. Typically, such compromises involve taking a legitimate system process, hijacking it in some way and causing it to perform nefarious tasks at the bidding of the threat actor. This is usually done by harnessing tools already present on the operating system, such as PowerShell or other scripting tools. The attacker is then free to take a variety of actions, such as reconnaissance and establishing persistence, and then focus on their core mission objective, whether that is destruction or the exfiltration of sensitive data, at their leisure.
As such, these attacks are particularly challenging to detect and remediate in time before they become breaches.
Traditional AV doesn’t work… but what does?
The rise in malware-free attacks is particularly troubling because fossilized cybersecurity solutions have proven ineffective against them. We can begin by examining how some legacy technologies attempt to deal with malware-free intrusions.
Anti-virus
Anti-virus solutions were originally designed to look for signatures of known malware, and they tick the compliance box. Of course, given today’s threat landscape, there’s often no malware to look for, so there is nothing for AV to pick up on. Most organizations would agree that standard AV solutions can dramatically reduce performance and yet still fail to detect intrusions of many threat types.
Whitelisting & Application Control
Whitelisting is another approach that works by making a list of all the good processes on a machine and preventing unknown processes from executing. Application control is another option for ensuring that only authorized versions of applications are running in your environment. As malware-free techniques focus on harnessing or compromising legitimate programs, application control and whitelisting tools do very little to prevent these types of attacks. Furthermore, if you have thousands of applications running, whitelisting and application control prove difficult to manage and update.
Indicators of Compromise (IOCs)
Relying on IOCs alone is inadequate, because like conventional signature-based AV solutions, they look for known malicious artifacts left behind by an attacker. Typically IOCs are shared once an incident has been discovered. However, attackers frequently change their infrastructure and tooling, causing IOCs to become outdated quickly and preventing organizations from detecting new attacks.
Unlike IOCs, indicators of attack (IOAs) focus on detecting the intent of an attacker, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-gen security solutions are increasingly moving towards an IOA-based approach.
Sandboxing
Another approach involves sandboxing, which can take many forms, including network-based detonation and micro-virtualization. Because you are usually dealing with hijacked legitimate processes, most sandboxes will ignore attacker actions. Moreover, this approach takes time, at a point when time is something defenders do not have. As a result, some vendors now offer combined capabilities that include sandboxing and other features such as threat intelligence and IOC detection to allow teams to understand sophisticated attacks and save time through automation.
How does this affect your security strategy?
Organizations need to think about what measures they can put in place to protect themselves against malware-free attacks, and what will provide them with a comprehensive view of the entire spectrum of attack tactics, techniques and procedures (also known as ‘TTPs’).
Implementing next-gen cybersecurity solutions that focus on stopping the breach, rather than just viruses and malware as legacy and traditional solutions do, is also much easier: they integrate, deploy and maintain more readily in today’s sophisticated threat environment.
The opportunity to keep an attacker from doing reconnaissance on your network, stealing credentials, and moving laterally occurs when you can actually detect the breach and stop it before any theft of IP or actual destruction of your network takes place. Unless you have what it takes, in terms of technology and people, to identify breaches within seconds of them occurring, regardless of whether malware is used in the attack, you will ultimately lose. Defending against malware-free intrusions requires you to enable next-gen endpoint protection built on three core principles: a 100% cloud-based architecture, an indicator-of-attack approach, and 24/7 visibility, monitoring and response.
Today’s best techniques for detecting modern threats depend on collecting massive amounts of telemetry from endpoints, enriching it with context, and mining this data for signs of attack. By focusing on the TTPs of an attacker, you can determine who the adversary is, what they are trying to achieve, and why.
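To make the contrast between IOC matching and IOA matching concrete, here is an added example that is not code from the original post or from any vendor product. It runs both approaches over a small set of constructed process-creation events: an IOC check that looks up file hashes against a feed shared after an earlier incident, and two illustrative IOA rules that look at behaviour instead (an Office application spawning a script host, and a hidden, encoded PowerShell launch). All hostnames, paths and hashes are constructed placeholders, and the rule set is a teaching subset, not a complete detection library.

```python
"""IOC (artifact) matching versus IOA (behaviour) matching over constructed
endpoint telemetry. Added example; not the original post's or any product's code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed schema)."""
    host: str
    parent_image: str
    image: str
    cmdline: str
    sha256: str  # hash of the executed image file; placeholders below


# Constructed telemetry for one workstation. Event 2 is the malware-free
# intrusion: a document viewer launching PowerShell with an encoded command.
# Event 3 is a benign admin script run from the desktop for comparison.
TELEMETRY = [
    ProcessEvent("ws-01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 'WINWORD.EXE /n "report.docx"', "PLACEHOLDER_HASH_WINWORD"),
    ProcessEvent("ws-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden "
                 "-EncodedCommand PLACEHOLDER_BASE64",
                 "PLACEHOLDER_HASH_POWERSHELL"),
    ProcessEvent("ws-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1",
                 "PLACEHOLDER_HASH_POWERSHELL"),
]

# IOC feed: hashes of files seen in a previous incident (constructed).
# The intrusion above reuses a signed OS binary, so its hash is not here.
KNOWN_BAD_HASHES = {"PLACEHOLDER_HASH_OLD_DROPPER"}


def match_iocs(events, bad_hashes):
    """Artifact-based check: fires only when the executed file is already known bad."""
    return [e for e in events if e.sha256 in bad_hashes]


# IOA rules describe attacker behaviour and ignore the binary's identity.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by an argument.
ENCODED_FLAG = re.compile(r"\s-(?:ec|enc|encodedcommand)\s+\S")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(e: ProcessEvent) -> bool:
    """Document viewers have no business launching script interpreters."""
    return basename(e.parent_image) in OFFICE_APPS and basename(e.image) in SCRIPT_HOSTS


def hidden_encoded_powershell(e: ProcessEvent) -> bool:
    """Hidden window plus an encoded payload is a common evasion combination."""
    cl = e.cmdline.lower()
    return (basename(e.image) in {"powershell.exe", "pwsh.exe"}
            and "-windowstyle hidden" in cl
            and ENCODED_FLAG.search(cl) is not None)


IOA_RULES = {
    "office_app_spawns_script_host": office_spawns_script_host,
    "hidden_encoded_powershell": hidden_encoded_powershell,
}


def match_ioas(events, rules=IOA_RULES):
    """Behaviour-based check: returns (event, [rule names that fired]) pairs."""
    hits = []
    for e in events:
        fired = [name for name, rule in rules.items() if rule(e)]
        if fired:
            hits.append((e, fired))
    return hits


def triage(events):
    """Summary of both approaches, enriched with the parent/child context an analyst needs."""
    return {
        "ioc_hits": len(match_iocs(events, KNOWN_BAD_HASHES)),
        "ioa_hits": [(e.host, basename(e.parent_image), basename(e.image), fired)
                     for e, fired in match_ioas(events)],
    }


if __name__ == "__main__":
    for key, value in triage(TELEMETRY).items():
        print(key, value)
```

Running the block shows the IOC check returning nothing, because every hash belongs to a legitimate program, while the IOA rules flag only the Word-to-PowerShell event and leave the benign inventory script alone. The value of the telemetry comes from the parent/child and command-line context recorded with each event; without it, the two PowerShell launches would be indistinguishable.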
Through the recording and gathering of indicators of attack, you should enable your team to view activity in real time and react in the present. This heightened degree of automation and ease of use enables businesses to constantly review their security postures so they know where the gaps might be and the risks they are creating that an attacker could exploit. Going forward, they need to implement a strategy that is more proactive than reactive.