The Issue of Overreliance on Detection Solutions in the Security Stack


Detection has always been a key component of cybersecurity strategies.

Typically, organizations take a layered approach to detection, using a variety of solutions including antivirus software, sandbox engines, big data analysis and anomaly detection. These technologies exist to spot any malware or malicious code that reaches, or is about to reach, the endpoint and to eliminate it.

In the case of detection solutions, seeing is believing: if you can’t detect a threat, how do you know it is really a threat? This is the core principle upon which such technologies are built. They search for threats on the network, act only on those they actually detect, and move to isolate and neutralize a threat once it has been confirmed.

Unfortunately, this approach creates several problems. 

Because detection solutions all share the same task, deciding what is malicious and what is benign, they also share the same limitations. They are prone to both false positives and false negatives, and layering several of them on top of each other is costly.

Not only that, but relying solely on detection puts you on the back foot, forcing you to react to threat actors once they are already on the network. By that point it is often too late, and the damage is already done.

Attackers Are Overcoming Legacy Security Solutions

With the continued belief that an array of detection solutions is adequate, many firms have failed to add capabilities to their network security technology stack, relying on the same solutions and strategies that are simply no longer fit for purpose.

While many organizations have stood still, threat actors have continued to tweak and adapt their methods, now leveraging attack techniques capable of bypassing legacy network security defenses.

The use of Highly Evasive Adaptive Threats (HEAT) is becoming increasingly common, for example, with criminals leveraging one or more of four evasive techniques to deliver malicious payloads to endpoints:

  1. HTML smuggling and/or JavaScript trickery within the browser, so that the malicious file is assembled on the endpoint by script rather than transferred as a file the network can inspect.
  2. Sending malicious links to users through communication channels outside of email, such as social media, SMS and shared documents, where email security controls never see them.
  3. Tampering with benign websites to create ‘Good2Bad’ websites that serve malicious content only for brief periods, dodging web categorization that still classes the site as benign.
  4. Using malicious content, such as images impersonating known brand logos, that is generated in the browser by JavaScript at render time, so that static signatures examining web page source code and HTTP traffic never see it.

Indeed, the success of these methods has been proven in several notorious attacks that have taken place in recent years. 

The Astaroth banking Trojan, active since 2017, uses HTML smuggling to sneak malicious payloads past network-based detection solutions, for example. Meanwhile, the Gootloader campaign that the Menlo Labs team tracked in early 2022 leveraged SEO poisoning to push compromised websites into high search rankings.

Embracing a Multi-Faceted Approach to Security

From the file inspections performed by secure web gateways (SWGs) and sandboxes to network and HTTP-level inspection, indicator of compromise (IOC) feeds and malicious link analysis, many of the defense mechanisms that form the central pillars of organizations’ security strategies are rendered almost useless when confronted with HEAT.

To be properly protected against modern threats, organizations must shift to a multi-faceted approach to security that moves beyond a sole reliance upon detection solutions. While these solutions still serve a purpose, they must be combined with an emphasis on prevention to ensure that attackers are blocked from reaching networks in the first instance.

Unlike detection solutions, prevention solutions do not try to determine whether traffic is good or bad. Instead, they take a zero trust approach: they assume that all traffic carries at least some risk and therefore treat all of it as guilty until proven innocent.

This is the case with remote browser isolation (RBI), a method focused on preventing web content from executing on the user’s device at all, without needing to determine whether that content is malicious.

With RBI, the point of execution for active content is moved to a disposable, cloud-based container, and only a rendered representation of the page is returned to the user. Malicious content therefore never reaches its target, creating something of a digital air gap that allows users to browse the internet safely.

When all web content is executed in the cloud, it never comes anywhere near the endpoint, drastically reducing the flow of costly and time-consuming alerts to your SOC that would otherwise need to be analyzed and remediated.

Simply put, it no longer matters whether there is a vulnerability on the endpoint for attackers to exploit, or to bypass with HEAT techniques: if active content never reaches the endpoint, no payload it carries can execute there.
