Education and Training: The Downfall of File-Less Attacks

Whilst we are all aware of the file-less or zero-footprint attack, the growth in their use has been alarming. With regular anti-virus tools less likely to detect them, how can the ‘savvy’ CIO ward against them?
The answer lies squarely in the need for the education and training of employees, ensuring they fully understand exactly what an advanced volatile threat (AVT) is and what to do should one be suspected.
AVTs live in memory; they never touch the disk and can only steal information when the computer is running. The exposure ends when the user shuts down the machine.
From a technical point of view, the only way to deal with AVTs is with anomaly-based detection tools, which live on each individual computer/server. These tools look at all system activity, even down to keystroke patterns and analyze normal from abnormal behavior.

In the case of an AVT, detection is likely because it will probably open a service, to enable an external connection. It is through this service that data, is sent. Hence, the behavior would be deemed abnormal, detected and shut down.
The Business Continuity Institute’s (BCI) Cyber Resilience Report called for improved user education after revealing that nearly two thirds (64%) of global firms have experienced at least one cyber ‘disruption’ in the past year. The report comprised of interviews with 734 respondents from 69 countries, showing that user education is a global issue.
Phishing and social engineering were found to be the primary cause of more than half (57%) of disruptions, highlighting the urgent need for improved user education.

If users can be educated to recognize an unusual email content or, a strange link to a YouTube page, then the majority of the file-less attacks could be stopped. Saying that is easier than making it happen. Users react in different ways to data stimulus: some are so busy that they click before they have even thought about a threat and that is where education fails. 

When we consider how to train our users to be more security savvy, we need to remember that people are largely consistent in the sense that we are all easily bored, easily confused by vague language and often resent being lectured, when we don’t first understand why the content is important.

Louise Pendry, senior lecturer in Psychology at Exeter University said: “Whenever individual training programs fail to get the job done, it’s usually for the same reasons. They lack variety, do not challenge [people] physically or mentally, are poorly planned, prepared and presented, or do not put [people] in a scenario that reinforces the skill. People need to understand and experience the purpose for their training.”
This approach is built on the principles that training must be interactive, guided, meaningful, and directly relevant to the employee’s operational environment. Being hypothetical is fine for teaching general principles, proficiency requires orienting a threat to the actual places they might end up in.

Make instructions positive, challenging and grounded in real world arenas, real examples, and real threat indicators. Optimal instruction incorporates successful attacks or incidents from your organization’s history.

Second best is instruction based upon incidents that happened recently, preferably to a similar organization. Least effective, are theoretical or fantastic threats, for example attacks against equipment or facilities that you don’t have, are not only likely to be valueless – they are probably going to be counter-productive as well.
By adding threat detection to an environment, it can quickly assess normal user behavior and build on this, providing the user with direct information on why the action they are taking could be a threat, as well as gaining user input to explain actions. In this way the user is trained to look at threats in a different way and will spot them, without system intervention. This allows for deeper threat investigation by the system, as the percentage of common threats is being handled by the user.

Obviously, should the user miss an attack, the threat will be handled and the incident stopped, either by direct action, such as taking a device off the network, or, sending the attack to a ‘honeypot’, buying time for the organization to further investigate the attack, possibly using forensic evidence to learn the nature of the attack and its ultimate goal.
The deployment, across the business, of quality encryption, two-factor authentication, active directory management and on-going monitoring will, of course, help. But, key to keeping an organization safe is the understanding of what the threats are and how to deal with them. Keeping the ears and eyes of all staff tuned to the outside threats that exist, on a daily basis, becomes essential.

What’s Hot on Infosecurity Magazine?