These days, infecting a target is just a matter of resources, but how long the hackers get to stay inside the network is a matter of good detection.
Most organizations have employed traditional (and legacy) perimeter defenses against modern attacks, but what about those silent attacks – which are harder to detect – that make it past the gateway and pose the greatest risk to an organization?
Malware infection methods will always evolve as security technologies advance and force attackers to change their techniques in order to infiltrate a system successfully. New encryption techniques, payment methods and delivery mechanisms mean that traditional security solutions, which rely on a malicious file coming into contact with the system, are no longer enough to protect an organization. Today's attackers are deliberately reducing the number of files available for security controls to assess and pass judgement on, which means we can no longer rely solely on the old guard of antivirus.
The silent threat
According to a recent report, there has been a rise in 'file-less' cyber-attacks which leave little or no trace on disk. The Prudential Regulation Authority has called these attacks the 'silent risk'. They pose a much higher level of risk than loud payloads such as ransomware because their goals are different: attackers are generally looking for intellectual property, personally identifiable information (PII) or anything of strategic intelligence value, and they want to keep collecting it unnoticed.
They are termed 'silent' because they leave very little evidence and rely on staying stealthy and in situ for long periods. Unfortunately, many organizations treat an absence of evidence as evidence of absence, which allows these silent attacks long-term, unauthorized access.
Given how much attackers know about the methods used by existing antivirus vendors, it is no surprise that they have developed ways of evading detection. By building attacks that avoid writing conventional executable files to the filesystem, they deny file-based controls anything to scan. Similar results can be achieved by embedding malicious code in what appear to be benign files, such as PDF or Word documents, so that the executable logic arrives inside a file type the scanner treats as a document.
It is inevitable that silent-threat techniques will become part of the growing arsenal of e-criminals as the techniques, example code and vulnerabilities are traded on the dark web. Because the threat actors are humans, they can be expected to adapt to new defenses and to find ever more inventive ways of bypassing the detection systems arrayed against them.
For example, one such attack delivered its payload in the alpha (transparency) bits of a PNG image displayed on a web page. The carrier is still a perfectly valid image, so a file-type or signature check sees nothing but a PNG. The malware payload, a banking Trojan, was then extracted by script on the web page itself and injected into memory for execution, so no executable file ever touched the disk.
With this level of sophistication in bypassing controls, we need to view the current file-centric controls as ineffective on their own. Worse, the existing controls create a false sense of security. When an obvious incident like ransomware occurs, the lack of effective security is palpable, but the silent threat can and does go undetected for very long periods.
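To make the PNG trick concrete, here is an added example (not code from the original article and not any real malware's code) that hides a payload in the low bit of each pixel's alpha byte and recovers it again. The cover image, the payload bytes and the STEG marker are all constructed for illustration; only the Python standard library is used, and the writer and reader handle just the 8-bit RGBA, filter-type-0 PNGs the example itself produces. The extract() walk over alpha values is the same thing a page script would do over canvas getImageData() output.

```python
"""Hide and recover bytes in the low bit of a PNG alpha channel (added example).

Constructed for illustration: the cover image, the payload and the STEG
marker are not from any real attack. The point is that the carrier is a
valid PNG, so file-type and signature checks see only an image.
"""
import struct
import zlib

MAGIC = b"STEG"  # constructed marker that prefixes the hidden length + payload


def _chunk(tag, data):
    """Serialise one PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width, height, rgba):
    """Encode raw RGBA pixels (row-major, 4 bytes per pixel) as an 8-bit RGBA PNG."""
    stride = width * 4
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + rgba[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 = RGBA
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(png):
    """Parse the PNGs produced by write_png; return (width, height, rgba bytes)."""
    assert png[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        assert crc == zlib.crc32(tag + data) & 0xFFFFFFFF, "bad chunk CRC"
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            assert (depth, ctype) == (8, 6), "example only handles 8-bit RGBA"
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw, stride, rows = zlib.decompress(idat), width * 4, []
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        assert line[0] == 0, "example only handles filter type 0"
        rows.append(line[1:])
    return width, height, b"".join(rows)


def embed(png, payload):
    """Return a copy of png whose alpha LSBs carry MAGIC + 4-byte length + payload.

    Only bit 0 of each alpha byte changes: colours are untouched and opacity
    moves by at most 1/255, which is invisible when the image is rendered.
    """
    width, height, rgba = read_png(png)
    message = MAGIC + struct.pack(">I", len(payload)) + payload
    if len(message) * 8 > width * height:
        raise ValueError("cover image too small for payload")
    pixels, i = bytearray(rgba), 0
    for byte in message:
        for shift in range(7, -1, -1):
            alpha_pos = i * 4 + 3  # alpha is the 4th byte of every pixel
            pixels[alpha_pos] = (pixels[alpha_pos] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return write_png(width, height, bytes(pixels))


def extract(png):
    """Recover a payload hidden by embed(); return None if the marker is absent."""
    width, height, rgba = read_png(png)
    bits = [rgba[p * 4 + 3] & 1 for p in range(width * height)]

    def byte_at(n):
        value = 0
        for b in bits[n * 8:(n + 1) * 8]:
            value = (value << 1) | b
        return value

    header_len = len(MAGIC) + 4
    if len(bits) < header_len * 8:
        return None
    header = bytes(byte_at(i) for i in range(header_len))
    if header[:len(MAGIC)] != MAGIC:
        return None
    length = struct.unpack(">I", header[len(MAGIC):])[0]
    if (header_len + length) * 8 > len(bits):
        return None
    return bytes(byte_at(header_len + i) for i in range(length))


def make_cover(width=32, height=32):
    """Constructed, fully opaque cover image (a simple colour gradient)."""
    rgba = bytearray()
    for y in range(height):
        for x in range(width):
            rgba += bytes(((x * 8) & 0xFF, (y * 8) & 0xFF, 128, 255))
    return write_png(width, height, bytes(rgba))
```

Run `extract(embed(make_cover(), b"constructed payload"))` to see the round trip. Note what this means for a defender: the carrier passes any PNG validator, its chunk CRCs are correct and the pixels render identically, so the only file-level tell is a statistically odd alpha channel (an all-opaque image whose alpha low bits are not all 1). That is a heuristic, not a signature, which is exactly why the article argues for watching the behavior that follows, the in-memory injection, rather than the file.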
Defending against the future
Laws and regulations will drive organizations to become more adept at managing malware attacks and the rise of silent threats. As a rule of best practice, we must accept that signature-dependent antivirus on its own is dead. When an attack is file-based, static detection has a chance to block it, but history has shown that antivirus does not always provide protection when we need it.
The recent NotPetya attack, for example, highlighted that only 10 out of 61 antivirus programs were able to detect it at the time. Nevertheless, as part of an advanced endpoint security strategy that is both file- and behavior-based, antivirus does have a role to play in filtering out what it can, leaving the remaining threats to be scrutinized in a manner that is not limited by file size or file type and that can still catch silent threats with no visible files or payloads.
Organizations will need to accept that they cannot prevent everything and, instead, invest in security solutions that identify the behaviors of an attack where little other evidence is seen. There is little point in spending money on multiple layers of protection that all use similar techniques. Instead, more budget should be invested where it is really needed: on the endpoint.