Expert Comments

Expert On Report: ‘Malware-free’ Attacks Now Most Popular Tactic Amongst Cybercriminals

Expert(s): Security Experts
Expert(s): Security Experts

In response to reports that indicate more than half of attacks last year leveraged fileless or “malware-free” techniques, as hackers turn to stolen credentials in their efforts to breach corporate networks, experts from two cybersecurity firms offer perspective.

Full report for more details: https://www.zdnet.com/article/malware-free-attacks-now-most-popular-tactic-amongst-cybercriminals/

Experts Comments

Dot Your Expert Comments
Elad Shapira
March 04, 2020
Head of Research
Panorays

Indeed, we continue to see many supply chain attacks across all industries.
The 2020 CrowdStrike Global Threat Report is just the latest evidence that supply chain attacks are alive, well—and highly effective. The report notes that China’s state actors continue to focus on supply chain compromises to “infect multiple victims.” Indeed, we continue to see many supply chain attacks across all industries, underscoring the very real need for organizations to put robust security processes in place to prevent them. These processes include thorough assessment and.....Read More
The 2020 CrowdStrike Global Threat Report is just the latest evidence that supply chain attacks are alive, well—and highly effective. The report notes that China’s state actors continue to focus on supply chain compromises to “infect multiple victims.” Indeed, we continue to see many supply chain attacks across all industries, underscoring the very real need for organizations to put robust security processes in place to prevent them. These processes include thorough assessment and continuous monitoring of supply chain partners’ security posture, remediation of security gaps, and minimizing risk based on the business relationship.  Read Less
Tal Zamir
March 04, 2020
Founder and CTO
Hysolate

Organizations should consider isolation solutions that take sensitive apps and systems and put them in a completely separate zone.
Using endpoint security agents or EDR engines can help detect known malicious behavior, but cannot really protect against advanced persistent threats that leverage fileless malware or malware-free techniques, such as using legitimate software and legitimate user actions to do harm. For example: a malicious actor that leverages legitimate video conferencing and remote control software (e.g. Webex/TeamViewer/Zoom) to spy on users and impersonate their actions would not use any malware and.....Read More
Using endpoint security agents or EDR engines can help detect known malicious behavior, but cannot really protect against advanced persistent threats that leverage fileless malware or malware-free techniques, such as using legitimate software and legitimate user actions to do harm. For example: a malicious actor that leverages legitimate video conferencing and remote control software (e.g. Webex/TeamViewer/Zoom) to spy on users and impersonate their actions would not use any malware and wouldn't do any malicious action that triggers an alert in such systems. To comprehensively protect against such threats organizations should consider isolation solutions that take sensitive apps and systems and put them in a completely separate zone out of reach of external or internal attack actors.  Read Less
Chris Clements
March 04, 2020
VP
Cerberus Sentinel

To do this, we make sure that our tools are downloaded and executed only in the computer’s memory.
Malware-free and fileless attacks are two different concepts I would be hesitant to conflate. Malware-free implies the absence of any sort of malicious code, whereas fileless attacks do employ malicious code, but do so only in computer memory never writing itself as a file to the local hard drive. I’ve been brought in to more than one breach where the attacker used “malware-free” approaches like password guessing against remote desktop to first gain access to the environment. The.....Read More
Malware-free and fileless attacks are two different concepts I would be hesitant to conflate. Malware-free implies the absence of any sort of malicious code, whereas fileless attacks do employ malicious code, but do so only in computer memory never writing itself as a file to the local hard drive. I’ve been brought in to more than one breach where the attacker used “malware-free” approaches like password guessing against remote desktop to first gain access to the environment. The attackers then used built-in system functions to escalate their privileges and give them complete control over all systems and data on the network. These attacks can be devastating as the attackers are mimicking the same activities as legitimate IT administrators that anti-virus isn’t designed to stop. Unfortunately, this is not a problem that a product can solve. It takes a proactive culture of security including appropriate system hardening and controls, regular testing to identify any gaps, and ongoing monitoring to identify suspicious behaviors. From my experience in ethical hacking and penetration testing most anti-virus products are trivial to bypass by encoding our hacking tool files in various ways, but by far the most effective way to bypass anti-virus is to ensure that our hacking tools never touch the local disk as a file at all. To do this, we make sure that our tools are downloaded and executed only in the computer’s memory and not written on the target computer as a file. Because anti-virus programs traditionally only triggered scanning when I file was written to disk, this was an almost guaranteed way to avoid detection. In the past few years anti-virus manufacturers have been adding the capacity to detect such fileless attacks, but attackers have evolved their techniques to avoid detection as well.  Read Less
Andre Gironda
March 04, 2020
VP
Cerberus Sentinel

CrowdStrike's report is both useful and timely.
the places where fileless malware can hide are so numerous, it is nearly pointless to attempt to enumerate them. With every environment as unique, with its own third-party apps, and configurations for each -- we find ourselves in situations where protecting from malicious logic would mean banning persistent registry keys and the loading of DLLs. Both of these options would require a complete rearchitecture of the Windows operating system. Other systems such as Linux and macOS are additionally.....Read More
the places where fileless malware can hide are so numerous, it is nearly pointless to attempt to enumerate them. With every environment as unique, with its own third-party apps, and configurations for each -- we find ourselves in situations where protecting from malicious logic would mean banning persistent registry keys and the loading of DLLs. Both of these options would require a complete rearchitecture of the Windows operating system. Other systems such as Linux and macOS are additionally weak, lacking similar protections and with similarly stale architectures. CrowdStrike's report is both useful and timely. The methods that CrowdStrike uses to understand and rank customer data (such as third-party apps), in order to help all customers simultaneously -- both during and before a breach occurs -- is only one of their secret weapons in their arsenal. Developing these in-memory and cataloguing solutions is important not just for endpoint protection, detection, and response -- but is the foundation of cloud security and automation principles. Whether working on cloud migrations with devops code, or constructing a platform for traditional infrastructure, building these hooks in will always be better than bolting them on later.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

15 Schools Hit By Cyberattack In Nottinghamshire

Qualys Hit With Ransomware And Customer Invoices Leaked

Experts Reaction On PrismHR Hit By Ransomware Attack

Expert Insight On Ryuk’s Revenge: Infamous Ransomware Is Back And...

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords