In response to reports that indicate more than half of attacks last year leveraged fileless or “malware-free” techniques, as hackers turn to stolen credentials in their efforts to breach corporate networks, experts from two cybersecurity firms offer perspective.
Full report for more details: https://www.zdnet.
The 2020 CrowdStrike Global Threat Report is just the latest evidence that supply chain attacks are alive, well—and highly effective. The report notes that China’s state actors continue to focus on supply chain compromises to “infect multiple victims.” Indeed, we continue to see many supply chain attacks across all industries, underscoring the very real need for organizations to put robust security processes in place to prevent them. These processes include thorough assessment and continuous monitoring of supply chain partners’ security posture, remediation of security gaps, and minimizing risk based on the business relationship.
Using endpoint security agents or EDR engines can help detect known malicious behavior, but cannot really protect against advanced persistent threats that leverage fileless malware or malware-free techniques, such as using legitimate software and legitimate user actions to do harm. For example: a malicious actor that leverages legitimate video conferencing and remote control software (e.g. Webex/TeamViewer/Zoom) to spy on users and impersonate their actions would not use any malware and wouldn’t do any malicious action that triggers an alert in such systems. To comprehensively protect against such threats organizations should consider isolation solutions that take sensitive apps and systems and put them in a completely separate zone out of reach of external or internal attack actors.
Malware-free and fileless attacks are two different concepts I would be hesitant to conflate. Malware-free implies the absence of any sort of malicious code, whereas fileless attacks do employ malicious code, but do so only in computer memory never writing itself as a file to the local hard drive. I’ve been brought in to more than one breach where the attacker used “malware-free” approaches like password guessing against remote desktop to first gain access to the environment. The attackers then used built-in system functions to escalate their privileges and give them complete control over all systems and data on the network. These attacks can be devastating as the attackers are mimicking the same activities as legitimate IT administrators that anti-virus isn’t designed to stop. Unfortunately, this is not a problem that a product can solve. It takes a proactive culture of security including appropriate system hardening and controls, regular testing to identify any gaps, and ongoing monitoring to identify suspicious behaviors.
From my experience in ethical hacking and penetration testing most anti-virus products are trivial to bypass by encoding our hacking tool files in various ways, but by far the most effective way to bypass anti-virus is to ensure that our hacking tools never touch the local disk as a file at all. To do this, we make sure that our tools are downloaded and executed only in the computer’s memory and not written on the target computer as a file. Because anti-virus programs traditionally only triggered scanning when a file was written to disk, this was an almost guaranteed way to avoid detection. In the past few years anti-virus manufacturers have been adding the capacity to detect such fileless attacks, but attackers have evolved their techniques to avoid detection as well.
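The password guessing against remote desktop followed by abuse of built-in system functions described above is exactly the malware-free activity the expert says needs ongoing monitoring rather than a product. The following is an added example, not code from the article or from any of the quoted experts: a small detector that reads Windows Security logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags a burst of RDP failures from one source address, noting whether a successful logon from the same address followed the burst. The pipe-delimited record format, the sample records and the threshold of 5 failures within 10 minutes are assumptions made for this example.

```python
"""
Added example (not from the original article or any quoted expert): flag
password guessing against RDP in Windows Security logon telemetry and report
whether the source later logged on successfully. Record format, sample data
and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs and the RDP logon type (real values).
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10  # RemoteInteractive

# Constructed sample records (assumed format: timestamp|event_id|logon_type|user|src_ip).
# 203.0.113.7 sprays several accounts over RDP and then succeeds as "admin";
# the logon-type-3 failure is network (SMB-style) and is ignored by the RDP rule;
# 198.51.100.4 is a user mistyping a password once and then logging on.
SAMPLE_LOG = """\
2020-03-05T02:10:01Z|4625|10|admin|203.0.113.7
2020-03-05T02:10:09Z|4625|10|administrator|203.0.113.7
2020-03-05T02:10:17Z|4625|10|admin|203.0.113.7
2020-03-05T02:10:30Z|4625|3|admin|203.0.113.7
2020-03-05T02:10:44Z|4625|10|backup|203.0.113.7
2020-03-05T02:11:02Z|4625|10|admin|203.0.113.7
2020-03-05T02:11:40Z|4625|10|svc_sql|203.0.113.7
2020-03-05T02:13:55Z|4624|10|admin|203.0.113.7
2020-03-05T08:02:13Z|4625|10|jsmith|198.51.100.4
2020-03-05T08:02:40Z|4624|10|jsmith|198.51.100.4
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    src_ip: str


def parse_events(text: str) -> list:
    """Parse the assumed pipe-delimited export into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip = line.split("|")
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 int(event_id), int(logon_type), user, src_ip))
    return events


def find_rdp_password_guessing(events, window=timedelta(minutes=10), threshold=5):
    """Return one finding per source IP whose RDP failures reach `threshold`
    inside any `window`; each finding records the accounts tried and the
    account of the first RDP success from that IP after the burst, if any."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.logon_type == LOGON_TYPE_RDP:
            by_ip[e.src_ip].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.event_id == EVENT_LOGON_FAILED]
        start = 0
        for end, f in enumerate(failures):
            # Slide the window start forward until it covers at most `window`.
            while f.ts - failures[start].ts > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: take every failure inside the full window
            # beginning at the first event of the burst.
            burst_end = failures[start].ts + window
            burst = [x for x in failures[start:] if x.ts <= burst_end]
            later_success = [s for s in evs
                             if s.event_id == EVENT_LOGON_SUCCESS and s.ts >= burst[-1].ts]
            findings.append({
                "src_ip": ip,
                "failures": len(burst),
                "users_targeted": sorted({x.user for x in burst}),
                "first_seen": burst[0].ts.isoformat(),
                "last_seen": burst[-1].ts.isoformat(),
                "succeeded_as": later_success[0].user if later_success else None,
            })
            break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_rdp_password_guessing(parse_events(SAMPLE_LOG)):
        print(finding)
```

A finding with `succeeded_as` set is the one to escalate: a guessing burst that ended in a valid session is the point at which the expert's scenario moves from noise to an intrusion carried out entirely with legitimate credentials, and the follow-on use of built-in administrative tools from that session will look like routine IT work to anti-virus.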
The places where fileless malware can hide are so numerous, it is nearly pointless to attempt to enumerate them. With every environment as unique, with its own third-party apps, and configurations for each — we find ourselves in situations where protecting from malicious logic would mean banning persistent registry keys and the loading of DLLs. Both of these options would require a complete rearchitecture of the Windows operating system. Other systems such as Linux and macOS are additionally weak, lacking similar protections and with similarly stale architectures.
CrowdStrike’s report is both useful and timely. The methods that CrowdStrike uses to understand and rank customer data (such as third-party apps), in order to help all customers simultaneously — both during and before a breach occurs — is only one of their secret weapons in their arsenal. Developing these in-memory and cataloguing solutions is important not just for endpoint protection, detection, and response — but is the foundation of cloud security and automation principles. Whether working on cloud migrations with devops code, or constructing a platform for traditional infrastructure, building these hooks in will always be better than bolting them on later.