Our current cybersecurity model is outdated.
While the majority of traditional cybersecurity solutions focus on stopping malware, the threat landscape has moved on. In fact, around 40 percent of all attacks are non-malware intrusions: malicious activity that would typically go undetected by legacy antivirus. As a result, current solutions are ineffective against these advanced techniques.
The rise of malware-free attacks
Non-malware attacks come in many shapes and sizes. Typically, such compromises involve taking a legitimate system process, hijacking it in some way and causing it to perform nefarious tasks at the bidding of the threat actor.
As such, these attacks are particularly challenging to detect and remediate in time before they become breaches.
Traditional AV doesn’t work… but what does?
The rise in malware-free attacks is particularly troubling because fossilized cybersecurity solutions have proven ineffective against them.
Anti-virus solutions were originally designed to look for signatures of known malware – they tick the compliance box. Of course, given today’s threat landscape, there’s often no malware to look for. There is nothing for AV to pick up on and most organisations would agree that standard AV solutions can dramatically reduce performance and yet still fail to detect an intrusion of many threat types.
● Whitelisting & Application Control
Whitelisting is another approach that works by making a list of all the known-good processes on a machine and preventing unknown processes from executing. Application control is a related option for ensuring that only authorised versions of applications are running in your environment. Because malware-free techniques focus on harnessing or compromising legitimate programs, which are on the list by definition, application control and whitelisting tools do very little to prevent these types of attacks.
● Indicators of Compromise (IOCs)
Relying on IOCs alone is inadequate, because like conventional signature-based AV solutions, they look for known malicious artifacts left behind by an attacker.
Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-gen security solutions are increasingly moving towards an IOA-based approach.
● Sandboxing
Another approach involves sandboxing, which can take many forms, including network-based detonation and micro-virtualisation. Because you are usually dealing with hijacked legitimate processes, most sandboxes will ignore attacker actions. This approach also takes time, and during an active intrusion time is exactly what you do not have.
How does this affect your security strategy?
Organisations need to think about what measures they can put in place to protect themselves against malware-free attacks, and what will provide them with a comprehensive view of the entire spectrum of attack tactics, techniques and procedures (also known as ‘TTPs’).
Next-gen cybersecurity solutions that focus on stopping the breach, rather than just on viruses and malware as legacy and traditional solutions do, are also much easier to integrate, deploy and maintain in today’s sophisticated threat environment.
Today’s best techniques for detecting modern threats depend on collecting massive amounts of telemetry from endpoints, enriching it with context, and mining this data for signs of attack. By focusing on the TTPs of an attacker, you can determine who the adversary is, what they are trying to achieve, and why.
By recording and gathering indicators of attack, you enable your team to view activity in real time and react as it happens.
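To make the IOC-versus-IOA distinction from the sections above concrete, here is an added example (not from the original article or any vendor product) that runs both approaches over a few constructed endpoint telemetry lines. The hash values, process names and the behaviour chain (an Office application spawning a script host that then reaches the network) are assumptions chosen to illustrate the point: every binary involved is legitimate, so a hash-based IOC list matches nothing, while a behaviour-based IOA rule flags the chain.

```python
# Constructed endpoint telemetry: tab-separated process events.
# Hash values are placeholders, not real file hashes.
TELEMETRY = """\
pid\tppid\timage\tsha256\taction
100\t1\texplorer.exe\tHASH_EXPLORER\tstart
200\t100\twinword.exe\tHASH_WINWORD\tstart
300\t200\tpowershell.exe\tHASH_POWERSHELL\tstart
300\t200\tpowershell.exe\tHASH_POWERSHELL\tnet_connect
"""

# IOC feed: known-bad file hashes (constructed). None of the binaries above
# are malware, so an artifact-based check has nothing to match on.
KNOWN_BAD_HASHES = {"HASH_OF_SOME_KNOWN_MALWARE"}

# IOA rule inputs: which parents and children form the suspicious chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Turn the tab-separated telemetry into a list of dicts, one per event."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def ioc_matches(events, bad_hashes):
    """Artifact-based detection: does any process image hash appear in the feed?"""
    return [e for e in events if e["sha256"] in bad_hashes]


def ioa_matches(events):
    """Behaviour-based detection: an Office app spawns a script host,
    and that script host later makes an outbound network connection."""
    image_by_pid = {}
    suspicious_pids = set()
    hits = []
    for e in events:
        if e["action"] == "start":
            image_by_pid[e["pid"]] = e["image"]
            parent = image_by_pid.get(e["ppid"], "")
            if parent in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
                suspicious_pids.add(e["pid"])
        elif e["action"] == "net_connect" and e["pid"] in suspicious_pids:
            parent = image_by_pid.get(e["ppid"], "?")
            hits.append(f"{parent} -> {e['image']} (pid {e['pid']}) reached the network")
    return hits
```

Running `ioa_matches(parse_events(TELEMETRY))` returns one hit for the chain, while `ioc_matches` returns an empty list against the same events.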
This heightened degree of automation and ease of use enables businesses to constantly review their security posture, so they know where the gaps might be and which risks they are creating that an attacker could exploit. Going forward, they need to implement a strategy that is more proactive than reactive.