As Signature Detection Wanes, Behavior Analysis Takes Over

Malware is no longer the attack vector of choice for hackers. Instead, adversaries are employing tactics that allow them to silently slip past traditional cyber defenses and infiltrate an enterprise.

For companies, this means rethinking the notion that searching and identifying malware will keep them safe.

“You need to go beyond the signature itself and even look beyond the malware,” said Forrester principal analyst Rick Holland.

“Businesses should be looking at the behavior that’s occurring across their IT environment to determine if hackers have breached a company rather than searching for signature-based attacks,” he said.

“We really need to be able to see what they’re doing in the environment. They’re going to get in and they’re using tools that appear to be legitimate to do this,” he said.

Attacking with malware is out, using legitimate methods is in

Hackers are shunning tactics that would be flagged by firewalls, antivirus software and other standard security programs, Holland said during a webinar on selecting a next-generation endpoint system Forrester co-hosted with Cybereason. In some cases, hackers are abandoning malware completely, he added.

“IOCs [indicators of compromise] may not help if you’re looking for certain signatures that the adversary may not trigger,” Holland said.

Perpetrators are more interested in using legitimate means to compromise corporate perimeters, he said.

For example, hackers are turning to credential theft to access corporate networks. They’re using phishing emails to gather user names and passwords, assuming some people also use these credentials to sign in to corporate networks. Attackers then try to use this log-in information to remotely access a company’s IT environment.

In those types of attacks, “there’s no signature being used there,” Holland said.

Once inside a network, attackers are continuing to use legitimate tools to perform lateral movement and avoid detection, he added. Windows tools are especially popular, including scheduled tasks, RDP (Remote Desktop Protocol), PowerShell, PSExec and Windows Management Instrumentation.

Cybereason Labs has seen an uptick in these new types of attacks, which have been dubbed fileless malware attacks. In these campaigns, hackers evade signature-based detection methods by using legitimate Windows features to exploit a company’s network.

Businesses need a way to detect malicious use of legitimate tools

Most companies assume these tools are benevolent and lack a method that tracks anomalies in how they’re used and flags malicious behavior, Holland said.

“There are lots of ways that the adversary is going to use legitimate tools,” he said. “Do you have a way to detect new scheduled tasks? If someone is using RDP in a way that’s perhaps malicious, how can you view that?”
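The questions Holland raises (new scheduled tasks, RDP used in an unusual way) and the tools named earlier (PsExec, PowerShell) translate into behavioral rules over ordinary Windows event logs rather than signatures. The following is an added example written for this post, not code from the original article or from Cybereason: it runs four simple rules over already-parsed event records. The event IDs are the real Windows ones (4698 scheduled task created, 4624 with logon type 10 for RDP, 7045 service installed, 4688 process creation) and the PSEXESVC service name is the one PsExec installs; the hostnames, usernames, task paths, threshold and the records themselves are constructed for the demonstration.

```python
"""Behavior-based detection of legitimate Windows tools used for lateral movement.

Added example, not from the original post or Cybereason. Four rules run over
already-parsed Windows event records and report anomalies in how built-in
tools are used, without matching any malware signature. Real event IDs:
4698 (scheduled task created), 4624 with LogonType 10 (RemoteInteractive/RDP),
7045 (service installed) and 4688 (process creation). Sample records,
hostnames, users, task paths and the threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


# Constructed sample records, one dict per event, as a SIEM might hand them over.
SAMPLE_EVENTS = [
    # Routine task under the Microsoft tree: expected, no alert.
    {"id": 4698, "host": "WS-042", "user": "jdoe",
     "task": r"\Microsoft\Windows\UpdateOrchestrator\Reboot"},
    # Task created outside the baseline tree: alert.
    {"id": 4698, "host": "WS-042", "user": "jdoe", "task": r"\sync-helper"},
    # One account opening RDP sessions to three different servers: alert after the batch.
    {"id": 4624, "host": "FS-01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.12"},
    {"id": 4624, "host": "DB-01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.12"},
    {"id": 4624, "host": "DC-01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.12"},
    # Console logon (type 2): not RDP, ignored by the fan-out rule.
    {"id": 4624, "host": "WS-042", "user": "jdoe", "logon_type": 2, "src_ip": "-"},
    # Constructed benign service install from System32: no alert.
    {"id": 7045, "host": "WS-042", "service": "BackupAgent",
     "image": r"C:\Windows\System32\backupagent.exe"},
    # PsExec installs its helper service on the target: alert.
    {"id": 7045, "host": "FS-01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # PowerShell started by an Office application with an encoded command: alert.
    {"id": 4688, "host": "WS-042", "user": "jdoe", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Admin running PowerShell from a console: expected, no alert.
    {"id": 4688, "host": "ADM-01", "user": "admin", "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

# Task paths expected to come and go on every host (constructed baseline).
TASK_BASELINE_PREFIXES = ("\\Microsoft\\",)
# Distinct hosts one account may reach over RDP in a batch before it is flagged.
RDP_FANOUT_THRESHOLD = 3
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def detect(events):
    """Apply all rules to a batch of events and return the alerts in order."""
    alerts = []
    rdp_targets = defaultdict(set)  # user -> hosts reached via logon type 10
    for ev in events:
        eid = ev["id"]
        if eid == 4698 and not ev["task"].startswith(TASK_BASELINE_PREFIXES):
            alerts.append(Alert("new-scheduled-task", ev["host"],
                                f"{ev['user']} created {ev['task']}"))
        elif eid == 4624 and ev.get("logon_type") == 10:
            rdp_targets[ev["user"]].add(ev["host"])
        elif eid == 7045 and (ev["service"].upper() == "PSEXESVC"
                              or "\\SYSTEM32\\" not in ev["image"].upper()):
            alerts.append(Alert("unusual-service-install", ev["host"],
                                f"{ev['service']} from {ev['image']}"))
        elif eid == 4688 and ev["image"].lower() == "powershell.exe":
            cmd = ev["cmdline"].lower()
            if ev["parent"].upper() in OFFICE_PARENTS or "-enc" in cmd:
                alerts.append(Alert("suspicious-powershell", ev["host"],
                                    f"parent={ev['parent']} cmd={ev['cmdline']}"))
    # Fan-out is a property of the whole batch, so it is evaluated after the loop.
    for user, hosts in rdp_targets.items():
        if len(hosts) >= RDP_FANOUT_THRESHOLD:
            alerts.append(Alert("rdp-fan-out", ",".join(sorted(hosts)),
                                f"{user} opened RDP sessions to {len(hosts)} hosts"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule encodes a question about behavior ("who created a task outside the baseline?", "which account is reaching many hosts over RDP?") rather than a byte pattern, which is why it still fires when no malware is present. The thresholds and baseline prefixes would be tuned per environment; the point of the example is the shape of the logic, not the specific values.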

Enterprises need to ask how long it would take them to detect an attack in addition to how they would find a hack when the attackers aren’t using a signature-based vector, Holland said.

Answering those questions becomes even more critical considering that major threat actors that launch APT (advanced persistent threat) attacks are no longer the only groups using legitimate tools for malicious purposes. Over the past five years, more mainstream attacks have been carried out using authentic means, Holland said.

This is the fourth blog post in a series that looks at the five points a company should consider when evaluating next-generation endpoint security products. Earlier posts gave an overview of each point, talked about the importance of using a product with a small footprint and how prevention must be done in tandem with detection.

Fred O'Connor
About the Author

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.