Aaron Tan, Computer Weekly Senior Editor, APAC
Traditional antivirus is no longer good enough for fileless malware attacks that don’t leave a trace
For decades, enterprises and consumers alike have been relying on antivirus software to fend off pesky hackers who use malware to wreak havoc on corporate and personal computing devices.
The problem is, for traditional antivirus software to work, it needs to know the malware that it is guarding against.
As such, it is rarely successful in detecting unknown and so-called fileless malware, which resides only in the memory of computers and leaves no footprint on the hard drive, precisely in order to escape detection. Ditto for malware-free attacks that make use of scripting tools like PowerShell to access and control victim computers.
“There’s a whole category of attacks that make use of macros and PowerShell that organisations don’t have protection from today,” said Kane Lightowler, managing director at Carbon Black in Asia-Pacific and Japan.
One such attack took place last year. In August 2016, Brazilian cyber criminals reportedly developed a banking Trojan that invokes PowerShell to redirect victims to phishing websites hosted in the Netherlands.
In a SecureList post, threat intelligence analyst Thiago Marques noted that more “attackers are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection”.
That does not mean, however, that antivirus is dead, as market researchers have been claiming since at least 2007, according to the SANS Institute, a cybersecurity research and education organisation.
In fact, based on an endpoint security survey conducted by SANS last year, antivirus remains effective in capturing 57% of impactful events that took place at respondents’ organisations.
“Rather than dying, antivirus is growing up,” said SANS. “Today, organisations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks, not just known malware.”
Uncovering tactics, techniques and procedures
Instead of relying on virus signatures, indicators of compromise, file hashes and URLs to detect malware, NGAV solutions leverage data science and cloud-based analytics to detect a perpetrator’s tactics, techniques and procedures (TTPs) used to compromise a machine.
From the TTPs, NGAV solutions can identify patterns of malicious activity through analysis and correlation of files and behaviour. These can be used to reconstruct a chain of events, visualising what the attacker is actually up to, as opposed to looking at individual, discrete events, SANS noted in its guide on evaluating NGAV platforms.
“TTPs can be saved and re-used to block future, similar attacks. Matched to endpoint activity, these patterns help set the activity into context and support policies at the endpoint for protection, detection or response,” it said.
Enter streaming prevention
In fraud detection and day trading, banks and financial institutions have been using what is known as event stream processing (ESP), which analyses streams of data to assess risks.
Specifically in detecting fraud, banks can use ESP to flag credit card transactions that take place a second apart in separate geographies as highly likely to be fraudulent.
This same technology is now being applied in NGAV solutions by emerging cyber security vendors such as Carbon Black, which recently launched its streaming prevention technology as part of its cloud-based Cb Defense NGAV platform.
Carbon Black’s Lightowler said that instead of focusing on single, point-in-time events, such as the use of PowerShell to execute a script, the company’s streaming prevention technology looks for and tags events that build up over time.
For example, in a typical attack, a user may visit a webpage, which loads a Flash object to invoke PowerShell using a loophole. A remote access tool is then downloaded to pull in zero-day malware or conduct a non-malware attack.
In such cases, Lightowler said Cb Defense can continuously record the entire attack sequence and capture all the relationships, even as the attack traverses different processes. And through its tagging system, Cb Defense can read each step of the attack, giving it enough information to shut down the attack with certainty, before any damage is caused.
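The two applications of event stream processing described above (the banks’ impossible-travel fraud rule, and tagging a browser-to-PowerShell-to-payload chain on an endpoint) share one idea: judge each event in the context of the events that came before it, not in isolation. The following is an added illustration of that idea in Python; it is not Carbon Black’s code nor Cb Defense’s scoring model. The event format, the field names, the step weights, the threshold and the sample telemetry (process names, file paths, addresses) are all constructed for the example.

```python
from collections import namedtuple

# ---------------------------------------------------------------------------
# 1. The fraud rule banks apply with ESP: two transactions on the same card
#    about a second apart, from different countries, are flagged.
# ---------------------------------------------------------------------------
Txn = namedtuple("Txn", "card ts country")   # ts in seconds, arrival order


def flag_impossible_travel(stream, max_gap_s=1.0):
    """Return (card, ts) for each transaction that follows another on the
    same card within max_gap_s seconds but from a different country.
    Only the last transaction per card is kept, so memory stays bounded."""
    last = {}
    flagged = []
    for t in stream:
        prev = last.get(t.card)
        if prev is not None and t.ts - prev.ts <= max_gap_s and prev.country != t.country:
            flagged.append((t.card, t.ts))
        last[t.card] = t
    return flagged


# ---------------------------------------------------------------------------
# 2. The same idea on endpoint telemetry: each event is tagged in the context
#    of its process lineage, risk accumulates along the chain
#    browser -> plugin -> script host -> download -> dropped binary,
#    and the chain is blocked once the accumulated score crosses a threshold.
# ---------------------------------------------------------------------------
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STEP_WEIGHTS = {            # illustrative weights, not a vendor's model
    "browser": 0,
    "plugin_loaded": 1,
    "script_host_from_browser": 3,
    "download_by_script": 3,
    "dropped_binary_executed": 4,
}
BLOCK_THRESHOLD = 10


class StreamingCorrelator:
    """Consumes events one at a time, keeping only the state needed to judge
    the next one: the process table and files written by tagged processes."""

    def __init__(self):
        self.procs = {}      # pid -> {"image", "tags", "score", "blocked"}
        self.dropped = {}    # lower-cased path -> score of the writer process
        self.verdicts = []   # ("block", pid, image, score), once per process

    def _tag(self, pid, tag):
        proc = self.procs[pid]
        if tag not in proc["tags"]:
            proc["tags"].add(tag)
            proc["score"] += STEP_WEIGHTS[tag]
        if proc["score"] >= BLOCK_THRESHOLD and not proc["blocked"]:
            proc["blocked"] = True
            self.verdicts.append(("block", pid, proc["image"], proc["score"]))

    def feed(self, ev):
        kind = ev["type"]
        if kind == "process_start":
            image = ev["image"].lower()
            parent = self.procs.get(ev["ppid"], {"tags": set(), "score": 0})
            # A child inherits the tags and score of its lineage.
            self.procs[ev["pid"]] = {"image": image, "tags": set(parent["tags"]),
                                     "score": parent["score"], "blocked": False}
            name = image.rsplit("\\", 1)[-1]
            if name in BROWSERS:
                self._tag(ev["pid"], "browser")
            if name in SCRIPT_HOSTS and "plugin_loaded" in parent["tags"]:
                self._tag(ev["pid"], "script_host_from_browser")
            if image in self.dropped:
                # Executing a file a tagged process wrote carries that score too.
                proc = self.procs[ev["pid"]]
                proc["score"] = max(proc["score"], self.dropped[image])
                self._tag(ev["pid"], "dropped_binary_executed")
        elif kind == "module_load" and ev["pid"] in self.procs:
            if "flash" in ev["module"].lower() and "browser" in self.procs[ev["pid"]]["tags"]:
                self._tag(ev["pid"], "plugin_loaded")
        elif kind == "net_connect" and ev["pid"] in self.procs:
            if "script_host_from_browser" in self.procs[ev["pid"]]["tags"]:
                self._tag(ev["pid"], "download_by_script")
        elif kind == "file_write" and ev["pid"] in self.procs:
            proc = self.procs[ev["pid"]]
            if "download_by_script" in proc["tags"]:
                self.dropped[ev["path"].lower()] = proc["score"]


def run_chain(events):
    """Feed a constructed event list through a fresh correlator and return it."""
    c = StreamingCorrelator()
    for ev in events:
        c.feed(ev)
    return c


# Constructed telemetry for the chain the article describes (not a real capture).
ATTACK_CHAIN = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Chrome\chrome.exe"},
    {"type": "module_load", "pid": 100, "module": "Flash32.ocx"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "net_connect", "pid": 200, "dest": "203.0.113.7:443"},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"type": "process_start", "pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]
# An administrator opening PowerShell from Explorer: same tool, no chain, no block.
ADMIN_SESSION = [
    {"type": "process_start", "pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_start", "pid": 20, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "net_connect", "pid": 20, "dest": "10.0.0.5:5985"},
]
```

The point of the contrast between the two constructed streams is the one Lightowler makes: a PowerShell start is not the signal by itself. The same `powershell.exe` event scores zero when its parent is Explorer and three when its parent is a browser that has just loaded a plugin, and the verdict is only reached on the dropped binary, at which point the whole lineage is on record for the responder.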
Glen Lim, an IT security professional, told Computer Weekly that ESP technology from firms like Carbon Black is the industry’s response to sophisticated threats that have evolved quickly in recent years, particularly distributed denial of service (DDoS) attacks that exploit internet of things (IoT) devices.
“We can expect high-bandwidth DDoS attacks in the range of 10TB in the next year or two. These are likely to make use of fileless malware and unknown threats not listed in threat intelligence feeds, which traditional antivirus can no longer detect,” said Lim.
*This article was originally published on Computer Weekly.