
Breaking the cyber kill chain

Traditional antivirus is no longer good enough for fileless malware attacks that don’t leave a trace

For decades, enterprises and consumers alike have been relying on antivirus software to fend off pesky hackers who use malware to wreak havoc on corporate and personal computing devices.

The problem is, for traditional antivirus software to work, it needs to know the malware that it is guarding against.

As such, it is rarely successful in detecting unknown and so-called fileless malware, which resides only in a computer’s memory and leaves no footprint on the hard drive, allowing it to escape detection. The same applies to malware-free attacks that use scripting tools such as PowerShell to access and control victim computers.

“There’s a whole category of attacks that make use of macros and PowerShell that organisations don’t have protection from today,” said Kane Lightowler, managing director at Carbon Black in Asia-Pacific and Japan.

One such attack took place last year. In August 2016, Brazilian cyber criminals reportedly developed a banking Trojan that invokes PowerShell to redirect victims to phishing websites hosted in the Netherlands.

In a SecureList post, threat intelligence analyst Thiago Marques noted that more “attackers are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection”.

That does not mean, however, that antivirus is dead, as market researchers have been claiming since at least 2007, according to Sans Institute, a cybersecurity research and education organisation.

In fact, based on an end-point security survey conducted by Sans last year, antivirus remains effective in capturing 57% of impactful events that took place at respondents’ organisations.

“Rather than dying, antivirus is growing up,” said Sans. “Today, organisations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks, not just known malware”.

Uncovering tactics, techniques and procedures

Instead of relying on virus signatures, indicators of compromise, file hashes and URLs to detect malware, NGAV solutions leverage data science and cloud-based analytics to detect a perpetrator’s tactics, techniques and procedures (TTPs) used to compromise a machine.

From the TTPs, NGAV solutions can identify patterns of malicious activity, through analysis and correlation of files and behaviour. These can be used to reconstruct a chain of events, visualising what the actual attacker might be up to, as opposed to looking at individual, discrete events, Sans noted in its guide on evaluating NGAV platforms.

“TTPs can be saved and re-used to block future, similar attacks. Matched to endpoint activity, these patterns help set the activity into context and support policies at the endpoint for protection, detection or response,” it said.

Enter streaming prevention

In fraud detection and day trading, banks and financial institutions have been using what is known as event stream processing (ESP), which analyses streams of data to assess risks.

In fraud detection specifically, banks can use ESP to flag credit card transactions made a second apart from each other in different geographies as highly likely to be fraudulent.

This same technology is now being applied in NGAV solutions by emerging cyber security vendors such as Carbon Black, which recently launched its streaming prevention technology as part of its cloud-based Cb Defense NGAV platform.

Carbon Black’s Lightowler said that instead of focusing on single, point-in-time events such as the use of PowerShell to execute a script, the company’s streaming protection technology looks for and tags events that build up over time.


For example, in a typical attack, a user may visit a webpage, which loads a Flash object that exploits a vulnerability to invoke PowerShell. A remote access tool is then downloaded to pull in zero-day malware or conduct a non-malware attack.

In such cases, Lightowler said Cb Defense can continuously record the entire attack sequence and capture all the relationships, even as the attack traverses different processes. And through its tagging system, Cb Defense can read each step of the attack, giving it enough information to shut down the attack with certainty, before any damage is caused.
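To make the streaming idea concrete, here is an added example (not Carbon Black’s code, and not from the article) of a small event-stream correlator that tags each endpoint event in the context of its process lineage and accumulates a score per chain, so that PowerShell running on its own stays below the alert line while the browser-to-plugin-to-PowerShell-to-download sequence described above crosses it. The telemetry, tag names, weights and threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed endpoint telemetry (not from the article), one event per tuple:
# (seconds, event_type, pid, parent_pid, detail).
ATTACK_CHAIN = [
    (0.0, "process_start", 100, 1, "browser.exe"),
    (1.2, "process_start", 101, 100, "flash_plugin.exe"),
    (2.5, "process_start", 102, 101, "powershell.exe"),
    (3.0, "net_connect", 102, 101, "198.51.100.7:443"),
    (4.4, "file_write", 102, 101, r"C:\Users\u\AppData\Local\Temp\rat.exe"),
    (5.1, "process_start", 103, 102, r"C:\Users\u\AppData\Local\Temp\rat.exe"),
]
ALERT_THRESHOLD = 8  # assumed weights and threshold; a product would tune these

class StreamingCorrelator:  # scores a whole process lineage, not single events
    def __init__(self):
        self.parent = {}               # pid -> parent pid
        self.tags = defaultdict(set)   # pid -> tags attached to that process
        self.score = defaultdict(int)  # root pid -> accumulated score
        self.dropped = set()           # executables written by a script host
        self.alerts = []               # (seconds, root pid, score) when fired
    def root(self, pid):               # walk up to the top of the lineage
        while self.parent.get(pid, 1) != 1:
            pid = self.parent[pid]
        return pid
    def tag(self, pid, name, weight):
        self.tags[pid].add(name)
        self.score[self.root(pid)] += weight
    def ingest(self, event):
        ts, kind, pid, ppid, detail = event
        low = detail.lower()
        if kind == "process_start":
            self.parent[pid] = ppid
            if "plugin" in low:
                self.tag(pid, "plugin", 1)
            if "powershell" in low:               # a script host alone scores low
                self.tag(pid, "script_host", 1)
                if "plugin" in self.tags[ppid]:   # shell spawned by a browser plugin
                    self.tag(pid, "script_from_plugin", 2)
            if detail in self.dropped:            # a file the shell wrote now runs
                self.tag(pid, "dropped_file_exec", 3)
        elif kind == "net_connect" and "script_host" in self.tags[pid]:
            self.tag(pid, "script_network", 2)
        elif kind == "file_write" and "script_host" in self.tags[pid] and low.endswith(".exe"):
            self.dropped.add(detail)
            self.tag(pid, "script_drop", 3)
        r = self.root(pid)
        if self.score[r] >= ALERT_THRESHOLD and all(a[1] != r for a in self.alerts):
            self.alerts.append((ts, r, self.score[r]))  # one alert per lineage
        return self.score[r]
```

Feeding ATTACK_CHAIN through `ingest` raises the alert at the file-write step, before the dropped file executes, whereas an administrator opening PowerShell from the desktop and making a connection never reaches the threshold.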

Glen Lim, an IT security professional, told Computer Weekly that ESP technology from firms like Carbon Black is the industry’s response to sophisticated threats that have evolved quickly in recent years, particularly distributed denial of service (DDoS) attacks that exploit internet of things (IoT) devices.

“We can expect high-bandwidth DDoS attacks in the range of 10TB in the next year or two. These are likely to make use of fileless malware and unknown threats not listed in threat intelligence feeds, which traditional antivirus can no longer detect,” said Lim.
