Getting good answers and outcomes often depends on asking the right question. The following question recently crossed my desk: “What is the best tool for detecting advanced cyberattacks, including fileless attacks?”
Asked like this, the question suggests the only way to protect yourself from advanced attacks is to detect them. But detection has more than its fair share of shortcomings, from false positives and missed attacks to the operational burden of analyzing and investigating alerts and, in the event of a breach, time-consuming remediation or worse.
What if the question was framed differently, something like: “Is there a way to prevent advanced attacks on the endpoint pre-emptively, without prior knowledge of the attack form or type?”
In this model, prevention would come first and detection second. After all, preventing attacks is the real aim of cyber professionals. The reason the question isn’t asked this way is because no practical answer existed for so many years. But technology advances in quantum leaps and questions shouldn’t be limited by past assumptions.
To answer the prevention question, we need to understand the problem. Hackers head for the most vulnerable spots in the company – the endpoints. Up to 80% of attacks happen there, exploiting flaws in applications, browsers and operating systems. The most dangerous cyberattacks are memory-based attacks, accounting for approximately 40% of today’s total.
Cyber criminals understand that antivirus and other solutions are blind to advanced attacks that execute in memory, and tools like memory mitigation and whitelisting are impractically complex and burdensome. As a result, they’ve turned the development of in-memory attacks into a core competency and the foundation of their business.
In-memory attacks work by exploiting a memory resource at some point in the attack cycle. A DLL like kernel32.DLL is but one example. Cyber criminals specialize in designing attacks that exploit in-memory resources in this way because they evade detection tools like AV, static code analysis, and file reputation.
So, if these attacks are evasive and undetectable, how can they be prevented? The most effective approaches disrupt the accepted attacker-defender paradigm. Moving Target Defense, for example, breaks completely away from the malware detection model and reliance on prior knowledge of the malware. It morphs the system runtime environment, making it impossible for the attack to find and exploit the memory resource it is targeting. It turns the attack’s greatest strength, the exploitation of a memory resource, into its greatest weakness.
There are several advantages to this model of prevention.
First, it is immune to the attack technique. All attacks must attack a resource and if they can’t find it, they can’t complete the attack.
Analysis of several advanced attacks illustrate this:
Second, it is impervious to future attacks. Attackers know how detection tools work and design attacks to evade them. But if the means of preventing the attack don’t involve detection, their new attacks are impotent.
Third, it is simple in execution. There are no signatures, configurations, or rules and no exposure to errors of detection (false positives and negatives).
In fact, the issue of simplicity in cybersecurity warrants its own discussion. There is much talk from experts about baking security into a business, but what about baking business objectives into security models?
Another good question with good answers…more about that, and some case studies on deck for next month!