Skip to main content

Detecting and dealing with the stealthiest cyberattacks

Cyberattacks are getting smarter and stealthier as criminals and nation states use a combination of complex techniques to evade detection. The accepted reality now is that traditional protection techniques that rely on static signatures – such as Anti-Virus (AV) – or take a narrow view and ignore vectors like fileless based attacks, are simply no match for today’s threat landscape. So where does this leave organisations trying to protect against new, ever evolving variants of malware or exploits?

Cyberattacks: Targeting the endpoint

The endpoint remains one of the prime targets in any attack – which comprises a host of corporate devices from laptops to tablets, smartphones, servers or even a printer. Recent evidence points to the fact that these continue to be an organisation’s Achilles heel when it comes to security.

The endpoint acts as a gateway for hackers on their journey within the network. Once malware has executed within an endpoint, attackers can move freely within it. So the detection and protection has to occur on endpoints themselves. This is more important than ever in the era of BYOD, as users can easily connect their own devices to the corporate network. If they then connect an unsanctioned and infected device, the malware can move freely within the enterprise.

Threat evolution

It is a well-known fact that techniques used by cybercriminals are always evolving to stay one step ahead and, as the sophistication of malware grows so, too, do the challenges for organisations. Malware at its core hasn’t changed, however what is changing are the evasion techniques used by new forms of malware in order to steal valuable data from endpoints. A ‘Binder’ is a prime example of this; Binders are small software tools that merge two different .exe files into a single file. The execution of one .exe will simultaneously start the second executable in the background as well. These tools trick victims into opening a popular file that looks legitimate on the outside but is actually malicious inside.

Today, malware can be designed to be ‘context-aware’ and has the ability to detect whether it is moving through either a natural or a virtualised - sandbox - environment. Once this malware detects an abnormal environment, it actively evades detection by acting benign or sleeping for a defined period of time. From there, it lies dormant and attempts to interpret movements and decipher if the actions are from a human or an automated code scanner. This allows the malware to easily bypass traditional defences such as network sandboxes, sitting dormant until the coast is clear, then executing its payload.

Regaining control

On a positive note, as attacks have become more sophisticated in nature, so has endpoint protection and it may herald the death of AV. As AV is based on static analysis which looks at the fingerprint of a file, attackers can quickly adapt files to create something completely new and unknown, and these new variations can easily bypass the AV solution. It’s been estimated that AV can only flag approximately 45 per cent of cyber attacks, which means it is fast becoming an obsolete solution to today’s security challenges.

In its place, a new generation of endpoint security solutions is emerging through which organisations are reaping the benefits of innovative approaches such as behavioural analysis techniques. This new era of protection focuses on a real-time, proactive approach to endpoint security that is powered by machine learning and intelligent automation in order to effectively detect and protect all devices against the smartest of attacks. This new generation of endpoint protection presumes it knows nothing about the malware, rather, it observes its behaviour in order to flag activities that are seen as abnormalities and steps in the line of execution to deflect it completely.

Moreover, this new generation of solutions has remediation capabilities to reverse any modifications made by malware. This means that when files are modified or deleted, or where changes are made to configuration settings or systems files, the software has the ability to restore an endpoint to its pre-malware execution state.

In the fight back against the new age of ever adapting cyberattacks, this more dynamic and robust approach to endpoint protection is putting organisations firmly back in the driving seat in terms of their security.

Tomer Weingarten, CEO SentinelOne