Ransomware has been thrust into the global spotlight, with attacks such as WannaCrypt dominating the headlines over the last few months. Now, ransomware is using ever more elusive methods to make its way past the traditional defence methods and infect machines.
We speak to Tony Rowan, chief security consultant for endpoint protection company SentinelOne, about the latest developments in malware and ransomware attacks, and about why more than legacy antivirus is needed to protect an organisation.
In what ways are malware methods changing or becoming more sophisticated?
To some extent, malware infection methods are always evolving as advancements in security control techniques necessitate that attackers change in order to successfully continue infecting their victims. Traditional security methods have relied on examining a new file coming into contact with a system and making a decision on whether that file is good or bad at a single point in time. However, today’s attackers are looking to reduce the number of files available for security controls to assess and pass judgement on.
A report has outlined that there’s been a rise in ‘file-less’ cyber attacks, which leave no trace. Can you explain what these are and why this matters?
The Prudential Regulation Authority has called these file-less attacks the ‘silent risk’. They potentially offer much higher levels of risk than typical attack payloads such as ransomware. Ransomware is an attack on operational capability; it takes systems offline until a backup procedure has been successfully deployed. In the NHS we have seen this cause significant impact on patient care service levels; however, generally speaking, this type of attack is measured in inconvenience levels.
Silent threats have different goals, looking for intellectual property, Personally Identifiable Information (PII) and strategic intelligence. They are silent because they leave very little evidence of their attacks which could be used to detect an alert. They rely on being stealthy and resident for long periods of time to extract as much valuable information as possible. Unfortunately, an absence of evidence equals evidence of absence to many information security practitioners, allowing the perpetrators of these silent attacks long term unauthorised access to organisations.
Does the fact that these types of attacks are going mainstream mean that cyber criminals are getting better resourced or smarter in their methods?
There has always been a ‘hand-me-down’ of exploitation techniques used by the more sophisticated actors to those with less technical expertise. More recently, entrepreneurial criminals have been adopting the latest attack vectors and selling them on to criminal gangs who are closer to the physical end of the attack pattern. WannaCry is just one example of well-established criminal payloads taking advantage of nation state developed exploits.
What trends are you noticing with regard to new ransomware variants being developed?
There is a constant evolution in ransomware activity: new encryption techniques, new payment methods, new delivery mechanisms, different file types to encrypt, different payment values based on user profiling and so on. We will also see targets outside of Windows become more popular, and an uptake in cryptocurrencies other than Bitcoin as a payment option.
What about hybrid (or trident) attacks - can you explain what these are and the particular challenges they pose for cyber detection?
This behaviour can be explained as a hacker utilising file-less based attacks to get a foothold in a system before installing the file-based payload of other criminal groups. This is known as installs-as-a-service. The challenge here is that security controls may detect and block the file-based element of the attack and think they have stopped the attack. They may not realise there remains an ongoing infection in the form of a hidden payload.
How does understanding the nature of these attacks help organisations to defend against them?
To understand the nature of these attacks is to understand the best practices in information security. For many years ISO 27000 (amongst others) has recommended methods for being vigilant. Now, we have the GDPR and the NIS directives driving an approach that calls for continuous monitoring by state of the art technologies. This requires not just file-based security controls but also system-based behavioural inspection which will identify attacks regardless of the threat method in use, not just highly visible payloads like WannaCry or invisible silent threats.
What does this trend mean for static, signature-based methods of detection: does it support claims that AV is dead?
When the attack is file-based, static detection has a chance to block the attack. However, history tells us that AV does not necessarily provide protection when we need it. Signatures are just the tip of the iceberg of dependencies that static-based security has in being fit for purpose.
As a best practice and risk diligent endpoint defence, signature-dependent AV is dead. However, as a function of an advanced endpoint security strategy, it does have a role to play in continuing to filter out what it can and allowing the remaining threats to be scrutinised in a manner that is not limited by the type of file, the size of file or those silent threats which have no files or visible payload.
How can organisations get better at protecting against these evolving threats?
Laws and regulatory recommendations will drive organisations to get better at managing these silent risks. Organisations will have to mature, and accept that they can't prevent everything; instead they should invest in those controls that find the behaviours of an attack where little evidence was previously seen. This change in emphasis will restructure budgets and resources. Less will be spent on multiple network layers of similar prevention techniques and alerting tools, whilst more will be spent on the actual resource that needs protecting. Triage and escalation investigations will then be initiated by the actual displayed behaviour of the endpoint, not some vague indicator from an unrelated third party.
Tony Rowan, Chief Security Consultant, SentinelOne
Photo Credit: Andriano.cz/Shutterstock
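Two points in the interview above lend themselves to a worked illustration: a file-based control makes one decision per file at a single point in time, so a file-less foothold gives it nothing to judge, and in a hybrid attack blocking the dropped file can leave the foothold that dropped it running. The following is an added example written for this page; it is not code from the interview, from SentinelOne or from any product. It runs two toy controls over constructed process-creation telemetry (Sysmon-style fields, placeholder hashes, all invented here): a hash blocklist standing in for static detection, and a pair of behavioural rules that look at who launched what and with which arguments.

```python
import base64
import re
from dataclasses import dataclass

# Constructed process-creation record, reduced to the fields the rules need.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str
    sha256: str     # hash of the on-disk image (placeholder values below)

@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str

# Hypothetical blocklist: the only thing a purely file-based control consults.
HASH_BLOCKLIST = {"ff99-dropped-payload"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
# Argument patterns commonly seen when PowerShell is driven by an attacker
# rather than by an administrator's saved script.
SUSPICIOUS_PS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|"
    r"\biex\b|downloadstring|frombase64string", re.IGNORECASE)

def decoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or ''."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def static_verdicts(events, blocklist):
    """File-based check: one verdict per image hash, decided when the file loads."""
    return {e.pid: ("blocked" if e.sha256 in blocklist else "allowed") for e in events}

def behaviour_alerts(events):
    """Behavioural check: parent/child relationship and command-line content."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            alerts.append(Alert(e.pid, "office_spawns_script_host",
                                f"{parent.image} (pid {parent.pid}) -> {e.image}"))
        if e.image in {"powershell.exe", "pwsh.exe"}:
            text = e.cmdline + " " + decoded_command(e.cmdline)
            hits = [m.group(0) for m in SUSPICIOUS_PS.finditer(text)]
            if hits:
                alerts.append(Alert(e.pid, "suspicious_powershell_args", ", ".join(hits)))
    return alerts

def ongoing_infection(events, blocklist):
    """PIDs flagged by behaviour that the file-based control let run.
    A non-empty set is the hybrid case: the dropped file was blocked, but the
    file-less foothold that dropped it is still alive."""
    verdicts = static_verdicts(events, blocklist)
    return {a.pid for a in behaviour_alerts(events) if verdicts[a.pid] == "allowed"}

# Constructed telemetry: a macro document launches hidden PowerShell, whose
# encoded argument decodes to "IEX"; it then drops payload.exe. Pid 500 is a
# legitimate scheduled script, included to show the rules leave it alone.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe", "0a11-explorer"),
    ProcEvent(200, 100, "winword.exe",    'winword.exe "invoice.docm"', "0b22-winword"),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", "0c33-powershell"),
    ProcEvent(400, 300, "payload.exe",    "payload.exe", "ff99-dropped-payload"),
    ProcEvent(500, 100, "powershell.exe",
              r"powershell.exe -File C:\scripts\nightly-backup.ps1", "0c33-powershell"),
]

if __name__ == "__main__":
    print("static  :", static_verdicts(SAMPLE_EVENTS, HASH_BLOCKLIST))
    for a in behaviour_alerts(SAMPLE_EVENTS):
        print("behaviour:", a)
    print("still active despite the block:", ongoing_infection(SAMPLE_EVENTS, HASH_BLOCKLIST))
```

Running it, the hash check blocks only pid 400 (the dropped file) and allows everything else, because powershell.exe is a legitimate signed binary with a benign hash. The behavioural rules instead flag pid 300 twice, once for being spawned by Word and once for its hidden, encoded invocation, while the administrator's `-File` run in pid 500 raises nothing. `ongoing_infection` returns `{300}`: exactly the process a control that stopped at "file blocked" would have left running.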