According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware solutions. For example, attackers can use stolen administrator credentials to roam virtually unchecked if the victim does not have a method of detecting that the authorized person the account is really assigned to isn’t the one behind the activity. More complex techniques like macro-based scripting attacks or attacks where code only executes in memory may go undetected as well, as they require a much more sophisticated approach to identify and contain than traditional attacks that can be intercepted by detecting the execution of malicious software or the use of malicious files.
While organizations with sufficient resources may pivot fairly quickly to combat malware-free attacks, it’s not easy for organizations with limited budgets and no security staff. Even if you’ve invested in a reputable anti-malware solution and have restricted users from installing software – even if you’ve employed white-listing – you could still be at risk.
Below are three recommendations organizations should consider adding to their arsenal to help combat this rise in malware-free attacks:
- Subscribe to robust “next-generation” endpoint cybersecurity solutions that are capable of analyzing behavior patterns in real time. Good solutions are anchored in the cloud, run 24/7, and are rapidly scalable. They are usually managed by the solution provider, are relatively affordable, and are designed to be easily deployed in any environment – even without skilled IT staff.
- Collect and monitor as much network and application traffic as possible. Unless you’re a large organization that can afford to maintain a Security Operations Centers (SOC) to analyze the data in real time, you will likely be looking at outsourcing this workload to a Managed Security Service Provider (“MSSP”) who collects it in a SIEM. Collecting and monitoring log data in as close to real-time as possible is critical to detecting adversarial behavior on your network. While 24/7 continuous monitoring is not an inexpensive service, outsourcing this will likely be less expensive than managing it yourself. The value of having this level visibility in your environment cannot be understated.
- Control the use of scripting, and secure the scripts you need to use as much as possible. For example, sophisticated attackers may send you documents embedded with malicious macros that, when enabled, leverage allowed command-line shells such as PowerShell to execute the attack using only scripts. PowerShell can be made more secure, but these measures alone will not be enough to prevent a script-based attack; this is merely another layer in the onion. While PowerShell is limited to Microsoft systems, that doesn’t mean Mac users aren’t at risk; AppleScript and Python can be used in malware-free attacks as well.
As the cyber threat landscape evolves, so must our security plans. The risks we remediate today may end up being risks again tomorrow!