So far this year, IT security headlines have been dominated by two words: Meltdown and Spectre. Disclosure of the two massive CPU vulnerabilities has coincided with chip makers and OS providers scramblingemo to provide updates that fix the issues without causing other problems (with mixed results so far).
Of course, adding pressure to the situation is the fact that attackers are already testing malware samples that exploit these vulnerabilities. It’s a high-stakes race to the finish, and without stable patches, organizations are being reduced to the role of passive spectators with the potential for these attacks simply hanging over them.
While this “main event,” is getting more than its share of attention, the rest of the malware world isn’t standing by, holding its breath. Exploiting Meltdown and Spectre is just one priority that some attackers are working on. Others have plenty of additional initiatives that may not be as high profile, but are certainly just as dangerous.
As we’ve culled through attack data from the last 12 months we’ve identified three trends that are on the rise. The attack landscape is in the midst of a major shift towards the adoption of advanced, fileless techniques. The trends below provide a good indication of how that shift is playing out and where we see things headed in 2018:
1. More attacks are going “clickless,” bypassing user interaction altogether
For years, end-users have been considered the “weakest link” in IT security, and organizations have invested heavily in security awareness training to reduce the likelihood that employees would be lured into clicking a malicious link or attachment. Seeing that users are getting more wary and that success rates are decreasing for those older attack types, attackers have begun to take end-users out of the equation, launching an increasing number of clickless attacks.
Last year’s WannaCry and NotPetya outbreaks are two prominent examples, both of which avoided end-user interaction completely in favor of exploiting shared access points like Microsoft’s SMB and RDP ports that had been left open and vulnerable. EternalBlue and other ransomware tapped into these vulnerabilities, and we expect this trend to continue.
To prepare, security teams should start with the oldest security advice in the industry, ensuring that they are keeping up with patches, particularly for exposed services. Beyond that identify and limit access to open ports and implement tools that can spot malicious activity both on the network and the host.
2. Attackers are increasingly evading detection by “living off the land”
It’s one of the most aggravating forms of attack: using your own tools and processes as weapons. Known as “living off the land,” attackers are increasingly leveraging programs that are already on their targets to evade detection and actively spread infections.
NotPetya favored this method, using PSExec and Windows Management Instrumentation (WMI) to propagate. Other malware is increasingly hijacking PowerShell, Windows Credentials Editor (WCE), and Group Policy Objects (GPOs) among others. These tools don’t typically raise red flags because they are legitimate programs and won’t be caught by scanners, and because they are so useful in managing large networks. As a result, when they are the vector for infection or spread, they move quickly and go largely undetected. This ups the complexity for IT security teams because the line is blurring between malware and administrative tool. They are forced to re-evaluate the distribution and permissions on tools that they’ve always trusted.
To mitigate the risk of attacks from within, IT teams should disable unused tools and components, while deploying endpoint protection that doesn’t rely solely on file scanning or whitelisting, since those can easily be bypassed by hijacked system tools.
3. “Plug-and-play” worming components are on the rise
Malware campaigns are also leveraging more worm capabilities to spread laterally, making them a more formidable threat and extending their reach beyond the original infected network. WannaCry’s worm component, for example, spread ransomware to external victims, racking up some 400,000 infected machines in 150 countries in a very short time. And, it’s not just ransomware: other campaigns like Emotet, QakBot, and TrickBot have also leveraged these capabilities, harvesting or cracking credentials for remote use and to simplify propagation through network shares.
Removing this kind of malware can be extremely difficult because of its persistence capabilities. These campaigns leave behind back doors and scheduled tasks that reinstall themselves, disrupting the business all over again, like some recurring security nightmare.
This demands that IT teams shift their approach, looking beyond infection of a single endpoint. Now, that single machine can be turned into a malware slave, spreading itself automatically, quickly crippling entire networks—both internal and external. To reduce the risk of propagation, IT teams must invest in protection that can block infection at the outset. Waiting for evidence that a system has been compromised, either by watching the system or the network, creates the likelihood that the campaign has already metastasized across the network.
The bottom line is this: As the threat landscape shifts, so too must protections. The only truly effective means of defending against rapidly evolving attacks is to deploy solutions that can recognize common behaviors and elements that continue to be reused, and that will evolve along with them. Protection needs to automatically learn about new threats, and must enhance the protection they provide in real-time. By adopting tools that leverage machine learning and prioritizing prevention over recovery, we can get — and stay — one step ahead.