Information security will continue to be a growing problem for many enterprises and organizations throughout 2018, a fact that’s been well documented by trusted industry sources like the Information Security Forum. This is partially because enterprise networks are expanding outside the confines of the office which makes them harder for security teams to defend. It’s also due to the relentless ingenuity and sophistication of endpoint security cyber criminals, who have devised a range of new and evolved attacks methods to exploit these expanding, often poorly protected networks. There are a number of important features of the new threat landscape that warrant particular concern and attention.
First is the increasing number and complexity of malware threats. Though ransomware attacks captured the public imagination in 2017, it’s just one piece of a now commodified approach to malware dissemination that will continue to vex defenders through 2018 and beyond. Take for example the rising popularity of “exploit kits” on the dark web. These exploit kits can be purchased for as little as $85 dollars a day and make it possible for even amateur hackers to utilize repacked malware code that’s invisible by legacy endpoint protection platform (EPP).
These kits, part of a broader trend referred to “Crime-as-a-Service” (CaaS), offer a highly-accessible, highly-configurable means of launching targeted cyberattacks. Rich in user-friendly features, including the ability to automatically identify suitable targets and filter those targets by IP address or location, they require very little experience to use successfully. This new model of spreading malware, in which experienced coders devise new variants for less experienced hackers to launch attacks, has contributed to an explosion in the number of new malware threats — approximately 285,000 in a single day — according to certain industry statistics. It’s not just the number of these variants that makes detection with legacy EPP solutions so difficult, but the speed at which they’re produced. According to Verizon’s Data Breach Investigation, up to 99% of these variants are used for 58 seconds or less before being cycled out for a new one.
Malware polymorphism is another key challenge. Polymorphism refers to viruses, worms, bots, and other types of malware that can change identifiable characteristics like their filename and encryption keys to evade detection. Though polymorphic malware design has existed since the early 1990s, new and aggressive strains have emerged in recent years that pose a greater challenge to traditional endpoint protection platform. The Virlock virus is particularly successful example of this new breed of polymorphic malware. A ransomware/parasitic virus hybrid, Virlock is able to decrypt specific pieces of its own code as needed, and then re-encrypt those parts using a unique encryption key in order to remain undetectable as it infects files and locks up systems for ransom. These polymorphic threats are extremely adept at avoiding detection by signature-based EPPs, and are invisible by up to three quarters of traditional AV scanners.
Another critical aspect of the new threat landscape is the growing threat from the fileless attack, also known as zero-footprint attacks, or non-malware attacks. These attacks exploit vulnerabilities in otherwise trusted applications, like Flash, PowerShell, or Windows Management Instrumentation to run act as a cover for malicious code. Because fileless attacks disguise themselves in legitimate process, they have a ten times higher chance of succeeding than file-based attacks.
The new threat landscape requires an endpoint security solution with capabilities that go far beyond what traditional EPPs can provide. This new security paradigm, called active threat management, combines predictive analytics, in-memory behavior analysis, and machine learning algorithms to detect and predict threats no matter where they’re located — on disks, in memory, or hidden within in operating system process. Active threat management solutions like Countertack’s Digital DNA proactively monitor each aspect of the system, reverse engineer suspicious code to gather information, and then map the results of that analysis against a database of malware and non-malware software to determine its threat level — all in real time.
Active threat management solutions are not only capable of providing protection against the 90% of endpoint security threats that have never been seen or studied before, they can also do so quickly and reliably. By providing a high degree of endpoint visibility and insight, they can almost eliminate the lengthy process of quarantining affected systems and performing digital forensics analysis, helping reduce the time that a threat actor has undetected access to your system from months down to minutes. Active threat management systems are perfectly suited to identifying and countering the next-generation of endpoint security attacks, like the ones explored above, making them the next logical step in the escalating war with cyber criminals.