By SecureWorld News Team
Tue | Mar 28, 2017 | 2:49 PM PDT

When 64% of security researchers say they've seen an increase in non-malware attacks in the past year, it's something to pay attention to.

According to Carbon Black's Beyond the Hype report, 93% of respondents agreed that non-malware attacks are posing a greater risk to their companies than traditional malware attacks.

Why? Because "fileless" malware uses programs already running on your system to do its bidding, these attacks can remain undetected and persist for longer periods of time.

Mike Viscuso, Co-founder and CTO of Carbon Black, told SecureWorld:

“Organizations should be concerned about stopping malicious behaviors exhibited on an enterprise, rather than just malicious files. To see and stop these behaviors, organizations should have the ability to see all activity of applications and services, communications among processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels. When a cluster of malicious activity is seen, it’s usually indicative of a larger attack. If security tools are looking for just malware, they are missing an entire class of attacks.”

What are these non-malware attacks composed of? Fifty-five percent are remote logins, 41% WMI-based attacks, and 39% in-memory attacks, among others.

Non-malware attacks can also be categorized as social engineering attacks using authorized protocols or applications, and they can bypass traditional AV protection that looks for suspicious files rather than behaviors.

In fact, two-thirds of security researchers in the study felt that legacy AV wouldn't be sufficient in protecting organizations from non-malware exploits.

One security researcher mentioned in the report offers insight into combating fileless attacks:

“Do more than just monitor files. It is critical that processes are also monitored. If you look at the command line and see what PowerShell is being used for, if the context doesn’t make sense, then investigate. Moreover, if you look at the command line and see text that looks like it is unrecognizable or random instead of just English, that also is a red flag. You can also look at the execution of the script. If a PowerShell script starts to run, it could be a red flag if it is exhibiting unusual behavior. For instance, if it is trying to access an inordinate amount of files very quickly or trying to communicate outside of your network then these are some telltale signs of an attack.”
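The command-line check the researcher describes can be approximated in a few lines of triage logic. This is an added example, not code from the report or from Carbon Black; the thresholds, function names, hostnames and sample events are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Thresholds are assumptions for this sketch; tune them against your own baseline.
MIN_TOKEN_LEN = 40   # short arguments are too noisy to score
ENTROPY_BITS = 4.5   # assumed cut-off; ordinary words and paths usually score lower
POWERSHELL = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())

def review_command_line(cmdline):
    """Return the reasons a PowerShell command line deserves a closer look."""
    if not POWERSHELL.search(cmdline):
        return []
    reasons = []
    for token in cmdline.split():
        token = token.strip("'\"")
        if len(token) < MIN_TOKEN_LEN:
            continue
        if BASE64ISH.match(token):
            reasons.append("long base64-like argument")
        elif shannon_entropy(token) >= ENTROPY_BITS:
            reasons.append("high-entropy argument")
    return reasons

# Constructed process-creation records (host, command line); the encoded
# argument is UTF-16LE base64 for the harmless command "Get-Date -Format s".
SAMPLE_EVENTS = [
    ("ws-014", r"powershell.exe -File C:\Scripts\Rotate-Logs.ps1 -Days 30"),
    ("ws-022", "powershell.exe -NoProfile -EncodedCommand "
               "RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHMA"),
    ("ws-031", r"notepad.exe C:\Users\alice\notes.txt"),
]

def triage(events):
    """Map host -> reasons for every event that needs investigation."""
    return {host: why for host, cmd in events if (why := review_command_line(cmd))}

if __name__ == "__main__":
    for host, why in triage(SAMPLE_EVENTS).items():
        print(host, why)
```

A hit is a prompt to investigate the process in context, as the quote says, not a verdict; legitimate automation also passes encoded arguments.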

While AI sounds appealing, the report also points out that it might not be a good solution either.

Seventy-four percent of respondents said that AI-driven security solutions are flawed, with high false positive rates. And 87% say that it will be at least three years before they would trust AI to have control in making decisions. 

In that case, we have a long way to go before AI can be of any benefit in thwarting behavior-based malware attacks.

“Cybersecurity researchers expect non-malware attacks to continue proliferating in 2017,” Viscuso said. “These attacks are working, especially at organizations relying on legacy antivirus as the main line of defense. Attackers are quickly evolving. So should our defenses.”
