That’s right, it’s not as good as it should be, but let’s redirect blame to the bad actors and the ingenious methods they use to evade your endpoint security. Hackers have been wedged into a corner with current technologies preventing attacks, forcing them to adapt to the current state of technology in security, and sometimes this means using your own good tools against you.
Wolf in Sheep’s Clothing
Conventional endpoint protection can use things like malware/virus signatures or how files are executed to observe, warn, report, and quarantine these threats. If a downloaded docx file matches a virus signature in your endpoint protection software, the software will quickly pick up the file and notify you that it’s been quarantined.
What happens when there is no match to anything in the software’s repository, or when software is behaving as it should? There is no quarantine, no warning, nothing to tell you that someone has gained access to your system by running an application as it was intended. I’m looking at you, Office Macros.
Here are a handful of methods that malicious actors presently use to waltz right by your endpoint detection software.
- Rootkits: These are advanced persistent threat (APT) tactics. The vector can vary, but most commonly it’s presented via phishing that directs a user to a site where they download and install a malicious file. These are dangerous in the extreme because they alter the system’s root-level kernel, and because the rootkit has altered the OS, your antivirus will think the activity is directed from the operating system and not a bad actor. Some rootkits can go so far as to create a clone of your current OS on top of the real OS but with the maliciously altered files.
- Reverse PowerShell: If a bad actor manages to get his or her hands on local admin credentials, PowerShell can be invoked to wreak havoc on a compromised machine. PowerShell was developed for Windows administrators as a legitimate application, much like command prompt. The sky is the limit for what an attacker can do with admin credentials and PowerShell. Recently our Managed Detection & Response team witnessed a phishing email that contained a macro-enabled Word document that opened command prompt, launched PowerShell, then commanded the PC to download a malicious file from the bad actor’s web site.
- Cryptomining Malware: 18 years ago a computing project for sharing CPU cycles for the simulation of protein folding, computational drug design, and other molecular computations was developed to aid science. You lent your machine’s idle time to science to crunch numbers for a great cause (Folding at Home); and this was done with your permission and knowledge. Cryptomining malware is very similar, except that it siphons CPU cycles from an unsuspecting victim, i.e. without your knowledge or permission. These cycles can be stolen from AWS resources, through malware born from phishing campaigns, or even through visits to malicious websites. Your antivirus isn’t going to let you know your machine performance is bad if legitimate processes are being used to steal resource time.
- Remote Desktop Vulnerabilities: RDP sessions normally require user credentials to connect to machines in your network. If your organization has a publicly accessible remote desktop service, an attacker could take advantage of an exploit to call the RDP session by running ‘tscon.exe’. This will launch the RDP session as SYSTEM and does not require credentials. In this case, it’s a legitimate user product, and your antivirus application is not going to distinguish use by a bad actor from use by a legitimate user.
- Ransomware: If you could give credit for ingenuity of malware during this decade, ransomware would finish in the top ten. Ransomware utilizes the encryption methods in your organization’s endpoints against you. Again, your antivirus is allowing native OS processes to run, so it’s hard-pressed to pick this up as malicious. These types of attacks can be kicked off via social engineering, phishing, or just web site visits with scripting to attack the victim. The machine is locked down and the user is presented with information on paying a ransom for his or her data or it will be destroyed.
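The macro-to-command-prompt-to-PowerShell chain described in the Reverse PowerShell item leaves a parent/child trail even though every binary in it is legitimate. The following Python is an added example, not code from the original article: it walks process ancestry in constructed process-creation records and flags shells or script hosts that descend from an Office application. The record fields (`pid`, `ppid`, `image`, `cmd`) and the `OFFICE` and `SHELLS` lists are assumptions.

```python
# Added example: flag shells/script hosts whose ancestry includes an Office app.
# EVENTS is constructed sample data; the field names are assumptions.
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}

EVENTS = [  # constructed process-creation records, oldest first
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": "WINWORD.EXE <constructed>.docm"},
    {"pid": 305, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c <constructed>"},
    {"pid": 410, "ppid": 305,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <constructed>"},
    {"pid": 520, "ppid": 100,  # admin opening PowerShell from the desktop
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
]

def basename(image):
    """Lower-cased file name of a Windows path, on any host OS."""
    return PureWindowsPath(image).name.lower()

def ancestry(pid, by_pid):
    """Image names from the process itself up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' stops loops in bad data
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def office_spawned_shells(events):
    """Return an alert for each shell that has an Office app as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if chain[0] in SHELLS and OFFICE.intersection(chain[1:]):
            alerts.append({"pid": e["pid"], "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for alert in office_spawned_shells(EVENTS):
        print(alert)
```

The PowerShell process started from the desktop (pid 520) is not flagged, which is the point: the binary is the same, only the lineage differs.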
Flying Under the Radar
Good malware will try its best to go undetected, and the longer the better as more victims fall prey. The bad actors who create malware are going to add bits of scripting so it stays undiscovered for as long as possible. Generally speaking, this is done in four ways.
- Delivery Methods: Just like the old prison break movies where the mother of a crook delivers her kid a cake with a crowbar baked into it, malicious code can be delivered in the same camouflaged method. Attackers can employ tactics like phishing or emailing non-viral attachments with bad macros to gain an unsuspecting upper hand.
- Covering Tracks/Evidence: Some of the tricks to keep admins and users from knowing anything has happened to an account or a system are altering log files or just outright deleting them, albeit the latter is incredibly noisy. In email hijacking, bad actors write mail rules to delete sent and incoming mail to obfuscate the traffic they’ve created, thus removing the chance that a user tips off IT that something might be wrong.
- Evasive Tactic: The use of applications and resources native to the OS can hide the attacker. As mentioned earlier, the use of legitimate system applications can aid a bad actor in pushing a user’s session to a site where a malicious payload can be delivered. This can also be run directly from macro-enabled Office documents, or anything that does not exhibit a conventional malware use case.
- Lateral Movement: If an attacker can leverage credentials, the attacker will have access to whatever that user had access to, and among the first steps an attacker will take will be to move laterally in an environment. Once malware has done its job, a bad actor will try to pivot to as many machines as possible to maintain persistence in the environment. The bigger the account type, the worse things can be. Someone holding the keys to the kingdom, a domain admin, who falls for a phish can lead to a very persistent foothold because the account can move anywhere in the environment, or it could spawn additional accounts with similar access rights.
Traditional antivirus is no longer effective as bad actors have found a myriad of methods to circumvent its defenses. It is incredibly important to leverage technology such as Artificial Intelligence (AI) and behavior modeling to identify the misuse of “trusted” applications and prevent the execution of attacks via threat vectors such as operating system and application feature misuse (scripting, macros) or when a fileless attack is launched in memory.
But the battle doesn’t stop there. Monitoring just your endpoints isn’t good enough; your organization needs to monitor its network activity, firewall access/denies, web site visits, etc. With the addition of a SIEM platform into your security environment, the logs, events, and alerts that your defenses throw will coalesce in one location, making the identification of incidents over events more plausible. By further trimming expected behavior out of the equation, identification of abnormal events and possibly incidents becomes easier and faster. Once you get to that stage, you truly have an effective endpoint strategy in place to keep your data – and your reputation – safe.