Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/4/2020
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Most Cyberattacks in 2019 Were Waged Without Malware

If the "malware-free" attack trajectory continues, it could mean major trouble for defenders, according to experts from CrowdStrike and other security companies.

A modern spin on the old-school hacker-behind-the-keyboard attack exceeded malware-borne ones worldwide last year, new incident report data from CrowdStrike shows.

Seasoned cybercriminals and nation-state attackers for some time now have been upping their game with new methods to mask their activities from security tools by blending in and posing as real users in the targeted organization's network - using stolen credentials and running legitimate tools to dig through victim systems and data, for instance. And for the first time in CrowdStrike's research and incident response engagement reporting, so-called "malware-free" attacks edged ahead of malware-based ones, at 51% to 49% in 2019. In 2018 and 2017, malware accounted for around 60% of all attacks globally, and malware-free attacks around 40%, according to CrowdStrike's data.

A malware-free attack in CrowdStrike's parlance is one where the method to gain entry into a victim organization doesn't employ a malicious file or file fragment to a computer disk. In addition to stolen credentials or legitimate tools, this type of attack also can execute code from memory and can only be detected with higher-level tools and techniques that spot unusual behavior, or via threat hunting.

Like the bad old days of hacking, much of the attack is driven by "hands-on keyboard" methods like command line interface, PowerShell, and hiding files and directories, according to CrowdStrike. "These techniques feature prominently in many sophisticated attacks, where a human adversary is engaged in the intrusion and is actively working toward an objective," according to the report

Security experts worry that if attackers double down on malware-free attacks, security tools - and ultimately, targeted organizations - will be overwhelmed and unable to thwart them.

Michael Sentonas, CTO of CrowdStrike, says these malware-free attacks have gradually increased as attackers have found ways to bypass traditional security tools. But the attackers aren't stopping at commodity antivirus software. "Now they're starting to bypass next-generation AV products as well. That's driving a big escalation in malware-free attacks," he says. "If that hits 60% and above, it's going to be a big problem. "

The problem is that most organizations don't have the technology to discern between a legitimate user or an attacker who has stolen his or her credentials, Sentonas notes. "I want to track over the next 12 months the malware-free piece to see if that's a real interesting [longer term] trend there," he says.

Rapid7 also has seen attackers forgo malware when infiltrating their targets. "They are using valid credentials or reusing credentials from other breaches. That's hard [to defend against]," says Tod Beardsley, director of research at Rapid7. "It's not something you can easily automate defense on."

To help combat these threats, he says, organization needs to empower end users to be part of a security culture. "You have to build trust between IT security and the user base. In that vein you are building a culture of vigilance," he says, where if you see something that looks suspicious, there's a clear step on what to do about it, whether confirming it out-of-band or reporting it to the right people.

Most malware-free attacks last year occurred in North America, where three-fourths of attacks didn't deploy malware to get inside the victim organization, according to CrowdStrike. "It will be interesting as we go through this year: Will malware-free attacks continue to rise, and will that correlate in dwell time [of attackers]?" says Sentonas. "If we see that as a two- to four-year trend, we have a problem. There are more and more ways to evade security controls."

That requires a defense that accounts for the human element. "Now more attackers are human," says Chester Wisniewski, a principal research scientist with security vendor Sophos. "That's why setting tripwires" to detect legitimate tools being used for nefarious purposes is key, he says. For example, if the Nmap network monitoring tool is spotted running on a Web server in the DMZ, that should be a red flag, he says. "No one should be running it ... in the server in the DMZ," he says.

If a legitimate security tool is running at a time other than when it should be used, that constitutes an incident, he says. "You're not the only one using these tools," he says, noting that the bad guys are as well.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "With New SOL4Ce Lab, Purdue U. and DoE Set Sights on National Security."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27314
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
CVE-2019-18630
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
CVE-2021-25344
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
CVE-2021-25345
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
CVE-2021-25346
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.