Tricks of the trade

John Shier, senior security adviser at Sophos, answers questions about the cyber security and cyber threat landscape in 2020

1. What kind of security incidents are today’s detection systems designed to spot?
Most modern endpoint security software is designed to block both known and unknown threats using different technologies. Generally, blocking known threats is the job of traditional security software (e.g. antivirus). If we’ve seen the malware (or malware family) before, we can quickly convict a file with a very high degree of confidence and low false positive rate.

Unknown threats today are most often caught by using machine learning (ML). ML engines are trained to recognize threats based on millions of examples of good and bad files and the engine will make its decision based on examining millions of features (e.g. file type, size, compression etc.) to determine the probability of it being benign or malicious. ML is also incredibly powerful against threats at scale – some malware families routinely send out hundreds of unique variants daily and ML is very effective at large volume detection.

Finally, behavioural characteristics are examined and assessed. If neither traditional nor ML-enhanced engines find enough reason to convict a threat based on how it looks, the behavioural engine can convict a threat based on how it acts. When combined with network-level detection and visibility, these systems are very effective against today’s complex threats.

2. What tools and techniques are cyber attackers using to circumvent security detection systems? What kind of attack vectors are they using?
A couple of ways in which cybercriminals attempt to bypass endpoint technologies are by using obfuscation or misdirection. Obfuscation aims to hide the true nature of the file from the detection engine by encrypting or encoding the program, with some malware using multiple layers of obfuscation to frustrate analysis.

Misdirection is used to fool the system into thinking it’s running a benign program, which it does initially, instead of something overtly malicious. This is frequently done by leveraging legitimate, installed applications (e.g. PowerShell) to launch additional processes and fetch malicious payloads from the internet.

We have some capability in deobfuscating malicious programs, and where it’s not possible behavioural detection can be used.

The most common way to circumvent a security system is to attack vulnerable software or the user. Attacking the user is usually done via phishing campaigns and/or malicious documents. It’s worth noting that while most malicious documents come from phishing campaigns, not all phishing campaigns contain malicious documents.

A typical phishing campaign’s objective is credential theft and malicious documents can be the vector for all sorts of malware including, but not limited to, keyloggers, credential stealers, downloaders/droppers and ransomware.

Attacking vulnerable (i.e. unpatched) software is also a common tactic used by cybercriminals. They can use search tools to scan the internet for potential victims and then launch automated attacks against the vulnerable targets. Once inside, the criminals often switch to manual mode where they use different tools to move laterally, elevate privilege and establish persistence.
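The behavioural layer from answer 1 and the "misdirection" pattern from answer 2 (a legitimate application such as PowerShell launched to fetch something from the internet) can be illustrated with a small detection routine. The following is an added example written for this article; it is not Sophos code and not part of the interview. The events, process names and addresses are constructed for the illustration, and the rule logic (flag a script host that makes a network connection only when a second indicator is present, such as a document application in its ancestry or an encoded command line) is an assumption about how such a rule might be written, not a description of any product's engine.

```python
"""Toy behavioural detection over a constructed process-event log.

Added example; not Sophos code. Events below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Constructed sample events: one process start or one network connection each.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc <base64 blob>"},
    {"type": "network", "pid": 300, "dest": "198.51.100.7:443"},
    # Routine admin use of the same binary: no document parent, plain script file.
    {"type": "process", "pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\admin\\inventory.ps1"},
    {"type": "network", "pid": 400, "dest": "10.0.0.5:5985"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    pid: int
    chain: list     # image names from the root process down to the flagged one
    reasons: list   # indicators that together justified the alert


def build_process_table(events):
    """Map pid -> process-start event so ancestry can be walked."""
    return {ev["pid"]: ev for ev in events if ev["type"] == "process"}


def ancestry(table, pid):
    """Image names from the given pid up to the root (child first)."""
    chain, seen = [], set()
    while pid in table and pid not in seen:   # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(table[pid]["image"].lower())
        pid = table[pid]["ppid"]
    return chain


def detect(events):
    """Alert on script hosts that touch the network AND show a second indicator."""
    table = build_process_table(events)
    alerts = []
    for ev in events:
        if ev["type"] != "network":
            continue
        proc = table.get(ev["pid"])
        if proc is None or proc["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(table, ev["pid"])
        reasons = ["script host %s connected to %s" % (chain[0], ev["dest"])]
        if any(img in OFFICE_APPS for img in chain[1:]):
            reasons.append("launched under a document application")
        if "-enc" in proc.get("cmdline", "").lower():
            reasons.append("encoded command line")
        # A lone network connection from PowerShell is normal in most estates;
        # require at least one more indicator before convicting on behaviour.
        if len(reasons) >= 2:
            alerts.append(Alert(ev["pid"], list(reversed(chain)), reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert.pid, " -> ".join(alert.chain), alert.reasons)
```

Running it flags only pid 300 (explorer.exe -> WINWORD.EXE -> powershell.exe with an encoded command line and an outbound connection); the administrator's PowerShell run from the desktop is left alone. That asymmetry is the point of a behavioural rule: the same binary, and the same file hash, is benign or suspicious depending on how it got there and what it does next.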

3. How do cyber attackers manage to remain undetected inside victim networks for extended periods of time?
There are many reasons why an attacker may remain undetected inside a network, but for the most part lack of visibility is to blame. This can manifest itself in different ways.

One way is to deliberately leave systems unprotected. We see this all too often and without any detection software installed, you will likely never see the intruder in your network.

Another way is to have so much noise in your network that you don’t know what good looks like and can’t filter it out. We see this in large, open networks where everything can talk to everything else on any protocol.

Somewhere in the middle are the more advanced attackers who use knowledge of your environment to move around undetected. They will use your credentials, existing applications and approved systems to infiltrate your network and exfiltrate your data. To all intents and purposes, they are you.
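Two of the visibility failures described in answer 3 (not knowing what "good" looks like in a noisy, flat network, and an attacker reusing your own credentials and approved systems) are usually addressed by the same thing: a baseline of normal host-to-host traffic against which new connections stand out. The block below is an added example for this article, not Sophos code and not from the interview. The host names, ports and flow records are constructed, and the split into a "learning" window and a later window is an assumption made for the illustration.

```python
"""Baseline-and-deviation check over constructed connection records.

Added example; not Sophos code. All flows below are constructed.
"""
from collections import defaultdict

# Constructed flow records: (source host, destination host, destination port).
# The learning window stands in for a period believed to be normal operation.
LEARNING_FLOWS = [
    ("ws-01", "fileserver", 445), ("ws-01", "dc-01", 389), ("ws-01", "proxy", 8080),
    ("ws-02", "fileserver", 445), ("ws-02", "dc-01", 389), ("ws-02", "proxy", 8080),
    ("admin-01", "dc-01", 3389), ("admin-01", "fileserver", 3389),
]

# A later window: the same workstations, plus flows that never appeared before.
NEW_FLOWS = [
    ("ws-01", "fileserver", 445), ("ws-01", "proxy", 8080),
    ("ws-02", "ws-01", 445),      # workstation-to-workstation SMB
    ("ws-02", "dc-01", 3389),     # a workstation opening RDP to a domain controller
    ("ws-02", "fileserver", 445),
    ("admin-01", "dc-01", 3389),  # already in the baseline: the admin's normal RDP
]

# Ports that an attacker moving with valid credentials would typically use.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}


def learn_baseline(flows):
    """The set of (src, dst, port) triples seen during normal operation."""
    return set(flows)


def deviations(baseline, flows):
    """Flows absent from the baseline, each annotated with why it matters."""
    findings, seen = [], set()
    for src, dst, port in flows:
        key = (src, dst, port)
        if key in baseline or key in seen:
            continue
        seen.add(key)
        findings.append((src, dst, port, LATERAL_PORTS.get(port, "unbaselined")))
    return findings


def fan_out(flows):
    """Distinct destinations per source host; in a flat network this is how you
    find the hosts that 'talk to everything' and should be segmented first."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for src, dst, port, note in deviations(baseline, NEW_FLOWS):
        print(f"new flow {src} -> {dst}:{port} ({note})")
    print(fan_out(NEW_FLOWS))
```

Two flows are reported, both from ws-02: SMB to another workstation and RDP to a domain controller, while admin-01's RDP session is accepted because it was in the baseline. The caveat is the one the answer implies: a baseline learned while the intruder is already inside simply records their activity as normal, so the learning window needs to be reviewed, not just recorded.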

4. So, what are defenders to do?
As always, prevention is key. Think of prevention not only in technological terms but also organisational processes. Some criminals like to infiltrate organisations by using malicious documents (maldocs). The human resources department, for one, needs to open unsolicited documents daily. How do you protect them while still allowing business to continue?

One way is to use a dedicated system (physical or virtual) to receive and open these documents – a process change. Another is to deploy sandboxing to your email gateway to prevent maldocs arriving in the inbox in the first place – a technological change. In the case of business email compromise (BEC), a simple phone call – a process change – can be the difference between catching a scammer and going out of business.

Part of prevention is to reduce your attack surface area. This means reducing the amount of exposed services (e.g. Remote Desktop), unprotected or unpatched systems and applications, and weak authentication (e.g. simple passwords, no multi-factor authentication). Many organisations get attacked by ransomware groups because they fall short in one or more of these areas and are vulnerable. Think of it as a criminal pentest. If you make it harder for the criminals, they will often move on to the next target.

After prevention comes detection and remediation. These two go together, as you will want to remediate any threat you discover lurking in your network. Endpoint Detection and Response (EDR) products simplify the task of hunting for existing threats and either advise you on how to clean up the threat or proactively remediate it for you.

Tools like EDR, however, are part of a more mature security organisation’s toolbox. If you haven’t addressed prevention, then EDR by itself won’t be nearly as effective. If you don’t have the in-house capabilities for managing an EDR system, there are managed EDR services (i.e. Sophos MTR) that can do it for you.

So far, I’ve focused on the endpoint, but you will want to ensure your network is protected as well. Many endpoint protection technologies are also implemented in next-gen firewalls, in addition to bespoke network protections. Better yet, if you integrate your network protection with your endpoint protection (i.e. with Sophos Synchronized Security), you will be able to prevent, detect and remediate threats no matter where they occur in your environment.

This advice is by no means exhaustive, as I haven’t touched on things like DevOps, creating a security culture or supply chain integrity. Think of this as a journey and not a destination. You will continually need to test your defences and make adjustments along the way, both technological and process-based. If you don’t, criminals will do it for you and you won’t get a friendly report when they’re done.
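The attack-surface paragraph in answer 4 lists exposed services (Remote Desktop is its example) as the first thing to reduce. One concrete way to find them on a Linux host is to audit the listening sockets against the short list of ports you intend to expose. The block below is an added example written for this article, not Sophos code and not from the interview; it parses text in the shape that `ss -tlnp` prints, but the sample output, process names and allowlist are constructed for the illustration.

```python
"""Exposed-listener audit over constructed `ss -tlnp` output.

Added example; not Sophos code. The sample output is constructed, not from a real host.
"""
import re

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      50     0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1340,fd=11))
LISTEN 0      4096   *:9200              *:*               users:(("java",pid=1500,fd=77))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(text):
    """Yield (address, port, process name) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue   # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)   # rsplit copes with [::]:22
        match = PROCESS_RE.search(line)
        yield addr, int(port), (match.group(1) if match else "?")


def exposed_listeners(text, allowed_ports):
    """Listeners bound to every interface whose port is not on the allowlist.

    Loopback-only services are skipped; the IPv4/IPv6 pair for one service is
    reported once. Returns a sorted list of (port, process) tuples.
    """
    findings = {}
    for addr, port, proc in parse_listeners(text):
        if addr not in WILDCARD_ADDRS or port in allowed_ports:
            continue
        findings.setdefault((port, proc), addr)
    return sorted(findings)


if __name__ == "__main__":
    # Constructed allowlist: only SSH and HTTPS are meant to be reachable.
    for port, proc in exposed_listeners(SAMPLE_SS_OUTPUT, {22, 443}):
        print(f"port {port} ({proc}) is listening on all interfaces and is not on the allowlist")
```

Against the sample, the audit reports the RDP listener on 3389 and the unplanned service on 9200, ignores the database that is bound to loopback, and does not double-count sshd. Run against real output, the interesting result is usually the listener nobody remembers deploying, which is exactly the kind of exposure the answer describes ransomware groups looking for.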
