20 Feb Study on Fileless Attacks Underscores Risk of Over-Reliance on Endpoint Security
The fileless attack is a prime example of security threat evolution and the ability of adversaries to identify new and vulnerable paths of attack.
“Rather than using downloadable files, such as malicious executables, fileless attacks use exploits, macros, scripts, or legitimate system tools, instead,” according to a new study by the Poneman Institute, titled, The 2017 State of Endpoint Security Risk.
Such attacks are designed to be launched from system memory, never touching the local file system and therefore bypassing many malware identification solutions. Once a machine is compromised, it can be used to gain access to “legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network.”
The findings stem from a survey of 665 leaders from across IT and security with several key findings. Below are some of the results that stood out for us.
1) As attacks evolve, so too should protection
Most respondents (68%) indicated that “new and unknown threats” have increased significantly. About one-third noted traditional solutions that rely solely on signature analysis or file scanning are not enough to provide adequate protection.
This is why we advocate multiple methods of detection – as part of a layered security posture –to identify known, unknown, and new and emerging threats.
No one is advocating a total departure from signatures, as signatures are still the most effective method for rapid identification of known threats. For example, a signature was published for the exploit at the heart of the Equifax incident, which could have potentially warded off the threat even as the organization worked through its patch and change management process. The best strategy is to employ multiple detection techniques to ensure protection against known and emerging threats.
2) Fileless attacks are a dangerous evolution
Fileless attacks appear to be gaining traction as a means of attack because they are effective in evading many popular forms of detection. More than half (54%) of respondents said adversaries had “successfully compromised” endpoints within their organization over the last year or so. Of those that had faced such attacks, about three-quarters (77%) said the attack or exploit was fileless.
“When you look at the two bodies of technology, the older and the newer endpoint protection products, there’s a common factor – they are all file-based. They both still need a file to look at. This is what led to the development of fileless attacks,” he wrote.
This is in part, why we believe an additional method of detection focused on network behavior can make a real impact. If the point of a cyber attack is to steal data, for example, it’s harder to mask that action as normal. Once a baseline is determined for normal network behavior, anomalies tend to stand out.
If two machines that never previously communicated suddenly start talking to each other and trading sizable volumes of data, that’s going to leave network traces whether the attack was launched from a downloaded executable or fileless vector.
Also see these related posts:
5 Creative Ways to Solve the Cybersecurity Talent Shortage
The Bricata Solution for Financial Services [data sheet]
5 Ways Bricata Helps Defend Against Laterally-Spreading Ransomware [case study]
3) Reducing cybersecurity complexity is crucial
The findings suggest cybersecurity professionals have crucial need to reduce the complexity of management and deluge of alerts. The survey found organizations have “an average of seven different software agents installed on endpoints.”
These agents tend to initiate “noisy” alerts that are time-consuming to sort through and investigate whether or not the alert is a real threat or a false positive. Nearly half of all security alerts (48%) are false positives according to the study which noted these are the most significant “hidden cost” in protecting endpoints.
This means security is becoming “more difficult and costly” and placing an “untenable strain on staff.” Seventy-three percent said, “it has become more difficult for their organization to effectively manage endpoint risk.”
From the Bricata perspective, this is why a defense in depth is so important. Enterprises should consider methods of detection to examine threats inside the network because they can and do slip past the endpoint. Further, all these tools should be sharing data.
To that end, integration is rapidly becoming paramount in cybersecurity, especially as security professionals realize the SEIMs haven’t been able to provide the level of data correlation for which the industry had hoped. The quality of an analysis is limited by the quality of the data.
It high time for the industry to recognize that alert data is the intellectual property of the enterprise. As such, cybersecurity solutions must be designed with the inherent flexibility for security operations to use it as they deem fit.
4) The million price of a successful attack
The survey put the price tag of a successful attack at more than $5 million. The study was precise in saying on average such attacks accounted for total costs of $5,010,600. It breaks out the attribution of such costs across the following six categories:
- 30% to loss of productivity
- 25% to system downtime
- 23% to theft of information
- 10% to damage to the IT infrastructure
- 8% to brand damage or loss of reputation
- 5% to lawsuits, fines and regulatory actions
This cost estimate is fairly consistent with a previous survey also conducted by Poneman in 2017. That study put the cost of a breach at between $3.62 million globally and $7.35 for U.S.-based organizations.
* * *
If you enjoyed this post, you might also like:
4 Considerations for Evaluation an Intrusion Detection System