In light of recent cyberattacks, including the Bad Rabbit malware, most IT and security professionals are asking themselves, “What can be done to reduce our potential risk exposure?” and, “How can we deal with a breach after it has occurred?” Other questions linger, too, such as, “Why are traditional protections like antivirus software, firewalls or HIPS failing to identify or block such threats?” Endpoint detection and response tools can help lead organizations to better answers.

Legacy Solutions Can’t Keep Up

Legacy solutions, such as older antivirus software, struggle to identify or block the latest sophisticated threats. At the time these solutions were built, malware was installed when a payload was dropped into a file system to execute its actions. These legacy security solutions, such as signature-based antivirus software, use file creation or access events as primary triggers for file scans to check for well-known code patterns.

But a significant percentage of today’s malware is designed with a combination of techniques to avoid detection and analysis. Fileless malware infection is increasingly the primary attack vehicle. A fileless attack is one that takes advantage of legitimate process vulnerabilities, such as making a browser run malicious code, leveraging Microsoft Word macros or using Microsoft’s PowerShell utility. Fileless malware is uniquely capable of escaping traditional radars because it runs directly in a computer’s RAM via carefully crafted PowerShell scripts, so there is no file on disk for a scan to trigger on.

How Today’s Malware Infiltrates

As many companies have discovered the hard way, legitimate operating system processes and applications have a number of vulnerabilities that attackers can exploit to infect a machine and then perform malicious activity, such as asking for a ransom or extracting sensitive information. Sadly, those gaps are evident only after the damage has been done.

An example of such a common malware infection mechanism is known as process impersonation, in which an attacker injects malicious code into a well-known application created by the operating system vendor or a third-party software company. This technique evades antivirus software and firewalls, which see only a legitimate, whitelisted application accessing the local file system or establishing an outbound connection.

In response to the recent malware evolution, modern endpoint protection technology should not rely on just one trigger event, but on sophisticated logic that detects patterns of related events. Each of these events may not appear malicious on its own, but together, occurring close in time and on the same process chain, they can be indicative of malicious intent.
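To make the difference between single-trigger and pattern-based detection concrete, here is an added example (not from the original article or any product it mentions) that runs two rules over a constructed process and network event log from one host: a single-trigger rule that fires on every PowerShell start, and a correlation rule that fires only when an Office application spawns a script host that then opens an outbound connection within a short window. The field names, process names and timestamps are assumptions chosen for the illustration.

```python
"""Single-trigger versus correlated (pattern-of-events) endpoint detection.

All telemetry below is constructed for illustration; the event schema is an
assumption, not any vendor's format.
"""
from datetime import datetime, timedelta

# Constructed events from one host: process starts and network connections.
EVENTS = [
    {"t": "2017-10-25T09:00:00", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"t": "2017-10-25T09:01:00", "type": "process", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"t": "2017-10-25T09:01:30", "type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"t": "2017-10-25T09:01:35", "type": "network", "pid": 300, "dst": "203.0.113.7", "port": 443},
    # A routine admin PowerShell session: also starts powershell, also talks on the network.
    {"t": "2017-10-25T10:00:00", "type": "process", "pid": 400, "ppid": 100, "image": "powershell.exe"},
    {"t": "2017-10-25T10:00:05", "type": "network", "pid": 400, "dst": "10.0.0.5", "port": 445},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=5)  # Office start -> script host connection must fit in here


def _ts(event):
    return datetime.fromisoformat(event["t"])


def single_trigger_alerts(events):
    """Legacy-style rule: alert on every script-host start. Noisy, and
    it cannot tell the admin session from the macro-launched one."""
    return [e["pid"] for e in events if e["type"] == "process" and e["image"] in SCRIPT_HOSTS]


def correlated_alerts(events):
    """Pattern rule: Office app -> script host child -> outbound connection,
    all within WINDOW. Returns (parent image, child image, destination) per hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "network":
            continue
        child = procs.get(e["pid"])
        if child is None or child["image"] not in SCRIPT_HOSTS:
            continue
        parent = procs.get(child["ppid"])
        if parent is None or parent["image"] not in OFFICE_APPS:
            continue
        if _ts(e) - _ts(parent) <= WINDOW:
            hits.append((parent["image"], child["image"], e["dst"]))
    return hits


if __name__ == "__main__":
    print("single-trigger:", single_trigger_alerts(EVENTS))  # two alerts, one is benign
    print("correlated:", correlated_alerts(EVENTS))          # only the Word -> PowerShell chain
```

The single-trigger rule raises two alerts of equal weight, while the correlation rule raises one, on the chain that matches the macro-to-PowerShell pattern described above; a real EDR product would add many more event types (file writes, registry changes, injected threads) to the same kind of chain.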

The Benefits of Adding Endpoint Detection and Response Capabilities

A new technology stream that aims to tackle the fundamental legacy mechanism issue at its root has recently emerged. Instead of claiming to be able to spot every possible current and future exploit, endpoint detection and response tools assist both before and after the breach.

Endpoint detection and response systems complement existing technology with mechanisms to detect, and in some cases prevent, malicious activity by monitoring techniques used by malware creators in recent attacks. They fill the gap using pattern-recognition technology powered by machine learning. Most importantly, they assume a breach can happen and provide robust forensics capability to help investigate attacks and their root causes.

Act Now!

The question on IT and security professionals’ minds is no longer if a breach will happen, but when. Some go to a more extreme conclusion: The unknown element is when you will discover that you have already been hacked. The latter opinion is based on lessons from recent breaches that were detected months after malware infiltrated a corporate network, essentially when most of the damage was already done.

Because the impact at the corporate and personal level can be very serious, IT leaders should strongly consider immediately adopting these technologies in their defense arsenals. These technologies assist in the detection, investigation and remediation phases of breaches. The remediation aspect is of extreme importance, since it allows for dealing immediately with a breach right after it is discovered, drastically reducing the possibility for further expansion of the malware and supporting continued business operations.
