The Changing Attack Landscape and Foiling Detection Evasion

Cybersecurity is an ever-shifting landscape of attack and counterattack. Cyber criminals explore new ways to launch attacks, which security solution providers counter with protective measures, only for cyber threat actors to find new and more sophisticated attack vectors that get around those protective measures.

Leading cybersecurity firm F-Secure, based in Finland, identified three trending threats that represent some recent iterations of this process in the 2020 edition of their “Attack Landscape Update.” Those threats are:

  1. Ransomware 2.0
  2. Infostealers and automated recon
  3. Dodging detection

Ransomware 2.0

As we reported in a previous post, one of the strongest trends seen in 2020 was the evolution of ransomware to include a “double extortion” feature: the hackers steal the victim’s data before encrypting it, which gives them an added lever, the threat to reveal or sell the stolen data if the victim doesn’t pay up. F-Secure reports that 40% of the ransomware families / unique variants that they tracked in 2020 included exfiltration capabilities that allow data to be stolen before access to it is locked. Some attackers have further upped the extortion quotient by demanding an additional payment after the first ransom was paid, in return for promises to delete the exfiltrated data.

Of course, even if the victim pays, they have no guarantee that the bad guys have actually deleted the data – promises notwithstanding, they may very well keep copies for other uses.

Infostealers and Automated Recon

An increasingly popular kind of malware is the “infostealer,” a trojan that allows the attacker to gather many different kinds of information about the target. Infostealers often steal login credentials, which may give the attacker access to other servers and help both with downloading more data and with mapping the network topology. One of the top malware threats in 2020, Lokibot, is an infostealer that can steal credentials from a wide variety of sources once it has gained access to a system. It also contains a keylogger that further enables credential theft.

The growing popularity of infostealers makes network microsegmentation essential, since it can minimize the damage a hacker can do if they infiltrate the company network.

Dodging Detection

One of the 2020 trends that is continuing into 2021 is that attackers are finding new ways to evade detection protocols and avoid getting caught in sandboxes. The researchers at F-Secure identified five different ways cyberthieves attempt to avoid detection:

  1. Mouse and audio settings. Attackers don’t want their trojans to be exposed by trying to operate in a sandbox. Some malware now checks for keyboard or mouse activity before running. If there is no keyboard or mouse activity, the malware “assumes” that it’s in a sandbox, and will not run.
  2. Checking execution time. Some malware checks the time required for execution. Faster than expected execution times could indicate that it is in a sandbox; slower than expected could indicate the file is being subject to analyst review.
  3. Password protection. Some malware is now equipped with password protection that keeps it from running automatically in a sandbox.
  4. Bypassing DNS filtering via Google. Many organizations use DNS filtering to block malicious websites. DNS filtering typically does not block Google, however, so some attackers send their DNS requests to Google, including the request for the malicious domain. The reply from Google contains the malware–and avoids the filter because it’s coming from Google.
  5. Fileless attacks. Most antivirus software is set up to inspect files and find and neutralize those that are suspicious. Some malware has successfully evaded such detection by being stored as split registry keys.
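
Item 4 describes DNS filtering being sidestepped because the lookups go to Google rather than to the organization’s own resolver. Lookups of that kind travel as ordinary HTTPS to a public DNS-over-HTTPS (DoH) endpoint, so the place a defender can still see them is the web proxy log. The script below is an added example, not code from F-Secure’s report or from Ericom: it scans proxy log lines for the documented DoH endpoints of Google Public DNS (dns.google) and, generalizing the point to a second public resolver, Cloudflare (cloudflare-dns.com), matches the RFC 8484 content types, and recovers the queried name when it is visible in the URL, either as the JSON API’s `name` parameter or inside the base64url-encoded wire-format query. The log format and the log lines are constructed for the example.

```python
"""Flag DNS-over-HTTPS (DoH) lookups in web-proxy logs.

DNS filtering sees nothing when a client resolves names through a public DoH
resolver, because the lookup is just another HTTPS request. This example flags
requests to well-known DoH endpoints and content types and, where possible,
recovers the queried name so the bypass can be alerted on with context.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Documented DoH endpoints of two public resolvers (deliberately short list).
DOH_ENDPOINTS = {
    "dns.google": {"/dns-query", "/resolve"},
    "cloudflare-dns.com": {"/dns-query"},
}
# RFC 8484 wire-format media type, plus the JSON type used by Google's /resolve API.
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}

# Constructed log format (an assumption for this example): client method url content-type
LOG_LINE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ctype>\S+)$")

# Constructed sample log. The third entry reuses the RFC 8484 example query for www.example.com.
SAMPLE_LOG = """\
10.0.0.5 GET https://www.example.com/index.html text/html
10.0.0.5 GET https://dns.google/resolve?name=malicious-example.test&type=A application/dns-json
10.0.0.7 POST https://dns.google/dns-query application/dns-message
10.0.0.9 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message
10.0.0.11 GET https://docs.example.com/report.pdf application/pdf
""".splitlines()


@dataclass
class DohHit:
    client: str
    resolver: str
    queried_name: Optional[str]  # None when the query travels in a POST body


def qname_from_wire(b64: str) -> Optional[str]:
    """Return the first question name from a base64url DNS message (RFC 8484 GET form)."""
    try:
        raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 13:  # 12-byte header plus at least a root label
        return None
    labels, pos = [], 12
    while pos < len(raw):
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        # Compression pointers (>= 0xC0) or truncated labels: refuse to guess.
        if length >= 64 or pos + length > len(raw):
            return None
        labels.append(raw[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None  # ran off the end before the terminating zero label
    return ".".join(labels) or None


def classify(line: str) -> Optional[DohHit]:
    """Return a DohHit if the log line is a DoH request, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host, path = parts.hostname or "", parts.path
    endpoint_hit = host in DOH_ENDPOINTS and path in DOH_ENDPOINTS[host]
    ctype_hit = m.group("ctype").lower() in DOH_CONTENT_TYPES
    if not (endpoint_hit or ctype_hit):
        return None
    params = parse_qs(parts.query)
    name = params.get("name", [None])[0]           # JSON API: ?name=<qname>
    if name is None and "dns" in params:            # wire format: ?dns=<base64url message>
        name = qname_from_wire(params["dns"][0])
    return DohHit(client=m.group("client"), resolver=host, queried_name=name)


def scan(lines) -> List[DohHit]:
    """Run classify() over every line and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.resolver} ({hit.queried_name or 'name in body'})")
```

Run against the constructed log it flags three requests: the JSON-API lookup of `malicious-example.test`, a POST whose query is in the body and so cannot be named from the URL alone, and the Cloudflare GET whose wire-format query decodes to `www.example.com`. In a real deployment the matching would be fed from the proxy’s own log format, and the endpoint list would include whichever public resolvers the organization has decided to block or log.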

These examples show how clever cybercriminals are at defeating conventional malware defense perimeters. All of this points to the need for a different approach to cybersecurity: Zero Trust.

Foiling Ransomware and Detection Evasion

The more clever cybercriminals become at deploying techniques to evade detection, the more important it becomes to have cybersecurity defenses that do not rely solely on detection. A Zero Trust approach treats all traffic, internal or external, as suspicious and potentially dangerous. Microsegmentation, mentioned above, can help minimize damage by putting strict, least-privilege limits on the things that internal traffic can do, the data it can access and the resources it can use.

Remote Browser Isolation (RBI) is a technique that minimizes the need for detection, since it prevents threats from getting into your network at all. RBI routes browser traffic through an isolated container in the cloud. Website content never reaches the user device: it is opened by a virtual browser in the container, and only safe rendering data reaches the endpoint browser, where the user’s experience is exactly as it would be with the actual site content–only risk-free. After each session the container is destroyed, along with any malware that was hidden in the site code. Ericom’s RBI solution also intercepts webmail attachments and downloads from sites, sanitizes them by removing malicious components, and then passes them on to the end user with the desired native functionality intact.

The unfortunate reality is that legacy cybersecurity defenses are inadequate to protect you against newly emerging threats. Moving to a Zero Trust approach will help you get ahead–and stay ahead–of the frustrating, never-ending and costly cybersecurity “cat and mouse” game that a detection-only approach to cyber defense forces users to play.

Mendy Newman

Group CTO, International | Ericom Software