By Dr Darren Williams, CEO and Founder Of Cyber-Security Firm, BlackFog
Antivirus software was born over 30 years ago when computers were still relatively new. At that time, antivirus software was king as it defended against one of the only existing threats – viruses. However, 30 years on much has changed – and in the world of technological advancements, three decades might as well be a lifetime.
The threat landscape we see today is vastly different and infinitely more sophisticated. Organisations must protect their devices not only from viruses and malware such as ransomware, but also malicious activities carried out by cybercriminals, including infecting Internet of Things (IoT) devices to perform DDoS attacks. That’s why the days of protecting yourself from bad actors using a single antivirus solution are now behind us. Fileless network protection is a key element to device security and an important part of the layered security strategy which is vital to protecting organisations today.
Signature Based Detection
Sophisticated (and not so sophisticated) attackers can today easily avoid detection from this signature-based software. As protection through an antivirus software is based upon prior knowledge of the attacker, naturally, cyber criminals are aware of this and attacks are now specifically designed to avoid this entire process. They now use fileless techniques to download random payloads and signatures to completely avoid detection. In fact, fileless based attacks are increasingly on the rise with 77% of successful attacks now using fileless exploits. And worryingly, fileless attacks are ten times more likely to succeed.
Traditional antivirus security products rely on signatures to detect and remove threats. This fingerprinting technology looks at every file on your device and generates a unique identification number, or signature. This signature is then compared to a database of known bad actors. When a match is found the offending file is removed.
These products scan an organisation’s filesystem and current processes looking for bad signatures. However, it is important to understand the limitations of this technique in terms of device and data protection.
Firstly, the bad actor needs to be identified. Just like in the real world, after a break-in the police have to arrive at the scene, investigate and take fingerprints and then compare them to a list of known criminals. This is no different in the digital world. It takes teams of people to identify, analyse and classify the problem.
Secondly, after it has been verified it can be added to a database and made available to clients. This takes time. Typically, the best-case scenario is around 4 hours however it is usually significantly longer taking up to 24 hours or more.
The problem is that the majority of cyber-attacks do the most damage within the first few hours, spreading across the globe rapidly. Recent examples include WannaCry and Petya. In fact, the WannaCry ransomware attack was, at the time, one of the most devastating and widespread cybersecurity incidents recorded. It took just four hours to spread across the NHS, ultimately affecting 34% of NHS trusts, as well as more than 600 primary care organisations in the UK. Total global losses resulting from the attack placed at anywhere between hundreds of millions to an eye-watering $4 billion. With devastating cost and reputational impact organisations simply can’t hesitate when it comes to stopping an attack in its tracks.
Rather than focus on identifying attackers by their fingerprints, organisations need to take a different approach and instead look at the characteristics of what makes an attacker different than a normal application. For example, analysing network traffic to detect unusual behaviour.
Typically, attackers use fileless techniques to avoid detection and either download or execute remote payloads with the purpose of stealing data. To do this it is necessary to connect to a remote server. Since this needs to remain anonymous to avoid detection, it is usually performed over the dark web. However, new solutions are available that can stop the attacker at each stage of the cycle.
Fileless malware will only become smarter and more common. Increasingly, attacks will leave little to no tracks in the file system and in the network and will force organisations to start detecting attacks based on their behaviour.
With government data released in 2017 showing that almost half of UK firms were hit by cyber breach or attack in 2016, the rise in major security incidents has certainly urged organisations to reassess their cybersecurity strategies in the past 12 months. However, companies still have a long way to go in bolstering their cybersecurity defences in the long term. The challenge for businesses is to drive cybersecurity change now and not wait for the next big attack before they bring their security processes up to date.