December 8, 2022
When it comes to cybercriminals, defense evasion remains the top tactic globally. In fact, it was the most employed tactic by malware developers in the past six months – and they’re often using system binary proxy execution to do so. Hiding malicious intentions is one of the most important actions for adversaries. Therefore, they are…

When it comes to cybercriminals, defense evasion remains the top tactic globally. In fact, it was the most employed tactic by malware developers in the past six months – and they’re often using system binary proxy execution to do so. Hiding malicious intentions is one of the most important actions for adversaries. Therefore, they are attempting to evade defenses by masking malicious intention and attempting to hide commands using a legitimate certificate.

Let’s look at this popular tactic, its prevalence and how enterprises can combat it.

Defense evasion enjoys worldwide popularity

Examining adversarial strategies reveals takeaways about how attack techniques and tactics are evolving. In the first six months of 2022, FortiGuard Labs researchers discovered (PDF) that of the top eight tactics and techniques focused on the endpoint, defense evasion was the most-employed tactic by malware developers. This was true across the globe. Research from the Sightings Report (PDF), a project of Fortinet and the Center for Threat-Informed Defense, found that of the six tactics that account for 90% of all MITRE attacks, five involve defensive evasion.

Defense evasion involves exploiting security gaps to prevent detection; attackers try to get in through security holes. They frequently pull this off using system binary proxy execution. Because hiding nefarious intent is one of the key skills they need to master, it stands to reason that malware creators would try to camouflage their creation by using a legitimate certificate to hide commands so they can get past a company’s security.

The second most common occurrence we’ve observed over the last six months is a sub-technique known as process injection, in which the bad actor tries to inject code into a process to circumvent defenses. They may also use this sub-technique to escalate privileges. In fact, there was a period of time when defense evasion with process injection was the most prevalent sub-technique in all regions. 

Understanding the implications

You might compare managing tactics, threats and strategies, as well as emerging vulnerabilities, to treading water in the sea, since you never know when the next ship will come by, and the water is too deep for you to touch the bottom. But the more we understand the environment, the better equipped we will be as the next storm begins to form.

With this actionable intelligence, organizations will have greater ability to secure against adversaries’ broad toolkits. Armed with this knowledge, defenders can begin to identify similar weaknesses in their defenses and effectively close those gaps. 

AI-powered, integrated security solutions are a must 

Organizations now face greater cyber risk due to the scope and frequency of attacks, so security personnel must be just as quick and systematic as their foes. The rise of complex and advanced attacks requires integrated security solutions because outmoded point-product security strategies are unable to stop them. Enterprise must-haves includes tools that can take in real-time threat intelligence, use AI to spot threat trends, correlate enormous volumes of data to find anomalies across the network even the endpoint, and immediately launch an automated, coordinated response across networks are essential for organizations.

Organizations may better align their defenses to adapt and react proactively to rapidly changing attack approaches when they have a better grasp of the objectives and strategies employed by their adversaries – thanks to actionable threat intelligence. To help prioritize patching efforts and create more secure networks, threat insights are essential. In order to match pace with the quantity, level of sophistication and speed of modern threats, organizations require security operations that can run at machine speed. 

When based on a cybersecurity mesh architecture, AI and ML-powered prevention, detection and response tactics provide far more automation, tighter integration. This approach also creates a quicker, more coordinated and more efficient response to threats throughout the extended network.

Defeating defense invasion

Cybercriminals won’t let a chance to gain from their dark arts pass them by. Attackers are always looking for the opportunity to use technology for financial gain or other motives, whether it’s through a vulnerability, an exploit or even an armed conflict. Defense evasion has become a favorite weapon in this cyber war. 

Malicious actors are developing their playbooks in order to circumvent defenses and expand their networks of criminal affiliates. To maximize the return on their investment, they are employing aggressive execution strategies like extortion or data wiping while concentrating on reconnaissance techniques prior to an attack.

Organizations require security solutions that are integrated, can find threat patterns and correlate huge volumes of data to identify anomalies and automatically launch a coordinated response across hybrid networks. Protecting all edges of hybrid networks requires integrated, AI- and ML-driven cybersecurity platforms with superior detection and response capabilities supported by actionable threat intelligence. This is how they will combat today’s advanced, sophisticated attacks.

Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.Previous Columns by Derek Manky:Tags:
Source