"Malware-less" Attacks?

Brian Klenke

There have been several articles in the last few months addressing the topic of “malware-less” or “malware-free” attacks. As a result of articles on this topic, I had a number of people ask me if I had heard of these attacks and what could be done about them. In almost every modern cyber intrusion that I have defended against, investigated, or analyzed over the last decade, the intruders quickly sought ways to obtain privileged credentials and remote access to the victim’s IT resources. To avoid detection by antivirus, IDS, next-gen firewalls, etc., the intruders need to look like typical IT admins or users going about their daily activities. This means they avoid exploiting vulnerabilities or installing malware unless it’s absolutely necessary. If they can move through the network as an IT admin, they can use tools commonly used by IT admins, including batch files, scheduled tasks, Windows APIs, etc., to broaden their access and control as well as orchestrate data theft. It should therefore not be a surprise that much of their attack methodology is “malware-less”. This is not a new tactic. It’s a fundamental component of any infiltration strategy: blend into the crowd as quickly and thoroughly as possible!
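Because the activity described above is ordinary admin tooling rather than malware, detecting it comes down to knowing what your own admins normally do and flagging deviations. The following is an added example, not code from the original post or from Morphick, of a small detector run over constructed Windows Security log records (event ID 4698, scheduled task created, and 4624, successful logon). The baseline sets (`ADMIN_ACCOUNTS`, `ADMIN_HOSTS`), the user-writable path heuristic, the record field names and the sample events are all assumptions made for the example.

```python
"""Flag admin-tool activity (scheduled tasks, remote logons) that falls outside
an expected baseline. Added example; baseline values are assumptions."""
from dataclasses import dataclass

# Assumed baseline: accounts expected to create scheduled tasks, and the hosts
# from which admin work normally originates. Replace with your own inventory.
ADMIN_ACCOUNTS = {"CORP\\svc_patching", "CORP\\jdoe_adm"}
ADMIN_HOSTS = {"JUMP01", "JUMP02"}

EVENT_TASK_CREATED = 4698      # Windows Security: a scheduled task was created
EVENT_LOGON = 4624             # Windows Security: an account successfully logged on
REMOTE_LOGON_TYPES = {3, 10}   # network and remote-interactive logons

# Heuristic (assumption): a task whose action lives in one of these locations
# is worth a look, since ordinary users can write there without admin rights.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Alert:
    host: str
    account: str
    reason: str


def check_task_created(ev):
    """Rules for a 4698 record: who created the task and what it runs."""
    alerts = []
    if ev["account"] not in ADMIN_ACCOUNTS:
        alerts.append(Alert(ev["host"], ev["account"],
                            f"scheduled task {ev['task_name']} created by non-admin account"))
    cmd = ev["command"].lower()
    if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
        alerts.append(Alert(ev["host"], ev["account"],
                            f"scheduled task {ev['task_name']} runs from a user-writable path"))
    return alerts


def check_logon(ev):
    """Rule for a 4624 record: admin accounts should arrive from admin hosts."""
    if (ev["logon_type"] in REMOTE_LOGON_TYPES
            and ev["account"] in ADMIN_ACCOUNTS
            and ev["source_host"] not in ADMIN_HOSTS):
        return [Alert(ev["host"], ev["account"],
                      f"admin account used remotely from unexpected host {ev['source_host']}")]
    return []


def detect(events):
    """Run every record through the rule matching its event ID; return all alerts."""
    handlers = {EVENT_TASK_CREATED: check_task_created, EVENT_LOGON: check_logon}
    alerts = []
    for ev in events:
        handler = handlers.get(ev["event_id"])
        if handler:
            alerts.extend(handler(ev))
    return alerts


# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "FS01", "account": "CORP\\jdoe_adm", "source_host": "JUMP01",
     "task_name": "\\Maintenance\\Cleanup",
     "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Scripts\\cleanup.bat"},
    {"event_id": 4698, "host": "FS01", "account": "CORP\\mwilson", "source_host": "WS-HR-17",
     "task_name": "\\Microsoft\\Windows\\Update",
     "command": "cmd.exe /c C:\\Users\\mwilson\\AppData\\Local\\Temp\\update.bat"},
    {"event_id": 4624, "host": "FS01", "account": "CORP\\jdoe_adm", "logon_type": 3,
     "source_host": "JUMP01"},
    {"event_id": 4624, "host": "FS01", "account": "CORP\\jdoe_adm", "logon_type": 10,
     "source_host": "WS-HR-17"},
    {"event_id": 4624, "host": "WS-HR-17", "account": "CORP\\mwilson", "logon_type": 2,
     "source_host": "WS-HR-17"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.account}: {alert.reason}")
```

None of the three alerts this produces depends on a signature, hash or domain; each is a departure from a baseline of who does admin work and from where, which is the kind of knowledge only an actively engaged defender accumulates.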

It probably should not come as a surprise that many of the articles covering this topic were authored by bloggers at various security vendors. Security vendors that sell antivirus software tend to see threats almost exclusively in terms of detectable malware or exploits occurring on an endpoint; this is what their product is designed around. Similarly, the various IDS vendors have products that look for exploit behavior and malware as it crosses a particular point on a network, which reflects their notion of how to detect intrusions. The central premise behind both views is that the bad guys are the sum of the malware and exploits they use. This is a dangerous and myopic view of cyber threats. Let me be clear that I am not saying antivirus or IDS are bad or useless products – that couldn’t be further from the truth. Both are valuable components of mounting an effective network defense. The danger comes from how these technologies are marketed by vendors and used by customers. The marketing campaigns tell you to implement vendor XYZ’s security product and the network will somehow be able to defend itself against all security threats. The customers buy the product and implement it so they can stop worrying about security. The belief is that this product will automatically take care of security for them.

Instead of worrying about modern cyber threats, we worry about maintaining the health of our security products, because it’s security products that protect us from bad stuff, right? Wrong. The greatest cyber threats we face today aren’t self-propagating malware (worms, viruses, etc.). Modern cyber threats are people. These people have a variety of tactics and tools they use to try to infiltrate our networks and steal our data. Vulnerabilities, malware, and exploits are only a few components of how a successful network intrusion is executed.

Modern cyber threat actors know that pretty much all of the security products on the market are looking for malware and exploit activity, so it behooves them to architect tactics and tools that minimize the use of malware and exploits. Modern cyber intrusions are diverse and constantly changing and evolving in many ways. Detecting these modern cyber threats can be very complex. This is why intelligence-driven network defense is key to combating today’s cyber threats. Intelligence-driven network defense does not mean amassing large lists of IP addresses, domain names, and MD5 hashes associated with malware from a vendor or an industry security association. Intelligence-driven defense means analyzing and researching how a cyber threat (the people, not the malware) actually conducts an intrusion from beginning to end. Analytical models like Lockheed Martin’s Cyber Kill Chain™ help us organize what we know about a given intrusion, but also aid us in determining what we DON’T KNOW and need to find out. We need to remember that the end goal of an intruder isn’t to exploit a vulnerability on your network or install malware; their end goal is to get your data. A successful defense against such threats requires actively participating in that defense. If your time spent “doing security” can be largely described as performing installation and maintenance of the security products you have purchased, you are not actively participating in the defense of your network. Active participation in network defense means:

  1. Continuously working to understand who is trying to breach your network by analyzing all aspects of their intrusion tactics (not just what malware, exploits, or domains they use)
  2. Spending at least as much time, money, and talent on monitoring and analyzing your network and systems as you do on implementing “preventative” security controls
  3. Constantly changing and enhancing your network defenses and detection strategies

Actively participating in your network defense allows you to detect and defeat cyber intrusions. When you understand how an intrusion plays out in its entirety, even in a general sense, terms like malware versus “malware-less” attacks become irrelevant. Your team of network defenders who actively participate in the fight know that every intrusion attempt will have multiple components and phases, and they will continually learn from intrusions and morph defenses. However, developing and sustaining a security program that actively participates in network defense is difficult. Few companies today will stomach a budget to staff even a bare-bones team of network defenders. Too often organizations presume that the same person who pushes their firewall rules or deploys their patches has both the skills and bandwidth to also serve as their detection analyst, their intelligence analyst, and their incident handler. And even if you do realize that these are very different skill sets, finding and retaining the talent in each of these skills is extremely challenging.

If you don’t happen to be one of the few organizations that can maintain a team of network defenders who can be actively engaged in a fight, there is an alternative for you: Morphick. We are a team that actively engages in the defense of our clients’ networks every single day. We bring to bear a broad range of technologies and approaches to detecting modern cyber threats, informed by our world-class threat intelligence analysts. The team at Morphick is dedicated to detecting the modern cyber threats to your network, and yes, even the “malware-less” ones.