Morphisec Cybersecurity Blog

Advanced Threat Defense Needs a Multi-pronged Approach

Written by Mitchell Hall | October 26, 2022 at 1:15 PM

 

The evidence is clear that despite expanding cybersecurity investment, sophisticated cyberthreats are increasingly successful. Household brands like Uber and Apple, essential service providers like Colonial Pipeline, and even entire nation states are falling victim to cyberattacks that evade best-of-breed controls. Beyond the headlines, attacks are spiraling too. More than once a minute, talented and well-funded security teams are left picking up the pieces after their supposedly advanced threat defense is breached.

One common thread linking today's cyberattacks is how incredibly disruptive they are. Threats now linger in victim networks longer than ever before. Attacker dwell time increased 36 percent between 2020 and 2021. And breaches have a much bigger blast radius than they used to. 

As a result, having an effective strategy in place to stop advanced threats has never been more important. 

How Advanced Threats Work

Long ago, even the most basic computer viruses were advanced threats. With little to stop them, malware like the ILOVEYOU worm could compromise tens of millions of computers in the early 2000s. In response, antivirus (AV) programs were built to protect against these threats. They worked on the premise of spotting and isolating dangerous-looking files, behaviors, and attachments within a protected network environment.

Threat actors evolved in response, with attacks like WANNACRY, Petya, and NotPetya considered advanced, self-spreading threats. In response, next-generation anti-virus (NGAV) evolved. So threats responded. Advanced ransomware is now offered as a service (RaaS). Open source malware is exploited by the hacking community. And supply chain attacks like SolarWinds and Kaseya are proving particularly devastating.

Modern security stacks based on technologies like endpoint protection platforms (EPP), and endpoint detection and response (EDR) work in a similar way to early antivirus programs. These technologies are better at finding and stopping threats than their early counterparts. But they operate under the same "search and destroy" concept. So a typical enterprise-level security posture almost exclusively relies on finding and isolating known threats across disk and network environments. 

These fundamental security controls and signature-, pattern-, and AI-based solutions are still essential. But they are no longer enough to create real security. Today, the most dangerous threats are designed to bypass and evade cybersecurity tools.

Advanced threats don't appear on most security solutions' radars until it's too late, if at all. They use the same applications legitimate system admins do to probe networks and move laterally.

Cracked versions of red team tools like Cobalt Strike allow threat actors to target legitimate processes in device memory. These tools allow attackers to search for passwords and exploitable bugs that exist in memory when a legitimate application is being used. And they hide where defenders can’t effectively scan—in memory during application runtime. 

As a result, advanced threats bypass both scanning-based security solutions, which can't look at memory during run time, and controls like allowlisting. According to a recent Picus report, 91 percent of DarkSide ransomware incidents used legitimate tools and processes. 

Living "off the land" in-memory during run time, advanced threats can also survive reboots, disk reformats, and attempts to reinstall device OS. 

These sophisticated attacks used to be something only state-backed threat actors could do. Today, however, they are common. Hacked distributions of Cobalt Strike allow threat actors to cheaply and easily target their victims' memory. Last year, three of the top five attack techniques involved device memory. 

How to Stop Advanced Threats

Advanced threats are exploiting a glaring security gap in the typical enterprise security posture—device memory. But they can be stopped. 

Long term, the best way to prevent threats from compromising memory would be to build better defenses into applications and devices. Software developers can do more to build in mitigations to memory exploits. They can make it more difficult for threat actors to exploit the same tools legitimate network admins use. 

But as long as applications build and integrate new features (and invariably create bugs), memory corruption will be possible. This is especially true for the millions of legacy devices and applications that will continue operating within IT environments far into the future. 

Right now, the best thing security teams can do to stop advanced threats is to add controls that prevent access to device memory in the first place:

  • Build Defense-in-Depth. No one control or solution can keep an organization safe from advanced threats. Security teams must create redundancy across each layer from the endpoint to business-critical servers. 
  • Implement zero trust. The concept of zero trust is over 47 years old. Yet it remains an elusive goal for most enterprises. According to a recent Forrester study, organizations that implement zero trust reduce the chance of a data breach by 50 percent. 
  • Protect device memory with Moving Target Defense (MTD) technology. You can't effectively scan device memory during run time. But you can make memory assets such as passwords effectively invisible to threat actors. Use a solution that uses MTD to morph (randomize) memory, making it impossible for threats to find their targets. 

Build Advanced Threat Defense with MTD

Solutions like NGAV, EPP, and EDR remain a vital part of any organization's security strategy. They are essential for stopping the majority of attack chains that show recognizable signatures and behavioral patterns. 

However, with increasing zero-day attacks, in-memory threats, and fileless attack methods, these tools leave defenders with a critical security gap. A different solution is urgently needed to effectively defend the attack vectors these advanced threats target. One that prevents memory compromise and stops previously unseen threats.

Enter Moving Target Defense (MTD). Cited by Gartner as one of the most impactful emerging technologies, MTD creates an unpredictable in-memory attack surface. This makes it impossible for threats to find the resources they seek, no matter how sophisticated they are. Just as important, MTD technology seamlessly integrates with other cybersecurity solutions, is easy to implement, and scalable. To learn more about this revolutionary technology, read the white paper—Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy