What techniques should enterprises use to counter evasive cyber threats?
Today, cybercriminals employ increasingly sophisticated attack techniques and evasive cyber threats in order to infiltrate security systems. According to a Morphisec whitepaper, "deception techniques play a key role in attackers' success."
Evasive attacks become more advanced
Attackers now use numerous techniques to enable recurring modifications of cyberattacks. As Morphisec observes, these include altering the source, static signatures, and behavioural signatures.
Among these methods, however, the most effective exhibit benign behaviour in order to conceal malicious intent from defence systems. For example, malware authors commonly use polymorphism to evade AV detection.
This technique renders the signature-based anti-malware tools ineffective, as new instances generate a new and unknown static signature. In addition to this, metamorphism techniques "complicates the detection further by changing the in-memory code at every execution."
Obfuscation is also an effective way of hiding malicious activities despite manual inspection of the code. In this instance, the malware's author generates code that is incredibly difficult for a human analyst to comprehend.
Anti-VM and anti-sandbox also evade "automated forensic analysis" by altering their behaviour. If a VM or sandbox is detected, the malware appears as benign which enables it to execute malicious activities undetected.
Malware can also employ anti-debugging, which avoids automated and manual investigation by altering its behaviour in these forensic environments. Finally, encrypted exploits change parameters and signatures in order to sidestep investigation.
Countering evasive techniques
Notably, defenders can also employ these deception techniques in order to fight threats. Moving Target Defence (MTD) is particularly effective as it aims to create "asymmetric uncertainty on the attacker's side by changing the attack surface."
Morphisec notes that there is "no such thing as absolute security" in these circumstances. Rather, there is "asymmetry between the attackers' and the defenders' costs and efforts."
Organisations therefore require a "new paradigm" that both increases the complexity and cost for attackers, while decreasing their own. The three main categories of MTD security are network level, host level, and application level.
Network level MTD entails several mechanisms, including IP-hopping that changes the host's IP address and increases the complexity of the network. In fact, this method has advanced to allow "maintaining the hosts IP mutation in a transparent manner."
Other techniques involve deceiving the attacker using random port numbers, extra open or closed ports, alongside fake listening hosts and obfuscated port traffic. In effect, this provides the attacker with "fake information about the host and OS type and version."
Host level MTD changes the hosts and OS level resources using naming and configurations to deceive the attacker. Finally, application level MTD focuses on "changing the application environment in order to trick the attacker."
Looking to enhance your cybersecurity? Take a look at the Top 10 SIEM Tools