Intrusions Without Malware: Don't Forget the Other Sixty Percent

The time has come to start paying attention to the other sixty percent.  No, this isn’t a political piece.  Rather, I am trying to call attention to something that, in my opinion, is not high enough on the priority list of many people in the information security profession.  Although it is difficult to measure with certainty, some studies estimate that sixty percent of all intrusions involve no malware at all.

How do attackers manage to be so successful without using any malware at all?  That is a great question, and it is one that would take quite a bit of detail to answer in depth and properly.  At a high level though, the answer is related to a trend we’ve been seeing in information security over the last few years.  Although attackers still use malicious code quite often, they have been relying less and less on it.  While certainly not the only way to intrude, attackers seem to be having a field day stealing credentials, using legitimate tools, and masquerading as legitimate users.  It turns out that it is fairly easy for them to do so using a variety of different techniques.

I first touched on this topic in 2014 in a SecurityWeek piece entitled “Not All Intrusions Involve Malware”, and I took the discussion a step further in a piece last year entitled “The Increasing Importance of Security Analytics”.  Now I’d like to take a look at what I see in the information security community, both on the technology side as well as on the operational side.  I’d also like to discuss how taking a layered approach to detection can help organizations keep pace with this evolving attacker behavior.

Credential Attacks

On the technology side, I am increasingly confused by how many companies focus solely on building a better malware mousetrap.  That isn’t to say that we can’t continually improve our detection and prevention capabilities around malicious code.  Rather, my point is that even if a given technology is 100% effective at preventing and/or detecting malware (which is never going to be the case of course), it is still only solving 40% of the problem.

Simply put, detection and prevention technologies that don’t also have the ability to grapple with intrusions that involve no malware at all are partially effective technologies at best.  Even more so if they are stovepiped and operate in a vacuum.

On the operational side, I am also increasingly confused by how many organizations continue to focus exclusively on chasing malware.  Of course, I understand the need to prevent ransomware and to deal with various different types of malware, but security operations cannot end there.  At best, a security operations team focused solely on malware catches 40% of the malicious activity occurring.  At worst, it is a team that is turning a blind eye to significant risk that has been introduced into the organization it is charged with defending.

Of course, it’s easy to lament the short-sightedness of focusing exclusively on malware.  But how can organizations pivot to a more holistic focus, particularly when it comes to detection?  I believe this is where it is helpful to take a three-layered approach to detection.  I’ll explain.

Way back, when information security was a relatively new profession, we were primarily focused on signature-based detection.  When we learned of different attacks, we would write signatures for those attacks, and use those signatures to detect future instances of the same type of attack.  This was indeed a great beginning, but we quickly learned that it fell short in a number of ways.  Firstly, and perhaps most obviously, signature-based detection only detects known knowns: that which is already known to be bad.  But what happens when a new attack comes along that we haven’t seen before?  Secondly, signatures lack context.  That means that activity matching a signature, but in a different context, often results in false positives.  And with signature-based detection, we have never experienced a shortage of false positives, unfortunately.

Signature-based detection does provide good value for detecting certain types of attacks, so there is no reason to throw it away.  Rather, what we soon realized is that we needed to supplement our signature-based detection with another detection approach.  Enter detonation-based (sandbox-based) detection.  The concept here is quite logical -- the best way to understand the true intentions of a binary is to detonate it.  To literally see what it does.  From there a conclusion can be drawn about the true nature of that binary.

Indeed, detonation-based detection has been a resounding success within the information security community.  The only issue with it is that it has caused a somewhat myopic focus on malware at the expense of other types of intrusions.  Sandboxes have been a catastrophic success in the sense that they have greatly improved our detection capabilities, and as a result, have drawn us to focus almost exclusively on the types of intrusions they are ideally positioned to detect -- those involving malicious code.

This is why I believe that the time has come to add a third layer to our detection approach: analytics-based detection.  In my experience, analytics is the best way to detect intrusions that involve no malware at all.  In order to do this, we need to look at behaviors on the network, across user and system accounts, and elsewhere.  For example, the difference between an employee using a given account legitimately and an attacker using that same account for nefarious purpose is the intent.  The bits and bytes look the same.  Unfortunately, there is no intent bit in the TCP/IP header, so we need to be a bit more resourceful here in order to identify departures from expected behavior.

Granted, analytics means many different things to many different people.  But to me, analytics means taking a deep understanding of attacker behavior and producing accurate models to identify when activity matching those behaviors occurs.  In other words, analytics shouldn’t just be a bunch of fancy math looking for a problem to solve.  It should be focused on attacker behavior and oriented towards detecting it.
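As an added illustration of what a "departure from expected behavior" can look like in practice (this is example code, not from the article): a per-account baseline of source hosts, destinations and login hours is built from constructed authentication log lines, then applied to later events in which the same account is used from a different workstation, at an unusual hour, against hosts it never touched. The log format, account and host names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not from the article): a normal week
# for "alice", then the same account used from another workstation at 03:00.
BASELINE_LOG = [
    "2024-03-04T09:12:00 user=alice src=wkstn-alice dst=fileserver01 result=success",
    "2024-03-05T08:58:00 user=alice src=wkstn-alice dst=fileserver01 result=success",
    "2024-03-06T09:30:00 user=alice src=wkstn-alice dst=mail01 result=success",
    "2024-03-07T17:45:00 user=alice src=wkstn-alice dst=fileserver01 result=success",
]
NEW_LOG = [
    "2024-03-11T09:10:00 user=alice src=wkstn-alice dst=fileserver01 result=success",
    "2024-03-12T03:02:00 user=alice src=wkstn-bob dst=fileserver01 result=success",
    "2024-03-12T03:03:00 user=alice src=wkstn-bob dst=dc01 result=success",
    "2024-03-12T03:04:00 user=alice src=wkstn-bob dst=hr-db01 result=success",
]

def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event

def build_baseline(lines):
    """Per account, record the source hosts, destinations and login hours seen."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in map(parse_event, lines):
        if e["result"] != "success":
            continue  # only successful use of the account defines its baseline
        b = baseline[e["user"]]
        b["src"].add(e["src"]); b["dst"].add(e["dst"]); b["hours"].add(e["ts"].hour)
    return baseline

def detect(lines, baseline):
    """Return (user, reason) pairs for successful logins that depart from baseline."""
    findings = []
    for e in map(parse_event, lines):
        b = baseline.get(e["user"])
        if e["result"] != "success" or b is None:
            continue
        if e["src"] not in b["src"]:
            findings.append((e["user"], f"new source host {e['src']}"))
        if e["dst"] not in b["dst"]:
            findings.append((e["user"], f"new destination {e['dst']}"))
        if e["ts"].hour not in b["hours"]:
            findings.append((e["user"], f"unusual hour {e['ts'].hour:02d}:00"))
    return findings

if __name__ == "__main__":
    print(detect(NEW_LOG, build_baseline(BASELINE_LOG)))
```

The first new event looks exactly like the baseline and produces nothing; the three 03:00 events trip the source, hour and (for two of them) destination checks, even though every byte of each login is a valid, successful authentication.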

We shouldn’t let the present success of detonation-based detection distract us from the future need to look beyond it.  The percentage of intrusions that involve no malware at all is only going to increase with each passing year.  It’s time to weave analytics-based detection into our security programs to ensure we keep pace with the evolving threat landscape.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.