Antivirus software was born over 30 years ago when computers were still relatively new. At that time, antivirus software was king as it defended against one of the only existing threats – viruses. However, 30 years on much has changed – and in the world of technological advancements, three decades might as well be a lifetime. We delve into cybersecurity anatomy to help make sense of the new threat landscape we find ourselves in.
The threat landscape we see today is vastly different and infinitely more sophisticated. Organizations must protect their devices not only from viruses and malware such as ransomware, but also malicious activities carried out by cybercriminals, including infecting Internet of Things (IoT) devices to perform DDoS attacks. That’s why the days of protecting yourself from bad actors using a single antivirus solution are now behind us. Fileless network protection is a key element to device security and an important part of the layered security strategy which is vital to protecting organizations today.
Signature Based Detection
Sophisticated (and not so sophisticated) attackers can today easily evade signature-based antivirus software. Because antivirus protection depends on prior knowledge of the attacker, cyber criminals are naturally aware of this, and attacks are now specifically designed to sidestep the entire process. They now use fileless techniques and randomised payloads that never match a known signature, avoiding detection completely. In fact, fileless attacks are increasingly on the rise, with 77% of successful attacks now using fileless exploits. And worryingly, fileless attacks are ten times more likely to succeed.
Traditional antivirus security products rely on signatures to detect and remove threats. This fingerprinting technology looks at every file on your device and generates a unique identification number, or signature. This signature is then compared to a database of known bad actors. When a match is found, the offending file is removed.
These products scan an organization’s filesystem and current processes looking for bad signatures. However, it is important to understand the limitations of this technique in terms of device and data protection.
Firstly, the bad actor needs to be identified. Just like in the real world, after a break-in the police have to arrive at the scene, investigate and take fingerprints and then compare them to a list of known criminals. This is no different in the digital world. It takes teams of people to identify, analyse and classify the problem.
Secondly, after it has been verified it can be added to a database and made available to clients. This takes time. Typically, the best-case scenario is around 4 hours; however, it is usually significantly longer, taking up to 24 hours or more.
The problem is that the majority of cyber-attacks do the most damage within the first few hours, spreading across the globe rapidly. Recent examples include WannaCry and Petya. In fact, the WannaCry ransomware attack was, at the time, one of the most devastating and widespread cybersecurity incidents recorded. It took just four hours to spread across the NHS, ultimately affecting 34% of NHS trusts, as well as more than 600 primary care organisations in the UK. Total global losses resulting from the attack were placed at anywhere from hundreds of millions of dollars to an eye-watering $4 billion. With devastating cost and reputational impact, organisations simply can’t hesitate when it comes to stopping an attack in its tracks.
Behavioral Profiling
Rather than focus on identifying attackers by their fingerprints, organisations need to take a different approach and instead look at the characteristics that make an attacker different from a normal application. One example is analysing network traffic to detect unusual behaviour.
Typically, attackers use fileless techniques to avoid detection and either download or execute remote payloads with the purpose of stealing data. To do this it is necessary to connect to a remote server. Since this needs to remain anonymous to avoid detection, it is usually performed over the dark web. However, new solutions are available that can stop the attacker at each stage of the cycle.
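To make the contrast between the two approaches concrete, here is an added example (not BlackFog's code or any product's) that puts a hash-based signature lookup beside a behavioural rule run over a few constructed connection-log lines: the signature check only recognises a sample already in its database, while the behavioural rule flags a script host by what it does. The log format, the process names and the use of Tor's default ports as a heuristic are assumptions for the illustration.

```python
import hashlib
import re

# Constructed blocklist: the SHA-256 of one hypothetical "known bad" sample.
KNOWN_BAD_HASHES = {hashlib.sha256(b"known-bad-sample-v1").hexdigest()}

def signature_match(content: bytes) -> bool:
    """Signature-style check: fingerprint the bytes and look the hash up.
    A variant never fingerprinted before is invisible to this check."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES

# Behavioural rules: no file hash needed, only what the process is doing.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
TOR_DEFAULT_PORTS = {9001, 9030, 9050}  # ORPort, DirPort, SOCKS; heuristic only

# Constructed connection-log format (assumed, not a real product's): one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"parent=(?P<parent>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)

def behavioral_alerts(lines):
    """Return (pid, proc, reasons) for every event that matches a rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        proc, parent, port = m["proc"], m["parent"], int(m["port"])
        reasons = []
        if proc in SCRIPT_HOSTS and parent in OFFICE_APPS:
            reasons.append("script host spawned by an Office application")
        if proc in SCRIPT_HOSTS and port in TOR_DEFAULT_PORTS:
            reasons.append("script host connecting to a Tor default port")
        if reasons:
            alerts.append((m["pid"], proc, reasons))
    return alerts

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2017-05-12T08:01:02Z proc=chrome.exe pid=1400 parent=explorer.exe dst=203.0.113.5:443",
    "2017-05-12T08:03:15Z proc=powershell.exe pid=2210 parent=winword.exe dst=198.51.100.7:9001",
    "2017-05-12T08:04:00Z proc=svchost.exe pid=900 parent=services.exe dst=192.0.2.10:443",
]
```

Running `behavioral_alerts(SAMPLE_LOG)` flags only the PowerShell process, for both reasons, while `signature_match(b"known-bad-sample-v2")` returns False because that variant was never fingerprinted.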
Fileless malware will only become smarter and more common. Increasingly, attacks will leave little to no tracks in the file system and in the network and will force organizations to start detecting attacks based on their behavior.
With government data released in 2017 showing that almost half of UK firms were hit by a cyber breach or attack in 2016, the rise in major security incidents has certainly urged organisations to reassess their cybersecurity strategies in the past 12 months. However, companies still have a long way to go in bolstering their cybersecurity defences in the long term. The challenge for businesses is to drive cybersecurity change now and not wait for the next big attack before they bring their security processes up to date.