Hunting the threats that fuel invisible attacks

February 22, 2017 | Cyber Incidents | By Brian Dulany |
Rather than waiting for threats to materialize, successful InfoSec teams go out hunting for the ones that may already be hiding within the network.

They say the biggest threats are the ones we don't see coming - and that's certainly true when it comes to information security. Even worse than the threats we don't see coming? The ones we can't see coming.

Last week, Kaspersky Labs discovered a new kind of fileless malware that carried out invisible attacks on over 140 financial, government and telecom organizations across 40 countries. Given how hard it is to detect, it's possible that the number of those impacted is even higher than currently believed.

This latest series of stealthy attacks adds to the growing concern of undetectable cyberthreats and highlights the urgency for InfoSec teams to proactively hunt emerging threats rather than wait around until they fall victim to one.

How fileless malware works

Security programs can't detect fileless malware because it doesn't drop any malicious files onto the hard drive. It uses unknown domains and open-source exploit code to infiltrate networks via legitimate and common administrative security tools, such as penetration testing software Meterpreter and Windows PowerShell. The malware hides in RAM where hard drive files aren't needed and entirely disappears every time the compromised system is reset. Fileless malware does, however, stay long enough to gather sensitive data, such as system administration passwords. Even once it is found, it leaves behind little forensic evidence or malware samples to be analyzed after an attack.

"Fileless malware is virtually impossible to detect."

If security researchers are having trouble detecting this threat, imagine the difficulty it presents to business professionals and IT administrators who are already struggling to mitigate the risks they already know about and can detect.

Whereas traditional forms of malware require you instigate an attack - click on a malicious link or download an infected file, for example - this breed succeeds without you having to do anything out of the ordinary. The trend of hackers weaponizing normal operating security tools against the very organizations using them is a testament to why relying solely on technology and software is not a sufficient approach to InfoSec. 

All of this can help explain why threat hunting is becoming a must for organizations.

The threats fuel invisible attacks

According to a survey conducted by the Information Security Community on LinkedIn, almost 80 percent of security execs agree that threat hunting must be a top-level priority. Unfortunately, many organizations lack confidence in their ability to detect unknown threats. Seventy percent of those surveyed said detecting threats is a top challenge, and nearly 50 percent attribute it to limited threat mitigation skills.

Threat hunting refers to the practice of aggressively and continuously searching for threats on the network, not just responding to them once they've materialized into an attack or breach. Taking this kind of proactive initiative is the most effective way for organizations to detect hidden threats and reduce risk. According to the survey, companies that don't hunt threats take an average of 38 days to find a threat and 26 days to investigate, whereas those that do detect a threat within 15 days and investigate in 14 days. 

To learn more about the InfoSec training programs needed to arm your team with the skills to hunt threats, check out our whitepaper.