This is a summary of an article written for Dark Reading by Fortinet’s Global Security Strategist, Derek Manky. The entire article can be accessed here.
Cybercriminals and security teams have a long adversarial history, each working to outsmart the other. As security software has improved its ability to detect and quash common threats, cybercriminals have developed a different approach: evading detection in the first place.
As security solutions have become more advanced, so too have cybercriminals’ evasion techniques. Two of these techniques are obfuscation and anti-analysis practices, and they have recently become more sophisticated than ever.
Obfuscation and Anti-Analysis Practices
Based on information uncovered in Fortinet’s Q2 Threat Landscape Report, there are several recent examples of how cybercriminals have used evasion tactics to minimize detection.
Anti-analysis techniques were used in a recent campaign in Japan, in which a phishing email was circulated with a weaponized Excel document attachment containing a malicious macro. This macro disabled security tools and executed commands using an undocumented infiltration technique, which meant standard threat detection was useless against it.
Another example of anti-analysis technique was seen in a variant of the Dridex banking Trojan. This Trojan changed file names and hashes each time someone in the affected system logged in, making it virtually impossible to spot the malware with traditional threat detection measures. Another attack focused on the financial space was AndroMut. AndroMut used sandboxing and emulator verification, as well as debuggers to target employees at financial institutions.
Another way cybercriminals are achieving their goals is by developing increasingly stealthy infostealers to gather data from connected devices. One particularly impressive infostealer was Zegost. Zegost’s creators designed it to be low-observable, with functions that enable evasion such as the clearing of application, security, and system event logs.
These few examples are grim reminders that systems need multi-layered defenses and behavior-based threat detection in order to stay on top of cybercriminals’ latest techniques.
Five Best Practices for a Multilayered Defense Strategy
As IT and security teams adapt their security strategies to keep pace with these new sophisticated attack strategies, they must keep these five best practices in mind.
- Take inventory of everything across your network. Pinpoint vulnerable systems, patch or replace older ones that no longer have support, add proximity controls for systems that can’t be upgraded, and upgrade your security tools to include asset tracking and monitoring.
- Stay abreast of anti-analysis and other trends. IT needs to maintain a current risk analysis strategy that covers redundant systems, includes off-site storage of backups, and the ability to cordon off segments of the system once an attack is detected.
- Practice segmentation. Segmenting your networks, especially IoT systems, is sound security practice. Managers should use device authentication and network access control to automatically separate devices from the production network until they are secured. Create checkpoints that assess for anomalous behavior as traffic passes between network segments.
- Automatically correlate threat data. Automation is key for evaluating threat intelligence and conducting event correlation in order to stop an attack before it makes full impact – such as stealing data or delivering a payload.
- Perform deep inspection of encrypted traffic. Encrypted data and unstructured data (like that collected from IoT devices) requires more processing power in order to inspect it. Many security tools aren’t powerful enough to inspect encrypted data without significantly impacting performance. These systems should be upgraded to ensure malware does not sneak through as encrypted traffic.
Final Thoughts
Cyberattacks are evolving, developing advanced capabilities for flying under the radar once they’re in your network. To protect your critical data assets and services, security teams need to start by working to understand these new types of anti-evasion risks. They must then implement best practices and solutions to not only defend against these recent attacks, but select adaptable technologies that can address those that have yet to be discovered as well.
This is a summary of an article written for Dark Reading by Fortinet’s Global Security Strategist, Derek Manky. The entire article can be accessed here.
Learn about how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.