This article is part of the series "Fileless Malware". Check out the rest:
- Adventures in Fileless Malware, Part I
- Adventures in Fileless Malware, Part II: Sneaky VBA Scripts
- Adventures in Fileless Malware, Part III: Obfuscated VBA Scripts for Fun and Profit
- Adventures in Fileless Malware, Part IV: DDE and Word Fields
- Adventures in Fileless Malware, Part V: More DDE and COM Scriplets
- Adventures in Fileless Malware: Closing Thoughts
I think we can all agree that hackers have a lot of tricks and techniques to sneakily enter your IT infrastructure and remain undetected while they steal the digital goodies. The key takeaway from this series is that signature-based detection of malware is easily nullified by even low-tech approaches, some of which I presented.
I’m very aware that prominent security researchers are now calling virus scanners useless, but don’t throw them out just yet! There’s still a lot of mint-condition legacy malware on the Intertoobz used by lazy hackers that would be blocked by these scanners.
Get the Free Pen Testing Active Directory Environments EBook
A better philosophy in dealing with file-less malware and stealthy post-exploitation techniques is to supplement standard perimeter defenses, port scanners, and malware detectors with secondary lines of defense, and have strategies in place when the inevitable happens — including a breach response program.
I’m referring to, wait for it, defense-in-depth (DiD). This is a very practical approach to dealing with smart hackers who sneer at perimeter defenses, and mock signature scanning software.
Does DiD have its own problems? Sure. Those same security pros who have lost faith in traditional security measures are now promoting whitelisting of applications, which can be a very strong inner wall to protect against an initial breach.
But the code-free techniques I showed in this series can be used to even get around whitelisting. This falls under a new hacking trend called “living off the land”, which subverts legitimate tools and software for evil purposes. In the next few weeks, I’ll post a mini-tutorial on lol-ware. For those who want to do their homework ahead of time, start perusing this interesting github resource. Stay tuned.
Get Real About Data Security!
In my view, defense-in-depth is about minimizing liabilities: taking what could be a potential catastrophe and transforming it into something that’s not too terrible or costs too much.
The hacker got in, but because of your company’s excellent and restrictive permission policies, you prevented her from gaining access to sensitive data.
Or the hackers have obtained access to the sensitive data, but your awesome user-behavior analytics technology has spotted the intruders and disabled the accounts before a million credit cards could be exfiltrated.
Or perhaps the hacker has managed to find and exfiltrate a file of email addresses. However, your outstanding breach response program, which includes having near real-time information on abnormal file activities, enables you to contact the appropriate regulators (and customers affected) in near record time with detailed information on the incident, thereby letting you avoid fines and bad publicity.
Common Sense Defense Advice
Defense-in-depth is more of a mind-set and philosophy, but there are, some practical steps to take and, ahem, great solutions available to make it easier to implement.
If I had to take the defense-in-depth approach and turn it into three actionable bullet points, here’s what I would say:
- Assess. Evaluate your data risks by taking an inventory of what you need to protect. Identify PII and other sensitive data, some of which can be under regulations, and is often scattered across huge file system. You need to work out who has access to it and who really should have access to it. Warning: this ain’t easy to do, unless you have some help.
- Defend. Now that you’ve found the data, limit the potential damage of future breaches by locking it down: reduce broad and global access, and simplify permission structures – avoid one-off ACLs and use group objects. Minimize the overall potential risk by retiring stale data or other data that no longer serves its original function.
- Sustain. Maintain a secure state by automating authorization workflows, entitlement reviews, and the retention and disposition of data. And finally, monitor for unusual user and system behaviors.
Need to make your defense in depth dream a reality? Learn how we can help.