Defeating malware-less attacks with deception technology

60% of attacks involve no malware, which means antivirus, sandboxing, IOC feeds and other signature-based solutions have no chance of detecting them. This is the new reality that companies with anti-malware investments will have to adapt to.

Why have attackers moved away from using malware?

Using malware increases the chance of being detected, so sophisticated adversaries have refined their attack methodology to avoid dropping binaries that may be flagged.

Many attacks involve spear-phishing to harvest credentials, which are then used to access the corporate network through legitimate channels such as the VPN, webmail or SharePoint. This renders perimeter defences such as sandboxing solutions ineffective.

Once a foothold is established, the attackers “live off the land”, using built-in OS functionality such as PowerShell, WMI and Remote Desktop, as well as legitimate administration tools like PsExec and TeamViewer, to access and control victim hosts.

Even where they do use malicious code, it is executed directly in memory so as not to leave any footprint on the file system for antivirus or file integrity monitoring to detect.

By making the attack look just like normal activity and by using normal tools, they easily evade traditional protection and monitoring solutions.

Malware-less attacks are only going to increase, especially through the use of PowerShell scripts: entire frameworks for post-exploitation and privilege escalation now exist. The fact that penetration testing teams have started relying heavily on these tools is just another indicator of their effectiveness.

How does deception technology detect malware-less attacks?

IllusionBLACK detects the intent of the adversary rather than their tools. Instead of looking for malicious software, deception is injected to control the attacker’s view of the network and lead them away from real assets at multiple points in the kill chain. Here are some examples of deception tripwires that defeat malware-less attacks:

  • Spear-phishing decoys detect credential theft
  • Dummy credentials catch privilege escalation
  • Enticing hosts are attacked instead of real assets
  • Data tripwires that alert on unauthorised access
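The property that makes these tripwires work is that a decoy credential, host or file has no legitimate user, so a single touch is a high-confidence signal no matter what tooling produced it (RDP, PowerShell, a file browser). The following Python script is an added illustration of that idea and is not IllusionBLACK's or Smokescreen's code. It plants a set of hypothetical decoy artifacts, scans constructed key=value log lines for any use of them, and deliberately ignores the phished-but-legitimate `jdoe` logon at the start of the sample, which no credential-based check could distinguish from normal use. The log format, decoy names, IPs and paths are all assumptions made for the example.

```python
"""Honeytoken tripwire detector (illustrative, not a product component).

Decoy credentials, hosts and files have no legitimate users, so any access
to one is flagged regardless of whether malware was involved.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical planted decoys. In a real deployment these would be seeded
# where an attacker looks for them (directory, credential stores, shares).
DECOY_USERS = {"svc_backup_adm", "helpdesk_admin2"}
DECOY_HOSTS = {"10.20.30.99"}
DECOY_FILES = {r"\\fileserv\finance\payroll_2019.xlsx"}

# Assumed log shape: "<timestamp> <event> key=value key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str       # decoy_credential | decoy_host | decoy_file
    artifact: str   # which decoy was touched
    source: str     # host that touched it
    detail: str


def parse_kv(s: str) -> Dict[str, str]:
    """Parse key=value pairs; quoted values may contain spaces/backslashes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', s)}


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per decoy artifact touched, in log order."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        ts, event, kv = m.group("ts"), m.group("event"), parse_kv(m.group("kv"))
        src = kv.get("src", "?")
        user = kv.get("user", "")
        # Any logon with a decoy account is flagged, successful or not:
        # a failed attempt still proves the credential was harvested.
        if event == "logon" and user.lower() in DECOY_USERS:
            alerts.append(Alert(ts, "decoy_credential", user, src,
                                f"result={kv.get('result')} proto={kv.get('proto')}"))
        if event == "conn" and kv.get("dst") in DECOY_HOSTS:
            alerts.append(Alert(ts, "decoy_host", kv["dst"], src,
                                f"dport={kv.get('dport')}"))
        if event == "fileaccess" and kv.get("path") in DECOY_FILES:
            alerts.append(Alert(ts, "decoy_file", kv["path"], src, f"user={user}"))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group tripwire kinds by source host, to show lateral movement at a glance."""
    by_src: Dict[str, set] = {}
    for a in alerts:
        by_src.setdefault(a.source, set()).add(a.kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


# Constructed sample: a phished real user logs in over VPN (not detectable
# here), then touches decoys while moving laterally from 10.1.5.20.
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z logon user=jdoe src=10.1.5.20 result=success proto=vpn",
    "2024-03-04T09:12:05Z conn src=10.1.5.20 dst=10.1.5.30 dport=445",
    "2024-03-04T09:13:38Z logon user=helpdesk_admin2 src=10.1.5.20 result=failure proto=smb",
    "2024-03-04T09:13:40Z logon user=svc_backup_adm src=10.1.5.20 result=success proto=rdp",
    "2024-03-04T09:14:02Z conn src=10.1.5.20 dst=10.20.30.99 dport=3389",
    r'2024-03-04T09:15:11Z fileaccess user=svc_backup_adm src=10.1.5.20 path="\\fileserv\finance\payroll_2019.xlsx"',
    "corrupt_line_without_fields",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.kind:<16} {a.artifact} from {a.source} ({a.detail})")
    print(summarize(found))
```

Running it yields four alerts from the same source host (one failed and one successful decoy logon, one connection to the decoy host, one read of the decoy file) and nothing for the legitimate `jdoe` session, which is the whole argument for tripwires over signatures: the detector never inspects a binary or a command line, only whether a planted artifact was used.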
See how IllusionBLACK catches malware-less attacks
