Preventing the Latest Fileless Attack Endpoint Detection Tools Could Not Stop

July 31, 2017

 |  

Omri Moyal

Throughout the history of combat and military engagement, there are plenty of stories how a smaller force was able to overcome a larger force through the use of trickery and deception. One such scenario is the WWII Battle of Singapore between the defending British troops and assaulting Japanese Army. Prior to the Japanese invasion, Singapore was believed to be an unbreakable stronghold, and was even nicknamed “Gibraltar of the East.” The British deployed heavy weapons and enormous firepower to repel any incoming attack against the island from the sea, the most predictable and known route for enemy attack. However, as history tells us, the Japanese outsmarted the British by attacking from the mainland, thus bypassing the defensive lines facing the sea. This evasive maneuver by the Japanese led to the rapid fall of Singapore and the capture of 80,000 British troops.

You might be asking yourself why you should care about this long introduction and brief lesson on warfare? It is because the current state of enterprise cybersecurity is suffering from the same problem; it is not designed to deal with evasive maneuvers and tactics from adversaries, resulting in failure after failure whenever a new attack tactic is unleashed.

A recent publication by CrowdStrike (Google cache link) demonstrates how a slight change in tactic left their solution unable to detect the attack, leaving customers vulnerable to malicious actors. The adversaries changed from the typical macro and PowerShell attack vectors to using a relatively new approach that involved Outlook Forms. This - attack that was detected and prevented by Minerva. (The technical method of the attack is described extensively in the SensePost Outlook and Shells article.)

When Endpoint Detection & Response (EDR) solutions base their detection on known behaviors and tactics, a minimal deviation in the attacker’s path causes them to fail. In essence, the defenders simply keep “watching the sea while the enemy strikes from behind.”

Today there is an ever-increasing need to tackle the evasive nature of our adversaries, and stopping their attacks by employing a different approach, without the need for signatures, behavioral samples, of finding the exact byte pattern. Minerva is doing just that by using the attacker’s evasive strengths against them. Minerva delivers prevention by utilizing trickery and deception that tells “lies” to evasive malware, so that it identifies and disarms itself. Whichever of the hundreds, if not thousands, of evasive techniques are used by malicious actors, Minerva’s approach is engineered so it only has to be correct once to render the malware ineffective.

See how Minerva prevents the attack that uses the Outlook Forms:

 

Schedule a demo today to view Minerva in action, and to learn more about how we prevent evasive threats that reside in malicious documents, use situation-aware techniques or are used in fileless and in-memory attacks.