Cyber adversaries are creating new ways to evade detection and maintain a persistent presence on enterprise networks faster than we can detect them. A December 2021 study found that “malware has increased its evasive behavior over the years, with more than 40% of the samples collected in 2020 employing at least one technique, in comparison with about 30% in 2016”. Looking into the frequency of new CVEs and MITRE sub-techniques, we find that adversaries have increased their efforts to produce new evasions and new Advanced Persistent Threats, or APTs, since the early 2010s.
In 2022, the evidence that the good guys are falling behind is that four major security vendors are among the top ten largest breaches… LastPass, Cisco, Microsoft, Okta. There should be little doubt that their detection technologies and cybersecurity teams are top-notch. But if these titans of cybersecurity cannot protect their own most valuable assets, should we be confused about why our boards and executive leaders might question how we are securing our own organizations, our people, and our supply/demand chains? And looking into the future, Kaspersky has predicted an “increase in APT intrusions” in 2023.
The purpose of this whitepaper is to build your knowledge of evasion tactics used by adversaries, to provide actionable insights for organizations to better detect these kinds of attacks, and then to take it a step further to prevent attacks.
At the Root of the Problem
Why is defense evasion growing faster than defenders can detect new techniques, and why do we expect it to continue? Well, it’s pretty simple. It makes our adversaries’ jobs easier. From an economic perspective, improved security evasions increase the time, effort, and cost for us to defend against them. By continually developing and sharing new evasion techniques, the bad actor community keeps our Blue Team and incident responders more than busy – chasing down false positives, doing incident reports, and investing in the resources needed to deploy new tools and procedures for an ever-changing threat. Something as simple as disabling anti-malware controls extends the time an adversary can exploit their target victims longer, and create new work to defend the rest of the entire attack vector.
The ability of these attackers to evade detection presents a significant challenge for organizations and requires a comprehensive and proactive approach to security.
Background Before We Dig Deep
Let’s step back and bring everyone up to speed. What is detection (or if you prefer, defense) evasion? Defense evasion comprises various techniques used by adversaries to mask their exploits to avoid being detected by security systems like SIEM, EDR/MDR/XDR, and UEBA. These techniques range from simple methods, such as hiding behind encrypted communication channels, to more sophisticated methods, such as exploiting vulnerabilities in security systems to bypass, disable, and obfuscate defenses.
MITRE ATT&CK Vectors – Defense Evasion
The MITRE ATT&CK framework is widely used by the cybersecurity community to track and analyze adversary tactics, techniques, and procedures. Additionally, the whitepaper provides a comprehensive review of best practices for preventing and detecting detection evasion, drawing on the expertise of notable authorities in the field. The conclusion of this blog provides a summary of key points and recommendations.
As we’ve pointed out, cyber adversaries are constantly developing and sharing new evasion techniques. So constantly finding new detection techniques is a requirement, but you can never keep up with the threat, much less get ahead of the threat.
The MITRE ATT&CK framework’s “Defense Evasion” list has 40 techniques – over 50% more than any other of the 14 attack categories. It holds a long list of sub-techniques that include obfuscation, file deletion, scripting, and masquerading. Below is a summary of techniques related to these:
Malware Obfuscation
-
Confuses the process of detecting and analyzing.
-
Manipulates malware code to make the attack difficult to understand.
-
Packing is the process of compressing and encrypting malware to make it smaller and more difficult to detect.
-
Encryption is used to hide the payload of the malware and make it difficult to detect.
-
Bypasses or disables antimalware protection running in the OS, network intrusion detection systems, and ‘detect-and-respond’ tools.
-
Examples: code obfuscation, packing, and encryption.
Fileless Attacks
-
Do not rely on malware being installed on the target.
-
Typically use legitimate tools and services that are already on the system.
-
Difficult to detect because they do not leave artifacts.
-
Examples: PowerShell & other scripting languages that execute malicious code; Windows Management Instrumentation (WMI) to execute scripts.
Living off the Land
-
Living-off-the-land employs legitimate tools already on a system to carry out attacks.
-
Living-off-the-land attacks can be difficult to detect because they do not involve the use of malicious software.
-
Examples: Using legitimate system utilities to download and execute malware; Using legitimate network protocols to exfiltrate data; Using legitimate cloud services to host C2 infrastructure.
Command and Control (C2 or C&C) Tunneling
-
Establishes a covert channel the attacker controls the compromised system.
-
Evades detection via legitimate protocols and ports.
-
Examples: Traffic padding appends data to make it look like normal traffic; Domain generation algorithms allow C2 traffic to be spread across proxy hosts that redirect to the C2 host
-
Can exfiltrate data, receive commands from a command centre, and update attack sequences.
Encryption and Data Exfiltration
-
Conceals the payload to make it difficult to detect.
-
Disguises data during exfiltration.
-
Example:Exfiltration using HTTP, HTTPS, DNS, etc.
Of course, attackers combine techniques. For example, adversaries combine evasion techniques using the example of obfuscating, encrypting, and compressing malware at multiple levels of attack vectors. It is one of the more common techniques where parts of the initial malware binary are obfuscated and/or encrypted to bypass static analysis so that it is more difficult to understand in the incident and forensics analysis phases.
Malware developers encrypt malware strings and then decrypt them at runtime. So, a malware analyst must understand and identify the blocks of code that decrypt the content and the decryption key.
Two trojans that have been active and evolving in the banking industry - Javali and Dridex - use these techniques to hide their content, including the hardcoded strings, the configuration such as the remote C2 server address, bot commands, what kind of information will be exfiltrated and gathered during the execution, the WinAPI loaded in runtime, etc.
To be continued….
Tomorrow, Part 2 will dig into how to focus your resources - people, processes and technology - on the most important areas of your defenses, so that you are preventing key tactics that threat actors use to do the most damage. Click here to follow this series on LinkedIn so that you are alerted to new articles.
