

File-less attacks

The stipulation that companies wishing to meet security standards, such as Cyber Essentials Plus, must have Anti-Virus (AV) has been carefully replaced with ‘anti-malware measures’. This is because it is acknowledged that any AV is only as good as the signature library it holds. And, given that libraries may only be updated bi-weekly, and that updates are often cancelled because they are deemed to ‘get in the way’, a malware attack can spread very quickly around a network, writes Colin Tankard of Digital Pathways.

There has been a growth in zero-day attacks, where the signature of the malware is not known to traditional AV, so the malware has an open period in which to spread its payload until AV vendors add the new threat to their systems. To counter this, many AV vendors are trying to step up their game, adding intelligence to their systems that tries to detect strange actions, report back to base and so speed up the detection and blocking of new attacks. Hence the term Advanced Anti-Virus.

But this is still too slow, as it could be hours before the threat has been recognised, updates applied and the attack blocked. And in the cyber world, hours can bring down hundreds of thousands of machines, crippling businesses. A study by Verizon found:

– one minute 40 seconds – is the median time until the first malicious email in a phishing campaign is opened;
– half of users click on a link;
– half of phishing sites last less than 24 hours before they are taken down by the hacker; and
– five million per hour ransomware outbreaks are unique and not seen before.

According to Cyren, the email security company which handles over 25 billion transactions each day and blocks 300m threats every 24 hours, the time to detect versus the time to protect needs to be seconds, not minutes or hours, as phishing sites only stay online for hours. By the time most security vendors are blocking the site, it has already disappeared.

In February, systems at Redcar and Cleveland Council were taken down for almost three weeks after a ransomware attack. It took 19 days for the council to admit it was dealing with an attack, and only after it was forced to inform the public that it was being held to ransom. The situation was far more serious, as hackers were in control of computer systems and sensitive data.

Forms of malware attack have been well publicised, but some of the latest attacks are not based on locking a company out of its machines and demanding a ransom to unlock them. Now attacks are along the lines of getting into the organisation and controlling things from within, often selling the information found to competitors, or even demanding protection money from the company in return for not leaking data or damaging its reputation.

Microsoft was recently granted a court order to take control of a malware botnet that could install malicious software on machines, to be used in attempts to disrupt the US election in November.

Microsoft identified the Trickbot botnet, which is said to have infected more than a million companies since 2016 and is used by its operators to install more dangerous programmes, including ransomware, but also command-and-control software which seeks out administrator profiles, backup files (even off site) and cloud-based systems.

“Adversaries can use attack software to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimised to show chaos and distrust,” said Microsoft Corporate Vice President Tom Burt.

These attacks often go unnoticed by the organisation, as the attack vectors look normal. The programmes used are not known to existing AV systems and hide themselves within the network. Possibly the company’s auditing and logging system might have raised an unusual alert, but these are frequently overlooked by busy IT teams and, after a short period, become lost within all the other ‘noise’ of the network and go unnoticed. Even when the hacker reveals their intention, IT teams often cannot find where the rogue programmes are, as they have been integrated across many systems and have modified small parts of applications, making detection hard and removal even harder.

This is why Advanced Threat Detection (ATD) has evolved. It is free of the signatures that shackle detection and instead starts by learning what is normal on a machine or network, stopping in its tracks whatever is not. The new fileless attacks completely floor AV systems, as there are no files or signatures to match. However, ATD would block an unusual action, such as an outbound connection from an application which does not normally perform such a function, and immediately stop the process. An apparently good web link, but one which takes the user to a hijacked page in order to launch a program that downloads attack software, would be seen by ATD as unusual and would be blocked.

These solutions are deployed on the end-user machine and are totally transparent to the user until a bad process is detected. At that point the process is stopped, system administrators are alerted and an automated cleansing process starts to remove the attack software, even from backup systems if the attack has been directed at them.
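To make the behavioural idea above concrete, here is an added illustration (not code from the article or from Digital Pathways) of the simplest form of the check: learn which processes normally make outbound connections, and to which ports, then alert on any connection that falls outside that baseline, such as a document editor or script host suddenly talking to the internet. The log format, process names and addresses are all constructed for the example.

```python
"""Added example, not code from the article: learn which processes normally
make outbound connections, then flag connections that break that pattern.
Log format and all sample lines below are constructed for illustration."""
from collections import defaultdict

# Constructed endpoint logs: "<timestamp> <process> <dest_ip>:<dest_port>"
BASELINE_LOG = """\
2024-01-01T09:00:01 chrome.exe 192.0.2.10:443
2024-01-01T09:00:05 outlook.exe 192.0.2.20:443
2024-01-01T09:01:10 chrome.exe 192.0.2.11:80
2024-01-01T09:02:00 outlook.exe 192.0.2.20:993
"""
NEW_LOG = """\
2024-01-02T10:00:00 chrome.exe 192.0.2.10:443
2024-01-02T10:00:07 winword.exe 203.0.113.77:443
2024-01-02T10:00:09 outlook.exe 192.0.2.20:443
2024-01-02T10:01:30 powershell.exe 198.51.100.5:8080
"""

def parse(log: str):
    """Yield (process, dest_port) pairs from the constructed log format."""
    for line in log.splitlines():
        if line.strip():
            _ts, proc, endpoint = line.split()
            yield proc.lower(), int(endpoint.rsplit(":", 1)[1])

def build_baseline(log: str) -> dict:
    """Map each process to the set of destination ports it normally uses."""
    baseline = defaultdict(set)
    for proc, port in parse(log):
        baseline[proc].add(port)
    return dict(baseline)

def detect(log: str, baseline: dict) -> list:
    """Return (process, port, reason) for each connection outside the baseline."""
    alerts = []
    for proc, port in parse(log):
        if proc not in baseline:
            alerts.append((proc, port, "no history of outbound connections"))
        elif port not in baseline[proc]:
            alerts.append((proc, port, "port never used by this process"))
    return alerts

if __name__ == "__main__":
    # A real ATD agent would stop the process here; we only report it.
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print("BLOCK/ALERT:", *alert)
```

The two browser and mail connections pass silently; the document editor and the script host are flagged, which is exactly the "application that does not normally perform such a function" case the article describes.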

But nothing stands still, and companies now need to think beyond even Advanced Anti-Virus, moving to an intelligence-based process that goes into the unknown. Hackers are moving fast to beat current security systems and are not looking for the short-term gain of a ransom but instead for how they can hold a company hostage for the long term, threatening it with loss of reputation, leaking of intellectual property, or sharing of sensitive information, such as mergers and acquisitions, with interested parties.

In our compliance-driven world, organisations can’t afford the fines, let alone the bad press they bring. Stopping the bad guys at the door must be the only strategy.

About the author

Colin Tankard is Managing Director of cyber security company, Digital Pathways. Visit

