Attackers shift away from file-based techniques

Cyber attack methods are becoming more sophisticated in order to bypass traditional file-scanning protection systems according to a new study.

Endpoint protection specialist SentinelOne has used filtered data from more than one million SentinelOne Enterprise Platform agents deployed worldwide to carry out behavioral analysis of malware programs that bypassed firewalls and network controls to infect devices.

This data has been used to create the company's first Enterprise Risk Index which focuses on three risk categories. These are, attacks from document-based files, largely associated with Microsoft Word or Adobe PDF, attacks detected from traditional portable executable-based files, and attacks detected only from the memory of the system with no associated new artifacts on the system.

"These days, infecting a target is just a matter of resources; but how long the hackers get to stay inside the network is a matter of good detection," says Andy Norton, EMEA risk officer for SentinelOne and lead researcher for the Enterprise Risk Index. "In our analysis we focused on the attacks that are successful in making their way past traditional defenses to reach endpoint targets because these are the threats that pose the greatest risk to an organization. That's what we should be measuring -- not what's stopped at the gateway."

The report highlights the growing menace of in-memory attacks. Over the period of the study these have doubled in comparison to the infection rates of file based vectors. They're favored by nation-state actors as they trade infection sustainability for stealth, leaving no new artifacts on the file system after a re-boot, even if it means needing to re-infect the target.

Even for file-based attacks, the study shows only 20 percent of threats had corresponding signatures from existing AV engines. Three-pronged infections are becoming the norm as attackers no longer rely solely on .exe files to deliver malware, but instead use hybrid attacks that multiple attack vectors can utilize in one attack chain.

"We wanted to make sure the report was usable for organizations," adds Norton. "It's the beginning of a benchmark that they can take to their board, in the past the real issues haven't been conveyed to the board by the technical guys because they're too scared to tell them. What we're trying to do is introduce a more mature approach where we give people not just good news but bad news as well."

You can find out more and download the full report on the SentinelOne blog.

Photo Credit: ra2studio/Shutterstock