More than 50% of modern cyber-attacks are fileless, non-malware types of attacks, according to the latest CrowdStrike threat report.
They leverage existing tools and legitimate software on the endpoint to sneak under the radar of traditional anti-virus tools, firewalls or sandboxes, said Roland Daccache, sales engineering team leader at CrowdStrike, META region, speaking at the ITWeb Security Summit on Tuesday.
With modern cyber-attacks becoming more sophisticated, traditional security products are quickly becoming obsolete, he said. “We invest so much in security tools and solutions but when we become a victim, very few products prove useful.”
Fileless attacks leave very little in the way of forensic traces that can be investigated, and while they used to be the trademark of the largest threat actors, today they’re becoming increasingly commercialised and evolving on the endpoint.
With these fileless attacks using legitimate processes that load onto a system, traditional signature-based anti-virus tools are blind to 59% of attacks, he said. “What a traditional AV does is no longer enough.”
Remote work challenges
COVID-19 suddenly forced companies to shift to a work-from-home model. However, the majority of existing on-premises cyber security investments were not designed to support this type of operating model, which presented attackers with a much wider attack surface.
Daccache says remote work presents companies with many security challenges: The majority of companies were not prepared as they don’t normally allow remote work; they often lack the IT resources to enable secure remote work; there are bandwidth and connectivity issues; remote workers use personal, unprotected devices; traditional on-premises solutions won’t work for remote workers; and there are significant data privacy implications.
“Traditional on-premises solutions, firewalls and sandboxes were simply not designed to scale to protect remote users.”
What’s needed to protect the endpoint device is an EDR (endpoint detection and response) solution.
The 1-10-60 rule
According to Daccache, to stop a modern attack companies need to apply what CrowdStrike calls the “1-10-60” rule.
“You need very early, predictive detection – within the first minute, at the very first weak signals. You need to investigate it within the next 10 minutes, and you need to be able to respond within 60 minutes. To do that, you need to have at your disposal all the telemetry data to investigate quickly and the right tools to respond.”
Another real challenge is a shortage of skills. “Not all of us have the luxury of access to very highly skilled incident response specialists,” he said.
In conclusion: attacks are getting more sophisticated, solutions are too complex, skills are in short supply.
CrowdStrike is redefining security for the cloud era. Its cloud-native solution uses ML and big data analytics to enable analysts to learn from past attacks and get proactive. “That’s the power of crowdsourcing,” ended Daccache.