Invisible Threats: Why Hands-On-Keyboard Attacks Are Formidable

Fileless, hands-on-keyboard attacks are a particularly formidable malware-free assault because they do not depend on signatures traditionally used for detection, thereby creating a blindspot for malicious actors to exploit, according to the 2022 CrowdStrike Global Threat Report. Zero-trust network access (ZTNA) and inter-platform communication give companies greater visibility of their digital infrastructures, allowing them to thwart these attacks before it is too late. 

“The cybersecurity threats of today have evolved beyond malware and therefore cannot be contained through legacy security tools of the past. This pivot on behalf of malicious actors demands in turn that companies augment their detection capacities as needed to fortify their security posture,” Luis Padilla, Country Manager, CrowdStrike Mexico, told Mexico Business News.

Until recently, cybersecurity attacks had been traditionally based on malware, but over the last couple years new malware variants have declined year-over-year, representing only about 30 percent of attacks experienced by companies. Instead, threat actors are increasingly electing fileless ransomware attacks because they do not depend on signatures that are used to flag and purge traditional malware. Moreover, their capacity to “live off the land,” referring to the adversarial use and abuse of a company’s legitimate tools is sufficient to make this threat invisible to sandboxing, PowerShell and even machine learning-based analysis security tools. 

Furthermore, addressing this threat is challenging even after its detection because malicious actors often look to corrupt and or obstruct legitimate company tools essential to business operations. In other words, security experts cannot approach such a threat haphazardly without potentially disrupting or compromising critical business operations. Moreover, as observed in case studies, adversaries are often using fileless tools and methods in conjunction with other techniques for added stealth, enhanced lateral movement and data exfiltration. 

Having established the adversarial capacities enabled by fileless ransomware attacks “serves to highlight the importance of zero-trust network access (ZTNA) to thwart these types of attacks before they have an opportunity to embed themselves in your digital infrastructure,” said Padilla. In practice it would afford companies the control to admit authorized profiles and follow their behavior within their digital infrastructures. The latter functionally is particularly important given the concerted rise in social engineering attacks such as phishing campaigns and the exploit of multi-factor authentication (MFA) fatigue, which cybercriminals are using to gain seemingly authorized access to a company’s digital infrastructure. 

After the fact, a company’s ability to detect and track indicators of attack (IoA) during the early stages of an attack becomes critical. Companies that count with ZTNA controls have the added capacity of following authorized profiles to discover anomaly behavior indicative of compromised user identities and or insider threats. Those that do not use ZTNA have the added work of trying to identify invisible threat actors before they are able to fully execute and inflict damage, which is time-consuming and laborious work that requires gathering and processing copious amounts of data. CrowdStrike Falcon Identity Threat Detection and protection suite stops breaches faster by protecting workforce identities everywhere leveraging advanced AI in the world’s largest unified, threat-centric data fabric. It disrupts the attack at early stages, preventing compromised credentials from gaining access before they can attempt to move laterally. 

“Security controls transcend Crowdstrike sourced domains. CrowdStrike’s extended detection and response (XDR) facilitates this process for companies’ security teams through environmental telemetry, effectively allowing companies to leverage all of their security resources from one platform. This inter-platform communication intrinsically gives companies greater visibility of their digital infrastructures whose specialized efficacies are fomented with CrowdStrike’s ability to discern early IoA,” said Padilla.

CrowdStrike’s expansion from EDR to XDR essentially takes its endpoint and identity detection capabilities and extends them to other domains covered by third party security companies. This generates an added-value environment capable of studying unregistered indicators of attack to understand, thwart and prevent fileless attacks irrespectively of their ability to manipulate legitimate tools. Moreover, it allows organizations to use diverse security tools in conjunction for more thorough detection sweeps and informative investigations to take more assertive countermeasures against specific threats.

“We are not alone in this effort. Crowdstrike has announced the CrowdXDR Alliance, a unified and open Extended Detection and Response Coalition integrated by Security and IT Operations best-of-breed solutions. This benefits the market overall because it allows for the combined capacities of specialized security companies without losing their individual capacities. The alliance enables an out-of-the-box integrated XDR solution with real-time detection and threat hunting across all security domains and extends comprehensive visibility, protection and control across all environments,” said Padilla.