CrowdStrike recently released its Global Threat Report, an outline of their observations of threat actors and their techniques, covering the year of 2019. While the report itself contains numerous points of interest, one in particular caught the eye of the RiskIQ Research Team. CrowdStrike states, "...the trend toward malware-free attacks is accelerating with these types of attacks surpassing the volume of malware attacks." This shift in tactics requires a corresponding shift by defenders.
This post will take a more in-depth look at the implications of this shift and how defenders need to adapt to stay ahead of their adversaries, whether they wield malware or not.
In the report, CrowdStrike defines malware-free attacks as "those in which the initial tactic did not result in a file or file fragment being written to disk." Code executed from memory, stolen credentials used for remote login, and domain-spoofing are all examples of malware-free attacks. Existing CrowdStrike customers have deep visibility into internal endpoint activity along with prevention capabilities, making these attacks less of a concern. Still, it does suggest that defenders will have to work harder and deploy new approaches to identify attackers.
Any entity operating on the internet, for good or bad, generates signals. These signals, if collected properly, can be leveraged to investigate an attack, or even prevent it. The vision and mission of RiskIQ for the last ten years have been to capture, correlate, and instrument these internet infrastructure signals so enterprises can detect and defend their company, brand, people, and data. One of the best ways to detect and prevent malware-free attacks is based on the signals that they generate. Taking the three examples introduced earlier, we can see what signals will be generated from these activities.
Code Executed from Memory
Malicious code will more than likely need to get instructions via the network to function, which generates communication signals, specifically domains and IP addresses.
Stolen Credentials used for Remote Login
Valid credentials used within the network will ultimately authenticate from a given location and thus have an IP address associated with it. This location, while not always reflective of the attacker's true location giving us more signals to work with.
Typically, registering a domain requires payment and exchange of personal information. Once purchased, that domain will be parked or updated to point to a network location. Each step of this process—from the name, phone number, and email used to register to the hosting provider, and infrastructure used for hosting—generates signals.
Even without files, there are plenty of signals an analyst can use to combat such attacks. What's important to note, however, is where and how the signals are collected. Simply collecting local logs and internal endpoint data like process execution, system behavior, and network requests is insufficient. Relying on internal information alone is only half the picture. It's critical to leverage external Internet threat intelligence to complete the attack surface view.
Much like CrowdStrike is the leader in endpoint detection and response, RiskIQ is the leader in attack surface management and Internet Infrastructure threat intelligence. When used independently, both solutions enable organizations to defend themselves better, but when combined, they give organizations a complete, 360-degree view of their attack surface.
Leveraging the CrowdStrike Falcon APIs, RiskIQ has delivered an application that bridges both internal and external visibility. The app brings customer endpoint telemetry and rich CrowdStrike actor threat intelligence straight into RiskIQ PassiveTotal, the industry's most extensive collection of Internet data. Analysts can expect accelerated investigations, more-complete incident response efforts, and leveling-up of existing team member skills. All of this, regardless of whether the attack is malware-free or not.
Customers of both CrowdStrike Falcon and RiskIQ can easily test and see the power of this signal-based approach by installing the RiskIQ Illuminate application and starting a free-trial directly from the CrowdStrike Store.