The IT security landscape is evolving at breakneck speed. With new threats and vulnerabilities appearing every day, it’s easy to get stuck in firefighting mode, and that’s a problem. Now more than ever, companies need to be proactive when it comes to evaluating and making strategic changes to their security. If you’re not evolving at the same pace as the threats, your risk goes up exponentially.
To help IT leaders make more strategic, forward-thinking decisions about their security, the team at Barkly identified three key trends that explain how malware is evolving. These trends highlight several important shifts in attack techniques that every organization needs to be ready for in 2018.
1. Fewer attacks rely on user mistakes
Ask any IT professional what their company’s most persistent liability is and the answer will be “end users.” Long described as “the weakest link in security,” end users are constant targets of malware campaigns designed to trick them into downloading malicious email attachments or visiting compromised websites.
Organizations know this and have strengthened their email security accordingly. Many have also increased investment in security awareness training to reduce the likelihood of mistakes. When you look at infection trends across 2017, however, it becomes clear that many attacks—including WannaCry and NotPetya, two of the year’s largest outbreaks—didn’t rely on tricking end users. They took a more direct approach to compromising organizations by exploiting shared access points like Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP) that had been left open and exposed.
In 2018, we expect attackers will continue to target unsecured RDP and SMB ports and leverage other “clickless” ways of infecting organizations. That's why IT professionals should make every effort to identify and secure open ports.
2. Attackers use organizations’ tools against them
One of the most troubling trends we saw in 2017 was an increase in attackers who abuse otherwise legitimate system tools and processes already present within IT systems. Often referred to as “living off the land,” hijacking these tools makes attacks extremely difficult for antivirus solutions to detect.
NotPetya was a high-profile example of an attack that leveraged this tactic. While the initial infection was triggered when users installed an update for Ukrainian accounting software, it spread using PsExec and Windows Management Instrumentation (WMI)—two legitimate Windows tools widely used by system administrators. The malware spread quickly across victims’ networks because these tools do not typically raise red flags.
Other examples of legitimate system tools that are being increasingly hijacked by attackers include PowerShell, Windows Credentials Editor, and Group Policy Objects, just to name a few. While these administration tools are very useful for managing large networks, they also pose a very real security risk.
IT professionals can mitigate that risk by disabling or restricting unused tools. It’s also critical for them to use endpoint security that isn’t completely reliant on file scanning or whitelisting since these fileless attack techniques can easily bypass such defenses.
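A defender-side illustration of the point above, added here and not part of Barkly’s article: a small triage pass over constructed process-creation records that flags the two lateral-movement footprints named in the NotPetya paragraph, the PsExec service binary and command interpreters spawned by the WMI provider host. The record layout, field names and sample values are assumptions made for this example.

```python
import ntpath

# Constructed, simplified process-creation records: (image, parent image, command line).
# This tuple layout is an assumption for the example; real telemetry (Sysmon event 1,
# Windows Security event 4688) carries the same fields under other names.
SAMPLE_EVENTS = [
    ("C:\\Windows\\PSEXESVC.exe", "C:\\Windows\\System32\\services.exe",
     "C:\\Windows\\PSEXESVC.exe"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmd.exe /c hostname"),
    ("C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"),
    ("C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\explorer.exe",
     "notepad.exe report.txt"),
]

# PsExec installs and runs this service binary on the remote host it is driving.
PSEXEC_SERVICE = "psexesvc.exe"
# The WMI provider host; anything it spawns was started by a WMI call,
# which may have come from another machine.
WMI_HOST = "wmiprvse.exe"
# Interpreters and script hosts that administrators rarely launch through WMI.
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}


def classify(image, parent_image):
    """Return a finding label for one process-creation event, or None if benign."""
    child = ntpath.basename(image).lower()
    parent = ntpath.basename(parent_image).lower()
    if child == PSEXEC_SERVICE:
        return "psexec_service_started"
    # WmiPrvSE.exe itself being started by svchost.exe is normal; only its children matter.
    if parent == WMI_HOST and child in SHELLS:
        return "wmi_spawned_interpreter"
    return None


def triage(events):
    """Return (index, label, command line) for every event that matches a rule."""
    findings = []
    for idx, (image, parent_image, cmdline) in enumerate(events):
        label = classify(image, parent_image)
        if label:
            findings.append((idx, label, cmdline))
    return findings


if __name__ == "__main__":
    for idx, label, cmdline in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {label}: {cmdline}")
```

The third record shows why the rule keys on the parent rather than on WmiPrvSE.exe itself: the provider host runs constantly on healthy machines, and alerting on it alone would drown the signal.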
3. Attacks are designed to spread automatically
Last year, we also saw a resurgence in attacks leveraging worm components to transform single infections into network-crippling events. The WannaCry ransomware outbreak was the most prominent example, spreading to an estimated 400,000 computers in more than 150 countries. That success has since inspired other malware authors to add worm components, and unfortunately there are now plug-and-play options that make carrying out attacks easier than ever.
This development demands a shift in how IT professionals view attacks. It’s no longer about the risk of a single employee infecting a single machine. One infected machine can now be a catalyst for a larger outbreak that takes down internal and external networks.
To help reduce the risk of worms, IT professionals need to prioritize blocking these kinds of attacks at the outset, before infections have the chance to spread.
Advice for 2018: Evolve your security
In the year ahead, hackers will find new ways to leverage these three trends in even more powerful attacks. To fight back, companies need to adapt their defenses. In addition to having a reliable backup and recovery strategy, IT professionals need to take advantage of innovations in endpoint security that allow new solutions to actively learn and adapt the protection they provide on a nightly basis as new malware is discovered.
As we gear up for another year filled with new threats and new challenges, we know attackers won’t be adhering to the status quo. Organizations need to be ready to adapt on the fly and make changes to their security stacks accordingly.