Non-malware is a massive and growing cybersecurity issue. Recent research from Carbon Black has shown that the issue is akin to a ticking time bomb with nearly two thirds (64%) of security researchers reporting that they’ve seen an increase in non-malware attacks since the beginning of 2016. The vast majority (93%) of security researchers surveyed also said non-malware attacks pose more of a business risk than commodity malware attacks.
A non-malware attack is one in which an attacker uses existing software, allowed applications and authorised protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name.
Non-malware attacks are also referred to as fileless, memory-based or “living-off-the-land” attacks. Because non-malware attacks are fileless, they more easily bypass traditional AV protection and ML-based AV, which typically stop attacks based on files rather than behaviours.
This makes non-malware a particularly potent threat affecting organisations across all industries. There is no organisation or business that can escape the growing reach of the non-malware threat.
Attackers will use successful exploits to gain access to web browsers, Office-suite applications, native operating system tools (think PowerShell or Windows Management Instrumentation – WMI) and other applications that grant the attacker a level of execution freedom. These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that lead to valuable data.
Carbon Black’s research found that amongst the most common types of non-malware attacks that researchers reported seeing were: remote logins (55%), WMI-based attacks (41%), in-memory attacks (39%), PowerShell-based attacks (34%), and attacks leveraging Office macros (31%).
So what does the fightback against this threat look like?
What is clear is that it is early days for artificial intelligence (AI) and machine learning (ML) – at least for a while yet they are not the answer. Our research found that AI is considered by most security researchers to be in its nascent stages and not yet able to replace human decision making in cybersecurity.
Trust in both AI and ML will need to grow significantly before they become a viable solution to the non-malware problem and this may take a long time to accrue. The research showed that 87% of security researchers said it will be longer than three years before they trust AI to lead cybersecurity decisions.
In the meantime it is vital for organisations and the teams tasked with keeping data and networks safe that they find a solution that works and that they can trust, now.
This is where next-generation antivirus (NGAV) comes in! We know that legacy AV is ill-equipped to deal with non-malware threats. Indeed our research showed that security professionals already recognise this as being the case with two-thirds saying they were not confident legacy AV could protect an organisation from non-malware attacks.
Better detection and response to threats is imperative for security. NGAV is the solution to the non-malware problem and one that organisations need to – and increasingly are – looking to in order to provide the defence against these kinds of attacks. It is critical to their organisations that non-malware attacks are effectively stopped.
What makes non-malware a significant threat is a potent mix of rapid growth, the lack of protection of legacy AV, the lack of efficacy from AI and ML defence alternatives and the damage non-malware attacks can cause to an organisation.
Non-malware is the ticking time bomb organisations need to be aware of and take action now to prevent a potentially hugely damaging explosion either tomorrow, next week or the month after. If there is no effective defence it is only a matter of time before an attack gets through.
Bu Eric O’Neill, National Security Strategist, Carbon Black
