How do we detect signature-less attacks?

Posted on 22 February 2018 by Gayle Kennedy

Cyber attacks – and the methods to detect and prevent them – have evolved dramatically over the past thirty years. As signature-based defenses have improved, attackers have found ways to bypass them. But how do they do this, and how do we at Countercept detect them when they do?

 

In our experience of threat hunting for potentially malicious files – using both signature and non-signature based techniques – we’ve discovered some burgeoning themes. Attackers are well versed in how common signatures work and are well versed in bypassing traditional detection. The art of obfuscating payloads by working around the known signatures that anti-virus software is programed to detect or padding out and modifying legitimate code is now a capability that even less advanced attackers have at their disposal.

 

What does this look like in action?

As an example, we’ll use a recent breach attempt on one of our clients. The attacker utilized Metasploit, a penetration testing framework used for offensive testing that is increasingly used for malicious purposes by attackers to generate payloads that contain infected files.

 

Most of the time, Metaspoilt payloads follow a common format and so are easily detectable by signatures. Instead, this particular example saw an attacker obfuscate their Metasploit payloads by creating a file that seemed innocuous (at least to anti-viral software), which allowed them to gain an initial foothold onto the target organization. From there, they were able to mix-up their payloads further as they began laterally moving throughout the network.

 

Hunt for behavior, not signatures

If we had relied on signature-based detection, this particular adversary would have been difficult to detect as they were well-versed in avoiding traditional detection.

 

However, threat hunters look for behaviors, instead of signatures. Despite encoding and obfuscating Metasploit results and avoiding known signatures, the attacker’s payloads exhibited the type of specific behaviors that our threat hunters look for, such as suspicious payloads running on the estate, anomalous network connections to unknown IP addresses, and suspicious processing activity. As a result, we were able to detect the presence of this attacker early on in the attack.

 

We quickly deduced that Metasploit had been used, which meant we were then able to hunt for its other known behaviors of Metasploit and eventually map the attacker’s actions. We then responded accordingly, degrading C2 channels and killing processes, while working with the customer to contain the overall attack and keeping on the lookout for anything new and malicious.

 

Signature-based detection still has a role to play

Don’t get us wrong – signature-based detection is remarkably effective at weeding out a large percentage of malicious files. But it is not enough on its own. Only a managed detection and response service that has threat hunting at its core will provide a holistic view into the methods of the modern-day threat actor.