
Malware-free attacks: How can enterprises stop them?

New research shows that threat actors are "living off the land" and infiltrating corporate networks using malware-free attacks. Expert Nick Lewis explains how this is done.

Hackers are reportedly using little or no actual malware to infiltrate their victims' networks, yet much of traditional enterprise security software relies on detecting malicious code. What security controls should enterprises use to detect and defend against these "living off the land" malware-free attacks?

"Living off the land" is when an attacker uses the tools and credentials that already exist on a system to breach the network instead of using malware, hence the term "malware-free" attack. It matters that the credentials or tools used to infiltrate the environment already exist on the system: installing new tools or creating new root or administrator accounts could draw the attention of security administrators and prompt an investigation, putting the attack at higher risk of detection. The attacker uses legitimate system management tools, either built into the operating system or provided by the organization's existing third-party system management product, to access systems. Another security control attackers frequently bypass is single-factor username/password authentication: the attacker either captures the credential or uses a hash of the credential to access other systems.

Dell SecureWorks issued a media alert about more attackers "living off the land" to draw attention to how enterprises need to protect themselves. Detecting and defending against these malware-free attacks requires more than traditional antimalware tools and firewalls. The company's recommendations are basic cybersecurity hygiene, but they can still be difficult to carry out at large scale. Potentially the easiest security control to adopt is Dell SecureWorks' first recommendation: implementing two-factor authentication. This can drastically reduce an attacker's ability to compromise credentials for use in a malware-free attack. A harder security control, which can also detect these and many other types of attacks, is monitoring endpoint activity on the network and on the host. Monitoring endpoint devices helps security teams detect suspicious behavior, such as a spike in file downloads, that may indicate a user's credentials have been compromised.
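A concrete form of the endpoint monitoring recommended above, as an added example that is not from the article or from Dell SecureWorks: two sliding-window detectors over constructed logon and file-access records, one flagging a single credential authenticating to many distinct hosts within minutes (the credential reuse described earlier), the other a spike in file downloads. The record fields, usernames, hostnames and thresholds are assumptions.

```python
"""Added example (not from the article): behavioural detection over
constructed records (timestamp, user, source_host, target_host, action)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. bob's credential is reused from one
# workstation against five hosts in five minutes, then 40 files are
# pulled from FS-01; alice shows ordinary activity.
SAMPLE_EVENTS = [
    ("2016-03-01T09:00:00", "alice", "WS-01", "FS-01", "logon"),
    ("2016-03-01T09:05:00", "alice", "WS-01", "FS-01", "download"),
    ("2016-03-01T09:06:00", "alice", "WS-01", "FS-01", "download"),
] + [("2016-03-01T22:%02d:00" % m, "bob", "WS-07", h, "logon")
     for m, h in enumerate(["SRV-01", "SRV-02", "SRV-03", "SRV-04", "FS-01"])
] + [("2016-03-01T22:%02d:00" % m, "bob", "WS-07", "FS-01", "download")
     for m in range(5, 45)]

def parse(rec):
    ts, user, src, dst, action = rec
    return datetime.fromisoformat(ts), user, src, dst, action

def sliding_alerts(events, action, window, threshold, distinct_hosts):
    """Per user, keep a sliding window of events matching `action`; alert once
    when it holds `threshold` events (or distinct target hosts). -> {user: (ts, n)}"""
    per_user = defaultdict(list)
    alerts = {}
    for ts, user, _src, dst, act in sorted(map(parse, events)):
        if act != action:
            continue
        q = per_user[user]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # evict events older than the window
            q.pop(0)
        n = len({d for _, d in q}) if distinct_hosts else len(q)
        if n >= threshold and user not in alerts:
            alerts[user] = (ts.isoformat(), n)
    return alerts

def lateral_movement_alerts(events):
    """One credential authenticating to 4+ distinct hosts within 10 minutes."""
    return sliding_alerts(events, "logon", timedelta(minutes=10), 4, True)

def download_spike_alerts(events):
    """20+ file downloads by one user within an hour."""
    return sliding_alerts(events, "download", timedelta(hours=1), 20, False)

if __name__ == "__main__":
    print("credential reuse:", lateral_movement_alerts(SAMPLE_EVENTS))
    print("download spikes:", download_spike_alerts(SAMPLE_EVENTS))
```

Thresholds and windows should be tuned against a baseline of normal administrator activity, since legitimate management tools produce the same event shapes.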


This was last published in March 2016
