Zero-Day and Fileless Threats Are Beating AV, but Advanced Endpoint Protection Can Give Firms a Fighting Chance

Good enough is good enough? Well, maybe it‘s time to revisit this metaphor, at least when it comes to stopping endpoint attacks. Despite the soaring risks created by new ways of working and evasive malware, many firms are sticking with what they know to protect endpoints: basic anti-virus tools that rely on spotting detectable signatures to catch threats.

According to a 2021 Cyberthreat Defence Report by Gigamon, almost three-quarters of organisations have an anti-virus/anti-malware tool in place. In contrast, just over half (56.8%) of respondents said they use an advanced anti-virus/anti-malware solution like endpoint detection and response (EDR). That being said, at the time of the survey, about a third were planning on investing in this type of technology in the next 12 months.

Let’s hope they did. With zero-day and fileless attacks on the rise, reducing endpoint security risk and stopping advanced threats and malware is not something that standard AV solutions can be relied on to do.

For organisations that want to escape devastating attacks—or at least minimise their impact—taking a layered approach to endpoint security has never been more important. At the very least, this means investing in next-generation AVs and endpoint detection and response (EDR) platforms. However, to really put a stop to zero-day and fileless attacks, companies may want to look at multi-faceted threat detection and response security products like SenseOn.

Unpredictable Attacks Are Everywhere

Fileless and zero-day threats bypass traditional AV solutions because they don‘t have easily recognisable signatures. When threats are unlike anything an AV vendor has seen before or don‘t rely on executable files for deployment, they can slip past undetected.

These kinds of attacks on endpoints are getting more common. In 2018, ZDNet published an article titled “Zero-days, fileless attacks are now the most dangerous threats to the enterprise.” Based on research by the Ponemon Institute, the article described how, between 2017 and 2018, almost two-thirds of enterprise players experienced cyberattacks that utilised zero-day or fileless malware—a 20% increase year-on-year.

In the years since, things have only gotten worse. In 2020, fileless attacks increased by a whopping 900%. And in Q1 2021, nearly three-quarters (74%) of all threats detected were zero-day malware able to bypass traditional endpoint protection solutions.

Today, a new wave of zero-day and fileless threats is putting millions more firms at risk. Earlier this year, Kaspersky cybersecurity researchers came across a malicious campaign that saw threat actors taking advantage of Windows events logs to plant fileless last stage Trojans and keep them hidden on target devices. This type of technique has not been seen before, with Kaspersky advocating that it should be added to the “Hide Artefacts“ section in the “Defence Evasion“ stage of the MITRE ATT&CK matrix.

Zero-Day and Fileless Endpoint Attacks Are Now Everyday Threats

Not long ago, fileless and zero-day malware was something that only well-resourced nation-state attackers had access to. Today, these technologies are within reach of “regular” hackers. Although most zero-day exploits in 2021 could be attributed to state-sponsored groups, around a third of the exploits were traced to private cybercrime groups. This is in contrast to the mid-2010s when only a “small proportion” of financially-driven threat actors were exploiting zero-days.

The number of ransomware operators using zero-day flaws is also on the rise. For example, the HelloKitty ransomware group recently took advantage of a zero-day bug in SonicWall’s SMA 100 series 10.x firmware.

This rise in advanced threat development shows no sign of cooling off either. The recent boom in ransomware-as-a-service suggests that cybercriminal gangs are starting to “invest” in individuals who have the skills to exploit zero-days and write custom malware designed to bypass standard enterprise firewalls. This is not surprising—security researchers believe that fileless attacks are 10 times more likely to succeed than file-based attacks.

As fileless malware and zero-day exploits become more obtainable, IT security professionals are likely to see more of these types of attacks in the near future.

To Fight More Sophisticated Endpoint Attacks, Layer Up

Alongside AV defences, which still have a vital role to play in stopping known threats, security operations teams need advanced endpoint security that does not just rely on predictable patterns to spot attacks or give a limited view into what‘s happening. Even NG-AVs, which use machine learning and artificial intelligence, cannot do this on their own. For comprehensive visibility across endpoints, businesses should consider endpoint security solutions that use endpoint detection and response (EDR) technology.

Looking for behavioural patterns that indicate threats like zero-day and fileless malware, EDR endpoint security tools can use behavioral analysis to detect sophisticated attacks in real time across all endpoints connected to a corporate network and automate responses before threats spread across a network.

But endpoints are just one attack vector. For truly effective protection against advanced threats, organisations need a solution stack that not only looks at endpoints but also at the rest of a company‘s digital estate too. Often, malicious activity may look normal on an endpoint (including desktops, laptops, mobile devices, and IoT). However, when seen in context with data from the network, cloud, and other parts of a company’s IT infrastructure, it becomes obvious that it‘s malicious.

Consolidating point solutions like NGAV, EDR, NDR, SIEM, and more, SenseOn gives organisations an unparalleled view of all that is happening within their environment, including the behaviour of devices, processes, users, and network telemetry. All within a single agent.

Using proprietary technology we call “Threat Triangulation,” SenseOn performs behavioral analysis from different angles, stopping to think and learning from experience. In this way, it mimics how a talented human analyst thinks and acts and greatly reduces the number of false positives that filter back to defenders. It also uses deception technology to trick attackers and more easily uncover attacks—the most-sought after investment in 2021, according to the above-mentioned Gigamon report.

To make investigation easier, every alert surfaced by SenseOn is linked to other alerts, making up a threat “Case.” Each Case shows the sequence of events as they happened and the relationship between affected devices. All Cases are also mapped to the MITRE ATT&CK framework. Coming across time-sensitive and critical threats like ransomware, SenseOn can automatically take remediation steps, quarantining impacted machines without human input.

Sign up to our newsletter

Join thousands of like-minded professionals who are already 
receiving our blog updates and best practice guides.