Are the latest cyber threat reports an ignorable sales pitch?
YOU MAY have seen recent headlines concerning the rise of “fileless” cybersecurity attacks. The very latest warnings emanate from a joint survey undertaken by the Ponemon Institute and Barkly.
Readers will not be surprised to learn that the Ponemon Institute earns money from its advisory & consultative efforts on organizations’ cybersecurity strategies, and Barkly is a commercial endpoint cybersecurity specialist.
The motives behind these two organizations advertising their findings, therefore, are clear: they want to raise awareness of this type of threat of course, plus, naturally, they would like organizations to buy their solutions to it.
For the uninitiated, an “endpoint” in cybersecurity parlance means a computing device used by the majority of an organization’s workforce to undertake their work. Typically that is a computer or mobile device.
The important distinction is that the endpoint in question is not necessarily an in-house server, network infrastructure device, cloud service, or any other of the elements that make up today’s IT topology.
— Infosecurity Mag (@InfosecurityMag) November 15, 2017
The rise of the fileless attacks – Fileless Attacks Ten Times More Likely to Succeed. pic.twitter.com/xfjqqQgTIv
— CyberByte (@cyberbytesrl) November 16, 2017
A fileless cyber attack is not a new threat, nor is it particularly different in its motives from other cyber threats. It is different in that its malicious intent is not embedded in a particular data cluster aka a file, which can pass as an entity onto an organization’s network.
Most people will be aware of file-based threats and will have come across infected Word/Excel documents and .zip archives, or files purporting to be pictures of local beauties who’ve “just moved into the neighborhood” and are desperate to make new acquaintances.
Fileless threats could, therefore, be classified as “any threat not carried by a file”, but have become known, rather, as malicious code that makes its way onto a network via approved applications.
The approval of applications and the way they are used is usually the business of an IT department or security officer. In short, they are apps which are thought to be safe (enough).
A prime example of a fileless infection would be as follows:
- A user navigates to a website on an approved web browser.
- User clicks something on site.
- Browser invokes add-on/extension/code or scripting layer: Adobe Flash, ActiveX, Java runtime environment etc.
- Code bundle is downloaded by the add-on to computer’s memory.
- Code bundle runs and does something malicious: grabs personal data or keystrokes, and so forth.
The two elements of a fileless cyber threat, therefore, are “approved application” and “user”.
Approved applications, such as browsers, email clients, messaging apps and so on are required by staff in order to actually do what they’re paid for. Therefore, as tools of the trade, they have to work as well as they can, within certain constraints imposed by wary IT departments.
While most cybersecurity experts would love to lock down systems so that they are 99.9 percent safe, the reality of work means that systems, like their users, need to be enabled to work in ways that are, unfortunately, potentially dangerous.
The truth is that computing systems are constantly subject to threats, and always will be, despite what the cybersecurity consultants may say.
There are the security gaps that are obvious yet necessary: some organizations will still actually need an instance or two of older applications which will only run on Windows XP, SP 2. A non-executive board member’s ancient laptop may still be running a deprecated version of Flash inside Internet Explorer. Every organization has its own examples.
However, even the most up-to-date IT installations, locked down and protected by the latest cutting-edge tech are permanently threatened.
It is safe to say with 100 percent certainty every organization will suffer from cyber attacks which will have notable negative consequences.
There is no “if”, only “when”.
Security experts are fond of lecturing the rest of the enterprise on matters of cybersecurity, but are spectacularly prone to the same human gaffes as the rest of us: DXC’s (previously part of Hewlett Packard Enterprises) latest errors show the way that paid security professionals are as prone to egg-on-face as the rest of us.
Corresponding to the two keys to cybersecurity weaknesses (users and applications), there are two methods of risk minimization that enterprises can employ: staff education and tech-based cybersecurity.
The former will always make mistakes, the latter cannot mitigate against all threats, for all time.
With this in mind, while warnings about the rise of fileless threats are useful (and to this author, interesting), surveys and articles of the type that highlight a particular sort of threat imply a falsehood: that by “keeping up with the latest” in whatever’s being (indirectly) touted, the enterprise is safe.
What we at Tech Wire Asia would urge is planning and practice: plan for when (not if) systems are compromised, and practice – regularly – the methods of recovery which you’ve planned.
- Spectre & Meltdown highlight tech industry’s disparities
- You don’t have to be a cybersecurity expert to protect your small business
- How US$1000 (or nothing) buys malware access to your network
- Mysterious 鬼 (“devil”) malware’s motives unknown
- Bangladesh and Pakistan are the most vulnerable to cyberattacks in Asia