6 ways malware can bypass endpoint protection

Malware attacks are growing more and more numerous. They find most success against those with little protection, but they are also overwhelming endpoint security measures using various methods that are always evolving and improving, just like endpoint security measures themselves.

Learning how to challenge this growing threat means understanding what attackers are actually doing and how. Here are 6 ways attackers are using malware to bypass or otherwise overcome endpoint protection security.

1. Script-based attacks

Typical endpoint protection security will defend against breaches primarily when new files are introduced into a system, like when new software is installed. Script-based attacks, however (also known as “fileless” attacks) make use of existing software like PowerShell and other computer components, circumventing this crucial point of security. These kinds of attacks have a higher success rate than almost any other, and are among the most difficult to spot. The key is to identify uncommon operations being executed by common applications.

2. Hosting malicious sites on popular infrastructure

Phishing attacks have always relied on deception for success, and one of the best tricks (and one of the simplest) used by attackers is to host malware on infrastructure that people tend to trust or that can’t be blacklisted by traditional security methods at all. Google cloud is one such example, and attackers are even using platforms like GitHub for their nefarious purposes. Command-and-control servers can also be hosted on these legitimate platforms, even benefiting from their built-in encryption features. Just like with script-based attacks, defense in this case means being able to spot unusual activity. Here, it is usually masked as normal communication but happens at unusual times.

3. Poisoning legitimate applications and utilities

Successful breaches, if gone undetected, can often lead to further threats. Attackers who manage to gain access to a business, for example, can then access all the third-party apps and tools used by employees, installing backdoors and other malicious code there. Open-source code is especially vulnerable to this, since attackers can hide nefarious code within legitimate bug fixes or software improvements that get reviewed and accepted.

4. Sandbox evasion

Think your sandbox keeps you safe? Well, it certainly helps, but a decent hacker can find a way around this protection as well. Malware can be engineered to be quite dynamic, only activating outside the sandbox or when interacting with a real person, for example. Any delay in detonation within the sandbox can also be a liability, allowing malware to spread elsewhere before it’s destroyed.

5. Unpatched vulnerabilities

Sometimes, it’s just hard to keep up. Much of cybersecurity requires ongoing care and attention in the form of software patches and updates that include fixes to vulnerabilities. But not everybody is on top of their patches, and the result is countless machines operating on unpatched software that includes all the old vulnerabilities. Malware doesn’t need to bypass something that isn’t there – it can shoot straight and get direct access.

6. Taking down the security agents

There are a lot of endpoint security agents out there. Most machines are protected from multiple sources. But, unfortunately, even the security agents meant to protect can be taken down. Each agent may cover and protect a different area, but they also often overlap with one another in an inefficient manner. What’s more, any security agents installed on an already compromised machine can be taken down from within. If patches and updates to these agents aren’t constantly being installed, there is a window of opportunity for the right attacker at the right time.
Hackers and attackers are working hard to be at the top of their game. We have to do the same, and that starts by looking at the 6 potential risk areas above.

It’s always better to talk, lets talk!

USAIsrael