Aggregated honeypot data collected over a six-month period showed that more than 50% of the attacks focused on defense evasion, according to Aqua Security.
Threat actors avoid detection
These attacks included masquerading techniques, such as executing files from /tmp, and obfuscated files or information, such as dynamically loading code.
In addition, in 5% of the attacks, threat actors used memory-resident malware. Compared with prior Aqua Nautilus research in 2022, this represents a 1,400% increase in fileless attacks. It clearly indicates that threat actors are now focusing more on avoiding detection in order to establish a stronger foothold in the compromised system.
“Threat actors are more heavily focused on and increasingly successful at evading agentless solutions,” said Assaf Morag, lead threat intelligence researcher for Aqua Nautilus. “The most persuasive evidence of this was our discovery of HeadCrab, the extremely sophisticated, stealthy, Redis-based malware that compromised more than 1,200 servers. When it comes to runtime security, only agent-based scanning can detect attacks like these that are designed to evade volume-based scanning technologies, and they are critical as evasion techniques continue to evolve.”
Cloud computing has revolutionized the way organizations design, develop, deploy, and manage their applications. While this modern approach brings many benefits such as scalability, flexibility, and agility, it also comes with inherent complexities. With the shift to cloud native architectures, the attack surface has expanded significantly, introducing new security risks that must be addressed.
Identifying malicious behavior in runtime environments
At a minimum, protecting runtime environments requires a monitoring approach that scans for known malicious files and network communications, blocks them, and alerts when they appear. On its own, however, this is insufficient.
A better solution also monitors for indicators or markers of malicious behavior, for instance unauthorized attempts to access sensitive data, attempts to hide processes while elevating privileges, and the opening of backdoors to unknown IP addresses.
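The behavioral markers above, turned into simple detection rules and run over a few constructed process and connection events. This is an added example, not code from the report or from Aqua; the event shape, the temp-dir list, the memfd/"(deleted)" heuristic for memory-resident binaries, and the 10.0.0.0/8 allowlist are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample events (not taken from the report): one record per process start
# or outbound connection, in the shape a minimal auditd/eBPF-style collector might emit.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 311, "uid": 1000, "exe": "/usr/bin/curl", "argv": ["curl", "-sO", "http://203.0.113.9/x"]},
    {"type": "exec", "pid": 312, "uid": 1000, "exe": "/tmp/.x/sshd", "argv": ["sshd"]},
    {"type": "exec", "pid": 313, "uid": 0, "exe": "memfd:payload (deleted)", "argv": ["[kworker/0:1]"]},
    {"type": "connect", "pid": 313, "dst_ip": "203.0.113.9", "dst_port": 4444},
    {"type": "connect", "pid": 311, "dst_ip": "10.0.0.5", "dst_port": 443},
]

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed allowlist: networks this workload is expected to talk to (site-specific).
KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def check_event(ev):
    """Return (category, reason) findings for one event, or an empty list."""
    findings = []
    pid = ev["pid"]
    if ev["type"] == "exec":
        exe = ev["exe"]
        name = ev["argv"][0] if ev["argv"] else ""
        # Masquerading: binaries dropped into world-writable temp directories.
        if exe.startswith(TEMP_DIRS):
            findings.append(("masquerading", f"pid {pid} executed from temp dir: {exe}"))
        # Masquerading: a bracketed kernel-thread-style name backed by a real executable
        # (genuine kernel threads have no executable path at all).
        if name.startswith("[") and name.endswith("]") and exe:
            findings.append(("masquerading", f"pid {pid} mimics kernel thread name {name}"))
        # Fileless: the executable is a memfd or an unlinked file, so no on-disk scan sees it.
        if exe.startswith("memfd:") or exe.endswith("(deleted)"):
            findings.append(("fileless", f"pid {pid} runs from memory-only image: {exe}"))
    elif ev["type"] == "connect":
        dst = ipaddress.ip_address(ev["dst_ip"])
        if not any(dst in net for net in KNOWN_NETS):
            findings.append(("backdoor", f"pid {pid} connected to unknown host {dst}:{ev['dst_port']}"))
    return findings


def scan(events):
    """Run every event through the rules and return all findings in order."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for category, reason in scan(SAMPLE_EVENTS):
        print(f"[{category}] {reason}")
```

Each rule alone is noisy in real fleets; the value comes from correlating them per process, as the memfd-backed process that also opens an outbound connection shows.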
Ultimately, it’s critical to implement robust protection measures in runtime environments to ensure that data and applications are secure and to avoid being vulnerable to attacks.
The report also highlighted Nautilus research into software supply chain risk. It illustrates various areas of the cloud software supply chain that can be compromised and pose a significant threat to organizations.
In one specific use case, Nautilus demonstrates the implications of misconfigurations in the software supply chain and how they can lead to critical threats. This is significant because organizations of all sizes are at risk of misconfigurations, and even minor misconfigurations can have a serious impact.
Source: https://www.helpnetsecurity.com/2023/07/04/threat-actors-detection-evasion/