More often than not, data breaches are the result of some form of malware intrusion. While malware is often an indicator of compromise, not all attacks are malware-based. According to Dmitri Alperovitch, CTO of CrowdStrike, there is a growing trend toward malware-free intrusions.
In a video interview with eWEEK, Alperovitch explains what types of new threats his firm is now seeing and what can be done to stop them.
“We’re able to track every single thing from an execution perspective that happens on a system,” Alperovitch said.
CrowdStrike’s core technology platform is called Falcon and includes multiple components. Alperovitch explained that there is a driver that sits on systems that tracks all commands, network connections and file system events that happen on a machine.
“That allows us to detect not just malware, but what I call malware-free intrusions,” Alperovitch said. “We’ve seen a trend recently where advanced adversaries from China and other places have been breaking into companies without using malware.”
Alperovitch noted that there are lots of tools on the market to detect malware, and organizations tend to scan their networks for malware as well. The presence of malware on a system is what is known as an Indicator of Compromise (IoC), which security experts often use to determine whether a breach has occurred. Alperovitch added that if there is no malware, there are no IoCs to find.
“We’ve coined the term Indicator of Attack, which moves beyond an IoC, which is essentially a signature,” Alperovitch said.
With the Indicator of Attack approach, the idea is to actually track activities and understand the context and relationship to normal system actions. As an example, Alperovitch said that if a user opens up a Word document and that document in turn launches a command prompt that modifies the system registry, that’s not a normal system action.
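As an added illustration of that Word-to-command-prompt-to-registry chain (example code written for this page, not CrowdStrike's or Falcon's), the following Python walks a constructed stream of process-start and registry-write events and flags a registry write whose process ancestry passes from an Office application through a shell; the event format, the application lists and the sample events are all assumptions.

```python
"""Indicator-of-Attack style check over a constructed process/registry event stream."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed process names; a real sensor's lists would be broader and tuned per site.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Event:
    kind: str                    # "proc_start" or "reg_write"
    pid: int
    ppid: Optional[int] = None   # parent pid (proc_start only)
    image: str = ""              # executable name (proc_start only)
    key: str = ""                # registry key written (reg_write only)


def lineage(pid: int, procs: Dict[int, Event]) -> List[Event]:
    """Return the process chain from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    chain.reverse()
    return chain


def detect_office_shell_registry(events: List[Event]) -> List[dict]:
    """Flag registry writes whose ancestry runs Office app -> shell -> writer.

    The registry write alone is normal; the context (who spawned whom) makes it
    suspicious, which is the point of an indicator of attack rather than a signature.
    """
    procs: Dict[int, Event] = {}
    alerts = []
    for ev in events:
        if ev.kind == "proc_start":
            procs[ev.pid] = ev
            continue
        if ev.kind != "reg_write":
            continue
        images = [p.image.lower() for p in lineage(ev.pid, procs)]
        office_idx = next((i for i, im in enumerate(images) if im in OFFICE_APPS), None)
        if office_idx is not None and any(im in SHELLS for im in images[office_idx + 1:]):
            alerts.append({"pid": ev.pid, "key": ev.key, "chain": images[office_idx:]})
    return alerts


# Constructed sample: a document spawning cmd.exe -> reg.exe, plus a benign admin
# running the same reg.exe write from a shell opened directly from explorer.exe.
SAMPLE_EVENTS = [
    Event("proc_start", 100, 1, "explorer.exe"),
    Event("proc_start", 200, 100, "WINWORD.EXE"),
    Event("proc_start", 300, 200, "cmd.exe"),
    Event("proc_start", 400, 300, "reg.exe"),
    Event("reg_write", 400, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("proc_start", 500, 100, "cmd.exe"),
    Event("proc_start", 600, 500, "reg.exe"),
    Event("reg_write", 600, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\backup"),
]

if __name__ == "__main__":
    for alert in detect_office_shell_registry(SAMPLE_EVENTS):
        print(alert)
```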
Among the different malware-free attacks that Alperovitch has seen lately are web shell-based attacks. A web shell is a small script file that can sit on a web server and provide an attack vector for multiple vulnerabilities. Adversaries leverage the web shell to gain remote access to and control of systems.
From a prevention perspective, there are multiple steps that can be taken to protect against malware-free attacks. The first step is to detect and prevent the placement of a web shell on a system in the first place. During the attack stage, when credential theft is occurring, and in the post-attack stage, Alperovitch said there is a need to contain the adversary and prevent it from doing damage.
“As companies are becoming more and more sophisticated in deploying advanced malware detection systems, the adversaries are adapting to evade them,” Alperovitch said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist