CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Network Security

Intrusions Without Malware: Don’t Forget the Other Sixty Percent

The time has come to start paying attention to the other sixty percent.  No, this isn’t a political piece.  Rather, I am trying to call attention to something that, in my opinion, is not high enough on the priority list of many people in the information security profession.

The time has come to start paying attention to the other sixty percent.  No, this isn’t a political piece.  Rather, I am trying to call attention to something that, in my opinion, is not high enough on the priority list of many people in the information security profession.  Although it is difficult to measure with certainty, some studies estimate that sixty percent of all intrusions involve no malware at all.

How do attackers manage to be so successful without using any malware at all?  That is a great question, and it is one that would take quite a bit of detail to answer in depth and properly.  At a high level though, the answer is related to a trend we’ve been seeing in information security over the last few years.  Although attackers still use malicious code quite often, they have been relying less and less on it.  While certainly not the only way to intrude, attackers seem to be having a field day stealing credentials, using legitimate tools, and masquerading as legitimate users.  It turns out that it is fairly easy for them to do so using a variety of different techniques.

I first touched on this topic in 2014 in a SecurityWeek piece entitled “Not All Intrusions Involve Malware”, and I took the discussion a step further in a piece last year entitled “The Increasing Importance of Security Analytics”.  Now I’d like to take a look at what I see in the information security community, both on the technology side as well as on the operational side.  I’d also like to discuss how taking a layered approach to detection can help organizations keep pace with this evolving attacker behavior.

Credential AttacksOn the technology side, I am increasingly confused by how many companies focus solely on building a better malware mousetrap.  That isn’t to say that we can’t continually improve our detection and prevention capabilities around malicious code.  Rather, my point is that even if a given technology is 100% effective at preventing and/or detecting malware (which is never going to be the case of course), it is still only solving 40% of the problem.

Simply put, detection and prevention technologies that don’t also have the ability to grapple with intrusions that involve no malware at all are partially effective technologies at best.  Even more so if they are stovepiped and operate in a vacuum.

On the operational side, I am also increasingly confused by how many organizations continue to focus exclusively on chasing malware.  Of course, I understand the need to prevent ransomware and to deal with various different types of malware, but security operations cannot end there.  At best, a security operations team focused solely on malware catches 40% of the malicious activity occurring.  At worst, it is a team that is turning a blind eye to significant risk that has been introduced into the organization it is charged with defending.

Of course, it’s easy to lament the short sightedness of focusing exclusively on malware.  But how can organizations pivot to a more holistic focus, particularly when it comes to detection?  I believe this is where it is helpful to take a three-layered approach to detection.  I’ll explain.

Way back, when information security was a relatively new profession, we were primarily focused on signature-based detection.  When we learned of different attacks, we would write signatures for those attacks, and use those signatures to detect future instances of the same type of attack.  This was indeed a great beginning, but we quickly learned that it fell short in a number of ways.  Firstly, and perhaps most obviously, signature-based detection only detects known knowns.  That which is known bad.  But what happens when a new attack comes along that we haven’t seen before?  Secondly, signatures lack context. That means that activity matching a signature, but in a different context, often results in false positives. And with signature-based detection, we have never experienced a shortage of false positives, unfortunately.

Signature-based detection does provide good value for detecting certain types of attacks, so there is no reason to throw it away.  Rather, what we soon realized is that we needed to supplement our signature-based detection with another detection approach.  Enter detonation-based (sandbox-based) detection.  The concept here is quite logical — the best way to understand the true intentions of a binary is to detonate it.  To literally see what it does.  From there a conclusion can be drawn about the true nature of that binary.

Advertisement. Scroll to continue reading.

Indeed, detonation-based detection has been a resounding success within the information security community.  The only issue with it is that it has caused a somewhat myopic focus on malware at the expense of other types of intrusions.  Sandboxes have been a catastrophic success in the sense that they have greatly improved our detection capabilities, and as a result, have drawn us to focus almost exclusively on the types of intrusions they are ideally positioned to detect — those involving malicious code.

This is why I believe that the time has come to add a third layer to our detection approach: analytics-based detection.  In my experience, analytics is the best way to detect intrusions that involve no malware at all.  In order to do this, we need to look at behaviors on the network, across user and system accounts, and elsewhere.  For example, the difference between an employee using a given account legitimately and an attacker using that same account for nefarious purpose is the intent.  The bits and bytes look the same.  Unfortunately, there is no intent bit in the TCP/IP header, so we need to be a bit more resourceful here in order to identify departures from expected behavior.

Granted, analytics means many different things to many different people.  But to me, analytics means taking a deep understanding of attacker behavior and producing accurate models to identify when activity matching those behaviors occurs.  In other words, analytics shouldn’t just be a bunch of fancy math looking for a problem to solve.  It should be focused on attacker behavior and oriented towards de
tecting it.

We shouldn’t let the present success of detonation-based detection distract us from the future need to look beyond it.  The percentage of intrusions that involve no malware at all is only going to increase with each passing year.  It’s time to weave analytics-based detection into our security programs to ensure we keep pace with the evolving threat landscape.

Related Reading: Privileged Credentials Remain Security Weak Point

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...