Ever since the “Vienna Virus” prompted the development of the first antivirus solution in 1987, cybersecurity has come to resemble a high-stakes game of catch up: new threats appear, defenses are re-designed to defeat these threats, adversaries evolve methods to evade these defenses, rinse and repeat.
Unfortunately, this approach has put cyber defenders at a disadvantage; threat actors can evolve their attacks far faster than a detection-based paradigm allows defenders to adapt their systems.
Yet, looking at how threats like fileless attacks have evolved, it’s easy to understand why many organizations gave up on trying to prevent breaches in the first place. After 20+ years of file-based malware, the 2010s saw the theoretical ability of threat actors to execute attacks solely from application memory manifest in real-world cyber threats like the Poweliks malware.
This kind of cyber threat proved that threat actors could now deploy and sustain malware without dropping any files on target systems. As a result, the entire paradigm of signature-based antivirus software, which assumed that threats had recognizable footprints, became redundant as a preventative tool.
In response to the proliferation of fileless attacks, mainstream cybersecurity thinking pivoted to the “assume breach” principle that presumed threats were already in the system and preventing them was no longer possible. Endpoint detection and response and so-called “next-generation” endpoint protection platforms arose out of this thinking. The idea here is that detecting an attack in progress, and then reacting with remediation tools was the best that defenders could hope for.
However, this approach has not borne fruit either: the cost of cybercrime continues to rise, even as cybersecurity budgets increase as well. Accordingly, 91 percent of cybersecurity leaders want their organization to move away from “assume breach” to breach prevention in the next three years, research by MeriTalk shows.
With threat actors learning how to squeeze profit from each and every network access opportunity, it is becoming clear to security professionals that dealing with threats only once they get inside the network is unsustainable. Prevention, therefore, is making a long-overdue comeback.
When the Frontline Is Inside Your Network, Attackers Get the Advantage
The biggest issue with the “assume breach” mentality is that it gives threat actors the high ground in an incredibly hostile threat landscape. When assuming that your network has already been breached becomes your primary strategy, your security priorities naturally fall back on the idea of detection and response. The problem with this strategic shift is that no matter how good your abilities in this respect are, adversaries will always have the upper hand.
The reason why is that relying solely on an “assume breach” strategy effectively invites threat actors to play hide and seek, except that you are not quite sure who you are looking for. This is a game threat actors are well prepared to play.
Defense evasion techniques are well-known among cybercriminals, allowing them to readily bypass many detection-based tools and readily corrupt their targets. One way they do this is through greater use of fileless attack techniques such as living off the land or in-memory attacks.
Though this form of cyberattack is what prompted many organizations to adopt the “assume breach” methodology in the first place, the use of fileless threats has since surged by more than 800 percent, making detection at critical entry points like endpoints almost impossible.
The ability of new strains of ransomware, often deployed through human-operated methods, to bypass controls without leaving evidence and silently exfiltrate data long before detection is possible also dramatically raises the stakes for organizations.
“Assume Breach” Has a Place But Not as a Primary Strategy
The “assume breach” mindset can be an effective way of filling in security holes. As a primary security strategy, however, it is highly unreliable. With malware becoming harder to spot, the ability of organizations to mount a successful assumption of breach response has also decreased. Lack of visibility, a key ingredient of any “assume breach” strategy, is partly to blame.
To have any chance of catching intruders before they wreak havoc, organizations need to have almost perfect visibility into their network traffic (e.g., traffic logs, NetFlow, full packet captures) as well as endpoint usage statistics (such as process trees, network traffic, memory contents, etc.)
With the growth of hybrid work sending the numbers of endpoints and the network conditions in which they operate soaring, achieving this visibility is an increasingly elusive task. In a survey of 600 UK CISOs, 30 percent admit that, due to the rise in WFH initiatives, they have effectively lost track of what devices are even connected to their networks. Few organizations likely do much better — a sobering thought for “assume breach” focused security professionals.
Making Breach Prevention Easier
Although relying on “assume breach” is not fit for purpose when it comes to modern cybersecurity, the alternative, actually stopping malware before it enters your network and executes, can seem like an impossible challenge. Particularly at endpoints, which is where most threats gain entry, attackers have immense scope for access and plenty of hiding places.
At the same time, endpoint detection and response tools are often too expensive, resource-heavy, or operationally awkward for organizations to sustain, particularly those with lean security teams.
With prevention returning as a priority for cybersecurity professionals, part of the solution means revisiting the vectors through which cybercriminals enter the network. While the threat level has never been higher, most breaches still happen through well-known pathways like phishing attacks, unpatched applications, stolen credentials, and insider threats. Securing these means shifting from detection and response and back towards cybersecurity fundamentals through efforts such as patch management and employee cybersecurity awareness training.
Ultimately, the most reliable way to genuinely secure any network is to deploy zero trust security across the entire IT environment. Enforcing zero trust alongside proactive protection on endpoints, where threats can linger within device memory and patches are inevitably missed, is naturally a difficult task.
Fortunately, turning this problem on its head is exactly what Morphisec Guard is designed to do. Morphisec lightens the load for security teams by protecting device memory and deploying virtual patches within endpoints. Critically, rather than relying on rules-based defense, our solution uses moving target defense to make application memory an invisible target for threats. Integrated with OS native antivirus and available on a per endpoint basis, Morphisec makes preventative cyber security a reality for even the leanest security teams.
*** This is a Security Bloggers Network syndicated blog from Morphisec Breach Prevention Blog authored by Matthew Delman. Read the original post at: https://blog.morphisec.com/move-away-from-assume-breach-to-improve-prevention