Breaches… Ransomware… Extortion… these have become commonplace news reports, but what is the enabling step behind all these problems? ‘Defense Evasion’. No, it's not a fancy way of saying "hide and seek." Defense evasion refers to the methods that cyber attackers use to bypass or disable security measures put in place by their targets. In other words, it's the bad guys' way of cheating in the game of cyber attack.
MITRE ATT&CK, a framework that describes the tactics and techniques used by cyber attackers, identifies defense evasion as one of the eleven tactics employed by attackers. Let's take a closer look at some of the defense evasion techniques used by these sneaky hackers:
Obfuscated Files or Information
Attackers often use various methods to hide the files or information they're trying to steal or execute on a system. They might use encryption, steganography (hiding data within seemingly innocent files), or other techniques to make their malicious payload look like benign data. For example, an attacker might embed malware within an image file, making it appear to be a harmless picture of a cat. But we all know there's no such thing as a harmless cat picture on the internet!
Deobfuscate/Decode Files or Information
On the flip side, attackers may also use tools to decode or deobfuscate information that's been protected by security measures. By doing so, they can access and manipulate data that would otherwise be off-limits. For instance, an attacker may use a script that can decrypt a password stored in an encrypted file, giving them access to sensitive accounts.
Dynamic Link Libraries (DLLs) are files that contain code used by other programs. Attackers can exploit the way programs load DLLs to trick them into loading malicious code instead of the intended code. This is called DLL side-loading, and it's a sneaky way to bypass security measures. For example, an attacker might create a malicious DLL and name it the same as a legitimate DLL that a program relies on. The program will then unwittingly load the attacker's code instead of the real DLL.
Another way that attackers can evade security measures is through process injection. This involves injecting malicious code into a legitimate process running on a target system. By doing so, the attacker can execute their code in the context of the legitimate process, making it harder to detect and block. For example, an attacker might inject malicious code into a system process like svchost.exe, which is often used to run various system services.
These technical control bypasses might be hard to detect through traditional means, but when monitoring is deployed to these computers with a tool like Wazuh, we can build a behavioral profile that points to anomalies in actions - like a system suddenly connecting to a new country, or start making automated edits to users files in bulk fashions.
All in all, defense evasion is a serious threat in the world of cybersecurity, and attackers are always looking for new and creative ways to bypass security measures. By partnering with our team at ChainLynx Tech, we can get you set up with the monitoring you need to find and eliminate these threats on your networks.