October 5, 2023

Fully undetectable malware – Why your security software solutions aren’t enough

Learn why advanced solutions like EDR, XDR, SIEMs, and SOCs may not fully protect against evolving malware threats.

The modern security landscape is constantly shifting in a cat and mouse game of malware versus countless software solutions such as EDR, XDR, SIEMs and even managed SOCs and it’s easy to fall into the misconception that having the latest, greatest solution on the market will be enough to protect your business from falling victim to an attack.

Unfortunately, this is not the case, as malware developers are constantly adapting their approach to make even the newest solution obsolete in no time at all.

How can these solutions be bypassed?

There are lots of techniques and not every solution is built the same: some will be as simple as defeating signature-based detection, such as modifying existing malware just enough to avoid detection. Some solutions are more robust and observe the behaviours of processes. Some may look for suspicious traffic within the network, others may ingest event logs to identify malicious activity.

These can all be defeated in various ways, for example, “Living off the Land” attacks, where a threat-actor may abuse legitimate functionality of the operating system to evade detection. Some well-known threat actors rely heavily on powershell to execute their attacks; as a result, powershell is usually heavily monitored by most software solutions, though it is still possible to bypass detection using obfuscation techniques and the ever-evolving ingenuity of attackers.

Other methods which are highly effective against even the market leaders in EDR/XDR include injecting malware into legitimate processes and/or preventing the solution itself from reading what the process is doing through techniques such as userland hooking, or even simply preventing event logs from accessing the process.

It would take a highly skilled attacker to bypass these solutions, and why would they target us anyway?

This is not the case at all, there are many threat-actors, particularly on the dark-web, who claim to offer fully supported, undetectable malware solutions for as little as $1000. This obviously makes the entry point for less skilled attackers much lower, and they may well seize an opportunity to breach a network when they see it.

So what, we’re just doomed?

Not at all! The software you deploy in your network should be just one of many lines of defence. It is important to ensure that your staff are alert to phishing attempts and are trained in how to handle them. In 2022 alone there were over 500 million reported phishing attacks, accounting for roughly 90% of corporate security breaches.

Regular patching and penetration testing of any external facing infrastructure or applications will go a long way to ensure that they are well configured and not vulnerable, which could offer easy access into your network for opportunistic attackers. This is also an important process to help develop the security posture of your organisation.

If your network is breached, you want to ensure that an attacker cannot gain access to critical infrastructure. A well-thought-out and clear incident response strategy, combined with routine patching and penetration testing, will significantly contribute to mitigating that risk.

And if you believe that your organisation is already mature in this respect, a red team engagement might be what you’re looking for to confirm or improve upon this.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.

Get in touch