Why detection and response technology won’t solve all ransomware attacks

Automated moving target defense

Ransomware has become prolific, with a new ransomware attack striking on average every 10 seconds. That figure may shrink to just two seconds by 2031. Today’s threat actors are powerful and sophisticated enough to successfully hold national governments ransom. But this doesn’t mean that state-level entities are their primary targets.

On the contrary, ransomware groups are increasingly targeting both enterprises and SMBs thanks to an attractive effort-to-reward ratio. According to the 2023 Verizon Data Breach Investigations Report, ransomware was a top action-type present in breaches, at 24% of reported breach data.

The Verizon report suggests that for ransomware victims, the overall costs of recovering from an incident are increasing. Potential and extended system downtime, insurance complications, regulatory reporting processes and potential fines, and exposed customer, partner, or employee data introduce long-term and highly damaging ramifications. Preventing an attack in the first place has become imperative.

Endpoint detection and response (EDR) and extended detection and response (XDR) are the industry standard for ransomware protection and attack mitigation, using a combination of signature-based and behavior-based detection methods to protect against known and detectable threats. However, threat actors have adapted and developed tactics and techniques that successfully evade EDR and XDR systems. These techniques are well-documented and include in-memory attacks, fileless malware, and other defense-evasion techniques. Multiple studies show they account for more than 30% of malware seen in the wild.

Recent examples include new variants of the BlackBasta ransomware that evaded detection by EPP and EDR solutions; GuLoader, an advanced threat targeting legal and investment firms in the U.S.; and InvalidPrinter, a highly stealthy loader that had zero detections on VirusTotal for an extended period. ProxyShellMiner, a variant targeting ProxyShell vulnerabilities in Microsoft Exchange, is another well-documented example.

Attackers have spent the last several years refining techniques that create the conditions for ransomware attacks at scale. Two advancements work in their favor:

  • The rise of fileless malware: Attackers prefer malware that is designed to be undetectable, because EDR and XDR technology relies on static and dynamic analysis to find malicious activity. Static analysis examines files, code, or binaries to identify potential threats. Fileless malware, however, does not use traditional files and leaves no static content to analyze, which makes its presence extremely difficult to detect. Dynamic analysis observes the behavior of software or files during execution and is generally more effective than static analysis at detecting fileless malware. However, dynamic analysis is resource intensive and is often executed within controlled environments such as sandboxes or virtual machines. Furthermore, dynamic analysis was designed to monitor behavior during execution; fileless malware that works directly in memory will evade detection if an analysis tool doesn't (or can't) monitor in-memory activity. Some malware also uses polymorphic techniques to hide its presence in memory. As a result, malware can present as a legitimate process, making it hard to detect and block.
  • Availability of generative AI tools: Generative AI can potentially give attackers more sophisticated techniques and more variants of them, produced at a speed and scale that defenders find difficult to sustain against. Defenders are also concerned with the reactive nature of EDR and XDR systems: detection often occurs post-breach, and remediation is not fully automated. In a ransomware scenario, this means that an attacker may have already established lateral movement within the network. According to the 2023 IBM Data Breach report, the average time to detect and contain a breach is approximately 322 days. Extensive use of AI-supported security tools and automation helps reduce detection and containment to 214 days. However, this still leaves a significant window for attackers to establish persistence and potentially exfiltrate valuable information. Organizations using EDR and XDR systems with AI capabilities for defense must question the robustness and security of their underlying datasets, training sets, and the machines that implement this learning process, to protect those systems from unauthorized and potentially weaponized malicious code.

Time to change the security paradigm

While attackers employ polymorphism to evade detection, defenders can apply the same technique. Consider that in the event of an attack, if a target resource doesn't exist where expected, or is continually morphed (moved), the chance of successfully targeting a system is significantly reduced.

Automated moving target defense (AMTD) technologies use polymorphism to move, change, obfuscate, and/or morph attack surfaces and disrupt adversary kill chains. AMTD effectively guards against attacks by introducing complexity, uncertainty, and prevention tactics. Its origins lie in military sniper-defense strategy, which relies on cover, concealment, and staying mobile to eliminate the opportunity for a clear shot.

For example, if a highly trained and extremely intelligent sniper targets a hidden or continuously moving target, the sniper's chances of success are reduced. The sniper may even compromise or expose themselves through repeated misfires.

AMTD technologies act as an application loads into memory: the technology morphs and conceals process structures and other system resources, and deploys lightweight skeleton traps at the original locations to deceive attackers. Unable to reach the original resources, malicious code fails, and the attempt is stopped and logged with full forensic details.

This prevention-first approach can stop threats cold, even if existing AI-based detection and response tools are bypassed. Because the attacks are prevented, security teams gain crucial time to investigate threats while knowing their systems are safe. The deterministic nature of AMTD also means that the solution generates high-fidelity alerts, which helps security teams prioritize their efforts and reduces alert fatigue.
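The two paragraphs above describe the mechanism in the abstract. The following is an added toy simulation (not Morphisec's implementation, and not code from the original article) of the three ideas involved: resources are relocated to random slots at load time, a decoy is left at each well-known location, and any touch of a decoy produces a deterministic alert with the caller and the resource it was impersonating. The slot numbers and resource names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

SLOTS = 16  # constructed: size of the toy "address space"


@dataclass
class Alert:
    """High-fidelity alert: nothing legitimate ever touches a decoy."""
    caller: str
    slot: int
    impersonates: str


@dataclass
class MovingTargetRuntime:
    layout: dict = field(default_factory=dict)  # resource -> current slot
    traps: dict = field(default_factory=dict)   # decoy slot -> resource it mimics
    alerts: list = field(default_factory=list)

    def load(self, well_known):
        """Relocate every resource away from its well-known slot at load time
        and leave a skeleton trap behind at the old slot."""
        free = [s for s in range(SLOTS) if s not in well_known.values()]
        for name, old_slot in well_known.items():
            self.layout[name] = free.pop(secrets.randbelow(len(free)))
            self.traps[old_slot] = name

    def resolve(self, name):
        """Legitimate code asks the runtime where a resource lives right now."""
        return self.layout[name]

    def access(self, caller, slot):
        """Raw access by slot number: real resource, decoy, or nothing."""
        if slot in self.traps:
            self.alerts.append(Alert(caller, slot, self.traps[slot]))
            return None  # the attempt fails and is logged
        return next((n for n, s in self.layout.items() if s == slot), None)


def demo():
    """Legitimate code resolves through the runtime; code that hardcodes the
    well-known slot (as injected code would) hits the decoy instead."""
    rt = MovingTargetRuntime()
    well_known = {"export_table": 3, "config_keys": 7}  # constructed values
    rt.load(well_known)
    legit_ok = rt.access("app", rt.resolve("config_keys")) == "config_keys"
    stale_hit = rt.access("injected_code", 7)
    return legit_ok, stale_hit, rt.alerts, rt.layout
```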

AMTD technology doesn't replace detection and response systems. Rather, it offers an additional layer of defense that complements EDR and XDR toolsets. AMTD boosts capabilities and hardens the overall attack surface with defense-in-depth capabilities that stop unknown attacks existing detection and response solutions can't.

The growing prevalence and sophistication of ransomware and other cyberattacks underscore the importance of strengthening and advancing endpoint protection. Defenders should take a page from adversary playbooks and adopt the tactics they use: don't only attempt to detect and retroactively remediate attacks, but evolve to pre-emptively prevent them from occurring.

Ronen Yehoshua, co-founder and CEO, Morphisec
