From 3c1983a14c9d7f86e790c48571770e6dfb6dcd84 Mon Sep 17 00:00:00 2001 From: Donnacha Date: Fri, 1 Mar 2024 15:59:00 +0000 Subject: [PATCH 1/2] Added reference for fileless. --- blogs+posts/software-engineering/endpoint-protection/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/blogs+posts/software-engineering/endpoint-protection/README.md b/blogs+posts/software-engineering/endpoint-protection/README.md index b77e10d..6af731c 100644 --- a/blogs+posts/software-engineering/endpoint-protection/README.md +++ b/blogs+posts/software-engineering/endpoint-protection/README.md @@ -147,6 +147,8 @@ Feel free to connect and message me on [LinkedIn](https://www.linkedin.com/in/do [Antivirus Software](https://en.wikipedia.org/wiki/Antivirus_software) - Wikipedia +[Fileless Malware](https://en.wikipedia.org/wiki/Fileless_malware) - Wikipedia + ## Appendix I - Endpoint Protection Components From 52b82a8a7f1fe8486be19468ba603d57ce39e9c3 Mon Sep 17 00:00:00 2001 From: Donnacha Date: Fri, 1 Mar 2024 16:25:02 +0000 Subject: [PATCH 2/2] Updated writeup on Fileless and added definition for Process Genealogy. --- .../software-engineering/endpoint-protection/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/blogs+posts/software-engineering/endpoint-protection/README.md b/blogs+posts/software-engineering/endpoint-protection/README.md index 6af731c..7a50bb8 100644 --- a/blogs+posts/software-engineering/endpoint-protection/README.md +++ b/blogs+posts/software-engineering/endpoint-protection/README.md 
@@ -102,9 +102,9 @@ More specific 'Detection & Response' solutions emerged as the industry began to By the mid-2010s, Ransomware had became a thing - a worldwide problem - leading to anti-ransomware (ARW) solutions to detect and block ransomware behaviour as well as measures to roll-back and undo the effects of ransomware. Of course, this decade also saw the rise in Cloud Computing and, as well as utilizing cloud to support Endpoint Protection, protecting assets in the cloud itself became necessary as the threat landscape changed. #### Fileless Malware & Live-off-the-Land (LOL) -The end of the decade saw a new type of threat emerge that involved exercising code or running a script that wasn't stored in a file, most often seen as in-memory malware. This form of attack is challenging for AV vendors because it completely bypasses the file-centric paradigm that formed the basis of previous solutions, such as whitelisting, signature-based detection or other pattern-matching techniques. Instead, the focus has to shift to the runtime check and/or behaviour analysis to detect the process as malicious. +The end of the decade saw a new type of threat emerge that involved exercising code or a script that wasn't stored in a file, most often seen as in-memory malware. This form of attack is challenging for AV vendors because it completely bypasses the file-centric paradigm that formed the basis of previous solutions, such as whitelisting, signature-based detection or other pattern-matching techniques. Instead, the focus has to shift to the runtime checks and behaviour analysis to detect the process as malicious. -Additionally, this form of attack is often associated with what is referred to as 'Live off the Land' attacks that involves leveraging _known-good_ tools, commands and utilities to do its bidding. 
This poses challenges for traditional AV solutions because while each individual process is in itself 'good', it's the combined, over-all affect of the chain of events (or process chain) that is malicious. Endpoint protection solutions have to consider each part of the process chain in context of what has gone before, what its parent process and other ancestors are, etc. Here, _Process Genealogy_ plays a crucial role in providing that context by maintaining a record of parent processes up the ancestry tree. Of course, this space is another place where malware authors and antimalware defenders play a game of _cat and mouse_ with malware authors doing their utmost to obfuscate parent-child relationships and AV solutions applying _smarts_ to detect those same relationships. +Additionally, this form of attack is often associated with what is referred to as 'Live off the Land' techniques that involves leveraging _known-good_ tools, commands and utilities to achieve the malware's objectives. This poses challenges for traditional AV solutions because while each individual process is in itself 'good', it's the combined, over-all affect of the chain of events (or process chain) that is malicious. Endpoint protection solutions have to consider each part of the process chain in the context of what has gone before, what its parent process and other ancestors are, etc. Here, _Process Genealogy_ plays a crucial role in providing that context by maintaining a record of parent processes up the ancestry tree. Of course, this space is another place where malware authors and antimalware defenders play a game of _cat and mouse_ with malware authors doing their utmost to obfuscate parent-child relationships and AV solutions doing their utmost to detect them. ### 2020's 
@@ -178,6 +178,7 @@ The following is a glossary of notable internal technologies that make modern da | Hooking | This describes the ability of an antivirus solution to embed itself in other running programs and intercept (i.e. 'hook') certain system calls before they get executed. It enables the protection software to examine the type of calls being made and analyze the 'intentions' of the program in real-time to determine whether the operation should be allowed to proceed. For example, certain operating system calls might be blocked when referencing certain resources. In fact, 'Hooking' can be used to effect _Self Protection_ by intercepting function calls to delete the AV executable files. | On-access Scanning | This is the technology under the hood that enabled real-time protection where a process is scanned as it is being accessed - i.e. OAS. This is actually quite a technically challenging task because not only does it involve working around the normal operation of the OS starting a process, such that various checks can be performed, but it has often had to achieve this with little or no cooperation from the OS vendor.| | AV Engine | Depending on the design, AV solutions split the tasks of _scanning_ and _determination_ into various scanners that do the job of gathering info (e.g. File, E-mail, etc.) and the internal engine that consumes this data and makes a determination on whether the object under evaluation is good or bad. | +| Process Genealogy | This describes technology that tracks parent-child process relationship, maintaining a record of the relationship of what processes created child processes regardless of whether they're still running. This can be quite sophisticated in how it detects indirect parent-child relationships when malware tries to hide such relationships by circuitous and indirect routes. | ## Appendix II - Additional Cybersecurity Solutions
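Review bot: In the hunk at line 102, the rewritten 'Live off the Land' paragraph keeps two errors from the old text: "over-all affect" should be "overall effect", and "techniques that involves" should be "techniques that involve" so the verb agrees with the plural noun. The body also writes the term as 'Live off the Land' while the section heading uses "Live-off-the-Land (LOL)"; use one spelling in both places so the heading and the paragraph match. Suggested wording for the two sentences: `...'Live off the Land' techniques that involve leveraging _known-good_ tools, commands and utilities...` and `...it's the combined, overall effect of the chain of events (or process chain) that is malicious.`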
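Review bot: In the glossary hunk at line 178, the new Process Genealogy row is grammatically off ("tracks parent-child process relationship, maintaining a record of the relationship of what processes created child processes") and repeats "relationship" three times in one sentence. Make the noun plural and state the key point once, for example: `| Process Genealogy | Technology that tracks parent-child process relationships, keeping a record of which process created which child even after the parent has exited. It can be quite sophisticated in detecting indirect parent-child relationships when malware tries to hide them by circuitous and indirect routes. |`. Since the term is introduced in the Fileless Malware section of this same patch, it would also help readers to point that section at this glossary entry (or vice versa) so the two definitions stay consistent.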