How identity theft makes a mockery of traditional antivirus – and exposes your business to unnecessary risk

[Image: a person at a laptop holding a smartphone surrounded by padlock and shield icons. Image credit: Getty Images]

Gone are the days when antivirus software could serve as the panacea for all cyber threats. The rise of identity-based attacks, where hackers use stolen credentials or personal data to compromise systems, has rendered traditional signature-based antivirus defenses obsolete.

Conventional antivirus systems, which rely on comparing unfamiliar code with a database of known malicious signatures, open the door to a number of evasion techniques hackers can use to get around threat detection software.

With antivirus software in many cases still forming the bedrock of security on consumer and enterprise devices alike, threat actors choose the malware they use more carefully so that it is not recognised.

For example, some have opted to solely use polymorphic malware in their attacks, which continually alters, or mutates, its code in order to avoid being flagged by antivirus software.

Hackers are using previously unknown malware strains, also referred to as zero-day malware, which do not have signatures assigned to them and as such are similarly undetectable by many antivirus products.

Another growing trend among threat actors is the use of fileless malware, malicious code that runs entirely in a computer's memory rather than from files on disk. With no malicious file written to the device, there is nothing for a file-scanning antivirus to detect.

Living off the land (LOTL) attacks are a form of fileless attack that requires no attacker-supplied code or scripts on the target system. Instead, these attacks leverage legitimate tools already installed in the environment, such as PowerShell or Windows Management Instrumentation (WMI).

Movement away from malware spells trouble for traditional antivirus systems – identity theft takes center stage

Once the primary weapon in a cyber criminal's arsenal, malware is playing a less crucial role as cyber criminals adopt more efficient means of compromising victims.

Statistics show threat actors are beginning to move away from malware-based attacks in order to maximize their stealth capabilities. In its annual global threat report, CrowdStrike found that malware-free activity accounted for 75% of all threat detections in 2023, up from 71% in 2022, and 62% in 2021.

Most cyber attacks today revolve around stealing the victim's digital identity, as hackers have found they can save a lot of time and effort by simply entering via the front door with stolen credentials.

As 88% of the average hacker’s attack time is spent breaking in and gaining initial access, the efficiency gains promised by identity-based attacks have changed behaviors, with 80% of cyber attacks now leveraging stolen credentials.

These credentials could be stolen by the threat actor themselves via a phishing, man-in-the-middle (MitM), or spoofing attack, or stolen by a separate hacker and sold to budding cyber criminals via the dark web.

Traditional antivirus software is powerless when hackers use compromised digital identities, as it is unable to differentiate between the legitimate user and the threat actor.

One common attack vector, known as credential stuffing, uses a database of legitimate credentials that were either stolen in a previous attack or purchased from the dark web.

This method doesn't require any malicious software to be downloaded onto the target machine, so there is nothing for the antivirus software to detect.

Lateral movement attacks are a growing problem, here’s how you can protect yourself

Another significant challenge plaguing antivirus software today is the evolution of evasion methods used by cyber criminals to move within a corporate network once they’ve gained initial access.

Hiding behind legitimate credentials, threat actors are getting a lot better at remaining undetected as they navigate deeper into a network in search of sensitive data or other high-value assets.

CrowdStrike’s research revealed that the average breakout time – the time it takes for an intruder to move into other systems on the network – is trending downwards as they refine their techniques.

It only takes threat actors an average of 62 minutes to begin moving into separate parts of the network, according to CrowdStrike, whereas it took organizations an average of 250 days to detect an identity-based attack.
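Both the credential-stuffing passage above and the breakout-time figures describe identity activity that a file scanner never sees; as an added example (not from the article or from CrowdStrike's products), here is a small Python detector that applies those two behavioural rules to constructed logon telemetry. The log format, the thresholds and the baseline of "usual hosts" per account are assumptions made for the example.

```python
# Added example (not from the article or CrowdStrike): a small behavioural detector over
# constructed identity telemetry. Neither pattern involves malware, so signature-based
# antivirus sees nothing; only the shape of the logon activity gives them away.
from collections import defaultdict
from datetime import datetime, timedelta

BREAKOUT_WINDOW = timedelta(minutes=62)  # average breakout time cited in the article
STUFFING_THRESHOLD = 4   # assumed: distinct accounts failing from one source IP
FANOUT_THRESHOLD = 3     # assumed: new hosts reached by one account inside the window

def parse(line):
    """Parse a constructed 'timestamp,user,src_ip,dst_host,result' record."""
    ts, user, src, dst, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "ok": result == "success"}

def detect_credential_stuffing(events, threshold=STUFFING_THRESHOLD):
    """Source IPs whose failed logons span at least `threshold` distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed[e["src"]].add(e["user"])
    return sorted(src for src, users in failed.items() if len(users) >= threshold)

def detect_lateral_movement(events, baseline, window=BREAKOUT_WINDOW,
                            threshold=FANOUT_THRESHOLD):
    """Accounts reaching `threshold` non-baseline hosts within any `window` span."""
    new_host_hits = defaultdict(list)  # per account: successes to unfamiliar hosts
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"] and e["dst"] not in baseline.get(e["user"], set()):
            new_host_hits[e["user"]].append(e)
    flagged = []
    for user, hits in new_host_hits.items():
        start = 0  # sliding window over time-ordered hits
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            if len({h["dst"] for h in hits[start:end + 1]}) >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)

# Constructed sample: one spraying source IP, one account fanning out to new hosts.
SAMPLE_LOG = """\
2024-03-01T09:00:00,alice,203.0.113.7,VPN01,failure
2024-03-01T09:00:02,bob,203.0.113.7,VPN01,failure
2024-03-01T09:00:04,carol,203.0.113.7,VPN01,failure
2024-03-01T09:00:06,dave,203.0.113.7,VPN01,failure
2024-03-01T09:10:00,alice,10.0.0.9,HR01,success
2024-03-01T09:30:00,alice,10.0.0.9,DC01,success
2024-03-01T09:50:00,alice,10.0.0.9,DB01,success"""
EVENTS = [parse(line) for line in SAMPLE_LOG.splitlines()]
BASELINE = {"alice": {"FS01"}}  # constructed "usual hosts" per account
```

Shrinking the window below the time the account took to fan out makes the lateral-movement rule go quiet, which is why the detection window has to track the real breakout time rather than a comfortable default.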


This discrepancy underscores the scale of the problem facing organizations, with traditional, signature-based antivirus software unable to protect them.

To address this growing problem, CrowdStrike has developed the Falcon Identity Threat Detection platform, which uses AI and ML to detect and prevent threats in real time. Unlike traditional antivirus, Falcon does not rely solely on signatures; instead it analyzes vast amounts of telemetry data to identify anomalous behavior indicative of malicious activity.

CrowdStrike's platform helps organizations meet the challenge of safeguarding against lateral movement within their corporate networks. With its advanced endpoint detection and response (EDR) features, Falcon helps security teams quickly identify and respond to unauthorized lateral movement attempts. What's more, with visibility into both on-premises Active Directory and cloud identity providers like Entra ID and Okta, it can also help to stop hybrid lateral movement.

By correlating endpoint telemetry data and analyzing network traffic patterns, Falcon can detect suspicious behavior indicative of lateral movement tactics, allowing organizations to contain and remediate threats before they spread.

CrowdStrike also simplifies security management and expenditure through its cloud-native architecture and unified platform approach. Unlike traditional antivirus solutions that can require complex on-premises infrastructure and manual updates, CrowdStrike’s cloud-based platform provides seamless deployment and centralized management across a range of environments. Businesses can take advantage of this to reduce operational overheads as well as scale their security posture with time.

The company also offers a next-generation antivirus (NGAV) solution that leverages a combination of artificial intelligence, behavioral detection, and exploit mitigation to neutralize both known and unknown threats. Instead of locking organizations into a reactive security posture, NGAV exposes known threats and novel attacks in real time, and offers a set of effective tools to help organizations block these threats quicker than ever before.

Businesses can no longer afford to rely solely on traditional antivirus software to defend against modern cyber threats. Identity theft and sophisticated lateral movement tactics have exposed the limitations of signature-based defenses, necessitating a reorientation towards proactive, intelligence-driven cyber security solutions.

ITPro
