Q: What do your clients have in common with the U.S. Democratic National Committee (DNC)?
A: Both are subject to cyber attacks involving non-malware.
Because malware gets much of the attention, you might think it’s the biggest cyber threat. But a new report, based on a recent survey of security researchers, finds otherwise.
The report, entitled “Beyond the Hype,” was released last week by Carbon Black, a provider of endpoint-security software. The report is based on a survey of 410 security researchers, conducted by Carbon Black this past December and January. All respondents had at least 1 year of experience as either a CISO, security engineer/analyst, security data scientist, pen-tester or threat researcher.
Non-malware attacks often involve attackers posing as employees within corporate systems. This lets them impersonate corporate officials and, among other things, send fraudulent emails from corporate addresses, take over hardware and steal login information.
How common are non-malware attacks? Very, the Carbon Black report finds:
> 64% of respondents said they’ve seen an increase in non-malware attacks over the last year.
> The most common types of non-malware attacks seen were: remote logins (cited by 55% of respondents); Windows WMI-based attacks (51%); in-memory attacks (39%); PowerShell attacks (34%); and attacks leveraging Microsoft Office macros (31%).
> The types of data most frequently attacked by non-malware were: customer data (cited by 62% of respondents); corporate intellectual property (53%); credentials (42%); and financial data (41%). In addition, just over half (51%) said they’ve seen non-malware attacks aimed at disrupting service.
> 93% of respondents said non-malware attacks pose a greater security risk than attacks using commodity malware such as viruses. “Non-malware attacks will become so widespread and target even the smallest business,” said one respondent, “that users will become familiar with them.”
Yet survey respondents were not terribly optimistic about their ability to stave off these non-malware threats:
> Two-thirds of respondents said they’re not confident their legacy antivirus software could protect their organization from non-malware attacks.
> Roughly three-quarters (74%) agreed that current AI-driven security solutions are flawed. And 87% said it will be at least 3 years before they trust AI solutions to lead their cybersecurity decisions.
> 70% believe attackers can bypass security solutions that use machine learning. Nearly a third (30%) said doing so would be “easy” for attackers.
The takeaway for solution providers? If security is among your services, make sure you’re targeting not just malware, but also non-malware attacks.
Check out more findings from the Carbon Black survey report.