
BeyondTrust: Removing admin rights effective in preventing malware

BeyondTrust reveals that Malware-as-a-Service (MaaS) and human-operated ransomware campaigns continue to be a major cybersecurity threat

James Maude, Lead Cybersecurity Researcher, BeyondTrust

Without the right protection, malware will disable endpoint security controls and undermine security investments, according to the latest study by global Privileged Access Management (PAM) firm BeyondTrust.

BeyondTrust Labs’ Malware Threat Report 2021 provides insights into threats and privileged account misuse on Windows devices around the world. The report, based on real-world monitoring and analysis of attacks between Q1 2020 and Q1 2021, also dives into recurring threat themes and maps out tools, techniques, and procedures against the MITRE ATT&CK Enterprise Framework.

The BeyondTrust Malware Threat Report explored the 58 techniques that the MITRE ATT&CK Framework lists for the Cobalt Strike threat-emulation software, using Privilege Management for Windows, against 150 current malware strains.

It found that the use of native tools to perform fileless attacks in the initial stages of an attack is a growing trend, enabling attackers to gain a strong foothold by establishing a persistence mechanism while security controls are disabled.

The study also highlighted that the MITRE ATT&CK Framework is effective in distilling a wide range of malware strains and cyberattacks into component techniques, which can then be mitigated.

BeyondTrust also noted that the removal of admin rights and the implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats.
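Removing admin rights only works if you know who actually holds them. The following PowerShell script is an added example, not code from BeyondTrust or from the report: it audits the local Administrators group on a Windows endpoint against an allowlist and reports any member that should not be there. The allowlist entries (`CORP\Workstation Admins`) are placeholders, and the script assumes Windows 10/11 with the built-in `Microsoft.PowerShell.LocalAccounts` module that provides `Get-LocalGroupMember`.

```powershell
# Added example (not BeyondTrust's code): audit local Administrators group
# membership and flag members outside an allowlist.
# Assumes Windows 10/11 with the built-in LocalAccounts module.

# Placeholder allowlist: principals that are expected to hold local admin rights.
# Replace with the accounts/groups your organisation actually sanctions.
$AllowedAdmins = @(
    'Administrator',             # built-in local account (ideally disabled or renamed)
    'CORP\Workstation Admins'    # placeholder domain group
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$Allowed = $AllowedAdmins
    )

    # Get-LocalGroupMember returns Name as "COMPUTER\user" for local accounts
    # and "DOMAIN\principal" for directory accounts. Strip the local machine
    # prefix so local accounts can be matched against short names in the list.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        $shortName = $m.Name
        if ($shortName -like "$env:COMPUTERNAME\*") {
            $shortName = $shortName.Substring($env:COMPUTERNAME.Length + 1)
        }

        if (($Allowed -notcontains $shortName) -and ($Allowed -notcontains $m.Name)) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                SID             = $m.SID.Value
            }
        }
    }
}

# Wrap in @() so a single finding is still a collection with a Count.
$findings = @(Get-UnexpectedLocalAdmins)
if ($findings.Count -gt 0) {
    Write-Warning "Found $($findings.Count) unexpected local admin(s) on $env:COMPUTERNAME"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators membership on $env:COMPUTERNAME matches the allowlist."
}
```

Run it under an account that can read local group membership (reading does not require elevation on most builds). Exporting the findings with `Export-Csv` and collecting them centrally turns this into a fleet-wide check for accounts that drifted back into the Administrators group after a rights-removal programme.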

Meanwhile, the out-of-the-box policies of BeyondTrust Privilege Management for Windows proactively disrupted all 150 different, common attack chains tested.

“For decades, enterprises have made significant investments in security solutions in an attempt to strengthen their cyber defenses,” said James Maude, Lead Cybersecurity Researcher at BeyondTrust. “Many of these investments have proven to be ineffective, particularly with changes brought on by the pandemic. Security perimeters have dissolved, creating an exponential growth in attack surfaces, and rendering network monitoring and firewall technologies less effective. Endpoint privilege management solutions enable enterprises to reduce their attack surfaces, while gaining greater control over their digital infrastructure.”

While ransomware has clearly evolved, the fundamental needs to execute code and leverage privileges have largely remained consistent. Whether it is ransomware hitting a single endpoint or a sophisticated, tailored attack, proactively reducing the attack surface by removing admin accounts and controlling application execution is highly effective.

Threat actors work ceaselessly to evolve their operations and have matured significantly over the past year. Attackers are exploiting new exposures, using elevation-of-privilege attacks and sophisticated malware campaigns to take advantage of an enterprise’s often vulnerable front line of defence: its users.

Parallel to legitimate software companies trending towards SaaS, threat actors are shifting to Malware-as-a-Service (MaaS), with specialists emerging in different areas, including enterprise credential sales, initial access to a target organisation, lateral movement capability, and payload delivery. Today, many different pieces of malware can come together in a single attack. A ransomware attack can involve multiple threat actors, tools and platforms. And, as threat actors seek to maximise the disruption to organisations and extract the highest ransom payments, the ransomware model is also shifting towards human-driven, enterprise-wide attacks.