Threat Defiance Report

ORION: DETECTING FILELESS MALWARE

Adversaries are constantly improving their tradecraft and modifying their tactics, techniques, and procedures to avoid detection. They craft malware to look like legitimate programs or libraries, often modifying existing trusted programs and libraries to add a small malicious component, or using trusted programs to execute malicious scripts. Many modern adversaries conduct intrusions without any malicious software at all, using legitimate programs to “live off the land” and accessing your systems in the same manner as administrators and users. Advanced adversaries frequently deploy such mechanisms, or employ only small disposable tools, for initial access in order to determine which security solutions you have deployed. This gives the adversary valuable information with which to tailor follow-on actions to avoid detection by your static solutions. These toolkits often reside entirely in memory, avoiding the creation of any on-disk files that could be detected (fileless malware).

While other security companies paint a trivialized picture of magic solutions that automatically find and eliminate attacks, those solutions inevitably fall short against the adversaries that will cause the greatest harm. Simplified dashboards gloss over the critical details. Agents add continuous CPU and memory load to systems, slowing down your business while tipping their hand to adversaries, who will tailor an approach to bypass them. Even when competing products’ signatures and heuristics detect malicious activity, follow-on actions rarely extend beyond clearing the individual artifact, leaving the rest of the network unexamined. In most cases this leads to a forensic and live memory analysis campaign that investigates machine by machine. This methodology creates a ONE-TO-ONE security model that is neither scalable nor effective.

The root9B ORION HUNT platform is based on a different mindset. We recognize that the only way to defeat intelligent adversaries is to go beyond static defenses and empower trained operators with both machine power and human intelligence. ORION can sweep large networks, detecting malicious activity through live memory analysis at scale. Our live-memory analysis component goes well beyond the other memory analysis capabilities on the market today. First, it collects data from a wide variety of sources deep within each system and applies analytic techniques to detect anomalies and malicious activity across the entire network. Second, it was designed for enterprise-wide scanning and analysis, whereas other memory analysis capabilities demand extensive manual work to analyze each host individually. The automation that ORION provides exists to equip the trained operator: it provides an active cybersecurity operating environment, giving security teams an agile remote or onsite capability to perform global-reach defense operations and live analysis, and to make the judgement calls only a human can.
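To make the fileless-malware indicator from the threat description above concrete, the following is an added example, written for this edit and not taken from root9B or ORION. It parses the Linux /proc/<pid>/maps format and flags memory regions that are executable but not backed by a file on disk: anonymous mappings, memfd: regions, and mappings whose backing file has been deleted. Those are exactly the regions a payload that never touches disk has to live in. The sample maps lines, the process name and the memfd name are all constructed for illustration; [vdso] and [vsyscall] are allowlisted because the kernel maps them into every process.

```python
"""
Added example (not root9B's or ORION's code): a minimal "executable but not
file-backed" scan over /proc/<pid>/maps lines, the classic heuristic for
code that exists only in memory. Sample input below is constructed.
"""
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Kernel-provided executable regions present in every process; not suspicious.
KERNEL_PSEUDO_PATHS = {"[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        """True only if the region is backed by a real, still-present file on disk."""
        if self.inode == 0:                       # anonymous: no file at all
            return False
        if self.path.startswith("/memfd:"):       # in-memory file (memfd_create)
            return False
        if self.path.endswith("(deleted)"):       # file unlinked after mapping
            return False
        return self.path.startswith("/")


def parse_maps(text: str) -> list:
    """Parse the text of a /proc/<pid>/maps file into Mapping objects."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], int(m["inode"]), m["path"].strip()))
    return mappings


def suspicious_regions(mappings) -> list:
    """Executable regions with no on-disk backing, excluding kernel pseudo-maps."""
    return [m for m in mappings
            if m.executable and not m.file_backed
            and m.path not in KERNEL_PSEUDO_PATHS]


# Constructed sample: a daemon with one RWX anonymous region and one
# executable memfd region, both typical of an in-memory-only payload.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310721 /usr/sbin/exampled
00651000-00652000 rw-p 00051000 08:01 1310721 /usr/sbin/exampled
01f1a000-01f3b000 rw-p 00000000 00:00 0       [heap]
7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0
7f3c2b400000-7f3c2b5b2000 r-xp 00000000 08:01 1835028 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c2c000000-7f3c2c004000 r-xp 00000000 00:05 2034    /memfd:payload (deleted)
7ffd5e1c5000-7ffd5e1c7000 r-xp 00000000 00:00 0       [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


def scan_text(text: str) -> list:
    """Convenience wrapper: maps text in, list of suspicious Mapping objects out."""
    return suspicious_regions(parse_maps(text))


if __name__ == "__main__":
    for m in scan_text(SAMPLE_MAPS):
        print(f"{m.start:016x}-{m.end:016x} {m.perms} {m.path or '<anonymous>'}")
```

Running the block against the constructed sample reports two regions: the RWX anonymous mapping and the deleted memfd region. On a live host the same logic applies to `/proc/<pid>/maps` for every process. Treat a hit as a triage signal rather than a verdict: JIT runtimes (browsers, the JVM, .NET) legitimately create anonymous executable regions, so the next step is to dump the flagged region and examine its contents, which is the kind of operator follow-up the text above describes.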

The root9B HUNT strategy not only excels in detection, it provides the “now what” lacking in competing products: operators can interrogate and examine hosts live, taking actions to track down not only the immediate detection but the rest of the intrusion and the attackers’ tactics. ORION was designed to provide human-intelligence-driven operation in an agentless manner that is inherently stealthier and more precise. This differs from competing products, whose only approach is mass interrogation of the network across an operating environment. To root9B, these products, although not persistent agents, operate in the same manner as anti-virus and endpoint detection and response (EDR) solutions. All of these products have their place in the market, but none of them will protect you from the sophisticated adversary.

ORION is also built as a platform, not a sealed box or a downloadable piece of software. Custom payloads can be created and integrated as easily as ORION’s data can be accessed. Data collection can be conducted in an isolated network, via third-party tools, or even offline and later imported into ORION’s central database. ORION functions even in locked-down networks with multi-level security.