MITRE ATT&CK®, a publicly available security toolkit that helps enterprises overcome cyber threats, defines defense evasion as a way for malicious actors to evade detection during an attack.
MITRE ATT&CK®, a publicly available security toolkit that helps enterprises overcome cyber threats, defines defense evasion as a way for malicious actors to evade detection during an attack. Hackers use this technique to bypass security tools and mechanisms to gain a stronger foothold in enterprise cloud environments.
Enterprises’ increasing commitment to cybersecurity and the adoption of cutting-edge security tools make defense evasion a critical tactic for threat actors. According to Gartner, 2024 will see a 14.3% increase globally in expenses related to cybersecurity, with cloud security contributing a massive 24.7%.
Businesses are now commissioning robust CNAPP, EDR, and MDR solutions (among many others) to protect their environments and help keep adversaries from escalating attacks and exfiltrating data. But is this enough?
All tactics in the MITRE ATT&CK framework are dangerous, but defense evasion deserves special attention. Adversaries prioritize this tactic because unless they evade the array of cybersecurity and cloud security tools now in use, their malicious strategies and efforts will not yield any results.
Without defense evasion, threat actors can’t orchestrate data breaches.
It’s next to impossible to conduct large-scale and complex cyberattacks when in the crosshairs of robust security tools. Defense evasion techniques ensure that every step in an attack chain is easy and uncomplicated.
Leveraging stealth
The most effective defense evasion techniques ensure that hackers don’t draw attention to themselves. To avoid detection by security teams and tools, threat actors often try to blend in with an enterprise’s cloud environments and conduct malicious activities in the guise of legitimate users and accounts. Manipulating and utilizing legitimate processes and mechanisms within a cloud environment to facilitate an attack is known as “living off the land” (LOTL).
In addition to hijacking legitimate processes and accounts, threat actors also try to deactivate, disable, and reconfigure security tools to make their attack chains simpler. However, while they attempt various defense evasion techniques to escalate attacks, enterprises and their blue teams are constantly refining their security controls and tools.
Will an attacker stay one step ahead of your enterprise’s cybersecurity program? Or will your blue team and security tools catch even the stealthiest adversaries? The effectiveness of an enterprise’s cloud security posture hinges on who wins that battle.
16 common techniques associated with defense evasion
MITRE ATT&CK lists numerous defense evasion techniques that enterprises must be aware of. However, a few of these are particularly pertinent to cloud security.
The following are the most critical cloud-adjacent defense evasion techniques that businesses know about:
Abuse elevation control mechanisms: Threat actors sidestep rules that define account privileges to gain advanced access rights to various cloud-based resources.
Manipulate access tokens: Threat actors alter legitimate access tokens and apply them with different security mechanisms across cloud environments.
Build image on host: Adversaries directly build a container image on a host to sidestep cloud security tools that look for malicious behaviors in registries.
Deobfuscate files: Threat actors conceal information that may point to a data breach in obfuscated files; certain sub-techniques like software packing help adversaries evade signature-based detection.
Modify domain or tenant policies: By reconfiguring trust relationships and identity syncing in various cloud tenants, hackers can evade centrally managed security and surveillance tools.
Exploit application vulnerabilities: Adversaries take advantage of a cloud security misconfiguration or vulnerability to evade security tools.
Hide artifacts: Threat actors conceal artifacts that are evidence of malicious behavior; these include malicious code, users, virtual instances, emails, and various other malicious files; common sub-techniques include hiding files, directories, and file systems.
Hijack an execution flow: With sub-techniques like dynamic link library (DLL) search order hijacking and DLL side-loading, threat actors execute different payloads to evade security defenses; many of these sub-techniques involve injecting malicious DLL files.
Impair defenses: Adversaries interfere with their victim’s security mechanisms, which may include antivirus software, cloud firewalls, cloud logs, and threat detection and response tools.
Impersonate trusted parties: Similar to phishing, threat actors impersonate a trusted individual, organization, or entity to manipulate victims into unknowingly partaking in malicious behaviors.
Masquerade the true file type: Sub-techniques like mimicking valid code signatures, renaming system utilities, abusing double file extensions, and breaking process trees let hackers alter the names, locations, and metadata of various cloud artifacts to avoid suspicion and detection.
Modify authentication processes: Adversaries interfere with authentication protocols and processes to gather legitimate credentials or alter privilege configurations on user accounts.
Modify cloud compute infrastructure: By creating, reconfiguring, or removing components like virtual machines, snapshots, and compute instances, hackers modify cloud infrastructures and services to sidestep defenses.
Obfuscate files or information: With sub-techniques like binary padding, software padding, steganography, command obfuscation, and encrypted files, adversaries render incriminating artifacts and malicious files inaccessible or unreadable.
Real-life example: In their recent attack campaigns across the USA and Asia, the Winnti hacking group used malicious tools to obfuscate payloads and evade detection.
Take over valid accounts: By taking over valid cloud accounts, threat actors can employ a range of attack tactics including defense evasion, initial access, and persistence.
Weaken encryption: Threat actors interfere with encryption tools that protect ported data.
9 recommendations to mitigate defense evasion tactics and techniques
The following are some best practices companies can adopt to prevent defense evasion.
1. Ensure continuous monitoring of cloud environments
No matter what techniques, sub-techniques, and malicious tools hackers use to try to bypass an enterprise’s cybersecurity defenses, 24/7 monitoring of all cloud workloads and activities will help identify and respond to defense evasion.
2. Prune down your attack surface
By constantly analyzing attack paths and actively remediating risk , businesses proactively reduce their attack surface to its bare minimum. Seeing toxic combinations gives security teams an accurate prioritization so the can focus , configurations and vulnerabilities that matter. .
3. Use a runtime sensor
A runtime sensor that can run on Linux hosts and Kubernetes clusters lets enterprises connect the dots between audit logs, workload runtime signals, and cloud activities to identify defense evasion-related threats.
4. Elevate threat intelligence and research
By joining threat intelligence communities, businesses can ensure their cloud security rule sets, coverage, and knowledge are never stale. Additionally, you should choose cloud security providers with a powerful research ecosystem.
5. Address vulnerabilities and misconfigurations proactively
It’s essential to proactively assess risks and identify any weaknesses and misconfigurations across your cloud components, APIs, and applications that might make it easier for adversaries to evade your defenses.
6. Equip teams with investigation capabilities
By empowering critical teams (cloud builders) with security capabilities and self-service tools, you’ll ensure that employees can protect their respective cloud segments. Teams and personnel should have the resources, tools, and segment-specific knowledge to identify and respond to a threat, regardless of the defense evasion technique employed.
While continuous monitoring is an effective solution to combat defense evasion techniques, it’s only one half of the puzzle. Businesses must deploy real-time, 24/7 threat detection and response tools to identify signs of defense evasion before they mature into full-fledged security disasters.
8. Use graphs to better understand cloud security architecture
By leveraging security tools that feature graph-based visualizations, businesses can get a better sense of their cloud environments and security controls and configurations. Graphs provide a different perspective on the inner workings and security vulnerabilities of cloud environments, which can help companies optimize their security controls and tools.
9. Optimize access permissions
Since many defense evasion techniques involve hijacking legitimate accounts with access privileges, businesses must make cloud infrastructure entitlement management (CIEM) a top priority. With CIEM, you’ll ensure that all user accounts follow the principle of least privilege.
How Wiz can help counter defense evasion techniques
Defense evasion involves bypassing cloud security mechanisms. The only way businesses can mitigate this dangerous attack tactic is by ensuring that their cloud security tools are foolproof. That means, companies must upgrade their detection mechanisms from traditional signature-based ones to complex behavior-based methods.
Wiz’s CDR capabilities provide real-time threat detection and response capabilities that can help you alert on and remediate defense evasion techniques. Wiz’s CDR tool also leverages runtime signals and cloud logs, which can help identify malicious activity related to defense evasion in real time. By using Wiz’s CDR, businesses can secure their most valuable data, containers, PaaS resources, serverless functions, and virtual machines.
Get a demo today to see how Wiz can stop threat actors from sidestepping your cloud security mechanisms.
See Your Cloud Activities Come to Life
Schedule a demo to learn how Wiz can detect and analyze threats in context so that you can prioritize, investigate, and respond quickly to the right risks.
In this post, we'll explore NIST's cloud security standards and how they provide a framework of best practices that enhance the safety and reliability of cloud environments.
Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.
Vulnerability management involves continuously identifying, managing, and remediating vulnerabilities in IT environments, and is an integral part of any security program.
API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.