To achieve true defense in depth, endpoint protection needs to be able to detect all types of attack tools and techniques, not just malware.
Attackers increasingly rely on non-malware, or fileless, attack techniques to gain remote access to victim networks.
These remote access agents have been notoriously hard to detect and block due to their configurability and their ability to hide from your defenses.
Dynamic Shellcode Protection is an exciting new addition to Sophos Intercept X, designed to prevent active adversaries from achieving one of their most sought-after goals: using remote access agents to gain “hands on keyboard” privileges.
Adversaries love remote access agents
Adversaries plant agents to give them remote access to a system so they can conduct more robust attacks. They are a favorite post-exploitation tool used in “living off the land” attacks, enabling the attacker to issue commands, scope a victim’s environment, or drop ransomware.
Remote access agents have recently been used in high profile attacks like SolarWinds and Gootloader. The adversary takes control of an already running process and controls it for their own use.
Using the analogy of a plane hijacking, while other steps in the attack chain give the attackers access to the cockpit, it’s the remote access agents that give them the ability to control the plane. To make the situation even more difficult, even after the attacker is ejected the shell they leave behind can still be used to remotely control the plane.
Dynamic Shellcode Protection in Intercept X
Dynamic Shellcode Protection is a system-level mitigation that detects the behavior of covert remote access agents and prevents attackers from gaining control of victim’s networks.
This game-changing feature is included and enabled in all Intercept X Advanced and Intercept X Advanced with EDR subscriptions for both endpoint and server. It protects against advanced, stealthy malware and memory-delivered post-exploitation agents. It doesn’t rely on signatures, machine learning, or the cloud; instead it focuses on suspicious behavior.
Suspicious behavior includes identifying processes that create a remote agent inside another process. This allows attackers to come in through one application and migrate to another application while maintaining a connection to their command and control systems. It also gives them the ability to hide their tracks and establish persistence on the device.
With Dynamic Shellcode Protection, Intercept X customers can take comfort in knowing they now have even stronger protection against remote access trojans, fileless malware, and ransomware attacks.
For a technical deep dive into this attack technique and how Dynamic Shellcode Protection stops it, read Mark Loman’s excellent article.
To learn more about Intercept X and to start a no-obligation free trial, visit our website.