Microsoft’s Response to AtomBombing is Post-Infection Detection
In March 2017, Microsoft (known for fixing vulnerabilities in their software products once a month on “Patch Tuesday”) recently addressed post-infection detection, investigation, and response with their Windows Defender Advanced Threat Protection [ATP]). Microsoft is a company that is continuing to evolve in product/services, and is now expanding to the depths of defending operating systems from attacks. This most recent Windows Defender ATP update protects against both code injection techniques, “Process Hollowing” and “AtomBombing.” While it is important to protect against infection on the front line, sophisticated attackers will still find their way in, so post-exploitation techniques become the only way to detect data being exfiltrated.
The Microsoft update that addresses both “Process Hollowing” and “AtomBombing” will only be available for those that have purchased Windows Defender and will only be available in October or November 2017. Windows Defender ATP has only been addressing security issues for less than a year and Windows customers have to purchase Windows Defender ATP.
The Impact of AtomBombing Endpoint Infection
enSilo researchers discovered AtomBombing back in October 2016. At the time of AtomBombing’s release, AtomBombing went undetected by most security solutions, due to the attacker hiding the injected malicious code within an atom table. Once AtomBombing is used successfully, the attacker has the ability to hide within legitimate processes, making it more difficult to detect them. AtomBombing opens a new route for attackers to move freely within an infected device.
AtomBombing Attributions and Impact
- Atom tables lie within Windows’ operating systems and allow applications to store and share data. The name AtomBombing is derived from the use of Atom tables and the “bombing” part is self-explanatory. AtomBombing is stealthy and avoids detection by using innocent looking API’s to pass code into the target process, through the global atom table.
- AtomBombing has the ability to fool whitelisted apps into executing malicious operations, which go undetected with most security products.
- AtomBombing can’t be patched.
- AtomBombing evades detection.
- AtomBombing is another tool for an attacker to add to their toolbox.
AtomBombing was also found in a version of a notorious banking Trojan of Dridex that evaded detection and took part in a malicious campaign targeting UK banks.
Beyond Detection: The Need for Real-Time, Post Infection Protection
According to Microsoft, “even the best pre-infection endpoint defenses will be breached eventually, as cyberattacks become more sophisticated and targeted. Windows Defender Advanced Threat Protection (ATP) helps our enterprise customers detect, investigate, and respond to advanced attacks and data breaches on their networks.”
enSilo takes both a pre-infection (NGAV) and post-infection (automated EDR) approach that goes beyond detection but also offers real-time protection and blocking of malware on infected endpoints. enSilo's post-infection capabilities reside inside of the operating system and will stop attackers from stealing, or maliciously encrypting your data. enSilo is the only comprehensive endpoint security solution that provides real-time protection, pre- and post-infection.
Malware/cyberattacks are evolving and modifying intrusion techniques at a rate that even an overcrowded market of security products is continuously getting bypassed daily. We read in data breach forensic reports that malware causing the most significant data breaches went undetected for usually months and in some cases years without being detected. Isn’t it time to look at information security differently? Keeping up with the different malware strands and the new malicious techniques that are constantly being developed is beyond manic. Simply prevent the consequences.