Anti-Exploit Technology is Fundamental for Cloud Workload Security

All attacks include malicious activity, but not all attacks include writing malware to disk
Anti-exploit technology prevents attackers from gaining a foothold
What to look for in anti-exploit technology

Attacks, exploits and vulnerabilities

Any complete cloud workload security stack must feature robust anti-exploit technology for both end-user and server systems. Cloud workloads run on servers, either on-premises or in the cloud, and end-user systems access those workloads. End-user systems can give attackers indirect access to workload data, while servers can provide more direct access if attackers achieve a foothold.

When trying to gain access to a Windows system, attackers exploit vulnerabilities, known or unknown (zero day). The exploits may be novel, or part of a widely used exploit kit. The vulnerabilities attackers exploit may be within the Windows operating system or applications running on the system. The vulnerable component may run in kernel or user-mode, providing different levels of privilege to the attacker. Attackers may also string together attacks to elevate privilege locally once they have gained a remote foothold on a system, or they may move laterally by attacking other systems.

File-less attacks

Commonly, organizations believe the point of an attack is to place malware on a system. In the case of ransomware or cryptojacking, this is true, but it is not always true. In file-less attacks, the malicious activity occurs entirely in memory; no file is written to disk for traditional anti-virus solutions to detect. Instead, an attacker exploits a vulnerability then remotely runs commands on a system to either attack another system or exfiltrate sensitive data.

Detecting the signs of a successful attack is important. Endpoint Detection and Response and Managed Detection and Response solutions do just that; look for indicators of compromise and/or attack. However, anti-exploit technology aims to detect and block attacks early in the attack cycle -- at the point when an attacker is attempting to exploit a vulnerability to gain initial access to a system.

What to look for in anti-exploit solutions

Part of a complete prevention and detection stack managed from a single console

Point solutions have value, but tend to expand the impact of security when not included as part of a wider approach
Look for a solution that encompasses multiple security techniques, from signatures to advanced machine learning and threat-hunting capabilities

Coverage of both kernel- and user-mode exploits of known and unknown vulnerabilities

Detecting yesterday’s attacks is easy, preventing tomorrow’s attacks is difficult
Look for a solution with advanced detection and mitigation that includes the full software stack in your environment

Applicable across on-premises and cloud, end-user and server

Adoption of hybrid-, multi-cloud has created complexity, which may lead to security costs
Look for a solution that covers where your architecture is today, and will be tomorrow

Support for Virtual Desktop Infrastructure, including full-session, terminal services hosts and Remote Desktop Protocol

Work-from-home won’t end any time soon
Look for a solution which with minimal impact on performance and administration

While anti-exploit technology for Windows systems is not a panacea, it is a critical part of the security stack. Using focused, yet generic detection and mitigation techniques to prevent the abuse of common types of vulnerabilities will stop attacks before a foothold is gained. Attackers will continue to discover and exploit vulnerabilities in Windows systems, and the popular applications they run.

Bringing it all together

Hybrid-, multi-cloud environments give organizations tremendous flexibility in furthering business goals, but they also introduce complexity for security teams. Even after a zero-day vulnerability is exposed, teams struggle to quickly patch systems, especially servers. Security teams struggle to update controls while vendors attempt to identify new exploits and variants. This is where strong anti-exploit capabilities fill in the gaps by detecting and mitigating exploit attempts, stopping attacks from succeeding in the early stages of an attack.