Defense Evasion: Advanced Techniques Undermining Cybersecurity

What could be worse than discovering that your systems have been breached by attackers? Experiencing a breach that you don't detect at all.

That’s what can happen when threat actors deploy effective defense evasion techniques, which allow them to operate undetected within the systems they are targeting. From a cybersecurity perspective, defense evasion presents a significant challenge, especially when dealing with sophisticated attackers who work hard to hide their tracks and make breaches challenging to identify.

The good news is that with the right practices and tools, it’s possible to detect and mitigate defense evasion risks, as this article explains.

What is defense evasion?

Defense evasion is the ability of attackers to operate undetected while they are breaching an IT system. The concept forms part of the MITRE ATT&CK knowledge base, a set of freely available resources to help organizations understand and manage cybersecurity risks. Among MITRE’s publications is a guide to defense evasion techniques, which defines defense evasion as the act of “trying to avoid being detected.”

Arguably, the term defense evasion can be a bit confusing because the concept doesn’t refer to evading defenses as a means of carrying out an attack. For instance, finding a way to bypass an Identity and Access Management (IAM) system in order to gain access to a server wouldn’t be an example of defense evasion. It would just constitute breaking into the server.

Instead, defense evasion involves avoiding detection once attackers have carried out a successful breach. Evading systems designed to detect malicious activity is one way that defense evasion can occur, and in that respect the term makes sense. But it’s important not to conflate defense evasion with the mere execution of an attack.

Why is defense evasion critical to understand?

The concept of defense evasion is critical in the context of modern cybersecurity because the focus of cybersecurity strategies tends to be on detecting and responding to attacks – a practice that doesn’t necessarily work well when attackers are actively trying to evade detection.

Conventional cybersecurity strategies involve practices like scanning for vulnerabilities, which can reveal risks that attackers might exploit, and security monitoring, which may provide evidence of an active attack or breach by identifying anomalies inside systems. These practices are effective, and they’re core elements of any modern cybersecurity strategy.

However, if attackers are trying to hide their tracks, scanning and monitoring may not be effective at detecting a breach. Defense evasion creates the risk that attackers may be able to operate unhindered. It’s also likely part of the reason why it takes 207 days, on average, to detect breaches, according to IBM.

This is why searching for and blocking defense evasion techniques is a key cybersecurity practice that businesses should leverage alongside other techniques, like scanning and monitoring.

Common defense evasion techniques

Blocking defense evasion starts with understanding the techniques that attackers might use to avoid being detected. There are a variety of potential measures they could use, and MITRE offers a detailed list of specific defense evasion strategies.

But to illustrate what defense evasion often looks like in practice, consider the following types of defense evasion techniques and scenarios.

Rootkits

Rootkits are malicious software that allows attackers to control a host system, either by intercepting application calls in user space or by running malicious code directly inside the operating system kernel.

In many cases, rootkits are installed through a compromised bootloader or firmware. This means they load when a computer starts, making it easy for them to hide their tracks and evade detection. For this reason, installing rootkits is a common technique threat actors use to evade detection.

Fileless attacks

In a fileless attack, threat actors compromise systems without installing files onto an operating system. Instead, they typically rely on malware that runs in memory, leaving no permanent traces behind on a computer or server’s file system.

Fileless attacks can be a form of defense evasion because if attackers don’t plant files on a target system, scanning and monitoring tools that look for malware installed on disks won’t be effective in detecting the attack. Other methods – such as analyzing user or process behavior to detect anomalies – could potentially work; nonetheless, fileless attacks are one strategy threat actors might use to obscure their activity.

Living off the land

A living off the land attack (sometimes called an LOLBin attack) is a type of breach where threat actors use a system’s legitimate applications and tools to carry out malicious activity. For example, attackers could take advantage of flaws in a shell program to execute commands that shouldn’t be available to them, or modify configuration files for legitimate applications in ways that elevate their privileges.
Because living off the land attacks depend on normal applications and processes, and don’t require the installation of malware, they are another type of attack that can be challenging to detect using malware scanners, which makes this a popular technique for defense evasion.

How to detect and mitigate defense evasion

If attackers are actively trying to avoid detection using techniques that render traditional security tools ineffective, how can you find them?

The answer is to deploy a defense-in-depth strategy that provides multiple layers of protection and breach detection capabilities. For instance, an organization concerned with mitigating defense evasion might deploy each of the following defense techniques:

  • Scanning of applications to detect vulnerabilities that attackers could exploit. This helps reduce the attack surface and prevent potential breaches from occurring.
  • Scanning systems for the presence of malware, another common sign of an active attack.
  • Monitoring the network for unusual activity, like port scans, which are often an early sign that someone is looking for ways to breach a system, or connections to unknown endpoints.
  • Analyzing authentication and authorization logs for anomalies, like users who have connected from an unusual location. This may also be a sign that someone is impersonating a legitimate user.
  • Collecting and analyzing logs and other data related to user activity, such as which systems a user accesses and what the user does inside each system. Anomalies in this data may also be a sign of the presence of attackers.
  • Monitoring process behavior on servers and computers to detect anomalies, such as processes not associated with recognized applications or processes running under an unusual user ID (UID).
  • Monitoring CPU, memory and other resource utilization levels for host systems. Spikes that can’t be explained by legitimate activity (like deploying a new application) could reflect malicious activity on a host.

By collecting data through all of the techniques described above and correlating that data, businesses can maximize their ability to detect attacks even in cases where malicious parties are trying to evade detection.
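To make the correlation step concrete, here is an added Python example (not code from the article or from Aqua) that runs three of the layers listed above over constructed sample data: authentication log lines checked against each user's usual address range, a process inventory checked for unrecognized executables and unexpected UIDs, and per-host CPU samples checked for spikes. The process check also looks at whether a running process has any executable on disk, which ties back to the fileless-attack point earlier: a disk scanner has nothing to find, but a process inventory still exposes the memory-only image. The sshd-style log format, the allowlist of known applications, the expected service UIDs, the `exe_on_disk` field and the 3x spike threshold are all assumptions made for the demonstration.

```python
"""Correlating several detection layers over constructed sample data.
Added example, not Aqua product code: every log line, process record and
metric below is made up for the demonstration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# --- constructed inputs (assumed formats, not taken from the article) --------
AUTH_LOG = [
    "2024-05-01T08:02:11 web-01 sshd[812]: Accepted publickey for alice from 10.0.4.15",
    "2024-05-01T08:05:40 web-01 sshd[815]: Accepted publickey for alice from 10.0.4.15",
    "2024-05-01T23:48:03 web-01 sshd[901]: Accepted password for alice from 203.0.113.77",
    "2024-05-01T23:49:10 db-01 sshd[402]: Failed password for bob from 10.0.4.20",
]
# address prefixes each user normally connects from (assumed baseline)
USUAL_NETWORKS = {"alice": ("10.0.4.",), "bob": ("10.0.4.",)}

# one record per running process; exe_on_disk is assumed to come from resolving
# the process's executable link (a memory-only image has no backing file)
PROCESSES = [
    {"host": "web-01", "pid": 1200, "uid": 33, "exe": "/usr/sbin/nginx", "exe_on_disk": True},
    {"host": "web-01", "pid": 1311, "uid": 33, "exe": "/memfd:payload (deleted)", "exe_on_disk": False},
    {"host": "web-01", "pid": 1320, "uid": 0, "exe": "/usr/bin/bash", "exe_on_disk": True},
    {"host": "db-01", "pid": 700, "uid": 999, "exe": "/usr/lib/postgresql/14/bin/postgres", "exe_on_disk": True},
]
KNOWN_APPS = {"/usr/sbin/nginx", "/usr/lib/postgresql/14/bin/postgres", "/usr/bin/bash"}
EXPECTED_UIDS = {"web-01": {33}, "db-01": {999}}   # service accounts expected per host

CPU_SAMPLES = {"web-01": [12, 14, 13, 91, 95], "db-01": [40, 42, 39, 41, 44]}  # percent

@dataclass
class Finding:
    host: str
    source: str   # detection layer that produced it: auth, process or resource
    detail: str

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_auth_line(line):
    """Return the fields of an sshd-style line, or None if it does not match."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None

def auth_anomalies(lines, usual_networks):
    """Flag successful logins from outside the user's usual address ranges."""
    findings = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["result"] != "Accepted":
            continue
        # an unknown user has no usual range, so any login is flagged
        if not rec["ip"].startswith(usual_networks.get(rec["user"], ())):
            findings.append(Finding(rec["host"], "auth",
                                    f"{rec['user']} logged in from unusual address {rec['ip']}"))
    return findings

def process_anomalies(procs, known_apps, expected_uids):
    """Flag memory-only executables, unrecognized executables and unexpected UIDs."""
    findings = []
    for p in procs:
        if not p["exe_on_disk"]:
            findings.append(Finding(p["host"], "process",
                                    f"pid {p['pid']} has no executable on disk ({p['exe']}): fileless indicator"))
        elif p["exe"] not in known_apps:
            findings.append(Finding(p["host"], "process",
                                    f"pid {p['pid']} runs unrecognized executable {p['exe']}"))
        if p["uid"] not in expected_uids.get(p["host"], set()):
            findings.append(Finding(p["host"], "process",
                                    f"pid {p['pid']} ({p['exe']}) runs as unexpected uid {p['uid']}"))
    return findings

def resource_anomalies(samples, factor=3.0):
    """Flag hosts whose peak CPU is far above their own median (an unexplained spike)."""
    findings = []
    for host, series in samples.items():
        if len(series) < 3:
            continue
        median = sorted(series)[len(series) // 2]
        peak = max(series)
        if median > 0 and peak >= factor * median:
            findings.append(Finding(host, "resource", f"cpu peak {peak}% vs median {median}%"))
    return findings

def correlate(findings):
    """Group findings per host; hosts where more independent layers fired rank first."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    ranked = sorted(by_host.items(),
                    key=lambda kv: (-len({f.source for f in kv[1]}), kv[0]))
    return [(host, sorted({f.source for f in fs}), fs) for host, fs in ranked]

def run_all():
    findings = (auth_anomalies(AUTH_LOG, USUAL_NETWORKS)
                + process_anomalies(PROCESSES, KNOWN_APPS, EXPECTED_UIDS)
                + resource_anomalies(CPU_SAMPLES))
    return correlate(findings)

if __name__ == "__main__":
    for host, sources, fs in run_all():
        print(f"{host}: {len(sources)} layers fired {sources}")
        for f in fs:
            print(f"  [{f.source}] {f.detail}")
```

On the sample data, `web-01` is the only host that surfaces, and it does so from all three layers at once: a late-night login from an address outside the user's usual range, a process with no file behind it, a shell running as an unexpected UID and a CPU spike. No single layer is conclusive on its own; the ranking in `correlate` is what turns three weak signals into one host worth investigating first.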

Elevate your runtime defense with Aqua CNAPP

As an integral part of a Cloud Native Application Protection Platform (CNAPP), Aqua provides a robust, intelligence-driven solution for active runtime protection of cloud native workloads. To keep up with the velocity of digital transformation, it allows SOC teams to accelerate detection and response by seamlessly blocking any unauthorized activity without causing downtime to running workloads. As the threat landscape continues to evolve, behavioral detection based on real-world threat intelligence from the Aqua Nautilus research team strengthens resilience against escalating cyber threats and zero-day attacks.

Jose Ignacio Fernandez del Campo Aguado
José Ignacio is a Technical Product Marketing Manager at Aqua Security with over 15 years of experience in cybersecurity, risk management, security operations, and software development. He gained these skills through multiple roles at McAfee Enterprise (now Trellix) and Aqua Security, where he embraced technologies like Docker, Kubernetes, DevSecOps, and Cloud Security, progressing from Technical Support Engineer to Support Manager, and eventually to Technical Product Marketing Manager. José Ignacio's expertise lies in his strong technical drive and ability to foster cross-team collaboration for successful outcomes. Outside of work, he is passionate about singing and martial arts, promoting positivity and creativity in everything he does.