52% of direct-to-IP threats are missing from intelligence feeds

By | 11:12 PM

Security tools are good at inspecting websites, domains, URLs, and files, so attackers are moving lower in the stack and communicating directly with IP addresses, where visibility is limited. According to Palo Alto Networks’ report, this creates a visibility gap that allows malicious traffic to blend into normal internet activity and evade detection.


At the internet edge, this gap starves security systems of the telemetry needed to identify and block threats. Threat actors hide the signals security tools rely on, use shared infrastructure to avoid detection, and scale these techniques with AI.

How attackers evade detection

Threat actors avoid detection by removing the signals security tools use to identify malicious activity. One method is communicating directly with IP addresses instead of domains, making it harder for security tools to collect information about a connection.

Malware such as WannaCry has used fake Server Name Indication (SNI) values in direct-to-IP connections to make traffic appear legitimate and bypass security controls. When this traffic is routed through trusted cloud providers or content delivery networks (CDNs), it becomes harder for security teams to determine the true destination of the connection and assess its risk.

Adversaries exploit network routing and covert discovery mechanisms to conceal their intent. High-evasion threats use highly covert channels to discover command-and-control IP addresses without resolving a domain. By bypassing traditional DNS, they remove the high-level indicators that modern security logic depends on. They use AI and proxy networks to conduct scans and exploits while rotating source IP addresses faster than reputation databases can track them. The same approach extends to infrastructure hosted on CDNs and cloud platforms.

AI helps them generate large numbers of short-lived IP addresses. Enterprise adoption of AI agents expands the attack surface. When these agents host services or interact with data through direct-to-IP connections, they create new exposures and make endpoints more vulnerable to hijacking.

Why reputation-based defenses fall short

Methods for filtering IP-layer connections rely on the assumption that threat intelligence is comprehensive and up to date. In practice, the limitations of reputation feeds create a persistent gap that threat actors can exploit.

Researchers found that 52% of IP addresses involved in direct-to-IP connections were absent from open-source intelligence feeds, despite such feeds serving as a primary source for tracking malicious infrastructure.

Even when malicious IP addresses are identified, they do not immediately appear in threat intelligence feeds. Researchers found an average 20-day delay before these feeds were updated, creating a roughly three-week window during which attackers could operate without a reputation-based signal.

Even extensive threat intelligence provides only partial coverage. Firewalls can store only a fraction of the malicious IP addresses active at any given time. Threat actors generate new IP addresses faster than security systems can identify and track them, leaving organizations with incomplete visibility and allowing even known threats to slip through network defenses.
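As an added example (not code from the report or this article), the Python sketch below turns two of the observations above, fabricated SNIs on direct-to-IP connections and reputation feeds that do not list the destination, into a simple correlation check over DNS and TLS telemetry: a connection is only "explained" if a recent DNS answer for the presented SNI returned that destination IP. The log entries, the 3600-second window, the RFC 1918 exclusion list and the feed contents are all constructed assumptions.

```python
"""Added example: flag TLS connections whose destination IP was never returned by a
DNS answer for the SNI they present, plus bare direct-to-IP connections, and show
that a reputation feed lookup alone would miss them."""
from collections import defaultdict
import ipaddress

WINDOW_SECONDS = 3600  # assumed: a DNS answer older than this no longer "explains" a connection
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample telemetry; IPs come from documentation ranges, not real infrastructure.
DNS_ANSWERS = [  # (timestamp, queried name, answer IP)
    (100, "updates.example.com", "203.0.113.10"),
    (120, "cdn.example.net", "198.51.100.7"),
]
TLS_CONNECTIONS = [  # (timestamp, destination IP, SNI presented in the ClientHello)
    (105, "203.0.113.10", "updates.example.com"),  # preceded by a matching DNS answer
    (130, "198.51.100.7", "cdn.example.net"),      # preceded by a matching DNS answer
    (140, "192.0.2.55", "cdn.example.net"),         # SNI borrowed from a trusted CDN name
    (150, "192.0.2.56", ""),                        # bare direct-to-IP, no SNI at all
    (160, "10.0.0.8", ""),                          # internal destination; skipped as noise
]
REPUTATION_FEED = {"192.0.2.99"}  # constructed feed; neither flagged IP appears in it


def build_resolution_index(dns_answers):
    index = defaultdict(list)  # queried name -> [(timestamp, answer IP), ...]
    for ts, qname, ip in dns_answers:
        index[qname.lower().rstrip(".")].append((ts, ip))
    return index


def dns_explains(index, sni, dst_ip, conn_ts):
    """True if a DNS answer for `sni` returned dst_ip within WINDOW_SECONDS before the connection."""
    return any(
        ip == dst_ip and 0 <= conn_ts - ts <= WINDOW_SECONDS
        for ts, ip in index.get(sni.lower().rstrip("."), [])
    )


def classify_connections(tls_connections, dns_answers, feed):
    """Return findings for external connections that the DNS telemetry does not account for."""
    index = build_resolution_index(dns_answers)
    findings = []
    for ts, dst_ip, sni in tls_connections:
        if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
            continue  # RFC 1918 destinations are out of scope for this heuristic
        if sni == "":
            reason = "direct-to-ip-without-sni"
        elif not dns_explains(index, sni, dst_ip, ts):
            reason = "sni-never-resolved-to-destination"
        else:
            continue  # ordinary name-based connection
        findings.append({"ts": ts, "dst_ip": dst_ip, "sni": sni, "reason": reason, "in_feed": dst_ip in feed})
    return findings
```

The `in_feed` field stays false for both flagged connections, which is the gap the report describes: the behavioral signal (no DNS answer explains the destination) is available at connection time, while the reputation signal is not.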

The case for real-time connection analysis

Security teams have spent years improving their ability to inspect websites, applications, domains, URLs, and payloads. At the network layer, traffic is often filtered using threat intelligence feeds and IP reputation data. Attackers increasingly exploit the limitations of this approach.

By communicating directly with IP addresses, they reduce the visibility available to security tools. They operate through trusted cloud providers and content delivery networks, making malicious traffic harder to distinguish from legitimate business activity.

AI accelerates the problem by helping adversaries create and rotate infrastructure faster than threat intelligence systems can track it. Malicious connections may not appear in reputation databases when security decisions are made.

Organizations need more than historical reputation data to assess risk. Alongside application-layer inspection, security teams need real-time visibility into network connections and the ability to evaluate traffic based on behavior and context.


from Help Net Security https://ift.tt/yHarYc1
