Feature Stories | 5 Min Read

Adaptive Protection is Put to the Test

Tests reveal Adaptive Protection blocks potential Living Off the Land attacks 4 seconds faster

When we think of threat actors’ chosen vessels for their malevolent payloads, we often think of sketchy or infected websites or dangerous executables built by attackers. There was a time when bad actors typically wrote malware designed to do damage before antivirus solutions had a chance to identify their signatures and isolate the threat. But today’s criminals are using legitimate business applications as cover, allowing them to hide in plain sight while leveraging good code to do bad things.

Symantec’s 2024 Ransomware Threat Landscape report signals this uptick in “living off the land” (LOTL) techniques, where threat actors launch sophisticated attacks through operating system features or legitimate tools rather than custom malware. From 2021 to 2023, nearly half of all ransomware attacks used LOTL tools, and six out of the 10 tools most commonly used across all ransomware attacks were legitimate software. Windows OS components, PsExec, PowerShell, WMI, AnyDesk, Atera, Splashtop and ConnectWise have become the tools attackers most often abuse.

Here’s the problem: System administrators rely on these same tools to keep operations running smoothly and securely. This makes it especially challenging for admins to differentiate between normal, everyday actions and unusual behaviors that could signal potentially malicious activity. That’s exactly what attackers are counting on—and it’s a major reason the engineers at Symantec developed Adaptive Protection. 

What is Adaptive Protection?

Adaptive Protection, a unique feature of Symantec Endpoint Security (SES), learns the day-to-day behavior of an organization, or of a division within it, and blocks tool combinations that fall outside that profile. It uses behavioral analytics to automatically learn the usage it observes and apply exceptions covering it, then blocks activity outside that normal usage without disrupting recognized workflows. Adaptive Protection simplifies life for security teams by shrinking their attack surface and surfacing anomalous behaviors that may indicate an LOTL attack. 

Teams with this endpoint security feature can:

  • Monitor and identify normal behaviors within the entire organization or individual groups
  • Construct a policy framework that allows normal behaviors and blocks behaviors outside the norm, including variations of normal behaviors (for example, a known tool launched from an unexpected parent process or location)
  • Reduce their attack surface 
  • Accelerate detection of potential threats

Sounds pretty great, right? Here’s how it works.

When deployed in a corporate environment, Adaptive Protection starts by learning normal actions and behavior. Each action is monitored and flagged (but not blocked) whenever it appears. After a learning period of 90, 180 or 365 days, an administrator can review which actions have been observed in that environment and decide whether to allow or block each one. Actions that have never been seen can then be blocked without worrying about negatively impacting the environment and its users, since nothing in the recorded workflow depends on them. Adaptive Protection can block more than 450 individual actions. For example, if Microsoft Word launches PowerShell and that combination was never observed during the learning period, it can be blocked. The set of allowed actions forms the policy for that organization. 
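The learn-then-enforce cycle described above, and the list of capabilities in the previous section, can be modelled in a few dozen lines. The following is an added illustration, not Symantec’s implementation: it replays a constructed process-creation log, records which parent-to-child launches each endpoint group performs during the learning period, and afterwards allows only launches that appeared in that baseline. The group names, file paths, event fields and the 90-day window are assumptions chosen for the example; the real product tracks many more action types than process launches and lets an administrator decide per action, which this toy model collapses into an automatic allow/block decision.

```python
"""Toy learn-then-enforce allowlist for living-off-the-land tool launches.

Added example, not Symantec code. Every event below is constructed for the
illustration; the group names and paths are assumptions, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    group: str    # endpoint group the baseline is scoped to (assumed name)
    parent: str   # full path of the process that performed the launch
    child: str    # full path of the process that was launched


def launch_key(event):
    """Case-folded full paths. Matching on the whole path, not just the file
    name, means a copy of powershell.exe dropped into a user directory is a
    *variation* of normal behaviour and will not match the baseline."""
    return (event.parent.lower(), event.child.lower())


class AdaptiveBaseline:
    LEARN, ALLOW, MONITOR, BLOCK = "learn", "allow", "monitor", "block"

    def __init__(self, learning_period, enforce=True):
        self.learning_period = learning_period
        self.enforce = enforce          # False = flag only, never block
        self.started = None
        self.seen = defaultdict(set)    # group -> {(parent, child), ...}

    def in_learning_window(self, ts):
        if self.started is None:
            self.started = ts           # learning clock starts at first event
        return ts - self.started < self.learning_period

    def evaluate(self, event):
        key = launch_key(event)
        known = self.seen[event.group]  # baselines are per group, not global
        if self.in_learning_window(event.ts):
            known.add(key)              # record, never block, while learning
            return self.LEARN
        if key in known:
            return self.ALLOW           # observed during learning: normal
        return self.BLOCK if self.enforce else self.MONITOR


def replay(events, learning_period=timedelta(days=90), enforce=True):
    """Run the log through one baseline in time order; return (event, verdict)."""
    baseline = AdaptiveBaseline(learning_period, enforce)
    return [(e, baseline.evaluate(e)) for e in sorted(events, key=lambda e: e.ts)]


# Constructed sample log. Finance users open Word from Explorer and a service
# runs a scheduled PowerShell job; IT operators open PowerShell interactively.
T0 = datetime(2024, 1, 1)
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

SAMPLE_EVENTS = [
    # learning window (days 0-89)
    ProcessEvent(T0, "finance", EXPLORER, WORD),
    ProcessEvent(T0 + timedelta(days=2), "finance", SVCHOST, PWSH),
    ProcessEvent(T0 + timedelta(days=5), "it-ops", EXPLORER, PWSH),
    # enforcement: a launch that is part of the finance baseline
    ProcessEvent(T0 + timedelta(days=100), "finance", SVCHOST, PWSH),
    # Word spawning PowerShell was never observed in finance -> blocked
    ProcessEvent(T0 + timedelta(days=101), "finance", WORD, PWSH),
    # explorer -> powershell is normal for it-ops but not for finance -> blocked
    ProcessEvent(T0 + timedelta(days=102), "finance", EXPLORER, PWSH),
    # variation: same parent, relocated copy of PowerShell -> blocked
    ProcessEvent(T0 + timedelta(days=103), "finance", SVCHOST,
                 r"C:\Users\Public\powershell.exe"),
]


def sample_verdicts(enforce=True):
    return [verdict for _, verdict in replay(SAMPLE_EVENTS, enforce=enforce)]


if __name__ == "__main__":
    for event, verdict in replay(SAMPLE_EVENTS):
        print(f"{event.ts:%Y-%m-%d} {event.group:8} {verdict:7} "
              f"{event.parent.rsplit(chr(92), 1)[-1]} -> {event.child}")
```

With `enforce=False` the baseline behaves like the monitoring phase the paragraph describes: unseen launches are reported as `monitor` rather than `block`, which is the state an administrator reviews before turning enforcement on.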

For security teams, there are real benefits. Because Adaptive Protection allows the legitimate tool usage it has observed while blocking uses of those same tools that fall outside the established profile, it shrinks the attack surface and disarms attackers by stopping attempted LOTL attacks at the point a tool is misused. It can therefore stop an LOTL attack before detection-based controls have identified the activity as malicious.

For a more granular look at how Adaptive Protection works, read the white paper.

MRG Effitas puts Adaptive Protection to the test

It’s easy to talk about how Adaptive Protection works, but the real question is: does it perform in real-world scenarios? The answer is a resounding yes—and we have the proof. 

Recently, we decided to rigorously test Adaptive Protection’s capabilities within environments that were based on actual customer operating environments. The objective: to evaluate how well the solution could block attacks early in the kill chain. 

Testing within Tempus 

To execute a true in-the-wild (ITW) test, we chose MRG Effitas, known for their proven track record of sourcing real-world samples that effectively evaluate security solutions. MRG Effitas boasts an advanced testing environment called Tempus which evaluates EPP products against the latest cyber threats and provides instant alerts through email, Slack or Discord when malware samples are missed by EPP products. This makes Tempus not only an effective test environment, but it also offers a chance for teams to make quick and efficient product enhancements. 

We set up six machines running Symantec Endpoint Protection (SEP): one acted as a control and the other five each used a different allow/deny policy taken from an actual SES customer. To simulate normal user behavior, we opened the malicious link in Chrome, downloaded the sample and ran it. Each sample was executed on an unprotected system and the results compared with those on the protected systems. Using virtual machines hardened against sandbox detection kept the environment invisible to the malware, allowing us to observe the full lifecycle of the attack.

The results were loud and clear

The test revealed that Symantec Adaptive Protection works–and works well. 

In just a few days, we found over half a dozen instances in which Adaptive Protection blocked a threat earlier than the control, based solely on attack surface reduction rather than on a detection for the sample itself. Notably, in those cases Adaptive Protection stopped the malware 4 seconds faster than systems not running it. And thanks to MRG Effitas’ ability to deliver real-world samples in real time, coupled with policies used by actual Symantec customers, the tests offered insight into Adaptive Protection’s real-world applications and viability. Ultimately, these tests underscored Adaptive Protection’s ability to limit attacker options and opportunities.

We’re right there with you

As attackers change the game, so do we. We at Symantec are constantly evolving to arm organizations with proven solutions that address dynamic challenges head-on, and backing our claims requires pitting our solutions and technologies against real-world threats. This round of rigorous testing showed that Adaptive Protection delivers a critical advantage, and that we’re blazing the trail for solutions that work better for users and better against today’s increasingly intricate and volatile attacks. 

For a deeper dive into our ITW test findings, Zsombor Kovacs, CTO of MRG Effitas, and Liam O’Murchu, Symantec’s Technical Director and co-author of the Putting Adaptive Protection to the Test white paper, will take the stage at the upcoming Virus Bulletin Conference in Dublin. As part of the CTA’s Threat Intelligence Practitioners’ Summit track, the two researchers will present the results of our Adaptive Protection tests and discuss how the feature combats LOTL attacks without limiting operations. 

About the Author

Mark Kennedy

Distinguished Engineer, Security Technology and Response

Mark works on threat detection technologies at Symantec, part of Broadcom Software. He served on the Board of Directors of the Anti-Malware Testing Standards Organization; and was also Chairman of the IEEE Industry Connections Security Group's Exec Committee.
