Threat actors are constantly searching for new and sophisticated ways to avoid detection in order to successfully perform malicious attacks, and their increasing power and ambition was evident during 2017 when an estimated 230,000 malware samples were produced, and 4,000 ransomware attacks threatened organisations, each day.
Apart from the rise in ransomware attacks, 2017 also saw a sharp increase in the number of fileless malware attacks - a threat organisations need to start paying more attention to.
As the name suggests, fileless malware attacks tend to rely as little as possible on executables during infection and compromise. Some fileless attacks use a system's own trusted system files and services to obtain access to devices and others would opt for memory-only attack vectors. In other words, fileless attacks trade persistence with stealth and evasion. In many cases, these attacks bypass traditional signature-based security and forensics tools.
Several high- profile groups, such as FIN7, Lazarus, and Oilrig performed damaging fileless attacks during 2017, which has encouraged cyber criminals to adopt fileless attack techniques, once mostly used by nation-states, more extensively.
According to a recent survey conducted by the Ponemon Institute, it was estimated that 20% of attacks on organisations during 2016 were fileless attacks - a number which has grown to 29% in 2017, and is estimated to increase by 35% in 2018.
Furthermore, 42% of survey respondents said their company experienced at least one successful fileless attack in 2017, while 75% of all successful compromises involved fileless methods.
There are several reasons why attackers prefer to use fileless attack methods. For one, the fact that the malicious logic of the attack usually occurs only in memory makes traditional static detection impossible, as no file is saved to disk.
In addition, it also complicates post-event analysis, since many artifacts related to the attack exist in memory only, and they might be overwritten or removed by the time of discovery (through a reboot for example). In-memory detection and artifact collection can be done through the use of heuristics and behavioral analysis, which can detect malicious in-memory activities.
The use of scripts and admin tools also makes it easy for attackers to hide their presence and purposes. Scripts can be very easily obfuscated and delivered in several stages, while actions performed by admin tools might seem legitimate to an organisation.
The use of scripts and admin tools also makes the sharing of traditional Indicators of Compromise (IoC’s) more difficult, since there are usually no les to share. Instead, organisations should share techniques related to fileless attacks discovered by them.
In the face of the growing fileless threat, the security industry has not remained idle, and additional capabilities have been added to many security products in an attempt to tackle the issue. Capabilities dealing with in-memory analysis, such as dynamic or run- time analysis, and memory heuristics, to detect suspicious activities in memory have been introduced.
As another defence, security products can also enforce different policies across an organisation, which can limit the access some users have to powerful tools such as PowerShell and WMI, or to internal organisational tools.
Some also contain a compliance capability, which provides administrators with the ability to monitor possible vulnerabilities within their organisation – such as unpatched software or use of old operating systems, and enforce updates. Though not perfect, these capabilities can improve the ability to detect fileless attacks.
Navigating the changing threat landscape and dealing with a sophisticated strain like fileless malware can be a daunting prospect to many businesses. Regardless of an organisation’s choice of security solutions, there are some steps businesses and users can take to protect themselves from fileless attacks:
- Restrict the use of scripts and scripting languages inside the organisation, by applying different policies to different areas of the network. Allow scripts to run from read-only network locations or access only specific machines.
- Restrict and monitor the use of Interactive PowerShell and WMI within the organisation.
- Block execution of macros and digitally sign trusted macros, which can be allowed to run within the organisation.
- Make sure all computers and programs are updated regularly and on time. This will prevent the exploitation of known and patched vulnerabilities.
- Do not click on unknown or untrusted links, and do not open email attachments which are unknown or untrusted. Infection through social engineering is the most common method of infection.
- Deploy an advanced endpoint protection solution which can detect and mitigate fileless attacks. Some advanced endpoint solutions can also enforce all the points mentioned above.
Article by Deep Instinct senior vice president Stuart Fisher.