The first half of 2017 has already seen a large number of attacks that have compromised major networks worldwide. Ransomware has led the charge in viral infections, but other infections have taken hold of networks quietly while hiding in plain sight.
In these types of attacks, fileless malware secretly invades networks and takes hold of systems using the host's native tools and applications to exfiltrate data, deliver additional malware payloads, and remain a persistent threat, which allows attackers to exploit the systems again during future campaigns.
How do you fight an enemy you don't see? Well thankfully, fileless malware isn't truly undetectable—but you definitely need to know where to look and what to look for to reduce your chances of getting infected—or in the event of a compromise, to limit the spread of the exposure.
While the measures below are not by any means all-encompassing, they do provide a good foundation to build on, using layered security practices, and they're peppered with customized solutions that should meet (or exceed) your organization's specific needs.
1: Restrict unnecessary scripting languages
Fileless malware relies heavily on management frameworks and tools that are native to the host's operating system. In many of these attacks, the PowerShell and Windows Management Instrumentation (WMI) frameworks are used to secretly execute commands on the host while the infection resides in memory.
If your organization doesn't use these applications, one of the best protections is to disable them altogether. This hardens the system against the use of PowerShell to manipulate the host or of WMI to enumerate system variables, which in turn can be used to attack the host. With the hole closed, attackers won't be able to rely on this vector.
2: Disable macros and digitally sign trusted macros
Oh macros, what a delicate web you weave. On one hand, the macro functionality offers a little programming muscle to an assortment of productivity files. On the other hand, running unsecured code is never a good idea. Disabling macros is the best, most surefire way to prevent unsecured code from running on your systems if macro functionality is not something your organization utilizes.
However, if macros are a requirement for end users in your enterprise, merely enabling macros will simply not do enough to keep your systems secure. By digitally signing macros authorized for use by the organization and enabling only macros that are digitally signed, users will be able to run macros that have been vetted by the company, while protecting devices against all other types of macros by effectively disabling them.
3: Monitor security appliance logs for unauthorized traffic
As part of general best practices in maintaining your network and optimizing its security posture, logs from devices such as firewalls and intrusion prevention systems (IPS) should be monitored in a centralized and consistent manner to best detect unauthorized traffic exiting the network.
Ideally, baselines should be recorded for network activity based on multiple snapshots taken at different points in time: the network under duress during heavy workloads, during off-peak times when it is not in use, and at multiple times throughout the workday. This gives you a better understanding of the operating flow of the network and lets you apply heuristic analysis that aids in detecting abnormal network activity compared to the baselines. This will help you determine which devices are transmitting inordinate amounts of data (or communicating with unknown/unauthorized devices remotely), which is a telltale sign of infection.
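The baseline comparison described above can be sketched as follows. This is an added example, not code from the original article: the log format, the addresses, the byte counts and the threshold factor `k` are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed firewall egress records, "day hour src dst bytes_out" (all values made up).
BASELINE = """\
mon 10 10.0.0.11 203.0.113.10 90000
tue 10 10.0.0.11 203.0.113.10 110000
wed 10 10.0.0.11 203.0.113.10 100000
mon 03 10.0.0.12 203.0.113.10 2000
tue 03 10.0.0.12 203.0.113.10 2500
wed 03 10.0.0.12 203.0.113.10 2200
"""
TODAY = """\
thu 10 10.0.0.11 203.0.113.10 105000
thu 03 10.0.0.12 198.51.100.77 900000
thu 22 10.0.0.11 203.0.113.10 3000
"""

def parse(text):
    for line in text.splitlines():
        _day, hour, src, dst, nbytes = line.split()
        yield int(hour), src, dst, int(nbytes)

def build_baseline(text):
    """Volume samples per (host, hour of day) and the destinations each host normally uses."""
    volumes, dests = defaultdict(list), defaultdict(set)
    for hour, src, dst, nbytes in parse(text):
        volumes[(src, hour)].append(nbytes)
        dests[src].add(dst)
    return volumes, dests

def find_anomalies(baseline_text, today_text, k=3.0):
    """Return (host, hour, reason) for traffic that deviates from the recorded baseline."""
    volumes, dests = build_baseline(baseline_text)
    alerts = []
    for hour, src, dst, nbytes in parse(today_text):
        samples = volumes.get((src, hour))
        if not samples:
            # The host never transmitted at this hour in any snapshot.
            alerts.append((src, hour, "no-baseline-for-hour"))
        else:
            mean = statistics.mean(samples)
            # A single snapshot has zero spread; fall back to 10% of the mean.
            spread = statistics.pstdev(samples) or 0.1 * mean
            if nbytes > mean + k * spread:
                alerts.append((src, hour, "volume-above-baseline"))
        if dst not in dests[src]:
            alerts.append((src, hour, "unknown-destination"))
    return alerts
```

Keying the baseline by hour of day is what lets the 3 a.m. transfer stand out even though it would be unremarkable against a whole-day average.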
4: Implement endpoint security with active monitoring
While endpoint security, such as antivirus, has been largely ineffective in detecting fileless malware infections, there are endpoint solutions that have a heuristics component that operates through behavioral analysis on a client-by-client basis.
When system behaviors are analyzed against known baselines, deviations or significant changes in a system's usual behavioral patterns will result in a prompt. Administrators can respond either by accepting the change as a legitimate shift in system usage or by remediating a potentially infected device before the infection spreads.
In addition, certain types of malware, like ransomware, have a specific set of behavioral characteristics that are common to all infections: encrypting end-user data at alarming rates. By keying in to these identifying patterns, heuristics-based endpoints can and do halt many of these forms of behavior-based threats until end users manually authorize the process to continue, effectively stopping the threat before it delivers its full payload.
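A minimal sketch of that rate-based heuristic follows, as an added example that is not taken from the article or from any endpoint product. Byte entropy stands in for "looks encrypted", and the thresholds, process IDs and file events are constructed assumptions.

```python
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class WriteRateMonitor:
    """Holds a process that rewrites many files with high-entropy data (illustrative thresholds)."""
    def __init__(self, max_files=5, window_s=10.0, min_entropy=7.0):
        self.max_files, self.window_s, self.min_entropy = max_files, window_s, min_entropy
        self.recent = defaultdict(deque)   # pid -> (timestamp, path) of high-entropy writes
        self.held = set()                  # pids paused until a user authorizes them

    def observe(self, ts, pid, path, data):
        """Record one file write; return True if the process is (now) held."""
        if pid in self.held:
            return True
        if shannon_entropy(data) < self.min_entropy:
            return False
        q = self.recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > self.window_s:   # drop writes that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= self.max_files:
            self.held.add(pid)
        return pid in self.held

    def authorize(self, pid):
        """User approved the activity: release the process and reset its history."""
        self.held.discard(pid)
        self.recent.pop(pid, None)

def replay(events, monitor=None):
    """Feed constructed (ts, pid, path, data) events; return the set of held pids."""
    monitor = monitor or WriteRateMonitor()
    for ts, pid, path, data in events:
        monitor.observe(ts, pid, path, data)
    return monitor.held

# Constructed sample data: plain text vs. uniformly distributed bytes standing in for ciphertext.
TEXT, CIPHERLIKE = b"quarterly report draft " * 40, bytes(range(256)) * 4
EVENTS = (
    [(t, 100, f"doc{t}.txt", TEXT) for t in range(8)]                 # editor: fast, low entropy
    + [(t * 30, 300, f"bak{t}.zip", CIPHERLIKE) for t in range(6)]    # backup: high entropy, slow
    + [(50 + t, 200, f"file{t}.docx", CIPHERLIKE) for t in range(6)]  # rapid high-entropy rewrites
)
```

Only the process that combines both signals (pid 200) is held; the editor and the slow backup job show why neither write rate nor entropy alone is a usable trigger.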
5: Perform patch management across all devices
Again—and not surprisingly—one of the most important best practices in protecting systems from becoming compromised seems like a no-brainer. Yet despite the key role that patch management plays in securing an environment (and preventing breaches), many organizations are still behind the curve on keeping up with updates.
As recently as the WannaCry worm, fixes from Microsoft were released upwards of three months prior to the outbreak that affected organizations across the globe, and still some were nearly devastated by the encrypted payloads that could have been prevented had the patches been deployed months prior.
Fileless malware is not beholden to any particular vector of infection. It can be introduced as malicious code from a rogue application, downloaded from an infected website, or even distributed as part of a zero-day vulnerability. Though the latter is the most common delivery method for fileless malware to compromise a system and escalate privileges to infect a host, a tested and timely delivery of patches could effectively protect against any number of the malware delivery methods associated with fileless malware infections.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.