The first half of 2017 has already seen a large number of attacks that have compromised major networks worldwide. Ransomware has led the charge in viral infections, but other infections have taken hold of networks quietly while hiding in plain sight.
In these types of attacks, fileless malware secretly invades networks and takes hold of systems using the host’s native tools and applications to exfiltrate data, deliver additional malware payloads, and remain a persistent threat, which allows attackers to exploit the systems again during future campaigns.
How do you fight an enemy you don’t see? Well thankfully, fileless malware isn’t truly undetectable—but you definitely need to know where to look and what to look for to reduce your chances of getting infected—or in the event of a compromise, to limit the spread of the exposure.
While the measures below are not by any means all encompassing, they do provide a good foundation to build on, using layered security practices, and they’re peppered with customized solutions that should meet (or exceed) your organizations specific needs.
Restrict unnecessary scripting languages
One of the key factors that fileless malware relies on to carry out its attacks on hosts are management frameworks and tools that are native to the system’s operating system. In many of these types of attacks, PowerShell and Windows Management Instrumentation (WMI) frameworks are utilized to secretly execute commands on the host while the infection resides in resident memory.
If your organization doesn’t use these applications, one of the best protections is to disable them altogether. This will harden the system against using PowerShell to manipulate the host or WMI to enumerate system variables, which in turn can be used to attack the host. But if the hole is closed, attackers won’t be able to rely on this vector.