
8/17/2018
10:30 AM
Travis Rosiek
Commentary

The 5 Challenges of Detecting Fileless Malware Attacks

Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Security teams must also understand the underlying distinctions between the two.

Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update. Hiding behind that link, however, could be a page with JavaScript that opens the door to a greater threat. That script can stay fully fileless as it runs behind the scenes, accessing PowerShell and issuing commands on the user's machine. In the worst case, it might use that user's credentials to seek out other systems to access.

Given the speed of today's business networks and the computers on them, this malicious form of attack needs only a few seconds to start the damage and begin to propagate. That damage could be inflicted in many ways, and its results could be deadly for an organization whose data is now at risk of being removed, destroyed, or encrypted. Further complicating the problem, as the IT and security teams comb through their data to see how such an attack began, there's simply no evidence to find. It's as if someone has evaded all the layers of security and stolen the crown jewels without leaving a trace.

While fileless attacks present a real danger to organizations, their risks can be mitigated. The first step in protecting your environment is education. Teams need to view file-based and fileless malware as two completely different types of attacks. Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Organizations also need to understand five important distinctions between the two:

1. Analyzing fileless code in an OS-agnostic manner: Malicious attacks are often designed to operate on a specific operating system and product patch-level configuration. This is known as the "Goldilocks Principle." For example, a threat might require a specific version of Windows and that Firefox be installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.

2. Identifying and analyzing concealed and obfuscated code: Fileless attacks often make use of techniques that conceal or obfuscate the malware, causing detection tools to incorrectly label the code as benign or even fail to analyze the traffic in the first place. For example, fileless exploits attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. Fileless attack code can also be obfuscated within seemingly harmless PDF or Microsoft Office documents.

3. Detecting a broad spectrum of fileless attacks with no impact on network and host performance: Fileless attacks are hidden within the web-based transactions going on within a network. To isolate them from the majority of benign activity, all web traffic using JavaScript must be analyzed. Why is this a challenge? Almost all web pages employ some form of JavaScript. This represents an enormous challenge for tools performing network-based detection of fileless attacks over the tens, hundreds, or even thousands of transactions occurring per second. When it comes to host-based detection, this challenge can result in significant resource consumption on an end user's machine, potentially affecting business productivity.

4. Determining if recovered code will execute benign or malicious operations: Many benign applications and processes use scripts for legitimate purposes. These same scripts write cookies and perform other operations that involve making changes to the host. However, fileless attacks often operate in much the same way. Distinguishing these normal operations from malicious ones is the core challenge of fileless detection. Fileless attacks are more difficult for analysts to investigate manually because there are usually fewer samples and artifacts to analyze post-infection than for file-based attacks. Fileless attackers continue to evolve their techniques to make their attacks look more and more like normal daily operations, making it difficult to get ahead of the threat.

5. Detecting threats in real time: Post-processing systems are designed to look for malicious activity after an event has occurred. These systems include tools such as sandboxes and anomaly detection. While these types of tools may eventually detect the threat, they often don't discover the attack until one or more systems have been compromised and the damage has already been done. Attackers know this and use this lag from detection to remediation to their benefit. In today's threat environment, the longer any threat stays on any network, the greater the risk.
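Challenges 2 and 4 above come down to the same problem: the strings that give a script away are hidden behind string encoding or XOR, so a plain substring match sees only benign-looking code. The scanner below is an added example, not code from the article or its author; it peels one layer of base64 and single-byte XOR from a constructed JavaScript sample and reports at which layer each indicator surfaced. The indicator list and the sample are assumptions built for this illustration.

```python
import base64
import re

# Indicators usually revealed only after decoding (constructed list for this example).
INDICATORS = ("powershell", "wscript.shell", "activexobject")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_ARRAY_RE = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){8,}0x[0-9a-fA-F]{2}")

def decode_base64_strings(text):
    """Decode base64-looking runs; NULs are dropped so UTF-16LE text also matches."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 after all (binascii.Error subclasses it)
            continue
        out.append(raw.decode("latin-1").replace("\x00", ""))
    return out

def decode_xor_arrays(text):
    """Brute-force single-byte XOR over hex arrays, keeping printable-ASCII results."""
    out = []
    for m in HEX_ARRAY_RE.finditer(text):
        data = bytes(int(h, 16) for h in re.findall(r"0x[0-9a-fA-F]{2}", m.group(0)))
        for key in range(1, 256):
            cand = bytes(b ^ key for b in data)
            if all(32 <= c < 127 for c in cand):
                out.append(cand.decode("ascii"))
    return out

def scan(script_text):
    """Map each indicator to the layer (plain, base64, xor) where it first appears."""
    layers = {"plain": [script_text],
              "base64": decode_base64_strings(script_text),
              "xor": decode_xor_arrays(script_text)}
    hits = {}
    for layer, chunks in layers.items():
        for chunk in chunks:
            low = chunk.lower()
            for ind in INDICATORS:
                if ind in low and ind not in hits:
                    hits[ind] = layer
    return hits

# Constructed sample: one payload string is base64, the other is a byte array the
# script XORs with 0x41 at runtime; a plain match only sees the ActiveXObject call.
SAMPLE = r"""
var a = "cG93ZXJzaGVsbC5leGU=";
var k = [0x36,0x32,0x22,0x33,0x28,0x31,0x35,0x6f,0x32,0x29,0x24,0x2d,0x2d];
var o = new ActiveXObject(d);
"""
```

A real deployment would recurse over the decoded output, since attackers stack layers, and would feed hits into a host or network alerting pipeline rather than return a dict.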

A Shift in Thinking
While fileless malware isn't a net-new threat, the complexity and volume of the techniques threat actors employ to attack an organization's networks are evolving at a rapid pace. By addressing the challenges above, security teams can begin to lay the required groundwork for lowering their risk while setting the pillars of their security posture for years to come.

But in order to prepare for the growing threat of fileless malware, security teams must undergo a philosophical shift in thinking, beginning with a comprehensive reexamination of past incidents that lacked a clear initial attack vector. Applying a "was this fileless?" filter on those incidents should help the team prioritize its training and investments. Then, once the team identifies existing problems and begins the process of addressing those issues, root causes, or deficiencies, the team can use the results to investigate tools that can fill those fileless malware detection gaps.


With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ...
Comments

hashem2s, User Rank: Apprentice
8/19/2018 | 10:58:50 AM
Thanks
Thanks for the informative article