Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/17/2018
10:30 AM
Travis Rosiek
Travis Rosiek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Challenges of Detecting Fileless Malware Attacks

Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Security teams must also understand the underlying distinctions between the two.

Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update. However, hiding within that link could be a page with JavaScript that opens the door to a greater threat. That script could stay fully fileless as it runs behind the scenes, accessing PowerShell and making commands to the user's machine. In a worse case, it might use that user's credentials to seek out other places to access.

Given the speed of today's business networks and the computers on them, this malicious form of attack needs only a few seconds to start the damage and begin to propagate. That damage could be inflicted in many ways, and its results could be deadly for an organization whose data is now at risk of being removed, destroyed, or encrypted. Further complicating the problem, as the IT and security teams comb through their data to see how such an attack began, there's simply no evidence to find. It's as if someone has evaded all the layers of security and stolen the crown jewels without leaving a trace.

While fileless attacks present a real danger to organizations, their risks can be mitigated. The first step in protecting your environment is education. Teams need to view file-based and fileless malware as two completely different types of attacks. Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Organizations also need to understand five important distinctions between the two:

1. Analyzing fileless code in an OS-agnostic method: Malicious attacks are often designed to operate on a specific operating system and product patch level configuration. This is known as the "Goldilocks Principal." For example, a threat might require a specific version of Windows and that Firefox be installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.

2. Identifying and analyzing concealed and obfuscated code: Fileless attacks often make use of techniques that conceal or obfuscate the malware, causing detection tools to incorrectly label the code as benign or even fail to analyze the traffic in the first place. For example, fileless exploits attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. Fileless attack code can also be obfuscated within seemingly harmless PDF or Microsoft Office documents.

3. Detecting a broad spectrum of fileless attacks with no impact on network and host performance: Fileless attacks are hidden within the web-based transactions going on within a network. To isolate them from the majority of benign activity, all web traffic using JavaScript must be analyzed. Why is this a challenge? Almost all web pages employ some form of JavaScript. This represents an enormous challenge for tools performing network-based detection of fileless attacks over the tens, hundreds, or even thousands of transactions occurring per second. When it comes to host-based detection, this challenge can result in significant resource consumption on an end user's machine, potentially affecting business productivity.

4. Determining if recovered code will execute benign or malicious operations: Many benign applications and processes use scripts for legitimate purposes. These same scripts write cookies and perform other operations that involve making changes to the host. However, fileless attacks often operate in much the same way. Distinguishing these normal operations from malicious ones is the core challenge of fileless detection. Fileless attacks are more difficult for analysts to investigate manually because there are usually fewer samples and artifacts to analyze post-infection than for file-based attacks. Fileless attackers continue to evolve their techniques to make their attacks look more and more like normal daily operations, making it difficult to get ahead of the threat.

5. Detecting threats in real time: Post-processing systems are designed to look for malicious activity after an event has occurred. These systems include tools such as sandboxes and anomaly detection. While these types of tools may eventually detect the threat, they often don't discover the attack until one or more systems have been compromised and the damage has already been done. Attackers know this and use this lag from detection to remediation to their benefit. In today's threat environment, the longer any threat stays on any network, the greater the risk.

A Shift in Thinking
While fileless malware isn't a net-new threat, the complexity and volume of the techniques threat actors employ to attack an organization's networks are evolving at a rapid place. By addressing the challenges above, security teams can begin to lay the required groundwork for lowering their risk while setting the pillars of their security posture for years to come.

But in order to prepare for the growing threat of fileless malware, security teams must undergo a philosophical shift in thinking, beginning with a comprehensive reexamination of past incidents that lacked a clear initial attack vector. Applying a "was this fileless?" filter on those incidents should help the team prioritize its training and investments. Then, once the team identifies existing problems and begins the process of addressing those issues, root causes, or deficiencies, the team can use the results to investigate tools that can fill those fileless malware detection gaps.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hashem2s
50%
50%
hashem2s,
User Rank: Apprentice
8/19/2018 | 10:58:50 AM
Thanks
Thank for the informative article
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1936
PUBLISHED: 2021-03-02
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.
CVE-2021-27904
PUBLISHED: 2021-03-02
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
CVE-2021-27901
PUBLISHED: 2021-03-02
An issue was discovered on LG mobile devices with Android OS 11 software. They mishandle fingerprint recognition because local high beam mode (LHBM) does not function properly during bright illumination. The LG ID is LVE-SMP-210001 (March 2021).
CVE-2021-21321
PUBLISHED: 2021-03-02
fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is &...
CVE-2021-21322
PUBLISHED: 2021-03-02
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing...