Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/17/2018
10:30 AM
Travis Rosiek
Travis Rosiek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Challenges of Detecting Fileless Malware Attacks

Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Security teams must also understand the underlying distinctions between the two.

Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update. However, hiding within that link could be a page with JavaScript that opens the door to a greater threat. That script could stay fully fileless as it runs behind the scenes, accessing PowerShell and making commands to the user's machine. In a worse case, it might use that user's credentials to seek out other places to access.

Given the speed of today's business networks and the computers on them, this malicious form of attack needs only a few seconds to start the damage and begin to propagate. That damage could be inflicted in many ways, and its results could be deadly for an organization whose data is now at risk of being removed, destroyed, or encrypted. Further complicating the problem, as the IT and security teams comb through their data to see how such an attack began, there's simply no evidence to find. It's as if someone has evaded all the layers of security and stolen the crown jewels without leaving a trace.

While fileless attacks present a real danger to organizations, their risks can be mitigated. The first step in protecting your environment is education. Teams need to view file-based and fileless malware as two completely different types of attacks. Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Organizations also need to understand five important distinctions between the two:

1. Analyzing fileless code in an OS-agnostic method: Malicious attacks are often designed to operate on a specific operating system and product patch level configuration. This is known as the "Goldilocks Principal." For example, a threat might require a specific version of Windows and that Firefox be installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.

2. Identifying and analyzing concealed and obfuscated code: Fileless attacks often make use of techniques that conceal or obfuscate the malware, causing detection tools to incorrectly label the code as benign or even fail to analyze the traffic in the first place. For example, fileless exploits attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. Fileless attack code can also be obfuscated within seemingly harmless PDF or Microsoft Office documents.

3. Detecting a broad spectrum of fileless attacks with no impact on network and host performance: Fileless attacks are hidden within the web-based transactions going on within a network. To isolate them from the majority of benign activity, all web traffic using JavaScript must be analyzed. Why is this a challenge? Almost all web pages employ some form of JavaScript. This represents an enormous challenge for tools performing network-based detection of fileless attacks over the tens, hundreds, or even thousands of transactions occurring per second. When it comes to host-based detection, this challenge can result in significant resource consumption on an end user's machine, potentially affecting business productivity.

4. Determining if recovered code will execute benign or malicious operations: Many benign applications and processes use scripts for legitimate purposes. These same scripts write cookies and perform other operations that involve making changes to the host. However, fileless attacks often operate in much the same way. Distinguishing these normal operations from malicious ones is the core challenge of fileless detection. Fileless attacks are more difficult for analysts to investigate manually because there are usually fewer samples and artifacts to analyze post-infection than for file-based attacks. Fileless attackers continue to evolve their techniques to make their attacks look more and more like normal daily operations, making it difficult to get ahead of the threat.

5. Detecting threats in real time: Post-processing systems are designed to look for malicious activity after an event has occurred. These systems include tools such as sandboxes and anomaly detection. While these types of tools may eventually detect the threat, they often don't discover the attack until one or more systems have been compromised and the damage has already been done. Attackers know this and use this lag from detection to remediation to their benefit. In today's threat environment, the longer any threat stays on any network, the greater the risk.

A Shift in Thinking
While fileless malware isn't a net-new threat, the complexity and volume of the techniques threat actors employ to attack an organization's networks are evolving at a rapid place. By addressing the challenges above, security teams can begin to lay the required groundwork for lowering their risk while setting the pillars of their security posture for years to come.

But in order to prepare for the growing threat of fileless malware, security teams must undergo a philosophical shift in thinking, beginning with a comprehensive reexamination of past incidents that lacked a clear initial attack vector. Applying a "was this fileless?" filter on those incidents should help the team prioritize its training and investments. Then, once the team identifies existing problems and begins the process of addressing those issues, root causes, or deficiencies, the team can use the results to investigate tools that can fill those fileless malware detection gaps.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hashem2s
50%
50%
hashem2s,
User Rank: Apprentice
8/19/2018 | 10:58:50 AM
Thanks
Thank for the informative article
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...