Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/17/2018
10:30 AM
Travis Rosiek
Travis Rosiek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Challenges of Detecting Fileless Malware Attacks

Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Security teams must also understand the underlying distinctions between the two.

Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update. However, hiding within that link could be a page with JavaScript that opens the door to a greater threat. That script could stay fully fileless as it runs behind the scenes, accessing PowerShell and making commands to the user's machine. In a worse case, it might use that user's credentials to seek out other places to access.

Given the speed of today's business networks and the computers on them, this malicious form of attack needs only a few seconds to start the damage and begin to propagate. That damage could be inflicted in many ways, and its results could be deadly for an organization whose data is now at risk of being removed, destroyed, or encrypted. Further complicating the problem, as the IT and security teams comb through their data to see how such an attack began, there's simply no evidence to find. It's as if someone has evaded all the layers of security and stolen the crown jewels without leaving a trace.

While fileless attacks present a real danger to organizations, their risks can be mitigated. The first step in protecting your environment is education. Teams need to view file-based and fileless malware as two completely different types of attacks. Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Organizations also need to understand five important distinctions between the two:

1. Analyzing fileless code in an OS-agnostic method: Malicious attacks are often designed to operate on a specific operating system and product patch level configuration. This is known as the "Goldilocks Principal." For example, a threat might require a specific version of Windows and that Firefox be installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.

2. Identifying and analyzing concealed and obfuscated code: Fileless attacks often make use of techniques that conceal or obfuscate the malware, causing detection tools to incorrectly label the code as benign or even fail to analyze the traffic in the first place. For example, fileless exploits attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. Fileless attack code can also be obfuscated within seemingly harmless PDF or Microsoft Office documents.

3. Detecting a broad spectrum of fileless attacks with no impact on network and host performance: Fileless attacks are hidden within the web-based transactions going on within a network. To isolate them from the majority of benign activity, all web traffic using JavaScript must be analyzed. Why is this a challenge? Almost all web pages employ some form of JavaScript. This represents an enormous challenge for tools performing network-based detection of fileless attacks over the tens, hundreds, or even thousands of transactions occurring per second. When it comes to host-based detection, this challenge can result in significant resource consumption on an end user's machine, potentially affecting business productivity.

4. Determining if recovered code will execute benign or malicious operations: Many benign applications and processes use scripts for legitimate purposes. These same scripts write cookies and perform other operations that involve making changes to the host. However, fileless attacks often operate in much the same way. Distinguishing these normal operations from malicious ones is the core challenge of fileless detection. Fileless attacks are more difficult for analysts to investigate manually because there are usually fewer samples and artifacts to analyze post-infection than for file-based attacks. Fileless attackers continue to evolve their techniques to make their attacks look more and more like normal daily operations, making it difficult to get ahead of the threat.

5. Detecting threats in real time: Post-processing systems are designed to look for malicious activity after an event has occurred. These systems include tools such as sandboxes and anomaly detection. While these types of tools may eventually detect the threat, they often don't discover the attack until one or more systems have been compromised and the damage has already been done. Attackers know this and use this lag from detection to remediation to their benefit. In today's threat environment, the longer any threat stays on any network, the greater the risk.

A Shift in Thinking
While fileless malware isn't a net-new threat, the complexity and volume of the techniques threat actors employ to attack an organization's networks are evolving at a rapid place. By addressing the challenges above, security teams can begin to lay the required groundwork for lowering their risk while setting the pillars of their security posture for years to come.

But in order to prepare for the growing threat of fileless malware, security teams must undergo a philosophical shift in thinking, beginning with a comprehensive reexamination of past incidents that lacked a clear initial attack vector. Applying a "was this fileless?" filter on those incidents should help the team prioritize its training and investments. Then, once the team identifies existing problems and begins the process of addressing those issues, root causes, or deficiencies, the team can use the results to investigate tools that can fill those fileless malware detection gaps.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hashem2s
50%
50%
hashem2s,
User Rank: Apprentice
8/19/2018 | 10:58:50 AM
Thanks
Thank for the informative article
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.