Attacks/Breaches

8/17/2018
10:30 AM
Travis Rosiek
Travis Rosiek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Challenges of Detecting Fileless Malware Attacks

Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Security teams must also understand the underlying distinctions between the two.

Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update. However, hiding within that link could be a page with JavaScript that opens the door to a greater threat. That script could stay fully fileless as it runs behind the scenes, accessing PowerShell and making commands to the user's machine. In a worse case, it might use that user's credentials to seek out other places to access.

Given the speed of today's business networks and the computers on them, this malicious form of attack needs only a few seconds to start the damage and begin to propagate. That damage could be inflicted in many ways, and its results could be deadly for an organization whose data is now at risk of being removed, destroyed, or encrypted. Further complicating the problem, as the IT and security teams comb through their data to see how such an attack began, there's simply no evidence to find. It's as if someone has evaded all the layers of security and stolen the crown jewels without leaving a trace.

While fileless attacks present a real danger to organizations, their risks can be mitigated. The first step in protecting your environment is education. Teams need to view file-based and fileless malware as two completely different types of attacks. Simply applying file-based tools and expectations to fileless attacks is a losing strategy. Organizations also need to understand five important distinctions between the two:

1. Analyzing fileless code in an OS-agnostic method: Malicious attacks are often designed to operate on a specific operating system and product patch level configuration. This is known as the "Goldilocks Principal." For example, a threat might require a specific version of Windows and that Firefox be installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.

2. Identifying and analyzing concealed and obfuscated code: Fileless attacks often make use of techniques that conceal or obfuscate the malware, causing detection tools to incorrectly label the code as benign or even fail to analyze the traffic in the first place. For example, fileless exploits attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. Fileless attack code can also be obfuscated within seemingly harmless PDF or Microsoft Office documents.

3. Detecting a broad spectrum of fileless attacks with no impact on network and host performance: Fileless attacks are hidden within the web-based transactions going on within a network. To isolate them from the majority of benign activity, all web traffic using JavaScript must be analyzed. Why is this a challenge? Almost all web pages employ some form of JavaScript. This represents an enormous challenge for tools performing network-based detection of fileless attacks over the tens, hundreds, or even thousands of transactions occurring per second. When it comes to host-based detection, this challenge can result in significant resource consumption on an end user's machine, potentially affecting business productivity.

4. Determining if recovered code will execute benign or malicious operations: Many benign applications and processes use scripts for legitimate purposes. These same scripts write cookies and perform other operations that involve making changes to the host. However, fileless attacks often operate in much the same way. Distinguishing these normal operations from malicious ones is the core challenge of fileless detection. Fileless attacks are more difficult for analysts to investigate manually because there are usually fewer samples and artifacts to analyze post-infection than for file-based attacks. Fileless attackers continue to evolve their techniques to make their attacks look more and more like normal daily operations, making it difficult to get ahead of the threat.

5. Detecting threats in real time: Post-processing systems are designed to look for malicious activity after an event has occurred. These systems include tools such as sandboxes and anomaly detection. While these types of tools may eventually detect the threat, they often don't discover the attack until one or more systems have been compromised and the damage has already been done. Attackers know this and use this lag from detection to remediation to their benefit. In today's threat environment, the longer any threat stays on any network, the greater the risk.

A Shift in Thinking
While fileless malware isn't a net-new threat, the complexity and volume of the techniques threat actors employ to attack an organization's networks are evolving at a rapid place. By addressing the challenges above, security teams can begin to lay the required groundwork for lowering their risk while setting the pillars of their security posture for years to come.

But in order to prepare for the growing threat of fileless malware, security teams must undergo a philosophical shift in thinking, beginning with a comprehensive reexamination of past incidents that lacked a clear initial attack vector. Applying a "was this fileless?" filter on those incidents should help the team prioritize its training and investments. Then, once the team identifies existing problems and begins the process of addressing those issues, root causes, or deficiencies, the team can use the results to investigate tools that can fill those fileless malware detection gaps.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
hashem2s
50%
50%
hashem2s,
User Rank: Apprentice
8/19/2018 | 10:58:50 AM
Thanks
Thank for the informative article
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9015
PUBLISHED: 2019-02-22
A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When a column is deleted by an attacker, the correspond...
CVE-2019-9016
PUBLISHED: 2019-02-22
An XSS vulnerability was discovered in MOPCMS through 2018-11-30. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[name] parameter in a mod=column request, as demonstrated by the /mopcms/X0AZgf(index).php?mod=column&ac=list&menuid=28&am...
CVE-2018-20784
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.
CVE-2019-9003
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.
CVE-2019-9004
PUBLISHED: 2019-02-22
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of the LWM2M server afte...