Last week, in part 2 of this series on fileless attacks, we discussed countermeasures — and how all those countermeasures can be circumvented. Yet, if all countermeasures can be circumvented, how does anyone begin to mitigate the impact of fileless attacks?
The most common and accepted solution is to patch as quickly as possible whenever a vulnerability is announced. When a security vulnerability is discovered, the software vendor is notified and (hopefully) takes responsible and rapid action to release a security patch. Customers then download the patch, test it, and apply it to all of their affected systems.
Even though a vendor may release a security patch within 72 hours of a vulnerability being reported, the average time from when a patch is released to when customers apply it is approximately 28 days—nearly a month. Whether the organization can't apply patches because of legacy applications or has decided to wait to patch the affected systems, that's a long time to remain totally exposed to a cyberattack. Furthermore, this approach provides absolutely no insight into whether a system was already compromised by the time the patch was applied. How can you be sure that your systems haven't already been compromised by the time you patch them?
Is there a better solution against fileless malware than patching alone? Turns out there is: Moving Target Defense (MTD).
Moving Target Defense
This concept is similar to the "shell game," dating back to ancient Greece, where the player must find the pea under one of three shells after the shells have been moved.
The Department of Homeland Security defines MTD as:
The concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts.
MTD assumes that perfect security is unattainable. Given that starting point, and the assumption that all systems are compromised, research in MTD focuses on enabling the continued safe operation in a compromised environment.
To effectively stop fileless malware, MTD employs what is known as a "polymorphic" technique. Polymorphing scrambles the binary layout of the compiled application either at compile-time (CASP) or during run-time (RASP) without affecting the performance or compatibility of the application's logic. The polymorphic application runs identically to a non-polymorphic version of the application.
CASP and RASP
Compile-time Address Space Protection (CASP) scrambles the application's binary during compilation, and is therefore a static shuffling of the binary layout of the application.
This is an effective security solution as it makes each instance of the application unique at the binary level. No two copies of the same application are identical when the assembly instructions and memory layout are examined.
If an attacker manages to obtain a copy of a polymorphed application, they must craft a different attack for each unique instance rather than reusing one attack across every installation of the same application. This substantially increases the attacker's cost: even with a copy of one particular polymorphed instance in hand, the attack they build against it works only on that specific instance and fails on any other polymorphed instance of the same application.
Run-time Address Space Protection (RASP) continually scrambles the application's binary while it is running. This technique is even more effective because the attacker can no longer rely on the application's binary layout being static, and therefore predictable, when crafting an attack. As the binary layout keeps shifting during execution, infiltrating the application becomes exponentially harder.
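To make the CASP/RASP distinction concrete, here is an added toy simulation (not code from this post or from any MTD product): a five-function "binary" is laid out in a different order per build (CASP) or reshuffled after every call (RASP), and a hard-coded address taken from one layout is checked against another. The function names, sizes, base address and seeds are all constructed for illustration.

```python
import random
from typing import Dict, List, Optional

# Constructed toy "binary": function names and sizes in bytes (hypothetical; real
# CASP/RASP tooling rewrites actual machine code, not a dict of names).
FUNCTIONS: Dict[str, int] = {"main": 0x120, "parse_input": 0x340, "write_log": 0x90,
                             "exec_helper": 0x60, "cleanup": 0x40}
BASE = 0x400000

def layout(order: List[str]) -> Dict[str, int]:
    """Lay the functions out back-to-back in the given order, starting at BASE."""
    addrs, cursor = {}, BASE
    for name in order:
        addrs[name] = cursor
        cursor += FUNCTIONS[name]
    return addrs

def casp_build(seed: int) -> Dict[str, int]:
    """CASP model: one shuffle fixed at compile time, so every build has its own layout."""
    order = list(FUNCTIONS)
    random.Random(seed).shuffle(order)
    return layout(order)

def resolve(addrs: Dict[str, int], address: int) -> Optional[str]:
    """Name of the function starting at `address` in this layout, or None."""
    return next((n for n, a in addrs.items() if a == address), None)

def fixed_address_still_hits(build_a: Dict[str, int], build_b: Dict[str, int], name: str) -> bool:
    """Does a hard-coded address of `name` from build A reach the same function in build B?
    A payload written against one static layout silently depends on this being True."""
    return resolve(build_b, build_a[name]) == name

class RaspProcess:
    """RASP model: the layout keeps moving while the process runs (here, after every call)."""
    def __init__(self, seed: int):
        self._rng = random.Random(seed)
        self._reshuffle()

    def _reshuffle(self) -> None:
        order = list(FUNCTIONS)
        self._rng.shuffle(order)
        self.addrs = layout(order)

    def call(self, name: str) -> int:
        """Dispatch through the current layout, then move everything again."""
        target = self.addrs[name]
        self._reshuffle()
        return target
```

Compare casp_build(1) with casp_build(2) and the address of exec_helper from one build usually no longer names exec_helper in the other; with RaspProcess, even two consecutive calls within one process see different layouts.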
The large majority of organizations rely on anti-virus software as their primary security solution against fileless malware. Unfortunately, as we've seen over the past several decades, this approach has failed to protect our systems. It's become an arms race of keeping pace with attackers and never getting ahead of them. Clearly, this approach hasn't produced the results expected. Isn't it time to re-evaluate your approach to endpoint security?