HACKERS DON’T PLAY BY THE RULES, and their game keeps changing. Locking out executable malware by keeping anti-virus software loaded with the latest signature file doesn’t mean you’re safe anymore. These days, fileless security threats—also known as “non-malware” attacks—leverage RAM, the Windows system registry, and even PowerShell and the Windows Management Instrumentation (WMI) module to kick off multistep “attack chains.”
Such threats are often invisible to old-school endpoint protection software that watches exclusively for file-based malware. Unfortunately, that’s the only kind of protection most SMBs employ.
“Attacking operating system constructs such as memory helps these exploits avoid being detected,” says Doug Cahill, senior analyst and group director for cybersecurity at Enterprise Strategy Group, adding that such threats are increasingly common. “According to our research, 24 percent of organizations experienced a fileless attack in the last 12 months.”
Since the introduction of Windows XP, every version of Microsoft’s flagship desktop operating system has included PowerShell and WMI, not to mention a variety of other openings that make exploiting memory easier. Even advanced security tools can fail to spot PowerShell infections. “Often there’s little or nothing to detect in a fileless attack,” says Rory Sanchez, CEO of True Digital Security, a security services firm with 70 employees and offices in West Palm Beach, Fla., and Tulsa, Okla.
Take a Closer Look
Telltale signs that fileless malware may be at work include unexpected network traffic and connections to and from servers with which you shouldn’t be communicating. Both are hard to spot. “These attacks leverage legitimate applications that many knowledge workers use on a daily basis,” Cahill observes.
What can companies do to guard against fileless attacks? “The first defense is training, security awareness, and keeping up with patch management,” says Sanchez.
You’ll also need a managed detection and response (MDR) solution or other next-generation endpoint security system that continuously looks for network traffic anomalies. “Only companies that employ advanced behavioral detection to monitor applications, and thus detect attack chains, are effective in addressing fileless attacks,” Cahill says.
Security tools with traffic analysis features that can block dangerous servers and IP addresses are useful too. True Digital Security partners with WatchGuard Technologies Inc., of Seattle, to deliver this type of functionality. “If bad traffic locations get blocked by one WatchGuard firewall, others will know and can block that address as well,” Sanchez says. “The sooner the word spreads about suspicious sites the better.”
Capabilities like those must be handled with care though. MDR systems can easily mistake a router inspecting SSL traffic for a hacker, for example. Furthermore, employees going to places they don’t normally visit may need to request special permissions, much in the way they might notify their credit card companies when leaving the country. “We had a client CEO who traveled to China and couldn’t log in,” Sanchez says. “Once he called, we could open a connection for him.”
The same logic can apply to entire customer accounts. “Maybe you block all emails from Poland, based on spam and malware traffic analysis,” says Sanchez. “But if you get a customer in Poland, then you have to make arrangements to allow traffic from certain IPs to get through.”
MDR solutions aren’t cheap either, Sanchez notes, which can be a turnoff for some customers. Stressing the freedom they provide to buy, sell, and communicate safely with customers and business partners, though, can overcome such concerns. With behavior-based software, Sanchez says, “security can stop being a business inhibitor and become a business enabler.”
And if that doesn’t work, he adds, remind clients subject to regulatory compliance requirements that they have little choice in the matter. MDR protection is essential today.
“I’m not a big fan of government regulation, but I am a fan of seatbelts, and many wouldn’t wear them except for the law,” Sanchez says. “We love regulatory compliance in security, because [customers] have to buy it.”