If traditional defences are useless, how can fileless malware be detected?
June 19, 2018
TEISS blogger Niall Sheffield, Solutions Engineer at SentinelOne says that traditional antivirus defences are largely useless against the latest fileless attacks...so what can be done?
Cyber security has always taken the form of an arms race between defenders developing more advanced protection and attackers discovering new techniques to overcome them. Unfortunately, the threat actors usually retain an advantage in this perpetual battle as they can wield previously unseen cyber weapons that the defenders will be unprepared for. One of the most recent techniques to enter the field is the threat of fileless malware.
The vast majority of cyber-attacks over the years have revolved around infiltrating the target’s systems with malware, usually relying on an unsuspecting victim to download a file or click on a link. As a result, much of the security industry has been built around countering file-based threats by detecting specific signatures that indicate harmful code.
However, attackers have evolved their techniques by reducing the number of files available for security controls to assess and pass judgement on. In fact, according to a study by the Ponemon Institute, 29% of the attacks organisations faced during 2017 were fileless. This has rendered signature-based defences such as traditional antivirus largely useless against the latest attacks.
More advanced threat actors are now initiating their attacks without using any files at all, exploiting legitimate systems tools instead of implanting malicious code. Two of the most popular choices are PowerShell and Windows Management Instrumentation (WMI), as these tools are present in every Windows machine and have abilities that are very dangerous in the wrong hands. PowerShell can automate tasks across multiple machines for example, which can be subverted to enable an attacker to quickly move laterally through a network.
Because they work using legitimate programs rather than malicious code, these fileless attacks leave nothing for signature-based security solutions to work with, which means most intrusions can pass entirely undetected for months or even years at a time. As the file-less aspect is simply a delivery method, the impact and overall threat level of such an attack depends on the victim’s unique operational structure and the threat actor’s aims and methods.
The technique is well-suited for delivering cryptomining malware for example, as illicit mining requires a long dwell time to be profitable. However, other than draining processing power and potentially causing performance issues or service outages, illicit cryptomining is not a particularly large threat itself.
Conversely, fileless malware can be used to facilitate extremely damaging advanced persistent threats (APTs) with the attacker fully exploiting their access to the compromised system over a long period of time. Intruders can potentially take full control of a target machine, quickly spread throughout the network, and exfiltrate or manipulate mission critical data for months at a time while remaining undetected.
We also see fileless malware attacks being used in conjunction with other techniques, with for example PowerShell being used to download a remote file with an .exe-based payload. These kinds of hybrid attacks are often the result of “installs-as-a-service”, with a hacker selling their ability to use file-less attacks to gain a foothold for the file-based payload of another criminal group.
Without any threat signatures to detect, traditional AV is completely by-passed by most fileless attacks – effectively ending its role as a means of defence against advanced attackers. That said, AV does still have a role to play in continuing to filter out more common attacks, allowing the remaining threats to be scrutinised without being limited by the size or type of file, as well as those silent threats which have no files or visible payload.
To reliably identify and stop attacks using fileless techniques such as subverting PowerShell, organisations need to be equipped with not only file-based security controls, but also system-based behavioural inspection capabilities. As these attacks do not leave evidence in the system we need to look for anomalous activity among users themselves, even when only legitimate tools are being used on the endpoint.
Activity such as a pattern of logins from particular accounts out of normal business hours, or an unusually large and rapid series of file accesses and data transfers stemming from certain endpoints, are clear signs of potentially malicious activity. However, without the right tools in place, these signifiers will pass completely unnoticed.
Many organisations fall into the trap of focusing on identifying malware itself, but this means the attackers will continuously gain the advantage in the arms race with each new technique or malware iteration. By focusing instead on the subtle but universal signs left by attacker delivery mechanisms on endpoint devices, organisations can ensure they are ready to defend themselves against not only today’s threats, but future cyber weapons as well.