Maksim Kabakou - Fotolia

Security Think Tank: Fileless malware not totally undetectable

What should organisations do at the very least to ensure business computers are protected from fileless malware?

Imagine a malicious software that is almost invisible to security experts. Pretty scary to be blindsided, right? These threats are known as fileless malware. The malware is called “fileless” because it is designed to run entirely in memory and to cover most, if not all, signs of itself on a storage device.

Although the malware is fileless when it is in memory, it still needs a file to set up shop on a system. It does that the same way that most malware ends up on a machine – through a malicious attachment or compromised website. The payload is not stored on disk; it is run directly in memory. There is no file on disk that an antivirus program can look at.

Many antivirus solutions rely on existing malware signatures to detect and block malicious traffic. The attackers utilise certain tools to carry out memory-based attacks through malicious macros that trigger malware to load onto the machine. Fileless malware is designed to avoid detection of these macros.

But keep faith – fileless malware is not totally undetectable. However, you need to know what to look for to reduce your chances of getting infected or how to limit the spread of the exposure, if your network is compromised.

One of the key factors that fileless malware relies on to carry out attacks is management frameworks and tools that are native to the system's operating system. In such attacks, certain frameworks are used to secretly execute commands.

You may be tempted to disable task management/automation frameworks (such as PowerShell) if your organisation does not use these applications. But if you disable them, a user can still accomplish the same actions – they will just use another method to perform tasks, such as the command prompt, tools or scripts. Disabling such frameworks actually reduces the capability to monitor and manage your environment, making it more susceptible to attack.

An easy way to protect your organisation is to manage access controls and privileged user accounts, giving administrative access only to those who absolutely need it to carry out their job functions. This includes limiting admin logins. Frequently logging into accounts with local admin privileges and keeping sessions open across multiple machines makes for an easy target. Limiting admins to logging into admin accounts only when they need to perform crucial tasks can help reduce risk. Admins should use standard user accounts, without privileges, for day-to-day tasks that do not require admin access.

General best practices in maintaining your network and optimising security include monitoring logs from various devices on your network, such as firewalls. This type of monitoring should be done consistently to detect unauthorised traffic at various points throughout the day, such as during heavy workloads or off-peak hours. This will not only give you a better understanding of the operating flow of the network, but will also help to detect abnormal network activity, which is a telltale sign of infection.

For most organisations, patching should be a no-brainer. Yet despite the crucial role that patch management plays in securing systems and preventing breaches, many organisations don’t do a great job with updates.

Fileless malware does not discriminate on how it finds its way into a system – whether it is downloaded from an infected website or distributed as part of a zero-day vulnerability. A timely delivery of patches could effectively protect against a number of malware delivery methods or fileless malware infections.

An educated team is the best defence against malware, or any attack on your organisation’s systems. Prioritise training users on how to identify scams, malicious links, phony email addresses, and more. Run internal phishing simulation campaigns to identify risks and potentially vulnerable devices.

Also, require employees to use unique and strong passwords that are changed frequently, and never use hard-coded or default passwords. A minimum of eight characters and use of passphrases (longer sequences of words or text) are recommended for stronger security.

Taking these steps will provide a good foundation to build on, using layered security practices and finding solutions that should meet or exceed your organisation’s security needs.

Read more on Hackers and cybercrime prevention

CIO
Security
Networking
Data Center
Data Management
Close