Maksim Kabakou - Fotolia

Security Think Tank: How to tackle fileless malware attacks

What should organisations do at the very least to ensure business computers are protected from fileless malware?

Fileless malware presents an interesting set of challenges for the security professional. Because nothing is written to the hard drive, the standard security controls such as a signature-based antivirus are rendered more, or completely, ineffective.

Additionally, as trusted programmes, such as Windows PowerShell and Windows Management Instrumentation (WMI) are used to execute the instructions embedded in the malware, the instructions are assumed to be legitimate.

So the dilemma is this: how to protect systems and applications from themselves? How can security controls be put in place to stop legitimate programmes executing illegitimate commands?

First, we have to consider the human error factor. The common points of entry for fileless malware are through compromised websites or emails containing links to such websites.

Despite the difficulty in getting the message across to “stop clicking links in emails”, we need to keep reinforcing this message and keep educating users on how to do their jobs more safely and securely. A great saying is “four eyes are better than one click” and we should be encouraging users to ask for help if they are unsure, rather than berating them.

Second, the hygiene tasks, such as patching operating systems, are still important. While PowerShell and WMI can’t really be disabled, security updates will minimise some of the attacks encoded in fileless malware.

Implementing the least privilege for users and applications will also minimise the impact, as will implementing Powershell logging and Constrained Language mode.

Read more about malware

Third, there is a case for filtering, blocking or blacklisting compromised websites. If the malware can’t access command and control servers or the exploit kits, then the attack will be severely degraded. Of course, this is easier said than done, but organisations can work with their internet service provider (ISP) and other resources to block the majority of these sites.

Finally, look at behavioural measures, for example tracking the activity of superusers and look for new or strange patterns. If a user (or superuser) suddenly starts to access systems or databases at odd times of the day or in different parts of the organisation, this could be an indicator of a compromise; and the organisation should then launch its incident response/management process to counteract it.

This was last published in March 2018



Enjoy the benefits of CW+ membership, learn more and join.

Read more on Hackers and cybercrime prevention

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.