Fileless malware presents an interesting set of challenges for the security professional. Because nothing is written to the hard drive, standard security controls such as signature-based antivirus are rendered less effective, or completely ineffective.
Additionally, because trusted programmes such as Windows PowerShell and Windows Management Instrumentation (WMI) are used to execute the instructions embedded in the malware, those instructions are assumed to be legitimate.
So the dilemma is this: how to protect systems and applications from themselves? How can security controls be put in place to stop legitimate programmes executing illegitimate commands?
First, we have to consider the human error factor. The common points of entry for fileless malware are through compromised websites or emails containing links to such websites.
Despite the difficulty in getting the message across to “stop clicking links in emails”, we need to keep reinforcing this message and keep educating users on how to do their jobs more safely and securely. A great saying is “four eyes are better than one click” and we should be encouraging users to ask for help if they are unsure, rather than berating them.
Second, the hygiene tasks, such as patching operating systems, are still important. While PowerShell and WMI can’t really be disabled, security updates will minimise some of the attacks encoded in fileless malware.
Implementing least privilege for users and applications will also minimise the impact, as will implementing PowerShell logging and Constrained Language mode.
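As an added example (not code from the article), the following PowerShell script turns on script block, module and transcription logging by writing the same policy registry values that Group Policy sets, then reports whether the current session is already in Constrained Language mode. The transcript output directory is an assumption; choose a location ordinary users cannot modify.

```powershell
# Added example: enable PowerShell logging and report the session language mode.
# Run from an elevated (Administrator) PowerShell session.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging records the de-obfuscated content of every script block
# as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# Module logging for all modules records cmdlet invocations and parameters (Event ID 4103).
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# Transcription writes a text transcript of every session.
# C:\PSTranscripts is an assumed path; it should be writable only by administrators.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type 'String'

# FullLanguage means Constrained Language mode is not in force for this session.
# Constrained Language mode is enforced by an AppLocker or WDAC policy rather
# than by a single registry value, so this function only reports the state.
function Get-LanguageModeReport {
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        LanguageMode = $mode
        Constrained  = ($mode -eq 'ConstrainedLanguage')
    }
}

# Most recent script block events, to confirm that logging is producing output.
function Get-RecentScriptBlockEvents {
    param([int]$Count = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-LanguageModeReport
Get-RecentScriptBlockEvents
```

The registry values take effect for new PowerShell sessions; existing sessions keep their current settings. Forwarding the Operational log to a central collector is what makes the 4104 events useful as a detection source rather than a local audit trail.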
Third, there is a case for filtering, blocking or blacklisting compromised websites. If the malware can’t access command and control servers or the exploit kits, then the attack will be severely degraded. Of course, this is easier said than done, but organisations can work with their internet service provider (ISP) and other resources to block the majority of these sites.
Finally, look at behavioural measures, for example tracking the activity of superusers and looking for new or strange patterns. If a user (or superuser) suddenly starts to access systems or databases at odd times of the day or in different parts of the organisation, this could be an indicator of compromise, and the organisation should then launch its incident response/management process to counteract it.
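As an added example of the behavioural check described above (not code from the article), the following PowerShell script builds a per-user baseline of the hours and hosts seen in an earlier period and flags later activity on a host the user has never accessed or at an hour they have never been active. The logon records are constructed sample data; in practice they would come from Security log Event ID 4624 or a SIEM export, and the baseline cut-off date is an assumption.

```powershell
# Added example: baseline superuser activity by hour and host, then flag deviations.

$baselineCutoff = [datetime]'2024-03-01'   # assumed: events before this date train the baseline

# Constructed sample records: who accessed which host, and when.
$events = @(
    [pscustomobject]@{ User = 'admin.jane'; Host = 'SQL01';  Time = [datetime]'2024-02-05 09:12' },
    [pscustomobject]@{ User = 'admin.jane'; Host = 'SQL01';  Time = [datetime]'2024-02-12 10:40' },
    [pscustomobject]@{ User = 'admin.jane'; Host = 'FILE02'; Time = [datetime]'2024-02-20 14:05' },
    [pscustomobject]@{ User = 'admin.jane'; Host = 'SQL01';  Time = [datetime]'2024-03-04 10:05' },  # within baseline
    [pscustomobject]@{ User = 'admin.jane'; Host = 'HR-DB';  Time = [datetime]'2024-03-06 03:17' }   # new host, odd hour
)

function Get-ActivityBaseline {
    param([object[]]$Events, [datetime]$Before)
    $baseline = @{}
    foreach ($e in ($Events | Where-Object { $_.Time -lt $Before })) {
        if (-not $baseline.ContainsKey($e.User)) {
            $baseline[$e.User] = @{
                Hours = [System.Collections.Generic.HashSet[int]]::new()
                Hosts = [System.Collections.Generic.HashSet[string]]::new()
            }
        }
        [void]$baseline[$e.User].Hours.Add($e.Time.Hour)
        [void]$baseline[$e.User].Hosts.Add($e.Host)
    }
    return $baseline
}

function Find-Anomalies {
    param([object[]]$Events, [hashtable]$Baseline, [datetime]$From)
    foreach ($e in ($Events | Where-Object { $_.Time -ge $From })) {
        $reasons = @()
        $known = $Baseline[$e.User]
        if ($null -eq $known) {
            $reasons += 'no baseline for user'
        } else {
            if (-not $known.Hosts.Contains($e.Host)) { $reasons += "new host $($e.Host)" }
            # An hour never seen in the baseline counts as an odd time; a production
            # rule might use a fixed working-hours window instead.
            if (-not $known.Hours.Contains($e.Time.Hour)) { $reasons += "unusual hour $($e.Time.Hour):00" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $e.User; Host = $e.Host; Time = $e.Time; Reasons = ($reasons -join '; ') }
        }
    }
}

$baseline = Get-ActivityBaseline -Events $events -Before $baselineCutoff
Find-Anomalies -Events $events -Baseline $baseline -From $baselineCutoff | Format-Table -AutoSize
```

With the sample data only the 03:17 access to HR-DB is reported, with both reasons attached. Any flagged record is a trigger for the incident response process, not a verdict on its own: a baseline built from a few weeks of activity will also flag legitimate changes in duty, so the analyst's first step is to confirm the access with the account owner.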