The nature of fileless malware means it often cannot be rebuffed by simple antivirus protection and is incredibly difficult to detect once it is in the system.
This makes it critical to get in front of the problem and prevent it happening in the first place. That requires installing multiple layers of security, as well as building in system resilience, so that all bases are covered.
Security automation tools such as CyberArk, Darktrace or SAP’s Enterprise Threat Detection can identify potential attacks based on anomalies or behaviour deemed suspicious.
For example, connections from an IP address, whether recognised or unfamiliar, might be coming from an unknown or unusual geographical location where the organisation has no recognised business interests. This could indicate that a virtual private network (VPN) server or other masking technique is being used to make the connecting party appear to be somewhere they are not, so as to seem legitimate, and automation tools will therefore flag it with an alert or block access altogether.
Identifying potentially suspicious activity in incoming network traffic can give early insight into an attack that might be under way, even when there is no “traditional trace” in the form of a file.
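The geographic check described above, as an added example that is not the article’s or any vendor’s code: it parses a few constructed connection log lines, resolves each source address against a constructed stand-in for a GeoIP table, and raises an alert when the source is outside the countries where the organisation does business or cannot be located at all. The address ranges, country codes, footprint list and log lines are all assumptions made for the illustration.

```python
"""Geo-anomaly check over connection log lines.

Added illustration, not the article's or any product's code. The IP-to-country
table, the business footprint and the log lines are constructed for the
example; a real deployment would use a GeoIP database and the organisation's
own list of countries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a GeoIP lookup, using documentation address ranges.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/25"): "XX",   # XX = placeholder country code
}

# RFC 1918 space: connections from here are internal and are not geolocated.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: countries in which the organisation has recognised business interests.
BUSINESS_FOOTPRINT = {"GB", "DE", "FR"}

# Constructed sample log lines: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z src=203.0.113.7 user=alice action=login status=ok
2024-01-10T08:02:45Z src=198.51.100.20 user=bob action=login status=ok
2024-01-10T03:17:02Z src=192.0.2.55 user=alice action=login status=ok
2024-01-10T03:18:30Z src=10.0.0.5 user=svc_backup action=login status=ok
2024-01-10T03:20:11Z src=192.0.2.200 user=carol action=login status=fail
"""


@dataclass
class Alert:
    ts: str
    src: str
    user: str
    reason: str


def country_for(ip: str) -> Optional[str]:
    """Country code for an address, "INTERNAL" for private space,
    or None when the location cannot be determined."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "INTERNAL"
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def parse_line(line: str) -> dict:
    """Split 'TS k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def find_geo_anomalies(log_text: str, footprint=BUSINESS_FOOTPRINT) -> list:
    """Flag connections whose source lies outside the business footprint or
    cannot be located at all (an unlocatable source is itself worth a look)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cc = country_for(rec["src"])
        if cc == "INTERNAL":
            continue
        if cc is None:
            alerts.append(Alert(rec["ts"], rec["src"], rec["user"],
                                "source location unknown"))
        elif cc not in footprint:
            alerts.append(Alert(rec["ts"], rec["src"], rec["user"],
                                f"source country {cc} is outside the business footprint"))
    return alerts


if __name__ == "__main__":
    for a in find_geo_anomalies(SAMPLE_LOG):
        print(f"{a.ts} {a.user}@{a.src}: {a.reason}")
```

The decision to alert on an unlocatable source, rather than silently skipping it, is deliberate: a connection the tooling cannot place is exactly the case the paragraph above describes, and the cost of a false alert is far lower than the cost of missing the one connection that matters.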
IT security still seems to be an afterthought in many organisations. This is short-sighted – the risk of breaches and their impact should be reduced from the outset, and the first port of call for doing this is to design enterprise systems so that security has the same importance as the other functions they are required to fulfil.
Within that, every business computer needs to be configured correctly, with macros disabled and security updates and patches for applications and operating systems installed on a regular basis.
Infections often exploit vulnerabilities in browser plugins or extensions – these should also be disabled, and those that are necessary to the organisation’s function should be included in the software update routine.
Frameworks such as PowerShell that are essential to the IT team for administration tasks should be disabled on computers that do not need them.
Arming everyone in the enterprise with knowledge via proactive training is key to preventing machines becoming infected. As well as ensuring everyone understands why unnecessary applications should not be installed, it’s important that people can recognise when their machine might be infected – if it’s running slowly, for example, or asking for unusual credentials.
Training comes in many forms: weekly emails with tips on what to be aware of, webinars run by the information security department, or mandatory training sessions, for example.
If the worst happens
If fileless malware attacks do infiltrate the system, behavioural analytics is an organisation’s best defence.
Artificial intelligence (AI) solutions can learn what is normal across a computer or system and use this as a baseline against which current behaviour is compared. As such, these AI solutions can help to identify when a legitimate program such as PowerShell is being used in an unusual way and quickly isolate the problem so that it can be analysed by a security professional.
Resilience needs to be built in, with processes and technical capabilities to isolate business computers that are behaving strangely – communicating suspiciously with external IP addresses, for example.
As a last resort, if it is suspected that a computer has succumbed to fileless malware, its memory can be emptied by unplugging the machine or removing the battery. Although some malware can re-establish itself through registry entries, this is worth trying if no other options are available.
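The behavioural baseline described in the two paragraphs above, as an added example that is not the article’s code nor that of any AI product: it learns from a constructed set of process-creation events which users normally launch PowerShell, from which parent process and at which hours, then scores later events against that profile and maps each finding to a response (isolate the host for analysis, or just review). The hosts, user names, parent process names and hours are all constructed for the illustration; a real deployment would learn from weeks of endpoint telemetry rather than a handful of records.

```python
"""Behavioural baseline for PowerShell launches.

Added illustration, not the article's or any product's code. All events below
are constructed; "hour" is the local hour of day at which powershell.exe was
started and "parent" is the image name of the process that started it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # process that launched powershell.exe
    hour: int     # hour of day, 0-23


@dataclass
class Profile:
    parents: set = field(default_factory=set)
    hours: set = field(default_factory=set)


# Constructed learning-period telemetry: admins use PowerShell from a console
# during office hours; a backup service account runs it from the scheduler at night.
BASELINE_EVENTS = [
    ProcEvent("ws-01", "admin1", "explorer.exe", 9),
    ProcEvent("ws-01", "admin1", "cmd.exe", 10),
    ProcEvent("ws-01", "admin1", "explorer.exe", 11),
    ProcEvent("ws-03", "admin1", "cmd.exe", 14),
    ProcEvent("ws-03", "admin1", "explorer.exe", 16),
    ProcEvent("srv-02", "svc_backup", "taskeng.exe", 2),
    ProcEvent("srv-02", "svc_backup", "taskeng.exe", 3),
]


def learn(events: List[ProcEvent]) -> Dict[str, Profile]:
    """Build a per-user profile of the parent processes and hours seen."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for e in events:
        profiles[e.user].parents.add(e.parent)
        profiles[e.user].hours.add(e.hour)
    return dict(profiles)


def score(event: ProcEvent, profiles: Dict[str, Profile]) -> List[str]:
    """Return the ways in which this launch departs from the user's baseline."""
    prof = profiles.get(event.user)
    if prof is None:
        return ["user has no history of launching PowerShell"]
    reasons = []
    if event.parent not in prof.parents:
        reasons.append(f"unusual parent process {event.parent}")
    if event.hour not in prof.hours:
        reasons.append(f"outside usual hours ({event.hour:02d}:00)")
    return reasons


def recommend(reasons: List[str]) -> str:
    """A never-seen launcher or user is enough to isolate the host for an
    analyst; an odd time on its own is queued for review."""
    if any(r.startswith(("unusual parent", "user has no history")) for r in reasons):
        return "isolate host and hand to analyst"
    return "review" if reasons else "none"


def detect(events: List[ProcEvent],
           profiles: Dict[str, Profile]) -> List[Tuple[ProcEvent, List[str], str]]:
    """Score each event; return only those with at least one finding."""
    findings = []
    for e in events:
        reasons = score(e, profiles)
        if reasons:
            findings.append((e, reasons, recommend(reasons)))
    return findings


# Constructed events from the monitored period.
NEW_EVENTS = [
    ProcEvent("ws-01", "admin1", "explorer.exe", 10),      # normal
    ProcEvent("ws-01", "admin1", "winword.exe", 11),       # launched from a document
    ProcEvent("ws-07", "jsmith", "winword.exe", 14),       # user never seen before
    ProcEvent("srv-02", "svc_backup", "taskeng.exe", 23),  # right job, odd time
]


if __name__ == "__main__":
    for ev, reasons, action in detect(NEW_EVENTS, learn(BASELINE_EVENTS)):
        print(f"{ev.host} {ev.user} <- {ev.parent} @{ev.hour:02d}:00: "
              f"{'; '.join(reasons)} -> {action}")
```

The profile is keyed by user on purpose: a service account running PowerShell from the task scheduler at 2am is normal for that account and anomalous for a desktop user, so a single global baseline would either drown that signal or raise alerts on every nightly job.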