When it comes to malware, one thing is certain: Attackers don’t rely on the same trick for very long. It’s always a race to outsmart, outperform and outmaneuver even the best endpoint tools.
Dark Reading noted attackers are pulling ahead of security teams. Most file-based malware is undetectable by antivirus tools, even as fileless attacks completely skirt this kind of security. Overwhelmed and underequipped, have endpoint tools finally reached their end of life?
The Newest Threat on the Block?
The newest threat on the malware market take the form of fileless attacks, which exploit in-memory vulnerabilities, PowerShell scripts or Office macros to infect target computers and entirely avoid antivirus systems.
Also called nonmalware attacks because they don’t require any external files to begin the infection process, this threat vector has been quietly gaining ground. Security firm and IBM partner Carbon Black explained that 64 percent of security researchers said they’ve seen an increase in nonmalware attacks since the beginning of 2016.
More worrisome? Ninety-three percent of those surveyed said that “nonmalware attacks pose more of a business risk than commodity malware attacks.”
File-based attacks, meanwhile, are also finding ways to avoid detection tools and compromise corporate endpoints. Part of the problem stems from malware reporting: Only half of all file-based attack details have been submitted to malware repositories, and just 20 percent of those attacks were uploaded to antivirus engines, SentinelOne reported. In other words, companies are effectively flying blind when it comes to both fileless and file-based malware.
Going Inside File-Based Attacks
While the solution to combating file-based attacks is relatively simple — companies need to freely share threat data, while antivirus providers need to increase both the uptake of malware signatures and antivirus update frequency — combating fileless malware is more challenging.
To understand why, it’s helpful to examine how these attacks work. Typical modes of infection include phishing emails with malicious attachments or compromised websites that prompt users to click on infected links. Once inside the endpoint, these attacks run approved processes to execute commands and begin the download of malware or rootkit packages.
Given the inherently privileged nature of PowerShell and Windows Management Instrumentation (WMI), cybercriminal actions don’t register as system threats, and security professionals are left in the dark. It’s no surprise, then, that fileless attacks are on the rise. Ars Technica reported that more than 140 bank networks have been infected with in-memory malware over the past few months, while The Register detailed a macro-based attack targeting Israeli organizations.
Fighting Fileless Attacks With Endpoint Security
So how do companies fight back against fileless defense failures? First is the recognition that fileless attacks are the likely future of malware — threat actors won’t risk traceable files when they can infect with virtually no trace.
Next is the evolving role of endpoint security. While better information sharing can help limit the impact of file-based malware, fileless infections will always fly under the radar. As a result, the most effective defense tactic lies with network traffic. Despite their lightweight packaging and sneaky use of system-approved processes, fileless attacks still generate observable — and odd — network traffic.
Threatpost suggested that companies start by disabling PowerShell for networks, then closely monitoring outbound traffic and tracing it back to any applications making the request. This can help spot outliers: For example, if Windows Notepad or Calculator are suddenly making network requests, chances are something isn’t right.
Companies now face the double threat of file-based and fileless malware. Combating both means evolving endpoint protection to include better information sharing for file-based threats and increased traffic oversight to help fight fileless foes.