When it comes to malware, one thing is certain: Attackers don’t rely on the same trick for very long. It’s always a race to outsmart, outperform and outmaneuver even the best endpoint tools.

Dark Reading noted attackers are pulling ahead of security teams. Most file-based malware is undetectable by antivirus tools, even as fileless attacks completely skirt this kind of security. Overwhelmed and underequipped, have endpoint tools finally reached their end of life?

The Newest Threat on the Block?

The newest threat on the malware market take the form of fileless attacks, which exploit in-memory vulnerabilities, PowerShell scripts or Office macros to infect target computers and entirely avoid antivirus systems.

Also called nonmalware attacks because they don’t require any external files to begin the infection process, this threat vector has been quietly gaining ground. Security firm and IBM partner Carbon Black explained that 64 percent of security researchers said they’ve seen an increase in nonmalware attacks since the beginning of 2016.

More worrisome? Ninety-three percent of those surveyed said that “nonmalware attacks pose more of a business risk than commodity malware attacks.”

File-based attacks, meanwhile, are also finding ways to avoid detection tools and compromise corporate endpoints. Part of the problem stems from malware reporting: Only half of all file-based attack details have been submitted to malware repositories, and just 20 percent of those attacks were uploaded to antivirus engines, SentinelOne reported. In other words, companies are effectively flying blind when it comes to both fileless and file-based malware.

Going Inside File-Based Attacks

While the solution to combating file-based attacks is relatively simple — companies need to freely share threat data, while antivirus providers need to increase both the uptake of malware signatures and antivirus update frequency — combating fileless malware is more challenging.

To understand why, it’s helpful to examine how these attacks work. Typical modes of infection include phishing emails with malicious attachments or compromised websites that prompt users to click on infected links. Once inside the endpoint, these attacks run approved processes to execute commands and begin the download of malware or rootkit packages.

Given the inherently privileged nature of PowerShell and Windows Management Instrumentation (WMI), cybercriminal actions don’t register as system threats, and security professionals are left in the dark. It’s no surprise, then, that fileless attacks are on the rise. Ars Technica reported that more than 140 bank networks have been infected with in-memory malware over the past few months, while The Register detailed a macro-based attack targeting Israeli organizations.

Fighting Fileless Attacks With Endpoint Security

So how do companies fight back against fileless defense failures? First is the recognition that fileless attacks are the likely future of malware — threat actors won’t risk traceable files when they can infect with virtually no trace.

Next is the evolving role of endpoint security. While better information sharing can help limit the impact of file-based malware, fileless infections will always fly under the radar. As a result, the most effective defense tactic lies with network traffic. Despite their lightweight packaging and sneaky use of system-approved processes, fileless attacks still generate observable — and odd — network traffic.

Threatpost suggested that companies start by disabling PowerShell for networks, then closely monitoring outbound traffic and tracing it back to any applications making the request. This can help spot outliers: For example, if Windows Notepad or Calculator are suddenly making network requests, chances are something isn’t right.

Companies now face the double threat of file-based and fileless malware. Combating both means evolving endpoint protection to include better information sharing for file-based threats and increased traffic oversight to help fight fileless foes.

More from

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…