[BreachExchange] What is Fileless Malware and How to Protect Against Attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 15 16:46:44 EDT 2021


https://www.itbusinessedge.com/security/fileless-malware/

Although the total number of malware attacks went down last year, malware
remains a huge problem. While the number of attacks decreased, the average
cost of a data breach in the U.S. is rising, signaling that malware
developers are building more sophisticated strains meant to avoid detection
and provide a bigger payday.

Fileless malware is a strain that, like many other forms, uses phishing to
get users to allow it onto their devices. It then uses trusted internal
applications to hide its presence and gain access to multiple devices and
datasets. How can you protect against something that uses whitelisted
applications to its advantage? We’ve put together this guide to help you
learn what fileless malware is and how you can protect against attacks.

Fileless malware prevention

What is fileless malware?
What kinds of applications does it hijack?
Look for indicators of attack instead of indicators of compromise
Use managed threat hunting services
Phishing prevention rules apply
Prevention is the best way to protect against fileless malware

What is fileless malware?

With most malware, attackers try to install malicious files onto your
computer. However, fileless malware hides within legitimate applications
and executes harmful activities while the wanted programs are running.
Fileless malware is memory-based: it writes no executable to disk, so
signature-based scanners have no file to match against, which makes it
harder to detect than other types of malware.

These attacks work by injecting malicious code into applications you
already have installed on your computer. Attackers can do this through
phishing and social engineering. Once the code is included in a legitimate
application, it can move laterally across your network to gain access to
more information.

What kinds of applications does it hijack?

Fileless malware targets software you already have installed on your
computer, like word processors or JavaScript applications. However, it also
often uses native applications that you may not even realize you have, like
Microsoft PowerShell or Windows Management Instrumentation (WMI). With
these native tools, fileless malware embeds malicious scripts in the
benign ones, so the scripts run while the app is performing routine
processes.

Look for indicators of attack instead of indicators of compromise

Indicators of attack (IOAs) are signs that an attack might be in progress,
as opposed to indicators of compromise (IOCs), which are evidence left
behind by steps attackers have already taken. IOAs on their own don’t
necessarily signal an attack, but specific combinations of IOAs do.

For example, before someone robs a store, they may walk through it several
times. This alone, of course, is not necessarily a cause for concern.
However, should they pair that with returning after the store is closed and
disabling a security system, clearly, the store is under attack. Similarly,
a phishing email plus a small command execution and communication with
someone offsite are often IOAs for cyberattacks.
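
The IOA chain described above (a document-handling app spawning a native
script host such as PowerShell, followed shortly by an outbound connection)
can be expressed as a small correlation rule. The following is an added
example, not part of the original article; the telemetry lines, process
names, window size and the 203.0.113.25 address are all constructed.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real log data): one dict per event.
SAMPLE_EVENTS = [
    {"ts": "2021-06-15T14:02:10", "type": "process", "pid": 4120,
     "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"ts": "2021-06-15T14:02:31", "type": "process", "pid": 4388,
     "image": "powershell.exe", "parent": "WINWORD.EXE"},
    {"ts": "2021-06-15T14:02:40", "type": "network", "pid": 4388,
     "dest": "203.0.113.25", "port": 443},
    # Benign admin use: PowerShell from a console, no Office parent.
    {"ts": "2021-06-15T15:10:00", "type": "process", "pid": 5012,
     "image": "powershell.exe", "parent": "cmd.exe"},
    {"ts": "2021-06-15T15:10:05", "type": "network", "pid": 5012,
     "dest": "10.0.0.5", "port": 5985},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wmic.exe", "wscript.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_ioas(events, window=WINDOW):
    """Alert when a script host spawned by an Office app opens an outbound
    connection within `window`. Each event alone is weak evidence; the
    chain is the signal (the article's 'specific combinations of IOAs')."""
    suspect = {}  # pid -> process event of a script host with an Office parent
    alerts = []
    for event in sorted(events, key=_ts):
        if (event["type"] == "process"
                and event["image"].lower() in SCRIPT_HOSTS
                and event["parent"].upper() in OFFICE_APPS):
            suspect[event["pid"]] = event
        elif event["type"] == "network" and event["pid"] in suspect:
            start = suspect[event["pid"]]
            if _ts(event) - _ts(start) <= window:
                alerts.append({"pid": event["pid"], "parent": start["parent"],
                               "image": start["image"], "dest": event["dest"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_ioas(SAMPLE_EVENTS):
        print("IOA chain:", alert)
```

The console-launched PowerShell session with its outbound WinRM connection produces no alert, which is the point: the rule fires on the combination, not on script execution or network activity by themselves.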

Use managed threat hunting services

Active threat hunting is time-consuming and labor-intensive because it
requires gathering and standardizing large amounts of data. In-house teams
can struggle to hunt threats effectively and complete their normal work,
meaning you’d need to hire people dedicated solely to threat hunting.
However, you can also outsource this job to a managed threat
hunting service. These services monitor networks 24/7 and proactively look
for anything that might go unnoticed by traditional security systems.

Phishing prevention rules apply

When looking to protect your business from fileless malware, it’s important
to train your team on the steps they should take to prevent phishing
attempts from succeeding. Don’t click on links in emails when you don’t
know the sender, and double-check email addresses before opening any
attachments. Also, legitimate businesses will never ask you for login
credentials over email. Just trust your instincts. If something feels
suspicious, it likely is.

Prevention is the best way to protect against fileless malware

Fileless malware is very difficult to detect once it’s gotten onto your
device, so prevention is the best way to protect against it. Teach your
employees to be cautious about the links they click both from their email
and online and to report suspicious activity to your IT team immediately.
Consider employing managed threat hunting services to look for indicators
of attack and proactively protect your network. By following these steps,
your business can avoid a catastrophic breach.