Maksim Kabakou - Fotolia

Security Think Tank: Human, procedural and technical response to fileless malware

What should organisations do at the very least to ensure business computers are protected from fileless malware?

fileless malware attacks are growing. According to research by the Sans Institute, issued in their 2017 Threat landscape survey, a third of organisations reported experiencing fileless attacks.

So why are they becoming so popular and what can security professionals and organisations do to mitigate the risk they pose?

The nature of these attacks may seem very different to the kind of malware onslaught we have sadly become so accustomed to facing.

The reason why these fileless attacks are so successful, and therefore growing in popularity, is that they effectively operate under the radar, as they hijack Microsoft Windows tools, such as PowerShell and Windows Management Instrumentation (WMI), to attack.

This means that malware detection is effectively rendered obsolete, as any activity coming from Windows tools is deemed legitimate and therefore unchallenged or prevented, as antivirus software cannot really detect them. So acting almost entirely in memory, fileless attacks perplex security professionals and exploit vulnerabilities in organisations’ networks.

Human response

We are familiar with the idea of a phishing email delivering a toxic payload or link to malware-laden website. There is still an element of user interaction required to enable this kind of attack to take place. Education of users is still key.

Teaching users how to recognise unfamiliar, unexpected or suspicious forms of email is vital, as there will still be some form of executable required to enable a fileless attack. A trained team needs to be in place to monitor network traffic to throw up any anomalous behaviour.

As much as people can be the Achilles heel in any security plan, due their unpredictability or lack of training, we also know that procedures can sometimes be a weakness too.

Think of what happened when the world was hit by NotPetya ransomware and an emergency patch was issued – many organisations failed to install the new patch and the wave continued.

So change management must be firmly in hand with updates and patches religiously applied, even if patching has to be triaged if the level of patches and updates is high.

We also need to make sure that if technical solutions, such as protective monitoring, identify an anomaly, then we must have a process is in place to handle the alert. Without this, the alert is a claxon going off in an empty room.

Technical response

Baselining your traffic will go a long way to help you discover if there is erroneous activity on your networks, so security information and event management (Siem) platforms will help with understanding what is “normal”.

In the same way that if your car makes a particular noise when you drive it, this is normal. If it suddenly starts making a particular noise, you know from your experience of its baseline behaviour this is not normal and you need to investigate the cause of the noise.

Setting firewall boundaries so that you are in control of the maximum amount of data that can leave your network, combined with notifications on network exit controls, will also help if largescale (at least larger than normal) exfiltration is happening and you can then investigate further. Set tolerances on servers around the amount of information that can be moved.

Listen to your network like you listen to your car, and if there is a noise that is new, make sure you check it out.

Read more from Computer Weekly’s Security Think Tank about dealing with fileless malware

Read more on IT risk management