Maksim Kabakou - Fotolia

Security Think Tank: Social engineering at the heart of fileless malware attacks

What should organisations do at the very least to ensure business computers are protected from fileless malware?

fileless malware is not new, but it is quickly gaining traction among attackers as a common method of compromise. After all, it is stealthy, efficient and capable of evading conventional security systems.

As fileless malware attacks surge in popularity and become more sophisticated, organisations must ensure that appropriate security measures are implemented to protect against this rising threat.

Several of these measures are fundamental tenets of basic security hygiene. For example, organisations should apply the latest patches to all systems and software applications; restrict unnecessary scripting; disable non-essential macros, and enforce the principle of least privilege, which restricts the access rights of users to the minimum required to perform their tasks.

Other measures, such as application whitelisting and behavioural analytics to detect anomalous activity, are more advanced and require a degree of maturity that not all organisations enjoy. 

These technical security measures do not, however, address the issue of human fallibility, which is integral to propagating fileless malware. A fileless malware infection can be spread via a phishing email, Malvertising, watering hole or malicious download, containing a link that, once clicked, enables attackers to exploit security weaknesses in the browser or other applications, and use legitimate programs to execute their own commands.

Several of these delivery vectors utilise some form of social engineering. This reinforces the need for organisations to train their users on how to recognise and resist social engineering tactics.

Security training for users should be regular and interactive. The aim is to ensure employees are aware of security risks to the organisation and adopt security-conscious behaviour. Users should be educated not to click on links or download attachments from an unknown sender and, even if the sender is known, to exercise caution by hovering over links and verifying the URL.

Read more about malware

Make the training practical and establish mechanisms to test the security awareness of users – for example, by simulating an email phishing campaign or asking employees to distinguish between legitimate emails and examples of phishing.

In addition, users with administrator credentials should receive specific guidance on administrative security and best practice. This includes enhanced logging, installing only those applications with trusted signatures, and limiting access to functions and tools typically targeted by fileless malware. 

In many ways, defending against fileless malware infections is no different to any other security threat: technical measures are essential, but insufficient on their own to foil an attack. Training users should feature as a core component of efforts to protect against fileless malware.

Read more on Hackers and cybercrime prevention