Software applications designed to perform malicious activities have been making life difficult for small and medium-sized businesses since the dawn of digitalization.
It’s not that SMBs are not aware of this threat or don’t know that they can protect themselves against it. It’s that malware is rapidly evolving, and yesterday’s anti-malware solutions are no longer effective against the most sophisticated malware attacks out there.
One specific type of malware that’s quickly becoming a major threat for all businesses that have yet to upgrade their malware defenses is called fileless malware, and this article explains what it is and how it can be stopped.
What Is Fileless Malware?
Traditional malware relies on executable files. Such files often have extensions like .exe or .bat, and they contain a set of instructions for the operating system to execute.
Fileless malware doesn’t rely on executable files. It instead abuses commonly available, trusted tools such as Microsoft PowerShell, Windows Management Instrumentation (WMI), the .NET Framework, and Office macros to run malicious instructions on the operating system.
This approach is known as living-off-the-land. The term was first introduced in 2013, and it describes an attack that abuses legitimate, trusted tools for nefarious purposes.
Just like an experienced bouncer can recognize a known troublemaker before they enter the club, an anti-malware solution can tell apart a legitimate file from a malicious one by giving it a quick digital pat-down to see if it carries any harmful code.
A fileless malware attack may start with a phishing email containing a link to an infected website. When an employee visits the website, a vulnerability in a trusted application is exploited to gain remote access to the victim’s system. From there, the attacker can steal credentials, set up a backdoor, and exfiltrate data.
What Makes Fileless Malware Dangerous?
Ponemon Institute estimates that fileless attacks are 10 times more successful than file-based attacks.
It’s no wonder then that this threat is becoming more and more common, growing by 94 percent during the first half of 2018 alone, when the now notorious SamSam fileless ransomware targeted multiple businesses in the healthcare sector.
Fileless malware attacks are so dangerous because the legitimate tools they take advantage of can’t be simply removed, disabled, or isolated. Microsoft PowerShell, for example, is a task automation and configuration management program that IT administrators rely on to accomplish a wide array of different tasks.
Even when a business does decide to block it anyway to stop fileless malware attacks like the Ramnit banking trojan or the Sodinokibi ransomware, cybercriminals can still bypass the restriction by running the PowerShell engine through its DLLs alone, without ever launching powershell.exe, using a readily available tool like PowerShdll.
Likewise, Office macros are at the heart of many day-to-day business functions, and employee productivity could take a nosedive if they were disabled to prevent fileless malware attacks like the GandCrab ransomware.
How to Stop Fileless Malware Attacks?
Fileless malware attacks may be more difficult to detect than their file-based counterparts, but businesses are not defenseless against them.
The key is to shift focus away from malicious files toward malicious activity. In fact, catching fileless malware is a lot like catching an invisible thief. You may not be able to see the thief, but you can see which doors they are opening, which documents they are reading, and so on.
One set of cybersecurity techniques that can be used to detect malicious activity is called behavioral analytics. Anti-malware solutions that implement behavioral analytics pull data from a variety of sources and use Artificial Intelligence (AI) and Machine Learning (ML) to analyze it in order to reveal anomalous activity across the entire network.
AI- and ML-based behavioral analytics techniques are at the core of endpoint detection and response (EDR) solutions. Such solutions continually monitor all endpoints, looking for anomalous activity. When they detect a potential threat, they evaluate it and automatically respond to it. This way, EDR solutions are able to stop even threats like fileless malware, which traditional signature-based anti-malware software can’t see.
A good example of an anti-malware solution that catches fileless malware red-handed is Microsoft Defender for Endpoint, an enterprise EDR solution designed to help prevent, detect, investigate, and respond to advanced threats. Businesses with up to 300 employees can use Microsoft Defender for Business, which was launched earlier this year to meet the unique needs of SMBs.
Microsoft Defender is often compared with SentinelOne, a popular EDR product that stands out with its high detection rate and support for modern and legacy operating systems, among other things. We at OSIbeyond have experience with both Microsoft Defender and SentinelOne, and we would be happy to help you choose and implement the right solution based on your unique needs.
Final Words on Preventing Fileless Malware
Cybersecurity threats are becoming more advanced, and malware is no exception. In recent years, threat actors have been increasingly moving away from malware that relies on executable files toward malware that takes advantage of trusted software applications and system resources.
Because fileless malware is invisible to traditional anti-malware solutions, businesses need to upgrade their defenses to include behavioral analytics to reliably detect malicious activity before it’s too late to do anything about it. Let’s discuss your current malware protection!