Known by the names of zero-footprint, invisible, or non-malware, these types of attacks are continuing to increase at organizations over time. Is your organization concerned with fileless malware, and malware that is essentially "off the grid"?
What is Fileless Malware?
Fileless malware does not imply there aren't any files utilized within an attack. What is does mean is that the files simply are not used after the attack. They are usually removed or moved to another file altogether. Though this type of malware is not new, there has been an increase seeing this type of malware being utilized, as we saw with Powershell, AdylKuzz and Wannacry in 2017.
It's worth noting Lenny Zelster's point about fileless malware.
"Though initially fileless malware referred to malicious code that remained solely in memory without even implementing a persistence mechanism, the term evolved to encompass malware that relies on some aspects of the file system for activation or presence."
Microsoft notes that the fileless techniques used by attackers can include:
- Memory Exploits
- Script-based techniques
- Reflective DLL injection
- WMI persistence
It is also worth noting that the attack vectors themselves have changed, with legitimate windows-based programs being used for the attack.
Should you be concerned?
Though there are concerns in every industry regarding malware, the healthcare industry was hit hard in 2017 with an increase of more than 200 percent of disclosed security incidents.
The growth of fileless malware should be concerning as it is important to adjust one's security strategy in response to this new threat. The latest form of cryptocurrency mining, GhostMiner, not only uses fileless malware to install within systems, but it also removes other mining that may exist via Powershell.
Since these types of attacks are found mainly within memory, there is not a detectable trace once implemented. However, files are used, configuration settings are altered, and other detectable events occur before the malware goes stealth.
It is important to have software in place to detect the changes that occurred in the short period of time before the malware become invisible. Having the proper security policies and procedures in place can also help prevent these types of attacks from occuring. As we mentioned in 5 Ways to Help Fix Security Vulnerabilities, steps can include:
- Making Security a Company-Wide Culture
- Focusing on Compliance
- Automating of Security Policies
- Addressing Internal Threats
- Prioritizing Threat Intelligence
What policies do you have in place?
In addition to a security policy, an easy way to begin, as noted by Greg Temm, includes focusing on the management of access controls and privileged user accounts. Time after time, the question of who has access to specific files and directories is often left answered. In the Best Practices for Active Directory Monitoring, we discussed best practices that include:
- Mechanisms for Change Control
- Ability to Comprehend the Quality of Changes
- Structured Change Workflows
- Ability to Remediate Negative Changes
- Ability to Understand/Act on Audits in Real-time
What Software should you use?
For comprehensive information security safeguards, next-generation file integrity monitoring (FIM) software provides the real-time change detection, and real-time reversal, necessary to ensure your systems have not been breached.
Some of the most important FIM software characteristics include:
- Flexible and simple to create policies
- Support for a wide range of operating systems
- Real-time detection
- Ease-of use
- Full-change remediation
To learn how CimTrak's file integrity monitoring software can help meet your needs, download our Guide to File Integrity Monitoring today.
April 11, 2018