By Ivan Lee, Director of Sales Engineering, APJ at CounterTack
Fileless malware has been around for a while and continues to be a major headache to CISOs. Ponemon's 2017 State of Endpoint Security Risk study shows that the number of fileless attacks increased by 45% in 2017 and that 77% of successful attacks used fileless techniques.
The major problem is that fileless malware doesn't write a file to the endpoint's disk, making traditional security protection tools (such as antivirus) less useful for detection. Even enterprise security protection gateways or sandbox solutions find it hard to detect a fileless attack. Why? Because most fileless malware exploits a vulnerability in an application on the endpoint (such as the OS, a browser, MS Office, etc.) to attack it. Once the application has been compromised, the fileless malware injects malicious code into the endpoint's memory, and the compromised application opens a backdoor for the hackers. Some commonly known fileless malware variants are: Poweliks, SOREBRECHT ransomware, Dridex, SMB Exploit (WannaCry) and DNSMessenger.
Here's an example based on an Internet Explorer vulnerability. The screenshots below show a fileless attack that uses "MS13-037 Microsoft Internet Explorer Integer Overflow vulnerability" to remotely control the endpoint and steal the endpoint Administrator password. The fileless malware exploits an integer overflow vulnerability in Internet Explorer.
It has successfully migrated into the Windows services.exe process without downloading any files to the endpoint, after which the hacker remotely dumps the password hash.
How can CISOs get a grip on the increasing number of fileless malware attacks? One key is to close or fix most of the security vulnerabilities in your endpoints' operating systems and applications. This option means one has to always patch and update ALL applications and software on all endpoints, including servers. However, it always takes time to apply vulnerability fixes to endpoints: a few hours, a few days, or worse, a few weeks. In all cases, depending on your security defenses, hackers have enough time to create and deliver fileless malware to the endpoints, because it is not readily detected by most AVs, network security, or even advanced endpoint security solutions. Also, vulnerability patches only fix known security issues. For unknown security vulnerabilities, the attack surface is wide open.
Based on the characteristics of fileless malware, the better option to detect and stop these attacks is to focus on the behaviors of processes running in memory. We need a solution that can identify malicious behaviors in real time, in the OS and in live memory, rather than matching patterns and signatures in an endpoint's files or on the network. CISOs should be looking for the following to defend themselves against the rising tide of fileless malware:
- Detect: The solution should be able to scan live physical memory to identify threatening behaviors indicative of malware. Because fileless malware is binary code running in memory, the solution needs to reverse engineer that binary code to determine what it is trying to do and map its capabilities to decide whether it acts like malware. The reversed binary code must be presented in human-readable language, so that the SOC operator can easily understand the fileless behaviors and take action.
- Predict: The solution needs predictive capabilities. A predictive analytics engine should be able to continuously monitor OS behavior and perform in-memory analysis together. Then it should define suspicious behavior in context: How bad? Why bad? What actions should the SOC operations team take?
- Prevent: Based on detection and prediction, the solution should be able to determine what is benign and what is malignant via machine learning. This enhances predictive accuracy, eliminates false positives, and enables high-confidence automated prevention, such as killing the process and quarantining the endpoint.
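To make the "behaviors, not files" idea concrete, here is an added example (not CounterTack code) of a minimal behavioral rule set run over constructed endpoint telemetry that mirrors the article's scenario: a browser injects code into services.exe, which then opens an outbound connection. The event schema, the sample events and the process lists are assumptions for illustration.

```python
# Added illustration, not CounterTack's engine: behavioral rules over OS events.
# Event schema and sample telemetry are constructed for this example.
from dataclasses import dataclass


@dataclass
class Event:
    kind: str         # "inject", "netconn" or "spawn"
    proc: str         # image name of the acting process
    target: str       # injected-into process, remote address, or child image
    parent: str = ""  # parent image name, used for "spawn" events


# Constructed telemetry: exploited browser -> code written into services.exe
# -> services.exe talks to a remote host; plus an Office app launching PowerShell.
SAMPLE_EVENTS = [
    Event("spawn", "explorer.exe", "iexplore.exe", parent="explorer.exe"),
    Event("netconn", "iexplore.exe", "203.0.113.10:443"),
    Event("inject", "iexplore.exe", "services.exe"),
    Event("netconn", "services.exe", "198.51.100.7:4444"),
    Event("spawn", "winword.exe", "powershell.exe", parent="winword.exe"),
]

# Assumed process classes: exploitable client apps, system processes that
# normally neither receive injected code nor initiate connections, script hosts.
CLIENT_APPS = {"iexplore.exe", "chrome.exe", "firefox.exe", "winword.exe", "excel.exe"}
QUIET_SYSTEM_PROCS = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def evaluate(events):
    """Return (severity, reason) findings from process behavior alone.

    Context raises severity: a network connection from a process that earlier
    received injected code is worse than either observation on its own.
    """
    findings = []
    injected = set()  # processes that have had code written into them
    for e in events:
        if e.kind == "inject":
            injected.add(e.target)
            if e.target in QUIET_SYSTEM_PROCS or e.proc in CLIENT_APPS:
                findings.append(("high", f"{e.proc} wrote code into {e.target}"))
        elif e.kind == "netconn":
            if e.proc in injected:
                findings.append(("critical", f"{e.proc} connected to {e.target} after injection"))
            elif e.proc in QUIET_SYSTEM_PROCS:
                findings.append(("high", f"{e.proc} initiated connection to {e.target}"))
        elif e.kind == "spawn" and e.parent in CLIENT_APPS and e.target in SCRIPT_HOSTS:
            findings.append(("medium", f"{e.parent} launched script host {e.target}"))
    return findings
```

Note that no file on disk is inspected at any point; the findings come only from which process did what to which other process, which is the signal that survives when there is no file to scan.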
CounterTack's Endpoint Protection Platform provides endpoint OS and live memory suspicious behavior detection, predictive analytics and preventative action to stop fileless threats.
Regarding the MS13-037 Microsoft Internet Explorer Integer Overflow vulnerability fileless malware, you can see how CounterTack's Endpoint Protection Platform picks up the endpoint's communication with the hacker machine via behavioral analysis of OS events.
Then the live memory behavior engine detects the fileless malware attack that injected code into the endpoint process, and stops it by killing the process.
In the SOC console, the CounterTack live memory behavior analytics engine is able to reverse engineer the binary code and show it in human-readable language for the SOC operators.