With the focus on coronavirus, cybersecurity professionals can’t lose sight of virtual viruses. Just as biologically based threats evolve, so do virtual ones. For years, MSPs and cybersecurity experts devised defenses to intercept suspicious attachments harboring dangerous payloads. The attacks weren’t pretty, they were brute force or sloppy attachments, but they worked.
Security professionals and software companies have been successful at coming up with ways to block these old hacking attempts, so hackers have moved to fileless malware with increasing frequency. Fileless malware is sometimes referred to as “living off the land” because hackers are using legitimate tools like a vehicle to attack. Programs like, Microsoft’s PS Exec, Windows Management Instrumentation (WMI), PowerShell, and more are favorites of fileless attacks.
Fileless malware is the new normal
“More than half of attacks last year leveraged fileless or “malware-free” techniques, as hackers increasingly turn to stolen credentials in their efforts to breach corporate networks.”
According to the Ponemon Institute, fileless attacks are ten times more likely to succeed than file-based attacks. It’s little surprise that fileless malware is becoming the tool of choice for hackers because of its stealthy nature. If an attack is weaponizing legitimate channels, traditional detection programs are rendered toothless.
Smarter MSP caught up with Sameer de Alwis for advice on how MSPs can combat the rise of fileless malware. De Alwis is senior principal of Sri Lankan-based Sumathi Information Technologies, an MSP serving the island nation.
De Alwis states that traditional methods of delivering malware into networks are increasingly being caught by more sophisticated detection. A fileless attack can deliver a damaging payload without the issues. But how can fileless attacks be mitigated?
“Sandboxing is absolutely key” emphasizes de Alwis, continuing that the appeal of fileless malware for hackers is that “it can be almost impossible to detect.”
In addition to a robust sandboxing regimen, de Alwis recommends using Registry Guard to help protect against hacker tampering with registry keys and values.
Methods to strengthen cybersecurity
Here is a compilation of advice for MSPs focused on more robust client security that I received from other cybersecurity professionals:
Consider disabling Powershell — For larger enterprises, this may not be a practical step, but hackers often exploit vulnerabilities in it to further their aims. If you need to keep Powershell operating, and many IT-heavy businesses rely on it, then at least upgrade to the latest version, Powershell 5, which features more security tools. The security features need to be set manually because their default settings are off.
Privilege reduction — Reduce the number of administrative privileges in each enterprise. By doing so, you’ll decrease the potential landing surface of a fileless attack.
Implement AI — Fileless malware bypasses old signature-based attacks, so organizations need to think beyond that. AI and software solutions that focus on identifying malicious behavior on the network can go a long way to determining when a fileless malware attack has been successfully initiated. There are plenty of AI-infused software packages available that track the user activity of administrators and network users who have super privileges. If behavioral patterns are being detected that are very unusual, that could be a red flag that there has been a compromised account.
Mind the macros — Macros are an ideal vehicle for hackers to launch fileless attacks. This isn’t to say that there isn’t a place and value in macro, but they should be used sparingly and only when necessary.
Frequent patching — We’ve emphasized the importance of frequent patching, but the rise of fileless malware has only made this step more important. Threat actors are taking advantage of old, outdated, and unpatched systems. Non-existent or ineffective patching can open a wide variety of vulnerabilities. MSPs need to have a patching checklist. Patching is a great example of how some of the most effective tools are also some of the cheapest.
Keep software updated — Microsoft is constantly adding more security features. Microsoft 365’s suite of tools and PowerShell irregularity detector is just one example of how using the newest, updated version of legacy programs can tip the scales in your favor.
Finally, MSPs need to take a holistic approach and implement client training on how to recognize anomalous system behavior and in general institute a robust cyber hygiene regimen.
Just like it takes a coronavirus to remind us of the importance of washing our hands, a fileless attack on your client’s system would serve as a bold reminder to improve cyber hygiene. Fileless attacks are here to stay, so following this advice will allow you to deal with them properly.
Photo: Stokkete / Shutterstock