Defending against fileless attacks means being able to spot anomalous activity, even if attackers inject their code into a host process on the computer
SPONSORED – In 1963, a gang of thieves held up a Royal Mail train and stole $7m (worth $50m today). All but four of the 15 men were caught, arrested and sentenced. The Great Train Robbery has since been made into films, TV shows, books, songs and even video games.
Some 50 years later, researchers from Kaspersky’s Global Research and Analysis Team (GReAT) identified a ransomware-like wiper attack, called NotPetya, which used a modified EternalBlue exploit to propagate within corporate networks.
The total damage from the NotPetya attack is estimated at $10bn – with huge organisations losing hundreds of millions of dollars as a result of the attack. Only one arrest has been made to date.
This comparison – 50 years apart – is just one example of how attacks are more sophisticated, yielding more money for thieves, and inflicting more damage on victims.
But we are not yet at the height of the complexity of cyber-attacks; they’re gaining sophistication ever more quickly. The NotPetya attack may be considered an archaic form of theft in just a few years, as criminals find even better ways to evade corporate IT perimeters without leaving their fingerprints – this is what we call the ‘new stealth’.
“Many APT (Advanced Persistent Threat) threat actors are trading persistence for stealth, seeking to leave no detectable footprint on the target computers and thus seeking to avoid detection by traditional endpoint protection,” says David Emm, Senior Security Researcher, GReAT, Kaspersky.
One of these stealth approaches is the use of fileless attacks. To avoid detection from traditional endpoint protection, the attack involves injecting code into a legitimate process, or using legitimate tools built into the operating system to move through the system, such as the PowerShell interpreter. There are numerous other techniques, including executing code directly in memory without being saved on the disk.
Due to their stealthy nature, fileless attacks are 10 times more likely to succeed than file-based attacks. The damage that they can do is also significant as seen by the breach at American consumer credit agency Equifax in 2017, which led to the theft of 146.6 million personal records.
Why are fileless attacks so hard to defend against?
The day after Kaspersky broke the news of the NotPetya attack, they were able to give very clear instructions to global businesses; prohibit the execution of a file called perfc.dat, using the Application Control feature of the Kaspersky Endpoint Security for Business suite. It’s not as clear cut for fileless attacks because there is no suspicious file to detect.
“Traditional anti-virus solutions rely on identifying code installed on the disk. If malware infects and spreads without leaving any of these traces, fileless malware will slip through the net, allowing the attackers to achieve their goals unimpeded,” Emm says.
The only approach is to detect suspicious behaviour.
“What is required is an advanced product that monitors activities on the computer and employs behavioural mechanisms for dynamic detection of malicious activity on the endpoint,” says Richard Porter, Head of Pre-Sales, Kaspersky UK&I.
Porter explains that this will mean that even if attackers inject their code into a host process on the computer, its actions will be detected as anomalous. Combining this with exploit mitigation techniques to detect attempts to exploit software vulnerabilities, and a default-deny approach will help keep organisations secure.
“The default-deny approach can be used to block the use of all but whitelisted applications, it can also be used to restrict the use of potentially dangerous legitimate programs such as PowerShell to situations where its use is explicitly required by a working process,” says Porter.
Preventing fileless attacks without behaviour detection technology is the equivalent of not securing the 120 sacks of bank notes in the Great Train Robbery. Without it, organisations are hopeless to stop them.
The technology to fight fileless attacks
Kaspersky’s behaviour detection technology runs continuous proactive machine learning processes, and relies on extensive threat intelligence from Kaspersky Security Network’s data science-powered processing and analysis of global, real-time statistics.
Their exploit prevention technology blocks attempts by malware to exploit software vulnerabilities, and adaptive anomaly control can block process actions which don’t fit a learnt pattern – for example, preventing PowerShell from starting.
To find out more, click here