Statistics point to a growing tendency towards attacks that do not involve malware, which lets them evade detection by traditional, file-based security products.
Almost two-thirds of security researchers in one poll cited by Network World said they had seen such attacks more often since the start of the year, and weren’t confident that traditional anti-virus software could tackle them.
Another report indicated that non-malware or ‘fileless’ attacks accounted for 13% of all attacks as of November last year, compared to just 3% in January 2016.
Can fileless attacks be protected against?
Almost all of the aforementioned researchers said that businesses were more at risk from non-malware attacks than they were from traditional file-based attacks, with research and advisory firm Gartner stating there was no sure way to block them.
Nonetheless, the firm did urge concerned enterprises to check with their endpoint protection platform (EPP) vendors and specifically ask what they do to protect against such attacks.
Gartner also recommended Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which hardens applications by enforcing exploit mitigations on them. One example is data execution prevention (DEP), which EMET supports: DEP marks data regions such as the stack and heap as non-executable, so that code an exploit injects into them is stopped the moment it tries to run. Note that EMET has since reached end of life; its mitigations now ship in Windows 10 as Exploit Protection under Windows Defender.
Such attacks are so problematic precisely because they carry out their malicious activity through legitimate processes and applications that show no obvious sign of compromise. Because no malicious file is written to disk, a file-based scanner has nothing to inspect.
JavaScript, PowerShell and Windows Management Instrumentation (WMI) have all been used in such attacks, so the practical detection opportunity lies in watching what these script hosts do rather than what they are. One respondent to the aforementioned survey said of monitoring PowerShell for unusual behaviour: “For instance, if it is trying to access an inordinate amount of files very quickly or trying to communicate outside of your network, then these are some telltale signs of an attack.”
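The following is an added example, not code from the original article or from Sec-Tec, showing how the two telltale signs in the quote above (a burst of file accesses, and a connection outside your network) can be turned into detection logic, together with a simple check of the PowerShell script text for encoded commands and download cradles. The event records, the internal address ranges, the thresholds and the suspicious-script patterns are all assumptions chosen for the example; a real pipeline would feed it from Sysmon and PowerShell script block logging and tune the thresholds to the environment.

```python
"""Toy behavioural detector for the PowerShell 'telltale signs' described above.

Added example, not code from the original article or from Sec-Tec. The event
records are a constructed, simplified stand-in for endpoint telemetry (process
file access, network connections and PowerShell script block text); a real
pipeline would feed it from Sysmon / PowerShell logging instead.
"""
from collections import defaultdict, deque
import ipaddress
import re

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Script hosts the article names (PowerShell, WMI, JavaScript via wscript/cscript).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe"}

# Assumed, non-exhaustive patterns: encoded commands, download cradles, WMI process launch.
SUSPICIOUS_SCRIPT = re.compile(
    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|DownloadString|Invoke-Expression|\bIEX\b|Invoke-WmiMethod|Win32_Process",
    re.IGNORECASE,
)

FILE_BURST_THRESHOLD = 50    # this many file accesses by one process ...
FILE_BURST_WINDOW = 5.0      # ... within this many seconds counts as a burst


def is_external(ip):
    """True if the destination is outside loopback and the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or any(addr in net for net in INTERNAL_NETS))


def detect(events):
    """Return a list of (rule, pid, detail) alerts for a time-ordered event stream."""
    alerts = []
    recent_files = defaultdict(deque)   # pid -> timestamps of recent file accesses
    burst_reported = set()
    for ev in events:
        if ev["image"].lower() not in SCRIPT_HOSTS:
            continue                     # only script hosts are of interest here
        pid = ev["pid"]
        if ev["type"] == "file":
            window = recent_files[pid]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FILE_BURST_WINDOW:
                window.popleft()         # drop accesses older than the window
            if len(window) >= FILE_BURST_THRESHOLD and pid not in burst_reported:
                burst_reported.add(pid)  # report each process's burst once
                alerts.append(("file_burst", pid,
                               f"{len(window)} files in {FILE_BURST_WINDOW}s"))
        elif ev["type"] == "net" and is_external(ev["dst_ip"]):
            alerts.append(("external_connection", pid,
                           f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["type"] == "script":
            hit = SUSPICIOUS_SCRIPT.search(ev["script"])
            if hit:
                alerts.append(("suspicious_script", pid, hit.group(0)))
    return alerts


def benign_session():
    """Constructed: an admin listing a directory and talking to an internal file server."""
    evs = [{"ts": 100.0, "pid": 1001, "image": "powershell.exe", "type": "script",
            "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"}]
    evs += [{"ts": 100.1 + i * 0.1, "pid": 1001, "image": "powershell.exe",
             "type": "file", "path": f"C:\\Users\\alice\\doc{i}.txt"} for i in range(10)]
    evs.append({"ts": 101.5, "pid": 1001, "image": "powershell.exe", "type": "net",
                "dst_ip": "10.0.0.5", "dst_port": 445})
    return evs


def fileless_session():
    """Constructed: encoded command, rapid file sweep, then an external connection."""
    evs = [{"ts": 200.0, "pid": 4242, "image": "powershell.exe", "type": "script",
            "script": "powershell -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="}]
    evs += [{"ts": 200.1 + i * 0.02, "pid": 4242, "image": "powershell.exe",
             "type": "file", "path": f"C:\\Users\\alice\\Documents\\f{i}.docx"}
            for i in range(60)]
    evs.append({"ts": 202.0, "pid": 4242, "image": "powershell.exe", "type": "net",
                "dst_ip": "198.51.100.7", "dst_port": 443})   # documentation range, constructed
    return evs


if __name__ == "__main__":
    for name, session in (("benign", benign_session()), ("fileless", fileless_session())):
        print(name, detect(session))
```

Run stand-alone, the benign session produces no alerts, while the constructed fileless session trips all three rules in order: the encoded command in the script block, the burst of 50 file accesses inside the window, and the connection to an address outside the internal ranges. The point of the sliding window is that a single process touching many files is normal for an administrator over a day but not over a few seconds; the threshold and window are the knobs to tune against your own baseline before alerting on them.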
Other measures recommended against such attacks range from application whitelisting and blacklisting to more general hygiene such as regular patching. Bear in mind that whitelisting alone does not stop a fileless attack that runs inside an already-permitted interpreter such as PowerShell, which is why monitoring what those interpreters do matters. Gartner has also suggested that network segmentation can help to contain fileless attacks until they are detected and shut down.
Discuss the best penetration testing approach with us
Would you like greater peace of mind about the security of your own firm’s IT infrastructure? If so, simply contact Sec-Tec to discuss the penetration testing services in which we have amassed in-depth knowledge and experience, and on which we can advise you to the highest standards.