More and more attackers are carrying out their work without using malware so they can evade detection by traditional, file-based security platforms, which presents a tough problem for security pros trying to defend against them.
Nearly two-thirds of security researchers polled by Carbon Black say they’ve noted an uptick in these attacks just since the beginning of the year, and aren’t confident that traditional anti-virus software can deal with them.
An earlier Carbon Black report included stats gathered from its customers that indicated these non-malware attacks, also called fileless attacks, had grown from 3% of all attacks to 13% over the course of last year.
Nearly all of the researchers say they pose more of a risk to business than traditional file-based attacks.
That doesn’t mean the problem can’t be dealt with, according to Gartner, but there’s no sure way to block these attacks.
To protect themselves, enterprises should check with their endpoint protection platform (EPP) vendors and specifically ask what they do to protect against this type of attack, Gartner recommends in their report, “Get Ready for 'Fileless' Malware Attacks.”
+More on Network World: FTC warns on “Can you hear me now” robocall: Hang up!+
They also recommend using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which enforces restrictions on applications to protect them. For example, it supports data execution prevention (DEP), which monitors memory use by applications and can shut them down if they go beyond expected use. That’s just one of the protections, and Gartner says to use the EMET list as a minimum set of protections when evaluating EPP products.
Gartner says Chrome, Firefox, Internet Explorer, Microsoft Office, Java VM and Adobe products offer a good base of covered applications.
This type of attack compromises legitimate processes and applications to carry out malicious activity, and because they are legitimate, their activity after they have been compromised doesn’t raise any flags. They don’t download malicious files, so there’s no malware to catch. These attacks have employed Java Script, Windows Management Instrumentation (WMI) (used to spread Stuxnet) and PowerShell.
The Carbon Black report says common types of non-malware attacks researches reported seeing and the percentage that saw them were: remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).
Detecting use of these attacks requires vigilance, one respondent to Carbon Black’s questionnaire says., PowerShell should be monitored for unusual behavior, they say. “For instance, if it is trying to access an inordinate amount of files very quickly or trying to communicate outside of your network then these are some telltale signs of an attack,” the researcher says.
They also recommend checking the command line on PowerShell. “[I]f you look at the command line and see text that looks like it is unrecognizable or random instead of just English, that also is a red flag,” they say.
White-listing and black-listing applications can also help, as are general security hygiene chores like regular patching. Network segmentation can help contain these attacks until they are detected and shut down, Gartner says.