Enterprise IT systems are becoming substantially complex, scalable and sophisticated. State of the art technologies are employed to deliver high business value as well as to achieve secure and resilient operations.
At the same time cyber criminals are stepping up their game in an attempt to win the constant battle between the attackers and the defenders. They are constantly evolving and gaining strength to beat and bypass the sophisticated controls organisations have deployed to safeguard their systems, data and information assets.
Attackers always want to infiltrate the cyber defences without being detected – the longer they evade the detection the more objectives they can achieve. Some attacks have now gone to the next level by creating “Fileless Malware”.
This is a relatively new type of malicious software that infects the systems by using legitimate software/ programs such as PowerShell and WMI (Windows Management Instrumentation)
This presents a significant problem, because traditional file-based prevention and detection techniques require a file to analyse. Even “next generation” malware detection products may not detect these attacks until after the payload executes successfully.
Most organisations are vulnerable to fileless of malware as they are using a conventional file-based detection security solution. McAfee and Ponemon Institute research highlights that in 2018 fileless malware accounted for about 35% of all attacks. Attackers are 10 times more likely to penetrate and exploit an organisation with fileless malware than by using conventional file-based attacks alone.
Due to the fact that fileless malware uses programs which are trusted and an essential part of the operating system, it is implied that the executed commands are legitimate due to authorised signatures and reputation of these tools.
Once successfully launched attackers can bypass firewalls, run the scripts or create new PowerShell sessions to load from memory to initiate attacks on the machine which leads to compromise of entire network.
To combat these kind of attacks, Behavioural Detection is the best bet for the organisations to monitor and detect the patterns related to PowerShell executions and systems/ machines invoking remote commands and access.
Recommendations
Cyber security and risk management teams should:
Evaluate anti-exploit protection solutions for fileless attacks. Microsoft has developed exploit mitigations in Microsoft Enhanced Mitigation Experience Toolkit. It can be used as baseline.
Vulnerability Scanning and Patching of end points can provide security to certain degree, Microsoft EMET and ASR can be used as a tactical solution to add another layer of protection.
PowerShell usage should be limited by restricting access through Windows Group Policy or Windows AppLocker. In case of business needs, only authorised users should be allowed to use PowerShell and all activities should be logged and monitored for any suspicious activity.
Application Whitelisting and Microsoft block rules can also be used to prevent certain applications from executing scripts and or ton invoke PowerShell, WMIC and Java. Microsoft block rules also restrict the attacks to circumvent application whitelisting policies, including Windows Defender Application Control.
Windows Defender Application Control (WDAC) can also help mitigate these types of security threats by restricting the applications/ processes that can execute the code in the System Core (kernel). WDAC policies can also block MSIs, unsigned scripts and elevated privileges in PowerShell CLM (Constrained Language Mode).