Why Traditional Endpoint Detection and Response (EDR) Platforms Can’t Detect File-less Malware
This post was last updated on January 22nd, 2020 at 04:21 pm
File-less malware is an extremely difficult-to-detect type of cyber threat and creates a serious problem for modern businesses, even more than ransomware. File-less malware requires no physical payload and creates no discernible or permanent footprint on the targeted machine(s). Instead, file-less threats can compromise and exfiltrate sensitive data from a host by leveraging legitimate system tools like PowerShell. So, how do you defend your IT infrastructure against file-less malware?
In spite of ransomware’s prominence, it still functions in a way that’s familiar to IT security teams and incident responders. Ransomware attacks leave a digital footprint on compromised machines, because in order for ransomware to exfiltrate data and infect the hosts, it requires a payload to be downloaded to the device.
Ironically, there’s a certain level of comfort in that familiarity—knowing you’re compromised because you can quickly identify ransomware within your network.
File-less malware, on the other hand, offers no such comfort. A relatively new type of cyber attack, file-less threats are nearly impossible to mitigate using traditional Endpoint Detection and Response Platforms. This makes file-less attacks one of the most significant threats on the modern web.
The good news is that file-less malware isn’t impossible to defend against. Like any cyber attack, fileless threats can be defeated. It simply requires advanced detection techniques and a different response from other types of malicious threats.
To understand how to respond to file-less attacks, it’s first important to understand how file-less malware functions…
What is File-less Malware?
The most significant difference between file-less malware and traditional malware is how it infects your machine and where it resides. Traditional malware and viruses either create or infect files within a computer’s storage media. They leave a digital footprint in the form of a malicious file or files. Most antivirus software solutions can either detect the malicious changes to your files and/or detect the malicious files created.
File-less malware exists entirely within a machine’s memory. It’s completely ephemeral, stealthily executing malicious code or exfiltrating data without changing your file system. Per Norton Security, there are a few core variants of file-less malware, organized based on what they do:
- Registry Manipulation: This type of file-less malware injects code into the Windows registry. One of the most noteworthy types of registry manipulating file-less threats is the Kovter malware, which resides in the registry and is frequently used in malvertising campaigns.
- Memory Code Injection: Often leveraging known software and application vulnerabilities, memory code injecting malware frequently piggybacks on a trusted software like Microsoft PowerShell and Windows Management Instrumentation. PurpleFox utilizes memory code injection through PowerShell and is frequently used to download cryptocurrency-mining malware to infected systems.
- Script-based Attacks: Technically, script-based cyber attacks are only semi-fileless. For instance, the SamSam Ransomware makes extensive use of operating system (OS) features and network administration tools to compromise infected systems. SamSam leaves a footprint, but by the time that digital footprint is discovered, files are already locked off.
Why File-less Malware Is Difficult to Detect
Traditional antivirus software tools and endpoint detection and response (EDR) security platforms have trouble detecting file-less threats. There are a few factors that make file-less threats particularly difficult to detect and mitigate:
- First, because it has no identifiable code or signature, file-less malware is undetectable by traditional antivirus tools.
- File-less threats live in a system’s memory (RAM) meaning there typically isn’t a digital footprint to trace.
- Lastly, because fileless malware doesn’t follow a set pattern of behaviors and frequently leverages trusted processes to mask malicious behavior, EDR platforms that rely on behavioral analysis cannot hunt and expose file-less threats cannot detect it.
Owing to the fact that file-less attacks are so easy to carry out undetected (compared to traditional malware attacks) the past year has seen a significant surge in their occurrence. Per Trend Micro’s 2019 Roundup Report, detections of file-less threats in the first half of 2019 increased by 265 percent compared to 2018. Criminals understand the tools enterprises most frequently leverage to protect themselves (and their data) from cyber attacks. In response, cyber criminals are turning to attack methods that allow them to circumvent those tools (e.g. file-less attacks).
What To Do About File-less Malware
All is not lost. Although fileless attacks are more complex and difficult to deal with, they can be detected and defeated. Doing so requires a slightly different response from traditional antivirus software and EDR security solutions.
First—and most importantly—keep all systems up-to-date. Many file-less threats rely on unpatched application or hardware vulnerabilities. The fewer vulnerabilities you have in your environment removes potential backdoors and entry points for attackers to exploit.
Second, take the necessary measures to protect your organization against phishing and social engineering attacks. While email data leak prevention and antivirus tools represent a good starting point here, it’s also imperative that you implement some form of cybersecurity awareness training for your staff. Training employees to be more conscientious and mindful when it comes to opening emails or clicking on links can go a long way towards protecting yourself.
Third, consider an EDR platform that includes in its repertoire behavioral antivirus software and realtime monitoring. Such a solution can determine what constitutes normal behavior for a particular set of applications, and can immediately flag a potentially-compromised process. This, in turn, equips your security team with the necessary visibility into their network to detect and mitigate many file-less attacks before they can cause significant damage.
Finally, consider an advanced threat detection platform that leverages forensics, live memory inspections, and real-time behavioral analysis to expose file-less threats—like Infocyte.
Infocyte continually inspects your endpoints and performs memory analysis at scale, enabling it to detect file-less malware which often go undetected by traditional endpoint detection and response (EDR) platforms. In addition to detecting file-less threats, Infocyte exposes malicious processes, zero-day malware, and advanced persistent threats (APTs) quickly and efficiently, without requiring custom scripts or forensics experts to do your threat hunting.
File-less Cyber Threats Require a New Approach
File-less malware is relatively new to the threat intelligence community making fileless threats more difficult to detect, understand, and eliminate. The good news is that knowledge is your best weapon. Equipped with a better understanding of file-less malware and the tools necessary to detect and respond to it, fileless malware is very manageable.
About the Author
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.