InfoSec Risk for fileless malware


Fileless malware can create “the uncertainty” that falls outside of the established set of security controls. The potential threat of a fileless attack raises the risk to IT operations beyond the level acceptable for most organisations. By challenging traditional security products, fileless malware can be classified as an emerging threat with potentially significant negative consequences, and for which an immediate countermeasure may not be available.

Like any other emerging threat that can’t be mitigated by traditional IT controls, it should fall under the umbrella of InfoSec Risk and be managed according to the Risk Control Strategies: Defence, Transferal, Mitigation, Acceptance, Termination.


Intro

Major security vendors have started to describe new techniques used by malicious actors: fileless attacks executed only in RAM, which don’t rely on the file system at any stage and leave no trace of their activity on the hard disk, so they are not detected by existing security mechanisms such as end-point protection, FIMs, etc. Attacks of this kind were noticed a few years ago, but recently they have received much more attention, due to the number of confirmed breaches, mostly at banks and telecom businesses.


Initial analysis

Reports published in recent months by security experts contain investigations of these attacks. The most notable tools are: Duqu 2.0, described in 2015 by Kaspersky Lab; Kovter, described in 2016 by Airbus Security; PowerSniff/PowerWare; and the latest examples exposed by Kaspersky Lab in 2017:

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93-A-BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE


Correlation of events and used techniques

Although techniques for the practical use of fileless malware have existed for years (PowerShell/Sc/Netsh, Meterpreter/Msfvenom, Mimikatz), they do not seem to have been mitigated successfully by the InfoSec industry. Multiple new announcements from security vendors were made in 2017 uncovering the issue in detail, but so far no single commercial product or industry solution has been presented that could be regarded as future-proof.

From the published results of investigations performed by experts, it can be observed that although the tools used during fileless attacks are still evolving, certain general rules/steps recur (phases similar to those of traditional attacks):

1. Initial compromise: phishing or vulnerable machine exposed externally

2. C2 server (command and control)

3. Escalation of privileges

4. Lateral Movement

5. Persistence


The main issue with fileless malware comes from the fact that it directly challenges the key concepts used broadly by the InfoSec industry today, which form the basis of the important “first line of defence” (end-point security suites, or advanced antiviruses):

• signature analysis that stops the initial infection based on past patterns (signatures), used by antiviruses, intrusion detection/prevention tools, etc.

• file integrity monitoring that generates an alert if any critical file is altered, used by FIM tools, HIDS (host-based intrusion detection systems), etc.

Since fileless malware resides only in volatile memory, there are no files to be checked against a signature database, and no change is made to the file system (no file is written or amended). Some experts describe this as the “natural evolution” of exploitation tools, developed in response to the strict file integrity controls implemented by advanced end-point protection suites (signature-based controls have not been efficient for years).


Risk Control

Given the complexity of the risk, an appropriate control strategy must be built with the intent to prevent, or at least discover, each step of a fileless attack (mitigation), to reduce the effects of malicious activity, and to accept the remaining residual risk (acceptance).

1. The risk of initial compromise can be reduced by patching/scanning, implementing web/email gateways, and virtual patching from some end-point suites; the residual risk, in the form of zero-day exploits, would be accepted based on its actual value, which depends on the overall value of the information/data and is inversely correlated to the value of zero-day exploits.

2. The risk of communication with a C2 server can be reduced by implementing the “IP/web reputation” feature offered by some web gateways, which should also eliminate new servers set up specifically for the attack; another option is to introduce white-listing of accessible IPs/FQDNs. The residual risk in this case is the potential compromise of any “trusted” destination, which could then be used as a C2 server.

3. Escalation of privileges cannot be efficiently prevented, but detection in the form of detailed central logging can at least generate an alert about an ongoing incident; the same logic should be applied to the first step. Examples of events to monitor on individual machines can be found, for example, at: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

4. Lateral movement can be prevented by implementing more granular network segmentation, for example through “micro-segmentation” with SDN (software-defined networking); malicious activity within a segment can be detected by a network IDS, which should alert on vulnerability scans launched from the compromised machine. The residual risk is again the potential use of zero-day exploits, supplemented by the risk of compromise of the network devices that enforce segmentation (firewalls, SDN).

5. Persistence in RAM can obviously be eliminated by a system reboot, but malware in the system registry can be difficult to discover; mitigation may take the form of anomaly-based IDS (network and/or host based), for example NBAD or UEBA. The residual risk at this last stage would be the sum of the “risks” from all 5 steps (or the monetary value of the residual risks from each step).
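As an added illustration of the detection logic behind step 3 (central logging that alerts on privilege escalation), not code from the original article, the following script runs over a few constructed Security-log records. The event IDs come from Microsoft's "Events to monitor" appendix linked above; the flat record format, the allowlist of known administrators and the sample data are this example's own assumptions.

```python
from datetime import datetime

# Event IDs from Microsoft's "Events to monitor" appendix (real IDs; which ones
# to select and how to group them is this example's assumption).
SPECIAL_PRIVILEGE_LOGON = 4672
GROUP_ADD_EVENTS = {
    4728: "security-enabled global group",
    4732: "security-enabled local group",
    4756: "security-enabled universal group",
}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
KNOWN_ADMINS = {"CORP\\svc_backup", "CORP\\adm_jsmith"}   # constructed allowlist

def parse_line(line):
    """Parse one 'timestamp|host|event_id|account|group' record (a constructed
    flat format standing in for a forwarded Security log entry)."""
    ts, host, eid, account, group = (f.strip() for f in line.split("|", 4))
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(eid), "account": account, "group": group or None}

def detect_escalation(lines):
    """Return one (host, account, reason) alert per event in which an account
    outside KNOWN_ADMINS obtains special privileges at logon or is added to a
    privileged group. Everything else is treated as expected activity."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["account"] in KNOWN_ADMINS:
            continue
        if e["event_id"] == SPECIAL_PRIVILEGE_LOGON:
            alerts.append((e["host"], e["account"], "special privileges at logon"))
        elif e["event_id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            alerts.append((e["host"], e["account"],
                           f"added to {e['group']} ({GROUP_ADD_EVENTS[e['event_id']]})"))
    return alerts

# Constructed sample: one legitimate admin logon, one benign group change,
# and two events that should be flagged.
SAMPLE_LOG = """
2017-05-03T09:12:01|WS-0142|4672|CORP\\adm_jsmith|
2017-05-03T09:40:17|WS-0142|4732|CORP\\jdoe|Remote Desktop Users
2017-05-03T09:41:05|WS-0142|4732|CORP\\jdoe|Administrators
2017-05-03T09:42:30|WS-0142|4672|CORP\\jdoe|
""".strip().splitlines()

if __name__ == "__main__":
    for host, account, reason in detect_escalation(SAMPLE_LOG):
        print(f"ALERT {host}: {account} {reason}")
```

In a real deployment the allowlist and group names would be maintained from the directory rather than hard-coded, and the alerts would feed the central log platform rather than stdout.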

An alternative to the “mitigation-acceptance” strategy described above could be to transfer the risks associated with fileless malware to an external security vendor that is able to use individual methods targeted at specific types of threat, e.g. scripts searching for common web shell patterns, or analysis of HTTP access logs; the value of the residual risk in this case would be directly correlated to the practical efficiency of the vendor’s product or SOC in stopping fileless malware.


Conclusion

Fileless malware certainly poses a significant risk to the industry and seems to be only gaining in popularity over recent months. An interim solution that may help with the discovery of fileless attacks is to periodically dump the content of RAM to a central location for analysis. The ultimate solution, in the form of active “memory scanning” (by end-point suites, for example), is being developed and should add an additional protection layer soon; in the meantime we can manage fileless malware, like most emerging threats, with the structured approach suggested by risk control strategy.