Although the total number of malware attacks went down last year, malware remains a huge problem. While the number of attacks decreased, the average cost of a data breach in the U.S. is rising, signaling that malware developers are building more sophisticated strains meant to avoid detection and provide a bigger payday.
Fileless malware is a strain that, like many other forms, uses phishing to get users to allow it onto their devices. It then uses trusted internal applications to hide its presence and gain access to multiple devices and datasets. How can you protect against something that uses whitelisted applications to its advantage? We’ve put together this guide to help you learn what fileless malware is and how you can protect against attacks.
Fileless malware prevention
- What is fileless malware?
- What kinds of applications does it hijack?
- Look for indicators of attack instead of indicators of compromise
- Use managed threat hunting services
- Phishing prevention rules apply
- Prevention is the best way to protect against fileless malware
What is fileless malware?
With most malware, attackers try to install malicious files onto your computer. However, fileless malware hides within legitimate applications and executes harmful activities while the wanted programs are running. Fileless malware is memory-based, which makes it harder to detect because it doesn’t have a signature like other types of malware.
These attacks work by injecting malicious code into applications you already have installed on your computer. Attackers can do this through phishing and social engineering. Once the code is included in a legitimate application, it can move laterally across your network to gain access to more information.
What kinds of applications does it hijack?
Look for indicators of attack instead of indicators of compromise
Indicators of attack (IOAs) are signs that an attack might be in progress as opposed to indicators of compromise, which are evidence of steps attackers are taking to perpetuate an attack. IOAs on their own don’t necessarily signal an attack, but specific combinations of IOAs would.
For example, before someone robs a store, they may walk through it several times. This alone, of course, is not necessarily a cause for concern. However, should they pair that with returning after the store is closed and disabling a security system, clearly, the store is under attack. Similarly, a phishing email plus a small command execution and communication with someone offsite are often IOAs for cyberattacks.
Use managed threat hunting services
Active threat hunting is time-consuming and labor-intensive because it requires gathering and standardizing large amounts of data. In-house teams can struggle to hunt threats effectively and complete their normal work, meaning you’d need to hire people completely dedicated solely to threat hunting. However, you can also outsource this job to a managed threat hunting service. These services monitor networks 24/7 and proactively look for anything that might go unnoticed by traditional security systems.
Phishing prevention rules apply
When looking to protect your business from fileless malware, it’s important to train your team on the steps they should take to prevent phishing attempts from succeeding. Don’t click on links in emails when you don’t know the sender, and double-check email addresses before opening any attachments. Also, legitimate businesses will never ask you for login credentials over email. Just trust your instincts. If something feels suspicious, it likely is.
Prevention is the best way to protect against fileless malware
Fileless malware is very difficult to detect once it’s gotten onto your device, so prevention is the best way to protect against it. Teach your employees to be cautious about the links they click both from their email and online and to report suspicious activity to your IT team immediately. Consider employing managed threat hunting services to look for indicators of attack and proactively protect your network. By following these steps, your business can avoid a catastrophic breach.