How MSPs Can Protect Their Clients from Fileless Malware
A new(ish) type of malware is on the rise. To date, fileless malware hasn’t been a big topic of conversation. But according to vendors and partners alike, it’s going to be a big focus in 2019.
What is fileless malware? In short, it’s malicious code or data that exists only in memory. Instead of arriving as a malicious file that must first be written to disk, the code runs inside an already-running process and never exists as a true file, which often makes it invisible to traditional antivirus software and endpoint security solutions. Attackers then leverage legitimate programs to work their way into the network, coupling this with other attacks such as ransomware.
“Fileless malware is particularly insidious since traditional antivirus solutions simply aren’t enough of a defense,” says Chris Goettl, director of product management and security at solution provider Ivanti. “It has prompted security teams to take a multifaceted approach to detecting threats and preventing new attacks.”
Because fileless malware doesn’t leave an immediate trace that would let managed service providers (MSPs) detect it with traditional antivirus solutions, it is able to execute and cause damage on systems that aren’t prepared to defend against such attacks.
What’s an MSP to Do?
Traditional defense tactics don’t work against fileless malware, so MSPs have to up their security game, Goettl says.
“’Threat hunting’ includes actions such as log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry or system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users; and understanding baseline endpoint activity of applications and users to detect suspicious activity,” he says.
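As an added illustration of the log-analysis side of threat hunting described above (example code written for this page, not from Ivanti or the article), the Python below builds a baseline of registered domains from a window of known-good DNS query logs, then flags later queries that fall outside that baseline, use an unusually long leftmost label, or show high character entropy, and lists hosts with repeated anomalies. The log lines, hostnames and domain names are constructed, and the thresholds are assumed starting points to tune per environment.

```python
import math
from collections import Counter

# Constructed sample DNS query logs ("time host qname"); not real data.
BASELINE_LOG = """\
08:00:01 ws-01 www.contoso.com
08:00:09 ws-02 login.microsoftonline.com
08:02:30 ws-03 cdn.contoso.com
"""
HUNT_LOG = """\
09:00:01 ws-01 www.contoso.com
09:00:02 ws-01 k3j9x2m8q1z7.example.net
09:00:03 ws-01 zqx8v2n4b7l1p5r9t3w6y0.example.net
09:00:05 ws-03 cdn.contoso.com
09:00:06 ws-03 4f6a2c9e1b0d7e8f3a5c.some-unknown-host.org
"""

def parse(log):  # yields (timestamp, host, normalized query name)
    for line in log.splitlines():
        ts, host, qname = line.split()
        yield ts, host, qname.lower().rstrip(".")

def registered_domain(qname):  # crude last-two-labels rule; use a public-suffix list in production
    return ".".join(qname.split(".")[-2:])

def build_baseline(log):  # registered domains seen during the approved-traffic window
    return {registered_domain(q) for _, _, q in parse(log)}

def label_entropy(qname):  # Shannon entropy (bits) of the leftmost label
    label = qname.split(".")[0]
    return -sum(n / len(label) * math.log2(n / len(label)) for n in Counter(label).values())

def hunt(log, baseline, max_entropy=3.5, max_label=20):
    """Return (ts, host, qname, reasons) for queries that deviate from the baseline."""
    findings = []
    for ts, host, qname in parse(log):
        reasons = []
        if registered_domain(qname) not in baseline:
            reasons.append("domain not in baseline")
        if len(qname.split(".")[0]) > max_label:
            reasons.append("long leftmost label")
        if label_entropy(qname) > max_entropy:
            reasons.append("high-entropy label")
        if reasons:
            findings.append((ts, host, qname, reasons))
    return findings

def hosts_to_investigate(findings, threshold=2):  # hosts with repeated anomalies
    return {h for h, n in Counter(f[1] for f in findings).items() if n >= threshold}
```

The entropy and label-length checks catch random-looking names even under an approved registered domain, which the baseline membership check alone would not flag. Run `hunt(HUNT_LOG, build_baseline(BASELINE_LOG))` to see the three constructed anomalies, two of them from the same host.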
That means additional solutions that cost clients even more money. Since they’re in many cases already balking at the higher price that comes with an effective cybersecurity solution, it can be a hard sell.
Michael Stolarczyk, vice president, cloud managed services at MSP Veristor, says as 2018 progressed, even customers that acknowledged an increasing number of endpoint threats wouldn’t face the possibility that their businesses would be hit by an attack. In many cases, customers would fall back on their insurance policies as a defense tactic. Even organizations that saw the threat for what it was were slow to implement solutions to protect against advanced cyberattacks.
“Once some of them embraced the realization that it is not if, but when, they tasked their CIO to make it happen within the existing budget,” said Stolarczyk with frustration. “Not possible, as annual budgets were spent by midyear on hardware, maintenance licensing and legacy infrastructure that is already too old to effectively cover with a real data resiliency program and platform.”
So how do MSPs convince their clients that the threat is immediate and sell them on additional solutions? It isn’t easy, said our partners. Paul Breitenbach, CIO at CompassMSP, compares the malware to a document that hasn’t yet been saved to the hard drive.
“Fileless malware is like that, where it’s present on your system just residing in a temporary space in memory and, if allowed to run from that temporary space, can do just as much damage or more than a piece of malware that was in a file that had been saved to your device first,” explains Breitenbach. “Hackers have exploited this tactic and now commonly use this to breach systems.”
Once a client is sold on the need for extra layers of security, then it’s time for MSPs to bring their value proposition into the conversation. There are products specifically geared toward fileless malware, as well as features within Windows that can lock down applications, scripts and commands. But though this type of attack is different from the usual type of malware, the best prevention method is the same: Be proactive in your security strategy and train clients in user behavior.
How to Repel Fileless Malware Attacks
Stolarczyk says that blockchain applications will be the new targets of bad actors because of their “surgical strike” capabilities. Blockchain is still a foreign concept to many end users, and attackers can leverage this ignorance to hide in little-known protocols and platforms. These “sharpshooter” techniques can also take advantage of IoT devices, not just PC hard drives. While Stolarczyk says there’s a possibility that threat detection keeps pace with attackers’ capabilities, the only way to combat these blockchain attacks is with backup and disaster recovery (BDR) solutions that provide journaling and replication of systems.
But perhaps the first line of defense is to lock down the Windows applications and protocols that allow bad actors to worm their way into a machine’s RAM in the first place. Goettl advises the following best practices to combat fileless malware.
- Patch management is critical to preventing attacks of all kinds. Make sure your endpoints and servers are included in the patch cycle to maximize threat protection, and apply Microsoft patches promptly: since known exploits exist, give these fixes top priority.
- Advanced application control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
- Disable macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
- Advanced antivirus technology that works at the kernel level gives you, in most cases, the most powerful means of addressing the threat.
- Privilege management is essential to limiting threats by giving users the exact level of rights they need to get their jobs done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cybercriminals access to OS tools that will introduce a fileless infection.
- Isolation policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
- Insight tools give you a better view into your most vulnerable systems, and techniques such as web application firewalls (WAFs) can protect systems that are potentially exposed.
- Enforce policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.
The important takeaway is that MSPs – and their clients – need to be proactive and vigilant when it comes to malware of any kind. Yes, technology must be pulled together to build as comprehensive a cyberdefense as possible, but service providers can’t overstate the critical nature of end-user security awareness training. As long as users are clicking on that unverified link, MSPs have little hope of protecting against fileless malware.