© 2018 BluVector, Inc.
Threat actors are increasing their use of fileless
malware for one simple reason: most organizations
aren't prepared to detect it. Education is the first step in
determining what threat these new attacks pose and what
you can do to detect and stop fileless malware attacks.
READ THIS PAPER to understand how fileless malware is quickly evolving to
avoid detection, the techniques currently employed to prevent infection and
the strategies security teams need to consider when determining how to stop
future fileless breaches.
The Rising Threat of
Fileless Malware
Contents
Executive Summary: The Rising Threat of Fileless Malware
Understanding File-based vs. Fileless Attacks
Traditional Host- and Network-Based Defense Strategies
Four Common Defense Solutions (Why They Fail Against Fileless)
Challenges to Finding Fileless Attacks
Solutions to the Challenge of Fileless Malware
A Network-Based Approach to Detecting Fileless Attacks
Examples of Recent Fileless Attacks
Conclusion
About BluVector
Executive Summary:
The Rising Threat of Fileless Malware
Fileless malware is a significant and increasing threat. While
awareness of that fact is growing, there’s still confusion among
security practitioners and vendors about the nature of the threat
and the requirements for a successful defense strategy. Part of that
confusion is because most of the security methods, solutions and
routines used to detect and prevent cybersecurity threats remain
firmly grounded in addressing file-based attacks.
As with any new type of cyber threat, many security-focused professionals need a point of
reference, or newsworthy attack, as their driver for altering, updating or replacing their
current security workflows.
The goal of every security organization is
not to be the first victim of that attack.
A recent survey by Ponemon, The 2017 State of Endpoint Security Risk, showed that
fileless attacks rose, as a percent of all malware attacks, from 20% in 2016 to 29% in 2017.
It estimated that in 2018, fileless attacks would rise to 35%. Of the 54% of respondents
that indicated they were compromised by at least one attack, 77% said those successful
breaches were from fileless attacks.
The goal of this white paper is to empower you, the security professional, with knowledge
you can use to better understand, prepare for and detect fileless threats. In time, fileless
malware threats will be commonplace. Educating yourself early can significantly enhance
your security readiness today for better security tomorrow.
Understanding File-based vs. Fileless Attacks
True fileless attacks exploit the target system without any file being resident. The entirety of the
attack occurs in memory, leaving no trace of the attack on the file system. These attacks have
been used in the delivery of all types of malicious content. To date, fileless attacks primarily focus
on the exploitation of web browsers and their plug-ins. The exploit is introduced by leveraging
obfuscated JavaScript or HTML code. This obfuscated code either directly exploits the browser or
downloads additional content, such as Flash, that exploits common browser plugins.
After exploitation, additional malicious payloads could include ransomware, espionage tools,
banking Trojans or destructive malware. Since the systems are already compromised, retrieval of
the payloads can be performed using custom encryption protocols to bypass security inspection.
These payloads may exhibit full memory-residence and use PowerShell for reconnaissance and
lateral movement. Combining advanced fileless attack techniques with memory-resident malware
and living-off-the-land methods represents major challenges for traditional defensive techniques
at both the network and host level.
Once the target is compromised, fileless attacks typically load their malicious payloads into
already running system processes, where they can operate invisibly until the system is powered
down or rebooted. In most cases, fileless malware operates exclusively in RAM and leaves no
artifacts for post-event forensic analysis. However, other fileless strains attempt to achieve
persistence by writing files to hidden directories or by modifying the operating system registry.
Fileless attacks are often used as the initial vector for entering a system, disabling or
circumventing tools used to detect more malicious file-based attacks. Once completed, these
fileless attacks may move to a new stage which utilizes file-based methods. Thus, tools created
to detect file-based attacks might incorrectly report that the initial attack was file-based, if they
catch the attack at all.
There is some confusion around what is and isn’t a fileless attack. Attacks should not be
characterized as fileless if critical phases are transported within a file, such as a Word or Excel
document containing a malicious macro or a zip file containing malicious code. File-based threats
like these are commonly associated with phishing exploits and weaponized attachments, which
cannot infect a host unless the file is opened by an unwary user. The resulting malware may
operate entirely in RAM or write and modify system files to achieve persistence or to compromise
system resources. Some of these attacks may also leverage common system utilities, such as
PowerShell, to move laterally within an organization without leaving evidence on the host file
system. These file-based attacks are sometimes miscategorized as fileless attacks because they
do not produce files on the victim's machine. However, they are better categorized as memory-
resident malware or living-off-the-land attacks.
Traditional Host- and Network-Based Defense Strategies
There are a range of different defenses that organizations have adopted to protect their networks
from malicious attacks. These include signature-based solutions including anti-virus (AV) and
firewalls, file sandboxes, host-based systems and anomaly detection. Many of these were designed
to detect files or traditional threat attributes. Therefore, most don’t work against fileless attacks,
and others only provide a partial or after-the-fact solution. This section goes into detail about each
of these types of defense and the capabilities and limitations of each.
These solutions generally use a combination of signatures for files, called hashes, and URLs or
IPs of known malicious or compromised systems. Fileless malware is designed to bypass these
traditional defenses. First, the lack of an actual file bypasses file signature-based detection as
there is no file on which to base a signature. Therefore, even once the attack becomes known,
it still bypasses signature-based detection. Second, attackers utilize different registered and
compromised points as the location to start their attack, bypassing the value of IP or URL
signatures. This means the exact same attack can bypass these defenses again and again, just by
changing the point of origin.
UNDERSTANDING THE THREAT

FILE-BASED
File Types:
» Executable file
» Script embedded in a format that executes scripts (PDF, Word, Excel)
Targets:
» Executable file with single targeted OS / patch level combination
Obfuscation Methods:
» Encrypt file
» Archive file
» Executable file disguised as another type of file
» Executable file embedded in another file

FILELESS
Scripts / Methods:
» JavaScript
» Windows Management Instrumentation (WMI)
» PowerShell
» Flash
» WScript / CScript
Targets:
» Can target many different OS / patch level combinations
Obfuscation Methods:
» Encoding
» Escaped ASCII/Unicode values
» String splitting
» Encryption
» Randomization
» Data obfuscation
» Logic structure obfuscation
» White space
Four Common Defense Solutions
(Why They Fail Against Fileless Attacks)
1. Anti-virus detection. Anti-virus was designed to detect malicious, known threats through signatures. Fileless malware has no file to compare a signature to, and fileless attacks do not conform to a given signature. This combination allows fileless malware to slip right past AV detection.

2. File sandboxes. Sandboxes are often included in traditional defenses as a second line for detecting threats missed by signatures. However, sandboxes are not effective against fileless attacks because they are only sent suspicious files. Since fileless attacks don’t have files, there is nothing to send for analysis.

3. Behavior-based heuristics and unsupervised machine learning. These technologies can be effective at detecting anomalous behavior in systems that have already been compromised. However, these approaches generally fail to prevent the initial compromise and require significant abnormal activity in order to detect a breach. Part of the failing of these systems is that fileless attacks are designed to look like normal traffic, so they often don’t show up as an anomaly. The detections from these solutions can also be lost in the noise as they alert on all abnormal activity. Abnormal activity could be someone shopping for their spouse's birthday on a company computer, introduction of a new process or tool, or even a new hire.

4. Endpoint-based detection. This strategy relies on host-based defenses to protect the infrastructure. Many of these host solutions have started adding methods to detect fileless malware, but they have serious limitations:
• Only work on systems that have them loaded. Systems without a host-based
solution are vulnerable. Many assets do not support host-based products or are
often overlooked, including network infrastructure like switches, cloud-based
resources, mobile and IoT, all of which may have access to corporate information.
• Impact system performance, which means an impact to user productivity. This
can often drive end-users to turn off their security systems entirely.
• Many fileless attacks utilize standard system protocols to exploit systems. These
are designed explicitly to bypass host-based protections.
• Management on all endpoints in an environment can mean managing thousands
or even tens of thousands of devices.
Challenges to Finding Fileless Attacks
Without signatures to detect fileless malware attacks, security systems fail to find these critical
attack vectors early enough in the kill chain to prevent damage. Detecting fileless malware
requires a very different kind of defense strategy. There are five major challenges that a
solution needs to address in order to detect fileless attacks:
1. Environment: Analyzing fileless code in an OS-agnostic method. Malicious attacks are
often designed to operate on a specific OS and product patch level configuration. For example,
the attack might require a specific version of Windows and that Firefox be installed, both at
a specific patch level. This specificity is one method by which attackers can target individual
systems and avoid detection by sandboxes or other environment-restricted defenses.
2. Obfuscation: Identifying and recovering concealed and obfuscated code for analysis.
Fileless exploits often attempt to conceal malware code using obfuscation techniques such as
XOR or string encoding. The true intent of a script will not become visible unless the targeted
execution environment includes the software components the malware is designed to
compromise. Exploit kits typically target a limited set of execution environments, so malware
may self-terminate if it encounters an incompatible system.
3. Performance: Detecting a broad spectrum of fileless attacks with no impact on host
and network performance. Fileless attacks are hidden within the web-based transactions
going on within a network. To isolate them from the majority of benign activity, all web traffic
using JavaScript must be analyzed, and almost all webpages employ some JavaScript. This
represents an enormous challenge for network-based detection of fileless attacks. The network
intrusion detection system must examine tens to hundreds of transactions per second if it
attempts to detect fileless attacks.
4. Analysis: Determining what the recovered code can do if executed and whether
these are benign operations or typical of malicious intent. Many benign applications and
processes use scripts. These same scripts write cookies and perform other operations which
involve making changes to the host. This is the same for other types of scripts and methods
used by fileless attacks. Distinguishing these normal operations from malicious ones is the core
of fileless detection.
5. Real Time: Detecting threats in real time, not minutes, hours, or days after the
compromise. Post-processing systems are designed to look for malicious activity after the
event. These include sandboxes and anomaly detection. While these may eventually find the
threat, they often don’t discover the attack until one or more systems have already been
compromised.
Solutions to the Challenge of Fileless Malware
Finding fileless malware before the breach is not a simple task. A solution must be capable
of detecting fileless malware regardless of OS, handle code obfuscation, operate at network
speed, perform true analysis of the code, and do all of this in real time. Let’s take a second look
at these five challenges, while defining the requirements necessary to address them.
1. Environment. While files and executables are often OS-dependent, scripting languages
are designed to be cross-platform. This capability is what fileless malware providers use as
their method of targeting a range of hosts, servers and network devices. Scripts can be part of
standard network traffic, included in emails or embedded in files. Solutions must be capable of
detecting and extracting any scripts from the network traffic in order to protect against these
cross platform threats.
2. Obfuscation. Unconcealed fileless attacks are in the minority as obfuscation techniques are
common and easy to apply. Another capability required by solutions for fileless malware is the
ability to detect when obfuscation is present, to remove that obfuscation and to understand the
intent beneath. As there are many methods of obfuscation, this capability can’t be limited to a
single method of deobfuscation. If the code is capable of being executed at the endpoint, or if
it can be run in conjunction with code at the endpoint, it needs to be deciphered and analyzed
before it executes and infects the target.
3. Performance. Any solution needs to operate at the same speed as the network that it
is protecting. Any solution that only handles a percentage of the traffic that it inspects can
potentially miss fileless attacks. Fileless malware solutions must be capable of analyzing all
network traffic (including email).
4. Analysis. As malware actors sell their successful attack tools on the black market, techniques
to hide malicious activity are becoming more ubiquitous. Also, the practice of sandbox evasion
has become common, as attackers discover methods to avoid standard evaluation via execution.
Solutions must include methods that look at all the execution paths and options of code in order
to find the malicious code hidden among the benign.
5. Real Time. Some solutions find attacks after the point of compromise. Those solutions are
focused on limiting, not eliminating, the damage and expense caused by a compromise. The
issue with solutions focused on this strategy is that they start from the assumption of failure and
try to limit the hemorrhage of money and reputation. Solutions should combine detection of
fileless threats before the point of compromise with detection of compromised systems to truly
limit the impact to the organization.
A Network-Based Approach to Detecting Fileless
Attacks
BluVector’s Speculative Code Execution (SCE) engine was designed to detect fileless malware.
SCE considers what code can do if executed and evaluates whether these operations constitute a
potential threat. Heuristics are used over potential execution paths to determine if the behaviors
are malicious or benign. The detailed process used by SCE is:
• SCE translates scripts into an abstract syntax tree, data flow graph and control flow graph.
Together these are compiled into machine executable bytecode.
• The bytecode is then emulated in an appropriate environment such as a JavaScript
engine. Emulation allows for multiple paths and for controlled inspection of the execution
engine at critical times. SCE can emulate a different environment than the actual physical
environment. Therefore, regardless of the threat’s target environment, SCE can emulate
an environment to meet it. Emulation startup happens within milliseconds versus full
traditional execution tools that take several seconds to initiate.
• Functions associated with the deobfuscation of data within scripts are hooked so that
emulation can be paused and a record made of the state of key variables when these
functions are encountered.
• The emulator can see every sequence and can interrupt it at any time. So when certain
activities occur, such as changes to system memory or other string manipulation, the emulation
is halted and control is handed over so that the operation can be inspected and classified as
malicious or benign. Once all execution chains have been evaluated, SCE applies sophisticated rules
and behavioral heuristics to determine if the observed behaviors are benign or malicious.
• If code is found to be malicious, BluVector sends an alert to the SOC team to investigate
the threat and populates the BluVector dashboard with the applicable network metadata.
• BluVector can also help quarantine systems, drop connections or prevent malware
execution through its integration with Next-Generation Firewalls (NG-FW) and Endpoint
Detection and Response (EDR) systems.
• Thanks to its very targeted emulation-based approach, BluVector's SCE can analyze huge
quantities of network traffic for a broad spectrum of fileless threats while operating at
network speed.
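The process above, as an added toy illustration that is not BluVector's code and does not describe how SCE is actually implemented: a Python tree-walker over a hand-built AST for a tiny JavaScript-like subset that forks whenever a branch depends on an environment fact the analyst has not fixed (so every execution chain is covered), hooks the deobfuscation helpers to record what they recover, and applies simple capability heuristics once all chains have run. The node format, the environment keys, the heuristic rules and the sample script are all constructed assumptions.

```python
"""Toy speculative code execution over a tiny JavaScript-like AST (constructed example)."""
import re
from copy import deepcopy
from dataclasses import dataclass, field

DEOBFUSCATORS = {"String.fromCharCode", "unescape"}  # hooked: recovered output is recorded
EVAL_SINKS = {"eval", "Function"}                    # run attacker-built strings as code
SUSPECT_TOKENS = ("ActiveXObject", "WScript.Shell", "powershell", "http://", "https://")


@dataclass
class Chain:
    """One execution path: assumed environment, variable state and what the hooks saw."""
    env: dict                                      # known environment facts; missing = unknown
    vars: dict = field(default_factory=dict)
    tainted: set = field(default_factory=set)      # variables holding deobfuscated data
    path: list = field(default_factory=list)       # branch assumptions made on this chain
    findings: list = field(default_factory=list)   # (severity, message) pairs


def decode(fname, args):
    """Emulate the deobfuscation helpers that the hook intercepts."""
    if fname == "String.fromCharCode":
        return "".join(chr(int(c)) for c in args)
    if fname == "unescape":
        return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), args[0])
    raise ValueError(fname)


def evaluate(expr, chain):
    """Evaluate an expression node; returns (value, tainted)."""
    kind = expr[0]
    if kind == "lit":                                  # ("lit", value)
        return expr[1], False
    if kind == "var":                                  # ("var", name)
        return chain.vars.get(expr[1], ""), expr[1] in chain.tainted
    if kind == "call":                                 # ("call", fname, [arg exprs])
        fname = expr[1]
        args = [evaluate(a, chain) for a in expr[2]]
        argv, tainted = [v for v, _ in args], any(t for _, t in args)
        if fname in DEOBFUSCATORS:
            # Hook: emulation pauses here and the recovered plaintext is recorded.
            out = decode(fname, argv)
            chain.findings.append(("info", f"{fname} recovered {out!r}"))
            return out, True
        if fname in EVAL_SINKS and tainted:
            chain.findings.append(("high", f"{fname}() executes deobfuscated string {argv[0]!r}"))
        if tainted:
            hits = [t for t in SUSPECT_TOKENS for v in argv if isinstance(v, str) and t in v]
            if hits:
                chain.findings.append(("medium", f"recovered string references {hits}"))
        return None, tainted
    raise ValueError(kind)


def run(stmt, chain):
    """Emulate a statement; returns every chain it leads to (forks on unknown conditions)."""
    kind = stmt[0]
    if kind == "seq":                                  # ("seq", [stmts])
        chains = [chain]
        for s in stmt[1]:
            chains = [c for ch in chains for c in run(s, ch)]
        return chains
    if kind == "assign":                               # ("assign", name, expr)
        value, tainted = evaluate(stmt[2], chain)
        chain.vars[stmt[1]] = value
        chain.tainted.discard(stmt[1])
        if tainted:
            chain.tainted.add(stmt[1])
        return [chain]
    if kind == "expr":                                 # ("expr", expr)
        evaluate(stmt[1], chain)
        return [chain]
    if kind == "if":                                   # ("if", (env_key, expected), then, else)
        key, expected = stmt[1]
        if key in chain.env:                           # environment fixed: only one branch
            return run(stmt[2] if chain.env[key] == expected else stmt[3], chain)
        yes, no = chain, deepcopy(chain)               # unknown: explore both branches
        yes.path.append(f"{key} == {expected!r}")
        no.path.append(f"{key} != {expected!r}")
        return run(stmt[2], yes) + run(stmt[3], no)
    raise ValueError(kind)


def analyze(script, env=None):
    """Explore every execution chain, then apply the heuristics; returns (verdict, chains)."""
    chains = run(script, Chain(env=dict(env or {})))
    malicious = any(sev == "high" for c in chains for sev, _ in c.findings)
    return ("malicious" if malicious else "benign"), chains


# Constructed sample, equivalent to:
#   if (navigator.platform == "Win32") { s = String.fromCharCode(...); eval(s); }
#   else { document.write("Welcome"); }
# The char-code array is generated from HIDDEN here only to keep the sample readable.
HIDDEN = "location.href='http://landing.example.invalid/'"   # placeholder, not a real host
SAMPLE = ("if", ("platform", "Win32"),
          ("seq", [("assign", "s", ("call", "String.fromCharCode", [("lit", ord(c)) for c in HIDDEN])),
                   ("expr", ("call", "eval", [("var", "s")]))]),
          ("expr", ("call", "document.write", [("lit", "Welcome")])))

if __name__ == "__main__":
    verdict, chains = analyze(SAMPLE)                  # platform unknown: both chains explored
    print(verdict, [(c.path, c.findings) for c in chains])
```

Running it with {"platform": "Linux"} fixed, as a sandbox pinned to one environment would, explores only the benign branch and returns "benign", which is the environment challenge described in the previous sections.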
Examples of Recent Fileless Attacks
MALWARE / DESCRIPTION

UIWIX: Launched shortly after WannaCry, this attack exploited the same vulnerabilities as WannaCry, but was completely fileless. Additionally, UIWIX was found to terminate itself if it detected a virtual machine or sandbox, allowing it to evade traditional sandbox detection.

Cobalt Kitty: This espionage campaign was seen targeting an Asia-based global corporation. The attack vector was a spearphishing campaign and resulted in the compromise of many senior executives’ computer systems.

BadRabbit: A ransomware campaign that utilized fileless malware as the attack vector, compromising machines, encrypting them and then holding them ransom, all without any file-based malware required.
Conclusion
Fileless malware is continuing to evolve at a rapid pace, and most organizations lack the proper
detection solutions required to detect these threats. As identified earlier, it is expected that
over one-third of malware attacks in 2018 will utilize fileless malware.
Organizations need to invest in solutions that will detect these attacks. However, even with
the growth of fileless malware, security budgets are not increasing and the number of trained
cybersecurity professionals is not growing at a rate to fill the open positions.
Powered by BluVector SCE, an organization can quickly add fileless malware detection to their
security stack. BluVector, as a passive detection solution, can be added to a network without
any impact to the existing network or host performance. The solution can be installed and fully
operational in under 30 minutes, drastically improving an organization’s security profile from
day one.
BluVector integrates into an organization’s existing infrastructure and acts as a part of the
security fabric, requiring very little management and reducing the overall workload from
detection to remediation.
About BluVector
BluVector is revolutionizing network security with state-of-the-art AI, sensing and responding to the
world's most sophisticated threats in real time. With the unmatched advantage of 8 years of work with
the US Intel Community and their threat data, only BluVector has the proven ability to protect against
emerging threats on average 13 months in advance.
Stop waiting for breaches to happen. Get ahead of the threat.
BLUVECTOR MLE
BluVector MLE is a patented supervised Machine
Learning Engine that was developed within the
defense and intelligence community to accurately
detect zero-day and polymorphic malware in
real time. Unlike unsupervised machine learning,
which is leveraged by most security vendors
today, BluVector MLE algorithms were pre-
trained to immediately identify malicious content
embedded within common file formats like Office
documents, archives, executables, .pdf, and
system updates. The result: 99.1%+ detection
accuracy upon installation.
BLUVECTOR SCE
BluVector SCE is the security market’s first
analytic specifically designed to detect
fileless malware as it traverses the network.
By emulating how the malware will behave
when it is executed, the Speculative Code
Execution engine determines, at line speed,
what an input can do if executed and to
what extent these behaviors might initiate
a security breach. By covering all potential
execution chains and focusing on malicious
capacity rather than malicious behavior, the
analytic technology vastly reduces the number
of execution environments and the quantity
of analytic results that must be investigated.
The result: 99%+ detection accuracy of this
otherwise “invisible” threat.
www.bluvector.io • 571.565.2100
Learn more about BluVector
Poly-meta-morphic malware looks different each time it is stored on di.docxPoly-meta-morphic malware looks different each time it is stored on di.docx
Poly-meta-morphic malware looks different each time it is stored on di.docx
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptx
 
Apt zero day malware
Apt zero day malwareApt zero day malware
Apt zero day malware
 
Contending Malware Threat using Hybrid Security Model
Contending Malware Threat using Hybrid Security ModelContending Malware Threat using Hybrid Security Model
Contending Malware Threat using Hybrid Security Model
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Malware in penetration testing 1
Malware in penetration testing 1Malware in penetration testing 1
Malware in penetration testing 1
 

Kürzlich hochgeladen

一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...kumargunjan9515
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理AS
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...gragchanchal546
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 

Kürzlich hochgeladen (20)

一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 

The Rising Threat of Fileless Malware

Executive Summary:
The Rising Threat of Fileless Malware

Fileless malware is a significant and increasing threat. While awareness of that fact is growing, there’s still confusion among security practitioners and vendors about the nature of the threat and the requirements for a successful defense strategy. Part of that confusion is because most of the security methods, solutions and routines used to detect and prevent cybersecurity threats remain firmly grounded in addressing file-based attacks.

As with any new type of cyber threat, many security-focused professionals need a point of reference, or newsworthy attack, as their driver for altering, updating or replacing their current security workflows.

The goal of every security organization is not to be the first victim of that attack.

A recent survey by Ponemon, The 2017 State of Endpoint Security Risk, showed that fileless attacks rose, as a percent of all malware attacks, from 20% in 2016 to 29% in 2017. It estimated that in 2018, fileless attacks would rise to 35%. Of the 54% of respondents that indicated they were compromised by at least one attack, 77% said those successful breaches were from fileless attacks.

The goal of this white paper is to empower you, the security professional, with knowledge you can use to better understand, prepare for and detect fileless threats. In time, fileless malware threats will be commonplace. Educating yourself early can significantly enhance your security readiness today for better security tomorrow.
Understanding File-based vs. Fileless Attacks

True fileless attacks exploit the target system without any file being resident. The entirety of the attack occurs in memory, leaving no trace of the attack on the file system. These attacks have been used in the delivery of all types of malicious content.

To date, fileless attacks primarily focus on the exploitation of web browsers and their plug-ins. The exploit is introduced by leveraging obfuscated JavaScript or HTML code. This obfuscated code either directly exploits the browser or downloads additional content, such as Flash, that exploits common browser plugins. After exploitation, additional malicious payloads could include ransomware, espionage tools, banking Trojans or destructive malware. Since the systems are already compromised, retrieval of the payloads can be performed using custom encryption protocols to bypass security inspection. These payloads may exhibit full memory-residence and use PowerShell for reconnaissance and lateral movement. Combining advanced fileless attack techniques with memory-resident malware and living-off-the-land methods represents major challenges for traditional defensive techniques at both the network and host level.

Once the target is compromised, fileless attacks typically load their malicious payloads into already running system processes, where they can operate invisibly until the system is powered down or rebooted. In most cases, fileless malware operates exclusively in RAM and leaves no artifacts for post-event forensic analysis. However, other fileless strains attempt to achieve persistence by writing files to hidden directories or by modifying the operating system registry.

Fileless attacks are often used as the initial vector for entering a system, disabling or circumventing tools used to detect more malicious file-based attacks. Once completed, these fileless attacks may move to a new stage which utilizes file-based methods. Thus, tools created to detect file-based attacks might incorrectly report that the initial attack was file-based, if they catch the attack at all.

There is some confusion around what is and isn’t a fileless attack. Attacks should not be characterized as fileless if critical phases are transported within a file, such as a Word or Excel document containing a malicious macro or a zip file containing malicious code. File-based threats like these are commonly associated with phishing exploits and weaponized attachments, which cannot infect a host unless the file is opened by an unwary user. The resulting malware may operate entirely in RAM or write and modify system files to achieve persistence or to compromise system resources. Some of these attacks may also leverage common system utilities, such as PowerShell, to move laterally within an organization without leaving evidence on the host file system. These file-based attacks are sometimes miscategorized as fileless attacks because they do not produce files on the victim's machine. However, they are better categorized as memory-resident malware or living-off-the-land attacks.
Traditional Host- and Network-Based Defense Strategies

There is a range of different defenses that organizations have adopted to protect their networks from malicious attacks. These include signature-based solutions including anti-virus (AV) and firewalls, file sandboxes, host-based systems and anomaly detection. Many of these were designed to detect files or traditional threat attributes. Therefore, most don’t work against fileless attacks, and others only provide a partial or after-the-fact solution. This section goes into detail about each of these types of defense and the capabilities and limitations of each.

These solutions generally use a combination of signatures for files, called hashes, and URLs or IPs of known malicious or compromised systems. Fileless malware is designed to bypass these traditional defenses. First, the lack of an actual file bypasses file signature-based detection as there is no file on which to base a signature. Therefore, even once the attack becomes known, it still bypasses signature-based detection. Second, attackers utilize different registered and compromised points as the location to start their attack, bypassing the value of IP or URL signatures. This means the exact same attack can bypass these defenses again and again, just by changing the point of origin.

UNDERSTANDING THE THREAT

FILE-BASED
File Types:
» Executable File
» Script embedded in a format that executes scripts (PDF, Word, Excel)
Targets:
» Executable file with single targeted OS / patch level combination
Obfuscation Methods:
» Encrypt file
» Archive file
» Executable file disguised as another type of file
» Executable file embedded in another file

FILELESS
Scripts / Methods:
» JavaScript
» Windows Management Instrumentation (WMI)
» PowerShell
» Flash
» WScript / CScript
Targets:
» Can target many different OS / patch level combinations
Obfuscation Methods:
» Encoding
» Escaped ASCII/Unicode values
» String splitting
» Encryption
» Randomization
» Data obfuscation
» Logic structure obfuscation
» White space
Four Common Defense Solutions (Why They Fail Against Fileless Attacks)

1. Anti-virus detection. Anti-virus was designed to detect malicious, known threats through signatures. Fileless malware has no file to compare a signature to, and fileless attacks do not conform to a given signature. This combination allows fileless malware to slip right past AV detection.

2. File sandboxes. Sandboxes are often included in traditional defenses as a second line for detecting threats missed by signatures. However, sandboxes are not effective against fileless attacks because they are only sent suspicious files. Since fileless attacks don’t have files, there is nothing to send for analysis.

3. Behavior-based heuristics and unsupervised machine learning. These technologies can be effective at detecting anomalous behavior in systems that have already been compromised. However, these approaches generally fail to prevent the initial compromise and require significant abnormal activity in order to detect a breach. Part of the failing of these systems is that fileless attacks are designed to look like normal traffic, so they often don’t show up as an anomaly. The detections from these solutions can also be lost in the noise as they alert on all abnormal activity. Abnormal activity could be someone shopping for their spouse's birthday on a company computer, introduction of a new process or tool, or even a new hire.

4. Endpoint-based detection. This strategy relies on host-based defenses to protect the infrastructure. Many of these host solutions have started adding methods to detect fileless malware, but they have serious limitations:
• Only work on systems that have them loaded. Systems without a host-based solution are vulnerable. Many assets do not support host-based products or are often overlooked, including network infrastructure like switches, cloud-based resources, mobile and IoT, all of which may have access to corporate information.
• Impact system performance, which means an impact to user productivity. This can often drive end-users to turn off their security systems entirely.
• Many fileless attacks utilize standard system protocols to exploit systems. These are designed explicitly to bypass host-based protections.
• Management on all endpoints in an environment can mean managing thousands or even tens of thousands of devices.
Challenges to Finding Fileless Attacks

Without signatures to detect fileless malware attacks, security systems fail to find these critical attack vectors early enough in the kill chain to prevent damage. Detecting fileless malware requires a very different kind of defense strategy. There are five major challenges that a solution needs to address in order to detect fileless attacks:

1. Environment: Analyzing fileless code in an OS-agnostic method. Malicious attacks are often designed to operate on a specific OS and product patch level configuration. For example, the attack might require a specific version of Windows and that Firefox be installed, both at a specific patch level. This specificity is one method by which attackers can target individual systems and avoid detection by sandboxes or other environment-restricted defenses.

2. Obfuscation: Identifying and recovering concealed and obfuscated code for analysis. Fileless exploits often attempt to conceal malware code using obfuscation techniques such as XOR or string encoding. The true intent of a script will not become visible unless the targeted execution environment includes the software components the malware is designed to compromise. Exploit kits typically target a limited set of execution environments, so malware may self-terminate if it encounters an incompatible system.

3. Performance: Detecting a broad spectrum of fileless attacks with no impact on host and network performance. Fileless attacks are hidden within the web-based transactions going on within a network. To isolate them from the majority of benign activity, all web traffic using JavaScript must be analyzed, and almost all webpages employ some JavaScript. This represents an enormous challenge for network-based detection of fileless attacks. The network intrusion detection system must examine tens to hundreds of transactions per second if it attempts to detect fileless attacks.

4. Analysis: Determining what the recovered code can do if executed and whether these are benign operations or typical of malicious intent. Many benign applications and processes use scripts. These same scripts write cookies and perform other operations which involve making changes to the host. This is the same for other types of scripts and methods used by fileless attacks. Distinguishing these normal operations from malicious ones is the core of fileless detection.

5. Real Time: Detecting threats in real time, not minutes, hours, or days after the compromise. Post-processing systems are designed to look for malicious activity after the event. These include sandboxes and anomaly detection. While these may eventually find the threat, they often don’t discover the attack until one or more systems have already been compromised.
Solutions to the Challenge of Fileless Malware

Finding fileless malware before the breach is not a simple task. A solution must be capable of detecting fileless malware regardless of OS, handle code obfuscation, operate at network speed, perform true analysis of the code, and do all of this in real time. Let’s take a second look at these five challenges, while defining the requirements necessary to address them.

1. Environment. While files and executables are often OS-dependent, scripting languages are designed to be cross-platform. This capability is what fileless malware providers use as their method of targeting a range of hosts, servers and network devices. Scripts can be part of standard network traffic, included in emails or embedded in files. Solutions must be capable of detecting and extracting any scripts from the network traffic in order to protect against these cross-platform threats.

2. Obfuscation. Unconcealed fileless attacks are in the minority as obfuscation techniques are common and easy to apply. Another capability required by solutions for fileless malware is the ability to detect when obfuscation is present, to remove that obfuscation and to understand the intent beneath. As there are many methods of obfuscation, this capability can’t be limited to a single method of deobfuscation. If the code is capable of being executed at the endpoint, or if it can be run in conjunction with code at the endpoint, it needs to be deciphered and analyzed before it executes and infects the target.

3. Performance. Any solution needs to operate at the same speed as the network that it is protecting. Any solution that only handles a percentage of the traffic that it inspects can potentially miss fileless attacks. Fileless malware solutions must be capable of analyzing all network traffic (including email).

4. Analysis. As malware actors sell their successful attack tools on the black market, techniques to hide malicious activity are becoming more ubiquitous. Also, the practice of sandbox evasion has become common, as attackers discover methods to avoid standard evaluation via execution. Solutions must include methods that look at all the execution paths and options of code in order to find the malicious code hidden among the benign.

5. Real Time. Some solutions find attacks after the point of compromise. Those solutions are focused on limiting, not eliminating, the damage and expense caused by a compromise. The issue with solutions focused on this strategy is that they start from the assumption of failure and try to limit the hemorrhage of money and reputation. Solutions should combine detection of fileless threats before the point of compromise with detection of compromised systems to truly limit the impact to the organization.
A Network-Based Approach to Detecting Fileless Attacks

BluVector’s Speculative Code Execution (SCE) engine was designed to detect fileless malware. SCE considers what code can do if executed and evaluates whether these operations constitute a potential threat. Heuristics are used over potential execution paths to determine if the behaviors are malicious or benign. The detailed process used by SCE is:

• SCE translates scripts into an abstract syntax tree, data flow graph and control flow graph. Together these are compiled into machine executable bytecode.
• The bytecode is then emulated in an appropriate environment such as a JavaScript engine. Emulation allows for multiple paths and for controlled inspection of the execution engine at critical times. SCE can emulate a different environment than the actual physical environment. Therefore, regardless of the threat’s target environment, SCE can emulate an environment to meet it. Emulation startup happens within milliseconds versus full traditional execution tools that take several seconds to initiate.
• Functions associated with the deobfuscation of data within scripts are hooked so that emulation can be paused and a record made of the state of key variables when these functions are encountered.
• The emulator can see every sequence and can interrupt it at any time. So when certain activities occur, like changes to system memory or other string manipulation, the emulation is halted, and the process is handed over to inspect that operation to determine whether it is malicious or benign. Once all execution chains have been evaluated, SCE applies sophisticated rules and behavioral heuristics to determine if the observed behaviors are benign or malicious.
• If code is found to be malicious, BluVector sends an alert to the SOC team to investigate the threat and populates the BluVector dashboard with the applicable network metadata.
• BluVector can also help quarantine systems, drop connections or prevent malware execution through its integration with Next-Generation Firewalls (NG-FW) and Endpoint Detection and Response (EDR) systems.
• Thanks to its very targeted emulation-based approach, BluVector's SCE can analyze huge quantities of network traffic for a broad spectrum of fileless threats while operating at network speed.
Examples of Recent Fileless Attacks

UIWIX: Launched shortly after WannaCry, this attack exploited the same vulnerabilities as WannaCry, but was completely fileless. Additionally, UIWIX was found to terminate itself if it detected a virtual machine or sandbox, allowing it to evade traditional sandbox detection.

Cobalt Kitty: This espionage campaign was seen targeting an Asia-based global corporation. The attack vector was a spearphishing campaign and resulted in the compromise of many senior executives’ computer systems.

BadRabbit: A ransomware campaign that utilized fileless malware as the attack vector, compromising machines, encrypting them and then holding them ransom, all without any file-based malware required.

Conclusion

Fileless malware is continuing to evolve at a rapid pace, and most organizations lack the proper detection solutions required to detect these threats. As identified earlier, it is expected that over one-third of malware attacks in 2018 will utilize fileless malware. Organizations need to invest in solutions that will detect these attacks. However, even with the growth of fileless malware, security budgets are not increasing and the number of trained cybersecurity professionals is not growing at a rate to fill the open positions.

Powered by BluVector SCE, an organization can quickly add fileless malware detection to their security stack. BluVector, as a passive detection solution, can be added to a network without any impact to the existing network or host performance. The solution can be installed and fully operational in under 30 minutes, drastically improving an organization’s security profile from day one. BluVector integrates into an organization’s existing infrastructure and acts as a part of the security fabric, requiring very little management and reducing the overall workload from detection to remediation.
About BluVector

BluVector is revolutionizing network security with state-of-the-art AI, sensing and responding to the world's most sophisticated threats in real time. With the unmatched advantage of 8 years of work with the US Intel Community and their threat data, only BluVector has the proven ability to protect against emerging threats on average 13 months in advance. Stop waiting for breaches to happen. Get ahead of the threat.

BLUVECTOR MLE
BluVector MLE is a patented supervised Machine Learning Engine that was developed within the defense and intelligence community to accurately detect zero-day and polymorphic malware in real time. Unlike unsupervised machine learning, which is leveraged by most security vendors today, BluVector MLE algorithms were pre-trained to immediately identify malicious content embedded within common file formats like Office documents, archives, executables, .pdf, and system updates. The result: 99.1%+ detection accuracy upon installation.

BLUVECTOR SCE
BluVector SCE is the security market’s first analytic specifically designed to detect fileless malware as it traverses the network. By emulating how the malware will behave when it is executed, the Speculative Code Execution engine determines, at line speed, what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the analytic technology vastly reduces the number of execution environments and the quantity of analytic results that must be investigated. The result: 99%+ detection accuracy of this otherwise “invisible” threat.

www.bluvector.io • 571.565.2100
Learn more about BluVector