
Non-malware attacks grow – there are tools for IT security to fight back with

Patching, segmentation, other precautions can help block them

Senior Editor, Network World


More and more attackers are carrying out their work without using malware so they can evade detection by traditional, file-based security platforms, which presents a tough problem for security pros trying to defend against them.

Nearly two-thirds of security researchers polled by Carbon Black say they’ve noted an uptick in these attacks just since the beginning of the year, and aren’t confident that traditional anti-virus software can deal with them.


An earlier Carbon Black report included stats gathered from its customers that indicated these non-malware attacks, also called fileless attacks, had grown from 3% of all attacks to 13% over the course of last year.

Nearly all of the researchers say these attacks pose more of a risk to business than traditional file-based attacks.

That doesn’t mean the problem can’t be dealt with, according to Gartner, but there’s no sure way to block these attacks.

To protect themselves, enterprises should check with their endpoint protection platform (EPP) vendors and ask specifically what they do to protect against this type of attack, Gartner recommends in its report, “Get Ready for 'Fileless' Malware Attacks.”


Gartner also recommends using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which enforces restrictions on applications to protect them. For example, it supports data execution prevention (DEP), which monitors how applications use memory and can shut them down if they go beyond expected use. That is just one of the protections, and Gartner says to treat the EMET list as a minimum set of protections when evaluating EPP products.

Gartner says Chrome, Firefox, Internet Explorer, Microsoft Office, Java VM and Adobe products offer a good base of covered applications.

This type of attack compromises legitimate processes and applications to carry out malicious activity, and because those processes are legitimate, their activity after they have been compromised doesn’t raise any flags. The attacks don’t download malicious files, so there’s no malware to catch. They have employed JavaScript, Windows Management Instrumentation (WMI) (used to spread Stuxnet) and PowerShell.

The Carbon Black report lists the common types of non-malware attacks researchers reported seeing, with the percentage of respondents who saw each: remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).

Detecting these attacks requires vigilance, one respondent to Carbon Black’s questionnaire says. PowerShell should be monitored for unusual behavior, they say. “For instance, if it is trying to access an inordinate amount of files very quickly or trying to communicate outside of your network then these are some telltale signs of an attack,” the researcher says.

They also recommend checking the command line on PowerShell. “[I]f you look at the command line and see text that looks like it is unrecognizable or random instead of just English, that also is a red flag,” they say.
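The two tips quoted above, PowerShell that behaves unusually and a command line full of text that is not English, can be turned into a simple triage check. The script below is an added example, not code from the article, Carbon Black or Gartner. The records it scores are constructed in the shape an EDR or Sysmon process-creation feed might provide; the field names, the thresholds, and the abbreviation pattern for -EncodedCommand are assumptions to tune against your own baseline.

```python
"""Triage PowerShell process events for the warning signs quoted above.

Added example, not code from the article, Carbon Black or Gartner. Each
constructed record (field names are assumptions) carries the pid, the full
command line, how many files the process opened in the last 60 seconds, and
whether it made an outbound connection to an address outside the network.
"""
import base64
import math
import re
from collections import Counter

# Assumed thresholds; tune them to the environment's normal PowerShell use.
FILES_PER_MINUTE_THRESHOLD = 1000
LONG_TOKEN_MIN_LEN = 40
ENTROPY_MIN_BITS = 4.0

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc\w*)\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# A long run of base64 alphabet with no spaces is "text that is not English".
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def shannon_entropy(text):
    """Bits per character; readable command text sits well below 4.0."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_looking_tokens(cmdline):
    """Return the tokens an analyst would call 'random instead of English'."""
    hits = []
    for tok in cmdline.split():
        if B64_TOKEN.match(tok):
            hits.append(tok)
        elif (len(tok) >= LONG_TOKEN_MIN_LEN and "\\" not in tok
              and shannon_entropy(tok) >= ENTROPY_MIN_BITS):
            hits.append(tok)
    return hits


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)
    so the analyst can read it; None if there is no decodable payload."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return the reasons this event deserves a look (empty list = benign)."""
    cmd = event["cmdline"]
    reasons = []
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded command")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    for tok in random_looking_tokens(cmd):
        reasons.append(f"random-looking token ({shannon_entropy(tok):.2f} bits/char)")
    if event["files_touched_60s"] >= FILES_PER_MINUTE_THRESHOLD:
        reasons.append(f"touched {event['files_touched_60s']} files in 60s")
    if event["external_conn"]:
        reasons.append("outbound connection outside the network")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that raised at least one flag."""
    flagged = {}
    for event in events:
        reasons = score_event(event)
        if reasons:
            flagged[event["pid"]] = reasons
    return flagged


# Constructed sample: a harmless script body, encoded the way powershell.exe expects.
ENCODED = base64.b64encode("Get-Process | Select-Object -First 5".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"pid": 4121, "cmdline": r"powershell.exe -NoProfile -File C:\scripts\nightly_backup.ps1",
     "files_touched_60s": 12, "external_conn": False},
    {"pid": 4188, "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}",
     "files_touched_60s": 3, "external_conn": True},
    {"pid": 4203, "cmdline": r"powershell.exe -Command Get-ChildItem -Recurse C:\Users",
     "files_touched_60s": 8500, "external_conn": False},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
        decoded = decode_encoded_command(next(e["cmdline"] for e in SAMPLE_EVENTS if e["pid"] == pid))
        if decoded:
            print("    decoded:", decoded)
```

The scheduled backup script produces no reasons, the hidden-window encoded launch with an outbound connection produces four, and the recursive directory walk is flagged purely on its file-access rate, which is the point of keeping the behavioural signals separate from the command-line ones: a clean-looking command line does not clear a process that is touching thousands of files a minute.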

White-listing and black-listing applications can also help, as can general security hygiene chores like regular patching. Network segmentation can help contain these attacks until they are detected and shut down, Gartner says.

This story, "Non-malware attacks grow – there are tools for IT security to fight back with" was originally published by Network World.

Tim Greene covers security and keeps an eye on Microsoft for Network World.
