pogonici - Fotolia

How can I detect fileless malware attacks?

Monitoring process memory is one way to combat fileless malware attacks. Here's what you can do to protect your network against these campaigns.

Malwarebytes reported a recent spike in fileless malware attacks and suggested that enterprises monitor process memory to combat these threats. How can monitoring process memory stop fileless attacks and what are the best ways for enterprises to do this?

Having something on an endpoint that can perform as a security monitor -- a system component that enforces authorized access policies and which is referred to as a reference monitor in the U.S. Department of Defense Orange Book -- is critical to protecting the endpoint.

An endpoint security monitor is independent of the operating system and keeps track of any insecure configurations or malicious activity that could affect an endpoint. Windows antivirus software is used to monitor most endpoints; the software is designed to protect users against a wide variety of threats, including malware, adware, Trojans and file-based attacks.

Endpoint system memory monitoring -- although it can produce an overwhelming amount of data -- is a security tool enterprises should consider when assessing fileless malware attacks.

By monitoring memory, a security monitor can determine what commands were executed on a system, including the detection of fileless malware attacks that use PowerShell. Monitoring memory for a certain action being performed on a system -- regardless of the program that started executing the malicious code -- could be used to identify potentially harmful actions like configuring a program or script to execute on login or changing other aspects related to persistence on an endpoint. For example, memory monitoring could detect activities related to a Microsoft Word macro executing a complex PowerShell downloader as one of the stages in an attack.

Again, system memory monitoring can generate a tremendous amount of data. But enterprises can use tactics -- including behavioral rules or signatures -- to flag action sequences or attempts to access memory that are likely to be malicious. At that point, the system can generate an alert for an analyst to investigate.

Eventually, malware developers will find ways to overcome this line of defense, in part by avoiding detection by altering the APIs used to access memory in the same way they have tried to manipulate disk-access APIs. Endpoint security vendors will need to improve their anti-tampering protections to prevent these attacks from disabling or bypassing antivirus tools.

Malwarebytes Labs released a report examining the evolution of these fileless malware attacks. It recommends that endpoint security tools include functionality to monitor memory, as well as the ability to diagnose PowerShell-based attacks. If your endpoint security tool can't combat these types of attacks, determine when your vendor plans to add those capabilities or switch to a new product.

Next Steps

Applus inspection systems still down following malware attack

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing