In a previous article on minimizing fileless malware infections, we looked at some of the ways threat actors attack systems and how to best protect your enterprise from infection. We also discussed behaviors common to fileless malware, to aid in identifying systems that may potentially be affected by malicious code so that they can be remediated before the infection spreads.
This article will address additional security measures that can—and frankly should—be performed according to best practices to minimize the threat of exposure and to limit the attack surface of the devices on your network.
As with the previous article, this is by no means an exhaustive list, nor will performing every measure presented here insulate your network from the risk of compromise. Risk can't be eliminated, especially given the dynamic nature of technology, but it can be managed or mitigated to levels that organizations will find acceptable—and that is the key goal moving toward a security-focused policy.
1: Restrict account access using the principle of least privilege
When a user authenticates on a computer, they can work based on the privileges that have been assigned to their account by the administrator. The more rights they are given, the greater control they have in making changes to the operating system, which could affect other users on that same computer. Malware typically will execute at the same level as the user's account. If they're admins, a malware infection will have admin access to the device, allowing it to run unrestricted.
Conversely, if the user's account lacks administrative privilege over the host, malware could still theoretically execute—however, it will do so within the context of that user's limited access. As a result, it will not have access to the system files or any restricted directories that malware has come to rely upon to fully take over a host.
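The practical side of this point is knowing who actually holds local admin rights on a host. The following PowerShell script is an added example, not code from the article: it compares the members of the local Administrators group against an approved list (the list contents, the CONTOSO domain and the group names are placeholders for this example) and reports anything unexpected, then shows whether the current session itself is elevated, since that is the context any malware launched from it would inherit.

```powershell
# Added example (not from the article): audit local Administrators membership against an
# approved list so that everyday user accounts are not running with admin rights.
# Requires Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts module);
# run from an elevated session.

# Hypothetical approved list for this host; adjust to your environment.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\Domain Admins",        # placeholder domain group
    "CONTOSO\Workstation Admins"    # placeholder domain group
)

# Get-LocalGroupMember returns Name as COMPUTER\Account or DOMAIN\Account.
$Members = Get-LocalGroupMember -Group 'Administrators'

$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

if ($Unexpected) {
    Write-Warning "Accounts holding local admin rights that are not on the approved list:"
    $Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group matches the approved list."
}

# Whether this session is elevated: a process started from here, malware included,
# runs with exactly these rights.
$Identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$IsElevated = ([Security.Principal.WindowsPrincipal] $Identity).IsInRole(
                  [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output "Current session elevated: $IsElevated"
```

Running this on a schedule and alerting on a non-empty "unexpected" list is a simple way to catch privilege creep, such as a user who was temporarily added to Administrators for a software install and never removed.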
2: White-list authorized applications
Taking a note from the previous article's recommendation to disable unnecessary services, disabling applications (or not installing them in the first place) is a good way to protect against attacks that specifically target a type of application or a file type that the app uses, such as Adobe Flash, which is known to be a vector for an assortment of attacks. But what can be done about applications that are native to the system and can't be removed?
In scenarios where an application or framework, like PowerShell, can't be uninstalled because it's part of the Windows OS, enabling application white-listing can allow administrators to control which apps are available to users. White lists act as a sort of guest list for the operating system, which enables admins to define which apps are okay for end users. Only the applications on that list will be accessible by users; all others will be restricted. This can be implemented through third-party software applications or managed centrally through Microsoft's Group Policy Management Console for granular control over users and groups and the apps available to them. After all, if a non-admin user can't even launch PowerShell, attacks running in that context will fail to execute commands targeting PowerShell.
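As an added example of the PowerShell restriction described above (this is not code from the article), the following script builds an AppLocker executable-rule policy that lets everyone run what is installed under the Windows and Program Files directories, lets local Administrators run anything, and explicitly denies powershell.exe and powershell_ise.exe to members of BUILTIN\Users. The rule GUIDs are generated on the fly, the output path is arbitrary, and the policy starts in AuditOnly mode; all of these are assumptions for this example.

```powershell
# Added example (not from the article): AppLocker policy that blocks PowerShell for
# standard users. Deny rules take precedence over Allow rules in AppLocker, so the two
# deny rules win even though the Windows folder is allowed.
# Caveats: enforcement requires the Application Identity service (AppIDSvc) to be running
# and an edition that supports AppLocker enforcement (Enterprise/Education or Server).
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-545 = BUILTIN\Users.
# Admin accounts that are also members of BUILTIN\Users would be denied too; in practice
# target the deny rules at a dedicated "standard users" group SID instead.

$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny powershell.exe to Users" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny powershell_ise.exe to Users" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyPath = Join-Path $env:TEMP 'applocker-deny-powershell.xml'   # arbitrary path
$PolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run: show what a standard user would be allowed or denied under this policy.
Get-ChildItem "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell*.exe" |
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -User 'S-1-5-32-545'

# Apply locally (use -Ldap "LDAP://<GPO DN>" to write it into a domain GPO instead).
# Leave it in AuditOnly, watch the Microsoft-Windows-AppLocker/EXE and DLL log for
# event 8003 (would have been blocked) for a few days, then change EnforcementMode to "Enabled".
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Note that this only covers the 32/64-bit Windows PowerShell binaries under System32; the SysWOW64 copy and any separately installed PowerShell 7 (pwsh.exe) would need their own deny rules, and scripts launched through other hosts are governed by the Script rule collection rather than the Exe collection.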
3: Implement email gateway security filtering
Despite the popularity of text messaging and social media, thanks to smartphone market growth, email is still number one for collaborating on all levels in the enterprise. And in the last decade, it has also been the number one source for malware delivery. Even though administrators around the globe have worked to limit the delivery of unsolicited email, infected attachments, spam, and phishing campaigns are still delivered to millions of users each day.
One of the ways to stop these types of mail from entering your enterprise's network is through the use of spam filters that work to cut down on some of the bogus incoming mail. A second, more powerful solution is a dedicated email gateway filtering appliance. These stand-alone devices sit on your private network between the firewall and email server and inspect each incoming message destined for your email server. Using signature, behavioral, and heuristics-based scanners, the appliance works to effectively drop rogue messages that are found to be a match in any of the multiple databases used to query for threats.
4: Train users to deal with modern security threats
Training, believe it or not, is one of the most effective prevention tools that actually helps make IT's job a little easier. This isn't a technical solution, but a practical strategy. End users who are aware of threats and understand how to respond and interact during suspected attacks can contribute significantly to your security efforts.
Consider a trained end user versus one who is unaware of existing threats. The latter will typically perform behaviors that leave systems open to compromise, such as clicking links in emails from untrusted sources or leaving their computers unlocked while they're away. In contrast, a user who has been trained will know how to identify potential threats and understand their role in properly documenting and reporting these issues to IT in a timely manner. After all, cybersecurity is everyone's responsibility.
5: Monitor servers for unauthorized services, shares, and process threads
By default, most computing devices include some sort of logging activity. Many times, the type of logging that occurs can be set, including frequency, detail, and just as important, retention periods. Computers are certainly no exception, and let's face it, Windows logs just about everything. So how will poring through hundreds or even thousands of pages of log files help prevent fileless malware infections?
Prevention isn't the key, but minimizing the impact of a possible infection is. Fileless malware infections have been known to include the creation of new services for threat persistence, file shares to store downloaded scripts, shells, and/or payloads on infected systems for ease of spreading the infection. And of course they can hide in plain sight by keeping commands executed on infected hosts in resident memory or nested among process threads.
In fact, actively monitoring servers and clients for anomalous behaviors could yield indicators of compromise (IOCs) on local or remote systems early enough to enable IT to remediate any issues before additional devices become compromised or payloads become much more devastating to the organization and its data.
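To make the monitoring described in this section concrete, here is an added PowerShell example (not code from the article) that records a baseline of installed services and SMB shares on first run and, on later runs, reports anything that has been added or whose binary path has changed. It also pulls the Service Control Manager's "new service installed" events (ID 7045) and PowerShell script-block log entries (ID 4104) from a lookback window. The baseline file location, the 24-hour window and the keyword filter are assumptions for this example.

```powershell
# Added example (not from the article): baseline-and-diff check for new services and
# shares, plus the event log entries that fileless persistence tends to leave behind.
# Run from an elevated session. Event 4104 is only populated when the
# "Turn on PowerShell Script Block Logging" policy is enabled.
param(
    [string]$BaselinePath  = "$env:ProgramData\baseline-$env:COMPUTERNAME.json",  # assumed location
    [int]   $LookbackHours = 24                                                   # assumed window
)

function Get-HostSnapshot {
    # PathName is captured because a known service pointed at a new binary is as
    # interesting as a brand-new service.
    [pscustomobject]@{
        Services = @(Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode, StartName)
        Shares   = @(Get-SmbShare | Select-Object Name, Path)
    }
}

$Current = Get-HostSnapshot

if (-not (Test-Path $BaselinePath)) {
    $Current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath; rerun later to compare."
    return
}

$Baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

$NewServices = $Current.Services | Where-Object {
    $svc = $_
    -not ($Baseline.Services | Where-Object { $_.Name -eq $svc.Name -and $_.PathName -eq $svc.PathName })
}
$NewShares = $Current.Shares | Where-Object {
    $sh = $_
    -not ($Baseline.Shares | Where-Object { $_.Name -eq $sh.Name -and $_.Path -eq $sh.Path })
}

$Since = (Get-Date).AddHours(-$LookbackHours)

# 7045: Service Control Manager recorded the installation of a new service.
$ServiceInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } `
                                -ErrorAction SilentlyContinue

# 4104: script block logging. The keyword list is a constructed starting point for
# triage, not a complete signature set; tune it to what is normal on your hosts.
$ScriptBlocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } `
                             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'FromBase64String|DownloadString|Invoke-Expression|-EncodedCommand' }

[pscustomobject]@{
    NewOrChangedServices   = $NewServices
    NewShares              = $NewShares
    ServiceInstallEvents   = $ServiceInstalls | Select-Object TimeCreated, Message
    SuspiciousScriptBlocks = $ScriptBlocks    | Select-Object TimeCreated, Message
} | Format-List
```

Scheduling this to run daily and forwarding the output to a central collector turns the mass of Windows logging the section mentions into a short, reviewable list; the baseline should be refreshed deliberately after legitimate changes (a software rollout, a new file server share) so that only unplanned additions stand out.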
Has your organization been the target of fileless malware? What methods do you use to protect against it? Share your advice and experiences with fellow TechRepublic members.