It was bright and early – 8:00 AM – on the first day at Enfuse. I had just arrived at my first session, How to Combat Fileless Malware; I was a little nervous, but just as excited to be in Las Vegas to learn everything I could from professionals in my field of study. The audience was greeted by Lior Ben-Porat, a security researcher from a company called Hexadite. Over the next hour, Mr. Ben-Porat took us through exactly what fileless malware is, why it’s an increasing problem and how to combat it.
What is Fileless Malware?
Fileless malware, I learned, is essentially a system breach that doesn’t require any malicious files to reach the victim’s computer. Usually the attacker will use a convincing spam message or email that initiates a connection once a user accesses it. Once this connection is established, programs like Powershell are used to run commands that extract information without the user knowing. During the session we learned about Kovter, which is a (nearly) fileless malware that can maintain a connection for long periods of time through persistence. We even got to see Kovter in action through a live demonstration; it was eye-opening to see how much damage it can do without being noticed by the operating system.
Mr. Ben-Porat also talked about why fileless malware is such a problem. Since it is not technically malware – due to the fact that it doesn’t rely on any kind of software to work – most antivirus programs cannot detect it. Another issue is that it can go unnoticed for such a long time. A user will most likely not know they have been attacked as the scripts sit in their registry and remain undetected by antivirus software.
How to Combat Fileless Malware
Finally, we come to the solution: how do we actually combat fileless malware? Mr. Ben-Porat was able to summarize the solution into three categories: Suspect, Incriminate, and Remediate. The first step, suspecting, is probably the most difficult: in essence, you are trying to locate malware that wasn’t ever downloaded in the first place. The best thing you can do is learn your machine. Know what’s good and what’s supposed to be there. Also look at processes and compare their normal properties: it’s a big red flag if there is more than one of the same process running at one time.
Incrimination can be done with thorough analysis of the machine. Look at antivirus signatures and maybe try sandbox analysis to try and detect the offender. Unfortunately, each memory instance that you examine may be different from the last: to solve this, you can use distance metrics or hashing to find identical instances.
Finally, remediation: since the malware is in memory, you can terminate processes that you believe are infected, but don’t forget to look in the registry or NTFS for persistence.
After the Session
I learned so much from this session and I’m glad to have the opportunity to share my experience in this blog. It really opened my eyes to what other invisible threats are out there that we know nothing about. Unfortunately, fileless malware doesn’t seem like something that is very preventable at the moment; however, the information gained will give me and hopefully others the ability to catch it as soon as possible.
I decided to do some research about Hexadite after the conference and found some really cool things: they’re currently using artificial intelligence to help respond to attacks so the employees have more time to research and develop better ways to mitigate threats. Using AI for antivirus capabilities is great because it might someday be able to respond to attacks instead of just identifying them after they happen. Hexadite has also joined forces with Microsoft to remediate attacks even faster and to minimize the time that attacks affect companies all over the world.
I had an amazing time at Enfuse. I learned a ton of information from people who use Cybersecurity and Digital Forensics every single day. I was able to talk to a lot of digital forensics professionals about their careers and how they got there. I was able to get hands-on with new software that Guidance is introducing soon as well as valuable EnCase skills which I hadn’t been able to practice in the past. I’m very grateful for Champlain College and Guidance Software for giving me the opportunity to attend the conference; it was an experience that I will never forget and hope to see again. I encourage you to get yourself involved with the Leahy Center for Digital Investigation at Champlain if you want to gain great work experience and have the opportunity to attend Enfuse.