According to recent reports, system administrators and cybersecurity personnel have a new threat to worry about: so-called “fileless malware.” Kaspersky Lab first became aware of this new threat in 2015 and published detailed findings in early February, 2017 as the technique has become more widespread. Not only is this new kind of malware a very different type of threat to online security, but it also emphasizes the need for better security authentication methods than are widely used in the industry.
What It Is
Traditional malware is simply malicious software designed to compromise a system, collect information or disrupt operations. By its very nature, most malware to-date has resided on a computer or device in the form of files, either embedded in or masquerading as non-malicious files. Because malware assumed such a standard form, it was a relatively easy matter to keep a system malware-free by keeping anti-malware software up-to-date with the latest definitions and parameters to scan for.
In contrast, fileless malware is designed to hide itself outside the normal filesystem in parts of the computer not normally scanned, such as the random access memory or even the operating system kernel itself. As a result, unlike its traditional counterparts, fileless malware doesn’t rely on files to run, propagate and accomplish its purpose, making it virtually impossible to detect using standard means.
How It Was Discovered
One of the most recent incidents of fileless malware were discovered when a bank approached Kaspersky Labs after finding malware in the memory of one of their domain controllers. The malware was collecting administrator credentials in an effort to gain higher-security access to the bank's network, with the eventual goal of being able to withdraw money from ATMs.
Once Kaspersky Labs started investigating the malware, they discovered no fewer than 140 financial institutions, telecomm companies and government networks in 40 countries that had been infected by fileless malware.
How to Protect Your Organization
With the increasing deployment of fileless malware—security firm Carbon Black reported an increase in fileless malware from three to 13 percent in an 11-month period of 2016—finding a way to find and combat this new kind of malware is critical to ongoing security efforts.
The key to dealing with fileless malware lies in how the bank discovered it in their domain controller. The malware was not discovered by scanning files, but rather by observing aberrant behavior—the bank’s security personnel noticed administrator credentials being captured.
Commenting on what security personnel need to look for, Kurt Baumgartner, a principle security researcher at Kaspersky Lab, told Wired:
“Security teams could monitor for the unexpected creation of services on their systems, watch for unexpected tunneling traffic within their network, attempt to observe outbound traffic, and disable the use of PowerShell on their networks if it is unused.”
This is where behavioral biometrics comes in to play, and demonstrates yet another advantage over traditional authorization and security schemes. Rather than a never-ending cyber arms race of new malware being released, followed by new anti-malware definitions, followed by yet newer malware that circumvents them, behavioral biometrics completely changes the rules of the game.
By passively and transparently monitoring a system’s usage, looking for any suspicious behavior or activity, behavioral biometrics catches things that traditional anti-malware is simply not designed to look for. Already companies are reaping the benefits: one Latin American e-commerce site was able to prevent $500,000 in losses during last year’s Black Friday weekend, while one of the largest banks in the UK, NatWest, has used BioCatch to stop fraudulent transfer attempts, identify trojans, stop multi-vector attacks and protect its 14 million customers. In each of these cases, BioCatch was able to identify threats more efficiently than traditional anti-malware software—provided traditional software could identify the threat at all.
The growing battle against fileless malware will be no different, with behavioral biometrics proving to be an invaluable tool. By continuously and discretely doing exactly what Mr. Baumgartner has described above, behavioral biometrics will give system administrators and security personnel early warning and the ability to find and eliminate these threats.