What Are Encrypted and Fileless Malware?
Malware is a significant, and continuing, problem. A 2019 Verizon study shows that 28% of all data breaches involve malware, and new forms of malware and ransomware are emerging into the wild almost daily.
The challenge of fighting malware is that hackers are finding new ways to inject programs into systems. Even with advanced compliance and security guidelines in private and public markets, these hackers are working every technical and social angle possible to attack industrial, commercial and defense systems. And, unfortunately, it only takes one malicious program to completely bring a system to its knees. We’ve seen this most recently and publicly with the Colonial Pipeline ransomware attack, which cost the company $2.3M.
In the past 5 years, new forms of malware have emerged. Two of these, encrypted and fileless malware, have become more sophisticated and, thus, more dangerous. These attacks are harder to detect, using our existing security measures and assumptions about malware against us.
What is Encrypted Malware?
The notion of encrypted web traffic isn’t new, and thankfully so. A recent Google transparency report shows that up to 90% of all internet traffic is encrypted–great news for security-conscious organizations. However, encryption is only part of the battle against cyber attacks.
One sly way that attackers are getting malware into systems is by using the very thing that we trust to keep us secure: encryption.
Most malware enters a system like any other piece of information: through network connections, downloaded onto servers or workstations, and so on. Malware is often injected through trusted means, either by piggy-backing on trusted connections or by fooling users into downloading files they believe they can trust. In both cases, however, the files are typically detectable by anti-malware programs because of things like code signatures or other identifying markers or behaviors.
Encrypted malware complicates detection by literally masking the code of a malware program behind cryptography. Classic techniques like content scanning miss encrypted malware because the bytes on the wire or on disk look nothing like the signatures the scanner expects. Likewise, malware traveling over encrypted channels is more likely to pass network scanners, which cannot inspect the contents of an encrypted stream.
Once the malware is in a system, it’s just a matter of decrypting it and executing it. At that point, the damage is done.
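The following is an added example (not code from the original post) showing why a content signature stops matching once the payload is encrypted, and what a byte-entropy check adds as a second signal. Everything in it is constructed: the "signature" is a made-up marker string, the payload is a harmless text block, and the stand-in stream cipher (SHA-256 in counter mode) exists only to produce an encrypted sample. The container magic numbers are real, and the caveat they illustrate is the one a practitioner needs: compressed files are also high-entropy, so entropy alone is not a verdict.

```python
"""
Added example (not from the original post): a signature scan beside a
byte-entropy heuristic, run over constructed plaintext, encrypted and
compressed-looking samples. Marker, key and payload are all made up.
"""
import hashlib
import math
from collections import Counter
from typing import Optional

# Constructed "known bad" marker that the signature scanner looks for.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER-1234"

# Real magic numbers of legitimately high-entropy container formats. A blob
# that starts with one of these is expected to be near-random, so it must not
# be flagged on entropy alone; it should go to a format-aware scanner instead.
KNOWN_CONTAINERS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
}

# Bits per byte; random or encrypted data approaches 8.0, text sits well below.
ENTROPY_THRESHOLD = 7.0


def signature_scan(data: bytes) -> bool:
    """Classic content scan: True if the known marker appears in the bytes."""
    return SIGNATURE in data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte-value distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def container_type(data: bytes) -> Optional[str]:
    """Name of a known compressed/container format if the header matches."""
    for magic, name in KNOWN_CONTAINERS.items():
        if data.startswith(magic):
            return name
    return None


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) used only to build the
    encrypted sample for this example; it is not a recommended cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


def build_samples() -> dict:
    """Constructed inputs: a plaintext file carrying the marker, the same bytes
    encrypted, and a gzip header followed by random-looking bytes."""
    plaintext = (b"BEGIN CONFIG\n" + SIGNATURE + b"\nsome repeated text\n") * 100
    encrypted = keystream_xor(plaintext, b"constructed-demo-key")
    compressed_like = b"\x1f\x8b" + keystream_xor(plaintext, b"other-key")[:2000]
    return {"plaintext": plaintext, "encrypted": encrypted, "compressed": compressed_like}


def classify(data: bytes) -> str:
    """Combine both signals into the verdict a scanner would log."""
    if signature_scan(data):
        return "signature-match"
    container = container_type(data)
    if container:
        return f"container:{container}"  # hand to a format-aware scanner
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy-unknown"  # opaque blob with no known header
    return "clean"


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:<11} entropy={shannon_entropy(blob):.2f} verdict={classify(blob)}")
```

Run stand-alone, the plaintext sample is caught by the signature, the encrypted copy of the very same bytes is not, and only the entropy heuristic (with the container exception) gives the defender anything to act on; the "high-entropy-unknown" verdict is a prompt for sandboxing or blocking the download, not proof of malice.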
This approach isn’t new, but during COVID-19 experts noticed a spike in encrypted malware across the board. A study from cloud security provider Zscaler showed a 260% spike in encrypted malware attacks in 2019 alone.
What is Fileless Malware?
Another form of malware, fileless, is also proving an increasing challenge for compliance and security experts.
Unlike traditional malware, which uses an external program to infect a system, fileless malware uses native or other legitimate OS tools to launch itself. Through this technique, the attacker doesn’t need to install a program or even any code onto a system–they can infect that system simply by using utilities already installed.
There are several types of fileless malware in the wild today:
- Registry Residence: This malware installs itself into the Windows Registry. The registry is a database of system configuration settings for a given Windows system and includes controls for default behaviors, hardware configurations and file-application associations. Traditional registry attacks install malicious code into the registry to do their work. Under a fileless attack, the attacker instead writes malicious content into registry entries that Windows reads at startup, so it is treated as part of the operating system and launched every time the computer starts.
- Memory Malware: Traditional malware operates like any executable file: its runtime components run in RAM, but the file itself lives on local disk storage and makes its changes there. Modern memory-only attacks operate entirely in RAM and so go undetected by scanners that only inspect the hard disk.
- Fileless Ransomware: Using either of the techniques above, attackers can launch fileless ransomware that locks a system’s data behind encryption and demands payment.
Fileless malware has also exploded, particularly in response to the increasing use of Software-as-a-Service (SaaS) programs and increasingly sophisticated phishing websites that can execute software like Adobe Flash and PowerShell.
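The registry-residence item above describes entries that Windows runs at startup. As an added example (not code from the original post), the script below audits the text of a registry export for autorun values that launch a script host, an encoded PowerShell command, or a script file rather than a plain executable. The export text is constructed for the example in the format `reg export` produces (the base64 argument is a placeholder), so it runs offline on any platform; the pattern list is a small set of common detection heuristics, not a complete rule set.

```python
"""
Added example (not from the original post): flag autorun registry values that
look like fileless persistence rather than a normal executable. The .reg text
is constructed; the patterns are illustrative detection heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format produced by `reg export`. The encoded
# command argument "QUJDRA==" is a placeholder (base64 of "ABCD").
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -NoP -W Hidden -EncodedCommand QUJDRA=="
"Helper"="mshta.exe C:\\Users\\alice\\AppData\\Roaming\\helper.hta"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Only values under the autorun keys are commands Windows executes at logon.
AUTORUN_KEY_RE = re.compile(r"\\(Run|RunOnce|RunServices)$", re.IGNORECASE)
# A .reg string value line: "Name"="value" (hex:/dword: values do not match).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Heuristics for a fileless launch: script hosts, encoded or hidden PowerShell,
# or a script file where an .exe would normally be.
SUSPICIOUS = [
    (re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|en|enc|encodedcommand)\b", re.I),
     "encoded PowerShell command"),
    (re.compile(r"\s-(w|win|window|windowstyle)\s+hidden\b", re.I),
     "hidden window requested"),
    (re.compile(r"\b(mshta|wscript|cscript)(\.exe)?\b", re.I),
     "script host launched at logon"),
    (re.compile(r"\.(ps1|vbs|js|hta|bat|cmd)\b", re.I),
     "script file rather than an executable"),
]


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def unescape_reg_string(raw: str) -> str:
    """Undo .reg escaping: \\ becomes \ and \" becomes " (single pass)."""
    return re.sub(r"\\(.)", r"\1", raw)


def audit_reg_export(text: str) -> List[Finding]:
    """Walk a .reg export and return autorun values matching any heuristic."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not AUTORUN_KEY_RE.search(current_key):
            continue  # not an autorun key; skip its values
        m = VALUE_RE.match(line)
        if not m:
            continue  # blank line or non-string value
        command = unescape_reg_string(m.group("value"))
        reasons = [label for pattern, label in SUSPICIOUS if pattern.search(command)]
        if reasons:
            findings.append(Finding(current_key, m.group("name"), command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{f.key}] {f.name}: {f.command}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On the sample, the OneDrive entry (a quoted path to an .exe) passes, while "Updater" and "Helper" are reported with the reasons that matched. In practice the same logic is run over exports of both the HKCU and HKLM Run keys, and a flagged entry is correlated with the process that wrote it, since a legitimate installer occasionally uses a script too.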
How Are Organizations Addressing New Malware?
As cyber threats advance, enterprise businesses and organizations in the U.S. supply chain are quickly looking for ways to mitigate these problems. Furthermore, as these organizations form tighter vendor relationships with government agencies, the risk of attack is that much greater, placing even more pressure on companies to address security issues.
The problem with encrypted and fileless malware is that they attempt to circumvent traditional security. Since they are so hard to track, new forms of mitigation and prevention are necessary to stop them.
Some of the steps that security firms and organizations are taking to address these issues are:
- Machine Learning: Plain-Jane malware scanners and human security experts are quickly being left behind by these sophisticated programs. New advances in machine learning and AI, however, are shedding new light on how pattern recognition, behavior analysis and dynamic system monitoring can mitigate cyber threats.
- Encryption Scanning: As malware moves into encrypted channels, security programs must turn to encryption scanning. This means giving scanning programs the ability to decrypt network traffic, scan the content and re-encrypt it before forwarding it on.
- Threat Hunting and Red Team Exercises: Threat detection and elimination cannot rely only on passive detection. Organizations must either implement internal practices or outsource penetration testing, red team exercises and other bug hunting programs to stay ahead of threats.
- Application Whitelisting and Zero-Trust: More and more systems must operate on zero-trust principles, which includes maintaining whitelists of approved applications rather than assuming applications are trustworthy by default.
Combat Malware and Other Threats with Continuum GRC
Compliance goes a long way towards preventing malware attacks. Modern frameworks include measures to detect, prevent and mitigate such attacks–but only if you commit your organization to the strictest tenets of the regulations. No cutting corners, no skimping on implementation.
But, as we all know, compliance can be a costly undertaking. The costs in terms of time, work hours and money can take a significant chunk of your resources, especially if you have to undergo audits every 1-3 years.
Continuum GRC helps you reduce those costs without sacrificing critical security practices. Our ITAM’s cloud platform can automate compliance reporting and documentation across your entire organization. A process that traditionally took weeks or months can be reduced to days, all while making that process more sustainable and reliable year after year.
Are You Ready to Streamline Compliance?
Call Continuum GRC at 1-888-896-6207 or complete the form below.