Fileless malware is the newest trend, but EDR can stop it in its tracks.

Since the COVID-19-inspired lockdown, there’s been a significant increase in the number of malware alerts coming through our Security Operations Centre (SOC), says Jan Prinsloo, systems engineer at CyberTech, a division of Altron. “We’ve seen an uptick in alerts around malware – but the nature of that malware has evolved. These attacks typically start out as a phishing e-mail or a fake Web site where someone clicks on something that automatically triggers a script to download. This then starts infecting the machine.”

The challenge is that there’s no actual file download that a normal anti-virus solution could identify as malicious; this type of attack executes scripts on the machine when the user clicks on a link. Stopping this type of attack from spreading requires an endpoint detection and response (EDR) solution that is able to quarantine that machine on the network, preventing lateral movement of the malware before it can exploit another machine.

The COVID-19 pandemic has seen the rise of a plethora of fake Web sites aiming to take advantage of people wanting to find out more about the coronavirus, or to download content – such as films or series – online. These sites rely on a typo URL – a technique known as typosquatting – in which the site name is spelt almost, but not quite, correctly: Netfl!x instead of Netflix, for example.
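As an added illustration that is not part of the original article, the following Python check flags look-alike hosts of the kind just described by undoing common character swaps and measuring edit distance against a small, constructed list of protected brands (the brand list and the homoglyph map are assumptions made for the example):

```python
"""Look-alike domain check of the kind the article describes (Netfl!x vs Netflix)."""
from urllib.parse import urlsplit

# Brands this check protects: a constructed sample list, not a vendor feed.
PROTECTED = {"netflix": "netflix.com", "microsoft": "microsoft.com"}

# Characters commonly swapped for visually similar letters; extend as needed.
HOMOGLYPHS = str.maketrans({"!": "i", "1": "l", "|": "l", "0": "o", "3": "e",
                            "$": "s", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label only ('www.netfl!x.com' -> 'netfl!x'); crude but enough here."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_url(url: str) -> dict:
    """Classify a URL as legitimate, suspicious (resembles a protected brand) or unknown."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    label = registrable_label(host)
    # Undo single-character swaps and the two-letter pairs that mimic 'm' and 'w'.
    normalised = label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for brand, real_domain in PROTECTED.items():
        if host == real_domain or host.endswith("." + real_domain):
            return {"url": url, "verdict": "legitimate", "brand": brand}
        if normalised == brand or levenshtein(normalised, brand) <= 1:
            return {"url": url, "verdict": "suspicious", "brand": brand,
                    "reason": f"host label '{label}' resembles '{brand}'"}
    return {"url": url, "verdict": "unknown", "brand": None}
```

The same routine can run over proxy or DNS logs to surface the first click before a script ever executes.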

Prinsloo explains: “The minute a user clicks on the site, the malware starts harvesting their data. Even if the user moves their mouse over a Java application, their machine will be infected. Once it has a foothold, unless you have an active detection and response system in place, you won’t even know about it.”

Jan Prinsloo, systems engineer, CyberTech

Zea Silva, Key Account Manager, CyberTech

Zea Silva, Account Manager at CyberTech, adds: “These attacks, being global in nature, mean there is no set time pattern as to when they may occur. This is where having a security managed service, inclusive of EDR, comes into its own, detecting the malware and alerting the analysts so that they can take immediate preventative and remedial action.”

Businesses won’t pick up these types of attacks without a detection tool because there’s nothing to be seen on the machine; it’s just a process that runs in the background as the malware digs in deeper and deeper. “Next-generation solutions look at behaviour of processes running on the machine instead of focusing on the files, so anything that executes on a machine will be an indicator of compromise,” explains Prinsloo. “Today’s EDR solutions incorporate machine learning. No human being can effectively watch all the machines in the company’s environment all of the time – or stay abreast of all of the unknown exploits that appear daily.”
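To make the behaviour-first approach Prinsloo describes concrete, here is an added Python example (not code from CyberTech or any EDR product) that scores constructed process-creation events for the chain described above, a user-facing application spawning a script host, and decides whether the machine should be isolated from the network as the earlier paragraph on quarantining suggests. The event fields, the application lists and the score thresholds are assumptions made for the example.

```python
"""Behaviour rule for the script-driven chain the article describes; all events are constructed."""
import re

# Constructed process-creation events in the shape an EDR sensor might report (an assumption).
SAMPLE_EVENTS = [
    {"ts": "2020-05-04T09:12:01Z", "host": "LAPTOP-17",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed-placeholder>"},
    {"ts": "2020-05-04T09:12:04Z", "host": "LAPTOP-17",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\update.js"},
    {"ts": "2020-05-04T09:15:30Z", "host": "DESK-02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\build\publish.ps1"},  # benign admin script
]

USER_FACING = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits that raise confidence: hidden window, encoded payload, remote fetch.
SUSPICIOUS_ARGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|https?://", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict, lineage: dict) -> tuple:
    """lineage maps an image basename to its parent's basename, so a script host that a
    browser started still taints its own children (a real sensor keys this by PID)."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    score, reasons = 0, []
    if image in SCRIPT_HOSTS:
        if parent in USER_FACING:
            score += 60; reasons.append(f"{image} spawned by user-facing app {parent}")
        elif lineage.get(parent) in USER_FACING:
            score += 40; reasons.append(f"{image} descends from {lineage[parent]} via {parent}")
        if SUSPICIOUS_ARGS.search(ev["cmdline"]):
            score += 30; reasons.append("hidden, encoded or network-fetching arguments")
    return score, reasons


def triage(events: list, isolate_at: int = 70) -> list:
    alerts, lineage = [], {}
    for ev in events:
        score, reasons = score_event(ev, lineage)
        lineage[basename(ev["image"])] = basename(ev["parent"])
        if score:  # the action is the SOC response the article describes: contain, then investigate
            action = "isolate host from network" if score >= isolate_at else "investigate"
            alerts.append({"host": ev["host"], "score": score, "reasons": reasons, "action": action})
    return alerts
```

Note that no file hash is consulted anywhere: the verdict rests entirely on who started the process and how it was invoked.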

Commenting on this last point, Silva says: “With increasing numbers of people working from home and consuming media and content from a variety of sources, hackers are identifying increased opportunities to exploit this scenario. This leads to increased vulnerability across a variety of devices used from home and affords a potential route into a company’s corporate network infrastructure. This could enable the attacker to masquerade as a legitimate employee and gain unfettered access.”

Many companies don’t have good security practices in place as everyone is normally protected by the company firewall. And even if they have endpoint protection, it’s also generally limited in terms of what it can do for remote workers, says Silva.

She goes on to list three key factors in defending a company’s data against this novel type of malware attack:

  1. If the software wants to update, let it. It’s for your protection. Otherwise you remain vulnerable to cyber attacks. This is the first line of defence against any issue and it’s irresponsible not to keep patches and the like updated. This applies to application and operating system updates.
  2. Have EDR that is linked to an SOC so that you can respond to attacks 24/7. It’s one thing to have an EDR system in place, but you must also be able to respond to it.
  3. A key factor in defending successfully against attacks is consuming security solutions as a service, EDR included. The benefits of the as-a-service model are manifold: affordability, not having to pay up front for the product (capex vs opex), not having to monitor it and not having to employ the right skills to understand and maintain the solution. Outsourcing means security experts will ensure systems are monitored 24/7 and attacks are escalated to the right kind of analysts for response and remediation.

Asked to comment on what the future is going to look like, Prinsloo predicts an increasing number of companies are going to look at endpoint protection as it’s unlikely that remote working is just going to stop when lockdown ends. “Everyone realises that it’s possible to work from home and be productive, so it’s likely to become the norm going forward. However, remote workers need VPN access, which requires the company trusting employees with access to certain information. The business will have to deploy products or services that can monitor this access. Users might not intentionally download malware, although training and awareness are vital to make people aware of the dangers that are out there.”

He points out that education around IT security is pretty much the same as that around COVID-19. “As much as people needed to be told to social distance and refrain from touching their faces, employees need to be taught not to click on links and other basic security measures. It might sound logical and self-evident, but sometimes you need to state the obvious.”