"We see it every day," says Steven Lentz, CSO at Samsung Research America. "Something coming through, some exploit type, unknown ransomware. We've stopped several things with our defenses, either network-wise or at the end point."
The attacks that Lentz is worried about are fileless attacks, also known as zero-footprint, macro, or non-malware attacks. These attacks don't install new software on a user's computer, so antivirus tools are more likely to miss them.
Fileless attacks also evade whitelisting. With whitelisting, only approved applications are allowed to be installed on a machine. Fileless attacks take advantage of applications that are already installed and already on the approved list. However, the terms "fileless," "zero-footprint," and "non-malware" are technically misnomers: these attacks often depend on users downloading malicious attachment files, and they do leave traces on the computer if you know what to look for.
"Fully zero-footprint malware doesn't truly exist, as there are ways to detect malware even if it doesn't install itself on hard drives," says Cristiana Brafman Kittner, senior threat intelligence analyst at FireEye, Inc. In addition, they don't evade antivirus completely, since antivirus might still be able to spot the malicious attachment or malicious link, even if there's no executable installed.
Attackers know that with a fileless attack, they stand a higher chance of getting in. "That's where the real threat is," says Lentz. To catch the ones that do slip through, Samsung Research relies on behavior-based systems, including endpoint protection from Carbon Black. For example, when visitors connect to the company's network, the defenses are able to spot malware that the users' antivirus tools had missed. "We found keyloggers and password-stealing programs on visitor laptops," says Lentz.
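To make the whitelisting and behavior-based points concrete, here is an added example (not code from the article or from any vendor named in it) that runs two checks over constructed process-creation events: a plain application allowlist, which passes every event because each binary is approved, and a behavioral check that flags a document application spawning a script host with a hidden or encoded command line. The event format, the allowlist contents, and the rule names are assumptions for illustration.

```python
"""Allowlist check versus behavioral check over constructed process events."""
from dataclasses import dataclass

# Hypothetical application allowlist (image basenames, lower-case).
APPROVED = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
            "wscript.exe", "mshta.exe", "explorer.exe", "chrome.exe"}

DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}
# Command-line shapes a behavioral rule treats as suspicious for a script host.
SUSPICIOUS_FLAGS = ("-encodedcommand", "-windowstyle hidden")


@dataclass
class ProcEvent:
    parent: str   # image of the parent process
    image: str    # image of the newly created process
    cmdline: str  # full command line of the new process


def allowlist_verdict(ev: ProcEvent) -> str:
    """What a pure application allowlist sees: is the image approved?"""
    return "allowed" if ev.image.lower() in APPROVED else "blocked"


def behaviour_findings(ev: ProcEvent) -> list:
    """Return the behavioral rules this event trips (empty list = clean)."""
    findings = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    if parent in DOCUMENT_HANDLERS and image in SCRIPT_HOSTS:
        findings.append("document_app_spawned_script_host")
    if image in SCRIPT_HOSTS and any(flag in cmd for flag in SUSPICIOUS_FLAGS):
        findings.append("script_host_hidden_or_encoded")
    return findings


def triage(events: list) -> list:
    """Pair each event with (allowlist verdict, behavioral findings)."""
    return [(allowlist_verdict(e), behaviour_findings(e)) for e in events]


# Constructed sample telemetry: a normal browser launch, an e-mail attachment
# being opened, then the document application launching a hidden script host.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ProcEvent("outlook.exe", "winword.exe", "winword.exe /n quarterly_report.docm"),
    ProcEvent("winword.exe", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -EncodedCommand <constructed>"),
]

if __name__ == "__main__":
    for ev, (verdict, hits) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.parent} -> {ev.image}: allowlist={verdict} behaviour={hits or 'clean'}")
```

Every event is "allowed" by the allowlist; only the third trips the behavioral rules, which is the gap the article's behavior-based endpoint tooling is meant to close.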
Fileless malware a growing threat
The rate of fileless malware attacks increased from three percent at the beginning of 2016 to 13 percent last November, according to Mike Viscuso, CTO at Carbon Black, Inc. "And we have continued to see it increase," he says. "We see as many as one in three infections have a fileless component."
Since not all Carbon Black customers choose to block attacks, but opt for alerts instead, Viscuso can see that fileless attacks actually have an even bigger impact. "More than half of all attacks that are successful are fileless," he says.
Some customers also use honeypots, or even leave parts of their network without advanced behavior-based protections, he says, so they can watch for attacks and then track what the attackers are after, and how they're spreading. "They can make sure the rest of their environment is ready for the attacks," he says.