Getting a Clue About Sneaky New Malware

“Clueless.” That’s the name of a 1995 teen comedy that became a surprise box-office hit and a cultural touchstone for an entire generation of Americans. It’s also a pretty good description of an insidious new malware threat that possesses none of the customary indicators of a network intrusion.

File-less malware is stripped of all the clues that would normally suggest an attack. As the name suggests, file-less malware leaves no files or artifacts on the infected system, making it nearly impossible to detect with traditional signature-based security and forensics tools.

Instead, these infections use tiny but malicious PowerShell scripts that are stored in memory or in the computer’s registry. The scripts perform reconnaissance, collect sensitive information and then disappear without a trace when the infected computer is rebooted.
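Because the script itself may never touch disk, what a defender typically has left to inspect is the launch string that started it: the PowerShell command line in a process-creation record, or the value of a registry autorun entry. The following is an added example written for this post, not code from the original article or from WatchGuard. It scores a handful of constructed launch strings against indicator patterns that are illustrative assumptions (hidden window, no profile, policy bypass, Invoke-Expression, an encoded command), decodes any `-EncodedCommand` argument (Base64 of UTF-16LE text) so the hidden script can be scanned as well, and reports the records worth a closer look. The record sources, paths and registry key names are constructed for the example.

```python
import base64
import binascii
import re

# Illustrative indicator patterns for PowerShell launch strings (assumptions,
# not a vendor rule set). Each one is a switch or verb that a script which
# wants to run unseen tends to use.
INDICATORS = {
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.IGNORECASE),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "web_download": re.compile(r"downloadstring|net\.webclient", re.IGNORECASE),
}

# Captures the Base64 blob that follows any accepted spelling of -EncodedCommand.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Constructed sample: a harmless script, encoded the way PowerShell expects
# (UTF-16LE text, then Base64), so the decoder can be exercised offline.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed records standing in for process-creation events and registry
# Run-key values. Paths and key names are made up for the example.
SAMPLE_RECORDS = [
    {"source": "ProcessCreate", "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"source": "ProcessCreate", "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"source": "RunKey", "cmdline": "powershell -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"source": "RunKey", "cmdline": r'powershell -w hidden -nop -c "Invoke-Expression (Get-ItemProperty HKCU:\Software\Constructed).Payload"'},
]


def decode_encoded_command(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None if absent/undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Collect indicator names that fire on the launch string and on its decoded script, if any."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        # The encoded blob is where a hidden script usually keeps its real verbs,
        # so the same patterns are run over the decoded text.
        hits += [f"decoded:{name}" for name, pattern in INDICATORS.items() if pattern.search(decoded)]
    return {"indicators": hits, "decoded": decoded}


def triage(records, threshold=2):
    """Flag records scoring at or above the threshold, plus any carrying an encoded command."""
    flagged = []
    for record in records:
        result = analyze(record["cmdline"])
        if len(result["indicators"]) >= threshold or "encoded_command" in result["indicators"]:
            flagged.append({**record, **result})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"[{hit['source']}] {hit['indicators']}")
        if hit["decoded"]:
            print(f"    decoded: {hit['decoded']}")
```

The single `-NoProfile` record stays below the threshold on purpose: one switch on its own is common in legitimate scheduled tasks, and a reviewer of such alerts needs the combination of switches, or the presence of an encoded blob, before it is worth a look. The decoded text is returned rather than executed, so the script can be read without ever running it.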

Some cybersecurity experts suspect a file-less attack was used to hack the Democratic National Committee. Kaspersky Lab researchers say file-less malware has been used to carry out attacks on nearly 140 enterprises this year.

The rise of threats that leave few clues is one reason why Gartner anticipates a shift in security spending. The firm’s analysts expect organizations to focus more on detection and response rather than on prevention-only approaches. They predict growth in new security product segments, such as software-defined segmentation, cloud access security brokers, and user behavior analytics.

This shift does not mean that prevention has become unimportant or that organizations should wave a flag of surrender. It’s just an understanding that breaches have become almost inevitable, even with the best defenses. When a security incident happens, the key is how quickly you can identify the intrusion, take steps to minimize the damage, and begin the process of pinpointing the source of the attack.

For most organizations, this represents a significant change from the cybersecurity tactics that have been common for decades. While analysts suggest new technologies, the shift will also require a cultural change. A good place to start is with the development of an incident response plan.

Incident response begins with proper preparation and planning so that key personnel know the procedures they should follow when a breach occurs. The plan should define what constitutes an “incident,” which could range from malware infection to a denial-of-service attack to a data breach. The response may vary depending upon the type of data involved, the scope of the event, and any legal or regulatory requirements that must be met.

Identifying security incidents is more difficult than it sounds, particularly with hacking techniques designed to avoid detection. If an incident is suspected, the response team should conduct an investigation as quickly as possible and involve digital forensic experts at an early stage. It’s important to document everything and preserve as much evidence as possible.

After the investigation is complete, the IT team can begin working to contain and eradicate the problem and recover systems, applications and data. As a final step, the response team should assess the incident and how it was addressed, and look for ways to improve the process.

In our next post, we’ll look at the role of threat intelligence and sandboxing in incident response, and tools from WatchGuard Technologies that can help facilitate the process.
