Corporate Endpoint Security: How to Protect Yourself from Fileless Threats and Detect Insiders

Corporate endpoint security technologies for mid-sized companies struggle to surprise us with something brand new. They provide reliable protection against malware and, when combined with the relevant policies, regular updates, and employee cyber-hygiene, they can shield a business from the majority of cyber-risks. For some, it may seem like you don’t need more security than this...but is that really the case?

The answer, in short, is no. In fact, in most medium company’s cybersecurity strategies, even with an endpoint solution, there is likely to still be gaps that can and should be closed. In this article, we look at what those gaps are and how to fill them.

Legitimate Software Can Hide Risks

Detecting an exploit or Trojan that explicitly runs on a device is not a problem for an anti-virus solution if, for example, a user occasionally downloads a file from internet. However, when a malicious script is launched through a legitimate application, for example, Microsoft Office, this can be a challenge.

Such authorized software is often used on a large number of devices, and it is not feasible to simply ban access to it. Anti-virus solutions will also recognize these files as ‘trusted,’ so may be unable to quickly ‘understand’ that the piece of office software is executing atypical processes initiated by malicious code. Moreover, sometimes such activity can be started by administrators themselves as part of system maintenance. This further complicates the threat detection process.

What it Can Lead to: Fileless Malware, Insider Threats, Miners and Ransomware

Downloaders are one type of malware that use this legitimate software cover. It doesn’t actually perform any direct malicious actions on the device. Instead, it gets on the machine, for example, through a phishing email, and then independently downloads the real malicious code onto it.

There is a specific type of malware – fileless malware – that is often used as a downloader. It doesn’t store itself on the hard disk, therefore tracking it with an ordinary anti-virus solution is not easy. Due to that, fileless malware is often used in advanced targeted attacks, such as Platinum APT, whose victims were state and diplomatic organizations. Another example is the advanced PowerGhost cryptominer, which used trusted software for cryptocurrency mining. According to Kaspersky statistics, of all the anomalous activity detected in legitimate Windows Management Instrumentation processes (WMI), two-thirds (67%) were fileless downloaders of the Emotet banking Trojan and WannMine cryptominer.

Malware families running in WMI
Malware families running in WMI

Now, some might think that simply tightening policies and scaling down user privileges is the solution to stop the malware from starting any process on the device. However, this is not an option, because the fileless malware does not need administrator privileges to perform its malicious actions.

Another possible risk of authorized software exploitation occurs when malicious activity is initiated by someone inside the network. At best, it’s just an employee who decided to mine coins using their corporate computing power. However, in this case, since the actions are performed by a trusted user, administrators and a security solution may not detect them.

Last but not least, some forms of malware, such as the Cryptowall ransomware, can use legitimate processes to disguise themselves. Cryptowall, for example, can hide under a filename similar to the important, and legitimate, process svchost.exe which makes it difficult to detect.

What Can Help?

You need a Little Red Riding Hood 2.0, who detects the wolf through external signs and calls lumberjacks before being eaten

To eliminate these threats, IT security teams need technology that allows them to detect not just specific malware by signatures, but any suspicious application activity. Spotting anomalies in trusted software helps to identify threats at the very early stages – when malware is already on a device but before the anti-virus reacts to it. This technology, developed by Kaspersky, is called Adaptive Anomaly Control.

To make anomaly detection work, several problems need to be solved. First, how does the Adaptive Anomaly Control know which activity is abnormal and which is not? Secondly, if the control notifies an administrator about each deviation, many notifications will most likely turn out to be just false positives for scripts launched as part of a workflow. In that situation, a user would immediately want to disable the control.

To resolve that, the technology should first be ‘trained’ to recognize how applications work and what actions are performed regularly by employees as part of their job responsibilities. This minimizes the number of false positives and doesn’t drive administrators crazy. Most importantly, Adaptive Anomaly Control notifies IT security managers of suspicious activity to ensure they understand when action needs to be taken immediately. Thus, the technology will turn from ‘the boy who constantly shouted wolf’ into an improved version of Little Red Riding Hood, who manages to recognize early the wolf in the guise of her grandmother and call for help from the lumberjacks before she gets eaten.

How Adaptive Anomaly Control Works

Adaptive Anomaly Control works on the basis of rules, statistics and exceptions. Rules cover three groups of programs: office programs, Windows Management Instrumentation and script engines and frameworks, as well as the abnormal program activity category. The rules are already developed in the product, so there is no need to write them manually.

List of rules for office applications
List of rules for office applications

At first, the control has a training mode activated for about two weeks. During this time, it monitors the network and collects statistics on application use. The technology marks regular anomalies, which indicate that processes are started by employees for work purposes. Based on the data received it then sets exceptions to the rules. If administrators use scripts that could potentially trigger the control’s rules, they can create exceptions before turning on the component, which will improve the quality of the training process.

The training period avoids false positives, but also helps not to miss important anomalies. If a false positive occurs within a rule, administrators can choose not to block the entire network with the exception, but instead configure it for just the particular script that triggered the rule. This mitigates the risk of throwing a global exception that makes the component useless.

The policies can be individually tuned for different groups of users and inherited within user profiles. For example, financial department employees would never legitimately need to execute JavaScript, but it can be done by the development team. Therefore, for the software development department, some rules may be disabled or provided with numerous exceptions, while for the financial department, they may be turned on while in maximum mode. Adaptive Anomaly Control identifies the user group in which the rule is triggered to block or allow the execution accordingly.

After the training period, when the control enters combat mode, the component notifies an IT security manager about any anomaly outside the exceptions specified during the training period. It provides information for investigation, such as which process triggers the operation, on which computer and under which user.

Example of anomaly activity of Microsoft Word and possible actions
Example of anomaly activity of Microsoft Word and possible actions

For example, a PowerShell script trying to start a Windows Command Processor, HTML Application Host, or Register Server from office software may be considered suspicious. The launch of these activities is technically possible, but not typical for the regular operation.

Similarly, with Windows Management Instrumentation: Adaptive Anomaly Control may react if the HTML Application Host or the PowerShell script is launched from WMI. In addition, according to Kaspersky research, most malicious activity (62%) is detected in the WMI group. WMI is a common tool among malware developers because of its convenience. It allows for the easy start of PowerShell and performs a wide range of actions, such as system intelligence collection.

The number of unique users attacked, by detection group
The number of unique users attacked, by detection group

In the group of script engines and frameworks, activities such as running dynamic or obfuscated code may be suspicious. As part of the abnormal program activity category, files with anomalous names or locations are tracked, for example, a third-party program which has the name of a system file but is not stored in the system folder.

The detailed log of Adaptive Anomaly Control rules applied to different user groups
The detailed log of Adaptive Anomaly Control rules applied to different user groups
‘Process action blocked’ notification
‘Process action blocked’ notification

The Adaptive Anomaly Control algorithm shows how the decision-making process has performed during the training period. If a rule was not triggered at all during the training, the technology will consider the actions associated with this rule as suspicious and block them. If a rule is triggered, an administrator receives a report and decides what the technology should do: to block the process or allow it and inform a user. Another option is to extend training to monitor how the rule is working further. If the user does not take any action, the control will also continue to work in smart training mode. The training mode time limit is then reset.

Adaptive Anomaly Control training algorithm
Adaptive Anomaly Control training algorithm

So, if this technology is so effective, then what are all the other protection features needed for?

Adaptive Anomaly Control solves the specific task of early threat detection. It does this automatically and does not require special administration skills or proactive actions. This means that the technology cannot detect the malware itself, just its delivery to the network, as well as the potentially dangerous actions launched by the insider, or the malicious activity of programs that have the status ‘not a virus.’ It is always easier to treat the disease at an early stage, so early detection of threats helps to get rid of them faster with less load on IT and information security departments.

However, it is equally important to use the entire range of protective measures, including signature-based malware detection, behavioral analysis, vulnerability detection and patch management, and exploit prevention. These technologies help in the prevention of most generic attacks, which means that advanced protection mechanisms such as Adaptive Anomaly Control are offloaded to detect really complex evasive threats. Adaptive Anomaly Control is used to close this specific risky area and it is effective in its role, while other endpoint technologies have to address their areas of expertise. This way the complete cybersecurity solution will be efficient to protect a business from cyber-threats.

Shadow IT is so common because it’s human nature to always look for the easiest and the most convenient way to do something, including our work. It should be treated carefully, and these simple recommendations just show that organizations can manage them. This will not only reduce the exposure to data protection risks but also encourage better communication between the IT department and other employees. It also leads to another positive outcome: the trust of a company in its employees, and vice versa. 
Explore Kaspersky Security Solutions for Enterprise to predict, prevent, detect and respond to cyber-attacks.

Brought to You by

What’s Hot on Infosecurity Magazine?