April 4, 2019

By the mid-2000s antivirus software had reached mythical status in the history of computing. It was an unusual person who did not have antivirus software installed on their computer, especially if running a Microsoft Windows machine.

Then something happened: in 2014 the Vice President of Symantec announced that antivirus software was “dead”. He went on to explain that antivirus software was catching only about 45% of malware threats, leaving the other 55% free to wreak havoc on our IT infrastructures. A scary announcement like that, from an antivirus vendor, sent shock waves through the industry.

So, why was this? What changed? How was this new pesky malware evading capture?

How Antivirus Software Met Its Match

You may have noticed that there is a lot of talk about antibiotic resistance in the world, bacteria evolving resistance. This is nicely analogous to the fall of traditional antivirus software. Like its bacterial equivalent, malware is updated by the programmers who create it, to thwart its attacker – the antivirus scanner.

Traditional antivirus software uses something called a ‘signature’ to detect malware. This signature is a few bytes within the code that are unique to that malware. Traditional antivirus scans look for this signature; if they find it, they isolate and quarantine the offending file on your system and delete it as required.

Another technique used by antivirus software is called “heuristic detection”. This technique uses rules that look for specific types of activity, such as commands that install software; once a threshold of suspicious activity is reached, a virus alert appears.
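As an added illustration (not code from the article), here is a toy version of both checks in Python: a byte-signature scan and a weighted heuristic score with an alert threshold. The signature bytes, rule names, weights and sample inputs are all constructed for the example; the combined assess() helper also shows why an actor that never touches the disk can only be caught by the behavioural path.

```python
"""Toy signature scan plus heuristic scoring. Added illustration, not code from the
article; every signature, rule weight and sample below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signature database: a short byte sequence unique to each known sample.
SIGNATURES = {
    "demo-dropper": b"DEMO_DROPPER_MARKER_v1",
    "demo-stealer": b"\x90\x90STEAL\x00\x01",
}

# Constructed heuristic rules: observed behaviour -> suspicion weight.
HEURISTIC_RULES = {
    "writes_autorun_key": 3,
    "installs_service": 3,
    "disables_security_tool": 4,
    "spawns_shell_from_document": 3,
    "reads_browser_credentials": 2,
}
ALERT_THRESHOLD = 6  # raise an alert once the accumulated score reaches this value


def signature_scan(data: bytes) -> List[str]:
    """Return the names of every known signature whose bytes occur in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def heuristic_score(events: List[str]) -> int:
    """Sum the weights of observed behaviours; benign or unknown behaviours add 0."""
    return sum(HEURISTIC_RULES.get(event, 0) for event in events)


@dataclass
class Verdict:
    signature_hits: List[str] = field(default_factory=list)
    score: int = 0

    @property
    def alert(self) -> bool:
        return bool(self.signature_hits) or self.score >= ALERT_THRESHOLD


def assess(file_bytes: Optional[bytes], events: List[str]) -> Verdict:
    """Run both checks. file_bytes is None for a memory-only actor: with nothing
    on disk to scan, only the behavioural path can raise the alert."""
    hits = signature_scan(file_bytes) if file_bytes is not None else []
    return Verdict(signature_hits=hits, score=heuristic_score(events))
```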

But life is never simple, is it? Cybercriminals were able to update their software to obfuscate the very signatures that made malware visible to antivirus scanners.

Damn their cunning ways.

The Perfect Cybercrime – Fileless Malware

Fileless malware (the clue is in the name) is the enemy of traditional antivirus software because it leaves no traces of itself on your hard drive after execution; it is only ever resident in computer memory (RAM). It is like the perfect crime, the trick being to leave no evidence for the ‘cops’ to find.

Fileless attacks have the same end result as their file-based cousins: malware infection to control, steal, and expose. They use the same processes too – a phishing email link may take you to a site that then executes a fileless attack. Security solutions that need a signature or a set of behavioural rules to spot malware are of no use against fileless attacks. So, a fileless malware attack will go under the radar of any organisation using traditional antivirus software.

Because of this sneaky feature, fileless malware attacks were up by 94% in 2018 according to SentinelOne. The Ponemon Institute identified a similar scenario, predicting that 35% of cyber-attacks in 2018 would have a fileless basis.

Antivirus Software is Dead, Long Live Antivirus Software

But cybercriminals are not the only ones who can evolve. Antivirus vendors have seen the fileless bet and raised the cybercriminals an intelligent solution. There are now solutions that specifically look for the smoke signals of a fileless attack. I have identified a few of the vendors who specialise in this area below, but most use a principle of automated monitoring across a network that looks for patterns of behaviour associated with these types of attacks.

And, of course, malware attacks are not always fileless. So modern antivirus/anti-malware solutions are still an important part of your cybersecurity measures – as they also use traditional signature and heuristic-based scans.

Layering Technology and Humans to Stop Fileless Attacks in Their Invisible Tracks

Having software that monitors your network is only part of the solution of modern-day cyber-warfare. The use of technical security measures is only one part of a wider scope of protection. Because many cyber-threats have an origin in social engineering by taking advantage of human behaviour, they need a human-centred approach too.

Many cyber-attacks, including those that are fileless, need a human being to initiate the sequence of events that leads to malware infection. Phishing is the perfect and ubiquitous example. Phishing relies on a human operator to click a link or download a document. The infection then follows, via fileless or traditional methods of code execution. It is the perfect storm of human and technology being used to exploit your organisation.

Security awareness training is the most effective way of stopping the early part of the process of malware infection. Security awareness training is your first layer of protection against cyber-attacks including malware infection – your staff are like your filter before anything even gets to the point of being caught by antivirus software.

Five Examples of Endpoint Security Vendors

Once you have your staff ready and cyber-safe, you can look at the right vendor to provide your next layer of defence – the antivirus/anti-malware solution often included in more comprehensive ‘endpoint’ security solutions. There are lots of offerings in this area, for both home and business use; we’ve only shown a few here to whet your appetite:

Malwarebytes – Endpoint Protection and Response: Malwarebytes offer solutions for home and business. Their home anti-malware product installs on a machine and acts like a traditional antivirus solution by performing regular scans for known viruses and malware. It also prevents ransomware infection and stops exploit kits from running if you go to a spoof website. They have a more comprehensive kit that brings several security options together under one agent.

Trend Micro – Apex One: An endpoint solution that uses a number of techniques to spot malicious behaviour. This is based on collation of threat knowledge. It helps to prevent fileless attacks as well as ransomware. It has lots of bolt-on pieces to add more features.

BitDefender – Antivirus Plus: The home edition offers advanced antivirus features and ransomware prevention. For the full feature set you have to upgrade to Bitdefender’s more comprehensive ‘Security Suite’.

Kaspersky – Antivirus: Uses scans to locate virus infection and quarantine any found files. Protects against ransomware and crypto-mining bots.

Panda Labs – Antivirus: Described as “next gen” antivirus software. It uses continuous monitoring based on behavioural intelligence to spot fileless attacks as well as more traditional malware infection.

A Virus Free Future?

It is unlikely that malware will disappear. It is a highly effective way to take control of IT resources, steal login credentials, expose data, and cause outages.

So, we have to work out ways to keep our organisation safe from this ever-present threat. Antivirus solutions have evolved to stay in line with the changing nature of malware threats, but they are not a solution on their own. We have to put layers of protection in place to thwart the sophisticated methods used to circumvent technical measures.

Making sure that our staff are security aware is the most fundamental thing we can do to protect our company against a cyber-attack. Our staff are our foot soldiers. If they are well trained, many of the ways into our network will be closed off.

Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.