Lessons on Fileless Malware from McAfee

During the recent AFCEA Defensive Cyber Operations Symposium in Baltimore, I finished my technical presentation duties just after lunch on one of the days – so I decided to take a nice stroll around the exhibition floor. For some of you, this is a tedious decision, given the overwhelming number of vendors at such an event (almost RSA-scale). But for me, touring a conference floor is like a ten-year old scouting the Wonka Factory. It’s pure fun.

Now, it didn’t take long to sense a new buzzword emanating from the cyber security vendors present: Fileless. Virtually every vendor hawking a solution related to endpoint security, malware detection, and even IoT security – was touting their advanced capability for preventing fileless exploits that evade traditional anti-virus solutions. “The industry leaders in anti-virus simply don’t know how to deal with this,” I was told over and over. “They just don’t get it.”

Well, I had two problems with this: First, my experience with the industry leaders is that they typically do understand exploits, including new ones. Companies like McAfee and Symantec, for example, employ more software security researchers than most endpoint security start-ups have employees in their entire company. But second, I never got a decent explanation for how fileless exploits work from any of the vendors present. No one could clearly describe the issues.

My solution: I called McAfee. And before long, I was having a detailed discussion with my new friend, Prabhat Singh, Vice President of Engineering for the Company. Prabhat was the perfect person to explain this topic, simply because he has held senior technical and software threat research positions for both Symantec and now McAfee. I was certain that if anyone could explain fileless security to me, Prabhat was the person. Here is what I learned:

“The optimal strategy for mitigating these so-called fileless attacks involves something called attack behavior blocking,” Prabhat said. “The general idea is that capable intruders will find some means for attacking their victims, and whether they do this using a malicious file, or an existing tool such as PowerShell, or code executed directly from memory, the common threat is that the observed malicious behavior itself can be detected and blocked.”

This sounded fair enough, so I asked Prabhat for some use-case examples, and I must say that he had more than I could handle. Apparently, McAfee has been focused on developing and improving their technology for endpoint customers in this area, so examples were fresh at hand. All of them were presented in the context of the well-known cyber kill-chain, but I’ll try to explain a couple of them in simple, non-technical terms:

Equation Editor: The first simple case involves a user inadvertently launching a vulnerable equation editor, which is then used to start a PowerShell script that downloads the attacker’s payload (see CVE-2017-11882). The security strategy Prabhat outlined was simple: “The goal is to insert attack behavior blocking into the chain to prevent PowerShell scripts from executing,” he said. “This is straightforward, but powerfully effective.”

Readers should keep in mind that the earliest, traditional anti-virus solutions simply did not employ any means for detecting behaviors this way. By extending their solutions to observe PowerShell usage – the perfect target for attackers, since it gives them access to system administrative utilities such as Windows Management Instrumentation (WMI) – the AV becomes more dynamic. McAfee has apparently embedded such capability into their own solutions.

WannaCry/Petya: The recent and well-known WannaCry attack and Petya variant involved ransomware being used for financial gain and destruction, respectively. In both cases, attack behaviors could be detected and blocked under the right security conditions. Prabhat used these as a use-case showing multiple points in the kill-chain where attack behavior blocking could have stopped the exploit.

First, if a user opens a document infected with WannaCry, and it tries to drop and execute malicious code via PowerShell, then this behavior can be detected and blocked. Later in the chain (assuming you get there), if the malicious code tries to administratively share or remotely execute (i.e. dual use tool execution), then this behavior can also be detected and blocked. Exploit payload execution (e.g., EternalBlue) can also be detected and blocked dynamically.
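To make the idea of attack behavior blocking concrete, here is an added example (my own illustration, not McAfee code or any product’s logic) that scores process-creation events against three behavior rules matching the kill-chain steps just described: an Office or Equation Editor process starting a script host, PowerShell launched with several evasion-style switches, and a child of a remote-execution service or a command line that touches an administrative share. The event records, process names, switch lists and rule names are constructed for the example; a real product would keep far larger, tuned lists and would act on the live process rather than a log.

```python
# Added example, not McAfee or any vendor's code: a minimal attack-behavior
# evaluator run over constructed process-creation events. Rule inputs are
# illustrative assumptions, not a production detection set.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event as an endpoint sensor might report it (constructed)."""
    pid: int
    image: str      # file name of the new process
    parent: str     # file name of the process that created it
    cmdline: str    # full command line of the new process


# Hypothetical rule inputs (assumed for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
ADMIN_SHARE_MARKERS = ("\\admin$", "\\c$", "\\ipc$")
SUSPICIOUS_PS_SWITCHES = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                          "-ep bypass", "-executionpolicy bypass", "-enc", "-encodedcommand")


def office_spawns_script_host(ev: ProcEvent) -> bool:
    """Execution stage: an Office / Equation Editor process starting a script host."""
    return ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS


def evasive_powershell(ev: ProcEvent) -> bool:
    """Execution stage: PowerShell started with two or more evasion-style switches.
    One such switch is common in legitimate admin scripts, so a single hit does not fire."""
    if ev.image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev.cmdline.lower()
    return sum(sw in cl for sw in SUSPICIOUS_PS_SWITCHES) >= 2


def remote_exec_or_admin_share(ev: ProcEvent) -> bool:
    """Lateral-movement stage: child of a remote-execution service (WMI, PsExec),
    or a command line that references an administrative share."""
    cl = ev.cmdline.lower()
    return (ev.parent.lower() in REMOTE_EXEC_PARENTS
            or any(marker in cl for marker in ADMIN_SHARE_MARKERS))


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "office_spawns_script_host": office_spawns_script_host,
    "evasive_powershell": evasive_powershell,
    "remote_exec_or_admin_share": remote_exec_or_admin_share,
}


def evaluate(ev: ProcEvent) -> Tuple[str, List[str]]:
    """Return ("BLOCK" or "ALLOW", names of the rules that fired)."""
    fired = [name for name, rule in RULES.items() if rule(ev)]
    return ("BLOCK" if fired else "ALLOW", fired)


# Constructed sample events; none are real captures. Note that Word launching the
# Equation Editor (pid 101) is itself normal and stays ALLOW; the chain is only
# cut when the editor goes on to start PowerShell (pid 102).
SAMPLE_EVENTS = [
    ProcEvent(100, "WINWORD.EXE", "explorer.exe", "winword.exe C:\\docs\\quarterly.docx"),
    ProcEvent(101, "EQNEDT32.EXE", "WINWORD.EXE", "eqnedt32.exe -Embedding"),
    ProcEvent(102, "powershell.exe", "EQNEDT32.EXE", "powershell.exe -nop -w hidden -c <stage2>"),
    ProcEvent(103, "powershell.exe", "explorer.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ProcEvent(104, "cmd.exe", "WmiPrvSE.exe",
              "cmd.exe /c copy C:\\tmp\\upd.dll \\\\ws02\\ADMIN$\\upd.dll"),
]


def run(events=SAMPLE_EVENTS) -> Dict[int, Tuple[str, List[str]]]:
    """Evaluate every event and map pid -> (verdict, rules fired)."""
    return {ev.pid: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for pid, (verdict, fired) in run().items():
        print(f"pid={pid:<4} {verdict:<5} {fired}")
```

The point of the parent/child rule is that it does not care whether the payload ever touched disk: the Equation Editor starting a script host is the blockable behavior, which is exactly what “fileless” detection needs. The two-switch threshold in the PowerShell rule is the kind of tuning that keeps a behavior rule from blocking an administrator’s inventory script (pid 103) while still stopping the evasive launch (pid 102).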

This is serious gearhead stuff, certainly – but for security engineers trying to source-select the optimal endpoint protection software, a working knowledge of fileless exploits is now quite necessary. My view is that this progression from static-investigation-of-objects to dynamic-observation-of-behaviors is a natural evolution for software security vendors. And I’m glad McAfee and others are all over it.

A remaining challenge: Since behavioral security is now mired in the details of how to feed observed details into machine learning algorithms, one must wonder how accurate this attack behavior blocking can become in the presence of artificial intelligence-based labeling, matching, and categorizing. If the best vendors – and McAfee is one of them – can make this work, then endpoint security will see a renaissance no one in our industry might have ever expected.

My thanks to Prabhat Singh and the entire McAfee team for helping me understand fileless security issues a bit more deeply – and I hope this brief note has been helpful to you. And as always, please let us know your own thoughts.