top of page

Fileless Malware and the Demise of Anti-Virus


One of the most common questions we get at Jigsaw Security is routinely the question as to whether or not Anti-Virus protection is enough. When we tell our customers that we don't run Anti-Virus, some ask why and other tell us were crazy. In fact we have not run persistent Anti-Virus products since 2012. The reason being is that Anti-Virus will not detect several types of malware and is in our opinion wholly outdated. This is why vendors such as Symantec and OpenText use endpoint protection to detect threats. Anti-Virus can detect roughly 70% of the threats that are out there but in most cases these infections are typical run of the mill virus attacks. What about the other 30%?

If you read the Ponemon Institute Study: Key Findings, The 2017 State of Endpoint Security Risk you would have seen that nearly half of the IT alerts that security teams responded to are false positives. This is in part because fileless malware and the methods of detecting this type of infection leave a lot to be desired in the accuracy department. In 2017, 29% of attacks have been fileless. Which means if your Anti-Virus products are using signatures and looking at files, that 29% of the attacks would get through your defenses. What you need to be doing is looking at actions occurring on the workstation (what is the malware doing?), what is it communicating with outside your network (Where is it going?) and what series of events occurred when the malware became active (What did it try and accomplish?).

It's a matter of flexibility

In reviewing our data for this article, we noted that methods of the attacker are changing much faster than the methods used to detect it. The reason we keep adding new modules to the Jigsaw FirstWatch sensor so quickly is because attackers are changing their methods and we have to change our detection methods to keep up with evolving threats. Checking just files (Anti-Virus) is only part of the solution. We also have to be monitoring the network (Jigsaw Security Endpoint Protection and FirstWatch Sensor), we have to look at the actions occurring over multiple devices in our environment (Jigsaw Analytic Platform) and we have to be modular in our design of our products (All Jigsaw Products) so that as new threats are discovered, we can quickly adapt to the methods, tactics, techniques and procedures (TTPs) of our attackers.

Most products do one thing and do that one thing well. We have all heard of a defense in depth strategy where you have multiple safeguards to provide the best detection. While this is a great way to describe the problems faced by security teams, it is also the biggest issue in providing security services. You have to have multiple safeguards in place to ensure that if your Anti-Virus fails you, that your endpoint protection, proxy servers, big data logging and packet capture products, firewalls or IDS catch the bad actor and prevent the attack from being successful.

In short we need to be a more flexible security industry to get better at defeating malicious actors. One of the biggest problems is that as an industry many companies rely solely on IOCs (Indicators of Compromise) to protect their devices and networks. Jigsaw Security believes that IOC's are useful but IOC's are also outdated and a reactive protection means instead of a proactive way to defeat attacks. If you are discovering IOC based issues, chances are the infection has already occurred and you are already infected.

Jigsaw Security products work differently by looking for patterns of activity in network traffic and stopping those (using network flexible response reset) to break the connection all without signatures that rely on IOCs at all. This is why our company does not run Anti-Virus and why we have not incurred an infection since we stopped using this technology years go. We also afford this same protection to our customers using the same techniques in our products.

Targeted Malware - Maintaining a foothold and time to detection

We have said it before that one time use, targeted malware will never be detected with signatures. This is the most damaging of all malware and is being seen on a much more frequent basis in the last 2 years. Threat actors realize that once a piece of malware is detected, that its lifespan has effectively been limited as security vendors create (signature based) defenses against this known piece of malware. A piece of malware that has never been used before and was written specifically for a single attack is much harder to detect and will rarely be detected with most AV products.

Smaller firms that outsource their security rely on AV and endpoint protection products to catch and stop these attacks. When a targeted operation is launched against non technical, smaller targets, the threat actor will usually get a foothold in the network and be able to maintain it much longer than if they were attacking a more technical target with more diversified detection methods such as analytics, heuristics and big data based detection systems.

Targeted malware if successfully deployed, will get into a targets devices and remain there for longer periods of time without detection due to the fact that the smaller and non technical targets typically do not have the means to detect the activity the same is a larger more seasoned security team that specializes in detecting customized one time use malware.

How we make endpoint and network protection products better

If an endpoint product has the ability to see data in network traffic and contained within files. We can easily incorporate the Jigsaw Security Threat Intelligence library into the products thereby making the product detect more malicious activity that it would have out of the box. The Jigsaw Security Threat Intelligence library can be used with Carbon Black, Symantec Endpoint Protection, Peerblock and similar endpoint products. As you notice we mentioned a free option for you in the list because we believe that many of these features can be realized without having to spend a lot of money on expensive solutions. Our data set also works with your ArcSight, Log Rhythm, Elasticsearch or Hadoop based big data platforms, and other security devices such as Palo Alto Firewalls, Cisco Firewalls, proxy servers, mail servers, DNS servers, etc. Our solutions can be deployed in physical networks or virtual environments such as AWS or Azure.

Do we really think Anti-Virus is dead?

In short yes we do because unless endpoint and network monitoring solutions are employed, you will have misses and great harm can be realized if you are attacked with fileless or customized one time use/targeting malware. Sure your AV products will pick up some infections but the most damaging will be missed.

21 views0 comments
bottom of page