wonderfully unique software solutions

User restrictions not the answer to fileless threats: Kaspersky

Companies can protect themselves from downloader, miner, fileless and insider threats without tightening up user policies, according to Kaspersky technical writers Oleg Zaitsev, Rodion Gadyrshin and Evgeny Lopatin.

“When a malicious script is launched through a legitimate application, this can be a challenge. For example, when a phishing email document is opened in Microsoft Office, all actions will be performed by the office application,” they write on the Kaspersky security blog.

“Such authorised software is often used on a large number of devices, and it is not feasible to simply ban access to it. Antivirus solutions will also recognise these files as ‘trusted’.”

Legitimate software can typically simply go ahead and execute atypical processes initiated by malicious code. Even administrators performing system maintenance aren’t immune to this tactic.

“In most medium-sized companies’ cybersecurity strategies, even with an endpoint solution, there are likely to still be gaps that can and should be closed,” the Kaspersky writers note.

According to Kaspersky statistics, of all the anomalous activity detected in legitimate Windows Management Instrumentation (WMI) processes, 67% were fileless downloaders of the Emotet banking trojan and the WannMine cryptominer, they wrote.

Fileless malware does not need administrator privileges to perform its malicious actions. Another risk is when malicious activity is initiated by an employee on the network. Some malware can use legitimate processes as a disguise, such as svchost.exe.

That’s why Kaspersky developed Adaptive Anomaly Control, a module in Kaspersky Endpoint Security.

The technology is ‘trained’ over about two weeks to recognise how applications work and which actions are performed regularly by staff on the job. It also operates using sets of rules, statistics and exceptions covering office programs, WMIs, script engines and frameworks as well as abnormal program activities.

“The policies can be tuned for different groups of users individually and inherited as part of user profiles. For example, financial department employees would never legitimately need to execute JavaScript, but the development team will,” say the Kaspersky team.

“However, it is equally important to use the entire range of protective measures including signature-based malware detection, behavioural analysis, vulnerability detection and patch management, and exploit prevention. These technologies help to block most generic attacks.”

Read the full blog with examples.

(Photo by Mimi Thian on Unsplash)

Recent Articles

Usecure builds security awareness focus, adds platform functionalities

MSP-focused security vendor Usecure is continuing to expand the capabilities of its human risk management focused software for partners.

Phishing attacks still plague common file types, Hornetsecurity warns

Phishing via archive, HTML, Excel or PDF files remain the leading email-based cyber attack on organisations, according to cybersecurity specialists at Hornetsecurity.

How TechSmith video-based learning can boost diversity and inclusion

When Hillsborough Community College in the USA wanted to create a remote-learning platform to assist students who use sign language, it turned...

Opswat uprates security for AWS partners in the cloud

Operations tech (OT) and industrial cybersecurity vendor Opswat, maker of MetaDefender, has been expanding and deepening its relationships with Amazon Web Services...

TeamViewer and Siemens to collaborate on augmented, mixed reality

TeamViewer is teaming up with Siemens on augmented and mixed reality (AR/MR) for the product lifecycle management space. The...

Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here

Weirdware monthly - Get the latest news in your inbox