Is Malware That’s Not Malware What Brought the DNC Down? Are You Next? – by Ron Benvenisti

The latest malware threats are being called “non-malware”. I’ll explain why in a minute, but for right now, these new intrusion tactics pose a very high level of risk to both public and private organizations. It’s going to get worse. The trend is that they are being used for stealing data or establishing persistent attacks on networks to support ongoing espionage objectives or to enable future acts of sabotage. Not only is this a problem for business, but it’s a serious national security issue. Most organizations are not equipped to defend themselves against these subversive tactics. As a result, all organizations need to reevaluate the efficacy of their current cybersecurity posture as well as the ability of their staff to effectively manage and reduce the risk of data breaches and disruptive or destructive attacks conducted using file-less methods.

The terms “file-less” and “non-malware” are sometimes used interchangeably. Strictly, file-less intrusions generally involve the injection of malicious code into a targeted system’s memory or registry and do not require the installation of any files on the system’s hard drive. Non-malware (also called “malware-free” or “malwareless”) attacks embed malicious code into legitimate software already present on the targeted system, such as web browsers, Microsoft Office programs, or other legitimate programs, processes or functions within the computer’s operating system.

Windows PowerShell and Windows Management Instrumentation (WMI) are two of the most commonly exploited programs. The overwhelming majority of Microsoft Windows-based enterprise system administrators use them to manage and automate tasks internally and for their clients. Both are easily manipulated by an unauthorized, remote user to gain control of a system and steal, manipulate, or delete data. Mimikatz (don’t I know her, from Boro Park?) and Meterpreter are examples of file-less tools frequently used by what we call “malicious actors” to compromise plaintext administrator credentials, escalate privileges, and establish control over a system to advance their objectives.

According to the well-respected cybersecurity firm Carbon Black, non-malware attacks leveraging PowerShell and WMI grew substantially in 2016, spiking 93.2 percent in the second quarter and growing to the highest level of the year in the fourth quarter. Despite all the political speculation and innuendo surrounding it, the fact is that the hack of the Democratic National Committee, as detailed in a report by CrowdStrike, is an example of PowerShell and WMI being used to establish persistence, move laterally within a network, and remain completely undetected while siphoning off everything connected to it. How do you prevent this?
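The WMI persistence mentioned above lives in the WMI repository as a filter-to-consumer binding rather than as a file on disk, so a file scan will not surface it. The following script is an added example for this column, not code from the author, CyVision or any of the firms cited, and it simply lists every permanent WMI event subscription on the host so an administrator can review what is registered. It assumes an elevated Windows PowerShell 5.x session and is read-only.

```powershell
# Added example, not part of the article: enumerate permanent WMI event subscriptions
# (filter -> consumer bindings) in root\subscription, the mechanism that lets code run
# on a trigger without any file on disk. Read-only; run elevated on Windows PowerShell 5.x.

function Get-WmiEventSubscription {
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are WMI object paths such as __EventFilter.Name="MyFilter";
        # pull out the Name so the binding can be joined to its filter and consumer.
        $filterName   = if ($b.Filter   -match 'Name="([^"]*)"') { $Matches[1] }
        $consumerName = if ($b.Consumer -match 'Name="([^"]*)"') { $Matches[1] }
        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        [pscustomobject]@{
            FilterName   = $filterName
            Query        = $f.Query        # WQL trigger, e.g. a timer or a process-start event
            ConsumerName = $consumerName
            ConsumerType = $c.__CLASS      # CommandLineEventConsumer, ActiveScriptEventConsumer, ...
            # What runs when the filter fires: a command line or embedded script text
            Action       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                           elseif ($c.ScriptText)      { $c.ScriptText }
                           else                        { $null }
        }
    }
}

# On a typical workstation this list is short (management agents sometimes register a few),
# so anything unfamiliar, especially a CommandLine or ActiveScript consumer, deserves a look.
Get-WmiEventSubscription | Format-List
```

Run it on a known-good build first to learn what your management software legitimately registers; the value comes from comparing a suspect host against that baseline.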

For starters, to address the new risks posed by file-less and non-malware tactics, organizations must finally adopt a comprehensive cyber risk management framework and implement robust cybersecurity best practices and defensive measures, including, but not limited to, the bulleted items I’ve presented, time and time again, below. Additionally, organizations will need to employ enhanced logging, monitoring, and analysis of all network, host, and user activity to identify file-less tactics. To do so, enterprises may need to procure third-party products (like DHS R&D CyVision Cauldron) and managed services that include capabilities such as full system endpoint protection with memory and registry monitoring, behavioral analytics, next-generation firewalls, and email content inspection. You can’t say I haven’t been telling you so. So here I go again…

  1. Implement the Principle of Least Privilege for all user accounts and enable User Account Control (UAC). You did this, correct?
  2. Regularly audit and verify all administrator accounts; remove those that are no longer required. You do this, right?
  3. Enforce a tiered administrative model with dedicated workstations and separate administrator accounts that are used exclusively for each tier to prevent tools, such as Mimikatz, from harvesting domain-level credentials. You have this in place for your staff and remote support of course?
  4. Instruct administrators to use non-privileged accounts for standard functions such as web browsing and email. No brainer, done?
  5. Configure Group Policy to restrict all users to only one login session, where possible. It’s a hassle but things could get much worse.
  6. Ensure your enterprise is running the latest version of PowerShell (version 5.1.14393), or disable the use of PowerShell if it is unneeded; enable enhanced logging features, including module and script block logging. Not much effort, do it.
  7. Monitor both inbound and outbound network traffic for anomalies and proactively block known malicious IPs. You’ll need a good tool for this to automate it. (Hint)
  8. Turn on and monitor event logging (applications, events, login activities, service creation, security attributes). You must feed the tool with the data. Batteries not included.
  9. Secure logs, preferably in a centralized location, and protect them from modification. Time to consolidate those folders and drives and get rid of the outdated stuff.
  10. If possible, configure system-wide transcription to send a log of all activity per user, per system to a write-only share and ingest the transcript text files into a centralized platform for regular analysis and understandable reports. That’s where a tool like the DHS-spawned Cauldron comes into play to automate it. It’s too much of a draining effort to do by hand, a waste of your staff’s time and a financial burden.
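Items 6, 8 and 10 above can be put in place on a single host in a few lines. The script below is an added example for this column, not code from the author, CyVision or the Cauldron product: it sets the same registry values that the PowerShell Group Policy templates set for module logging, script block logging and transcription, reports whether they are on, and pulls the resulting script block events so they can be shipped to the central platform. It assumes an elevated Windows PowerShell 5.x session; the share name \\LOGSRV\PSTranscripts$ is a placeholder for your own write-only transcript share.

```powershell
# Added example, not part of the article: enable PowerShell module logging, script block
# logging and transcription via the policy registry keys, verify them, and read back the
# script block events. Assumes elevated Windows PowerShell 5.x on Windows.

$PolicyRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptShare = '\\LOGSRV\PSTranscripts$'   # placeholder: your write-only transcript share

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellAuditLogging {
    # Item 6: module logging (event 4103) for every module, plus script block logging (event 4104)
    Set-PolicyValue -SubKey 'ModuleLogging'             -Name 'EnableModuleLogging'      -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*'                        -Value '*' -Type 'String'
    Set-PolicyValue -SubKey 'ScriptBlockLogging'        -Name 'EnableScriptBlockLogging' -Value 1
    # Item 10: per-user, per-system transcripts written straight to the central share
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting'    -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptShare -Type 'String'
}

function Test-PowerShellAuditLogging {
    # Returns one object summarising the PowerShell version (item 6) and each logging policy
    $read = {
        param($SubKey, $Name)
        try { (Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }
    [pscustomobject]@{
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        ModuleLogging      = (& $read 'ModuleLogging'      'EnableModuleLogging')      -eq 1
        ScriptBlockLogging = (& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        Transcription      = (& $read 'Transcription'      'EnableTranscripting')      -eq 1
        TranscriptPath     = & $read 'Transcription' 'OutputDirectory'
    }
}

function Get-RecentScriptBlockEvents {
    # Item 8: collect script block log entries (event 4104) from the last N hours. The logged
    # script text is the third event property (index 2); this is what the central platform ingests.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId
            Script = $_.Properties[2].Value
        }
    }
}

Enable-PowerShellAuditLogging
Test-PowerShellAuditLogging | Format-List
Get-RecentScriptBlockEvents -Hours 24 | Select-Object -First 10 | Format-Table -Wrap
```

In a domain, set these same values through Group Policy (Administrative Templates, Windows Components, Windows PowerShell) rather than on each box, since a domain policy will overwrite local registry edits on refresh; the Test function is still useful for confirming the policy actually landed on a given host.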

With all the local breaches going on, I wonder if anybody is listening. It costs way less to implement the protection than to deal with fines, lawsuits, reputational damage and going out of business. I mean, you can do this in a week at less than one-fourth of what you pay an average techie who will need months to do all this. There are no more excuses, and you don’t need high-priced third parties. Don’t you think you should at least look into it?

The information in this article is labeled TLP WHITE and I am authorized, as a member of CERT, NJCCIC, NYNJECTF, InfraGard and DHS to distribute it as a public service.

Ron Benvenisti CyVisionTechnologies.com

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].
