FILELESS MALWARE DETECTION

Fileless malware is particularly hard to detect because it resides in system RAM and exploits authorized system and administrative tools in ways that elude whitelisting and other common threat mitigation strategies. BluVector Advanced Threat Detection™ includes the capability to rapidly analyze potential fileless threats before they can infect end-user systems or begin moving laterally throughout the enterprise network. BluVector's analytic fileless malware tool, called the Speculative Code Execution (SCE) engine, identifies suspicious fileless code sequences and is the only solution capable of detecting fileless malware at the perimeter.

What is fileless malware?

Fileless malware is a malicious script that gets loaded into a system's memory (RAM) by a legitimate application resident on the end-user's system. Fileless malware can be unintentionally read off a remote server and, unlike file-based malware, will not leave any files on a storage drive that can be detected by signature-based anti-virus (AV) software. Furthermore, fileless malware can operate under the guise of a legitimate process and persist in memory until the infected system is rebooted or powered down, leaving very little evidence of its activity or that it was ever present. All this makes fileless attacks significantly more difficult to detect and remediate.

Why has detection of fileless malware become important?

Fileless malware has been around for years but was relatively rare and posed a limited threat. This changed in 2014 with Poweliks, a click-fraud Trojan that got the attention of cyber-criminals because it was the first fileless malware to demonstrate persistence. Today, fileless techniques are much more common, with fileless attacks serving as the basis for more sophisticated incursions.
A 2018 survey conducted by the Ponemon Institute, covering over 600 cybersecurity professionals responsible for managing their organization's security strategy, found that fileless malware accounted for over one-third of all malware attacks and was on the rise.

What happens once fileless malware infects?

Once the malware is in memory, attackers can launch administrative tools such as PowerShell or Windows Management Instrumentation (WMI) to steal or elevate credentials, inspect network assets, or establish backdoor connections to remote command and control (C2) servers. These activities appear as legitimate processes to the end-user unless their behavior comes under very close inspection. Fileless attacks are often used as a first step toward a more sophisticated file-based infection. In the second step of the infection, the device downloads and installs malicious programs directly into system memory or into hidden directories. Once installed, the threat actor can also employ a variety of tactics, such as hiding a start-up script inside the Windows registry, to remain in control of the system after a shutdown or reboot.

BLUVECTOR FEATURE REVIEW
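The behaviours the two sections above describe (a legitimate script host such as PowerShell loaded with in-memory code, WMI or an Office application launching that host, and a start-up entry hidden in the Windows registry Run keys) are exactly what a host-based detection rule set looks for when the attack leaves no file on disk. The following toy analyser is an added example written for this page; it is not BluVector's SCE engine or any other product code. It assumes a simplified, Sysmon-like event shape (process-creation and registry-value-set records with the fields shown) and runs over a handful of constructed sample events, some benign and some matching the patterns above, returning the rule names that fired.

```python
"""
Toy host-based detector for the fileless-malware behaviours described on this
page. Added example, not product code. Event shape and sample data are assumed
and constructed for illustration; a real deployment would feed Sysmon or EDR
telemetry into the same rules.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Script hosts that in-memory (fileless) payloads are typically run through.
# Assumption: a short illustrative list, not an exhaustive one.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Registry auto-start locations (the "start-up script inside the registry" case).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# PowerShell's encoded-command switch in any of its abbreviated forms.
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class Event:
    kind: str              # "process" or "registry"
    image: str = ""        # path of the newly created process
    parent: str = ""       # path of the parent process
    cmdline: str = ""      # full command line of the new process
    reg_path: str = ""     # registry value path (registry events only)
    reg_data: str = ""     # data written to that value (registry events only)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule_name, event) pairs for every rule that fires."""
    findings = []
    for ev in events:
        if ev.kind == "process":
            img, par = basename(ev.image), basename(ev.parent)
            # Rule 1: script host started with a base64-encoded command,
            # the usual way in-memory payloads avoid touching disk.
            if img in SCRIPT_HOSTS and ENCODED_RE.search(ev.cmdline + " "):
                findings.append(("encoded_powershell", ev))
            # Rule 2: WMI provider host spawning a script host (WMI-launched code).
            if par == "wmiprvse.exe" and img in SCRIPT_HOSTS:
                findings.append(("wmi_spawned_script_host", ev))
            # Rule 3: Office application spawning a script host (macro-style loader).
            if par in OFFICE_APPS and img in SCRIPT_HOSTS:
                findings.append(("office_spawned_script_host", ev))
        elif ev.kind == "registry":
            # Rule 4: auto-start value pointing at a script host
            # (persistence across reboot without a conventional binary).
            if RUN_KEY_RE.search(ev.reg_path) and any(
                    h in ev.reg_data.lower() for h in SCRIPT_HOSTS):
                findings.append(("run_key_script_persistence", ev))
    return findings


def rule_counts(events) -> dict:
    """How many times each rule fired, as a plain dict for easy comparison."""
    return dict(Counter(rule for rule, _ in analyse(events)))


# Constructed sample telemetry: two benign records and three that match the
# page's described behaviours. The encoded payload is a placeholder string.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -NoProfile -Command Get-Process"),   # benign admin use
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          cmdline="powershell.exe -NoP -W Hidden -enc QQBCAEMA"),      # WMI-launched, encoded
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          cmdline="powershell.exe -WindowStyle Hidden -Command Get-Date"),  # Office-launched
    Event("registry", reg_path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          reg_data=r"mshta.exe C:\Users\Public\update.hta"),           # script-host autostart
    Event("registry", reg_path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          reg_data=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for rule, ev in analyse(SAMPLE_EVENTS):
        print(f"{rule:28s} {ev.kind:8s} {basename(ev.parent) or ev.reg_path} -> "
              f"{basename(ev.image) or ev.reg_data}")
```

Running the block prints four findings: the WMI-launched PowerShell record trips both the encoded-command and WMI-parent rules, the Word-launched PowerShell trips the Office-parent rule, and the mshta Run-key value trips the persistence rule; the interactive Get-Process call and the OneDrive autostart produce nothing. The parent/child and command-line checks are deliberately independent so that a single event can carry more than one indicator, which is how a triage queue ranks a WMI-spawned encoded command above a lone encoded command typed by an administrator.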