Hey, Linux fans! Microsoft has got your back over fileless threats. Assuming you've bought into the whole Azure Security Center thing.
Hot on the heels of a similar release for Windows (if by "hot" you mean "nearly 18 months after") comes a preview aimed at detecting that breed of malware that inserts itself into memory before attempting to hide its tracks.
A fileless attack tends to hit via a software vulnerability, inject a stinky payload into an otherwise fragrant system process and then lurk in memory. The malware also attempts to remove any trace of itself on disk, which makes disk-based detection tricky.
Since the malware hides in RAM, a reboot generally gets rid of the thing. However, Linux servers tend to not to be rebooted as frequently as certain other operating systems and so, once infected, the malware can linger in memory, performing its nefarious activities.
An example of such an infection would be an attacker spotting a vulnerable service on an exposed port, copying a malware package and executing it. A few hops, skips and jumps later, and the malware could be listening for TCP instructions, having ensured any trace of itself in the file system has been removed.
A properly locked-down server would, of course, also mitigate things somewhat.
Only security-relevant metadata
Microsoft's detection feature scans the memory of all processes for the tell-tale footprint of a fileless toolkit, shrieking a warning in the Azure Security Center along with some details of the nasty. An admin can then decide what action to take (and what further investigation is needed).
The scan, according to the Windows giant, is not invasive and the "vast majority" take less than five seconds to run. More importantly for the those fearful of slurpage, memory analysis is performed on the host itself and the results only contain "security-relevant metadata and details of suspicious payloads".
Unsurprisingly, once signed up for the preview, you'll need the Log Analytics Agent for Linux installed, along with a supported distribution (the usual suspects: Red Hat Enterprise Server, SUSE, Ubuntu and Debian are all included in the list). You will also need to be in Standard or Standard Trial Pricing tier to play.
Microsoft isn't the only outfit squaring up to fileless threats. Kaspersky has been quick to trumpet its effectiveness and Trend Micro points to some alarming statistics concerning the surge in threats as criminals seek different means to compromise systems.
However, as its continued love-in with Linux continues (heck, a large chunk of Azure is running the OS), Microsoft has decided that maybe, just maybe, the lessons learned monitoring its proprietary OS could be extended elsewhere. ®