Explainable artificial intelligence: Difference between revisions

* 25.04.2017: Nvidia publishes its paper "Explaining How a Deep Neural Network Trained with End-to-End Learning Steers a Car" <ref>{{cite web|title=Explaining How a Deep Neural Network Trained with End-to-End Learning Steers a Car|url=https://arxiv.org/pdf/1704.07911.pdf|website=Arxiv|publisher=Arxiv|accessdate=17 July 2017}}</ref>
* 13.07.2017: Accenture recommends, "Responsible AI: Why we need Explainable AI" <ref>{{cite web|title=Responsible AI: Why we need Explainable AI|url=https://www.youtube.com/watch?v=A668RoogabM|website=YouTube|publisher=Accenture|accessdate=17 July 2017}}</ref>
 
Fileless malware is an evolutionary strain of malicious software that has followed a steady model of self-improvement and enhancement, with a drive towards clearly defined, focused attack scenarios. Its roots can be traced back to the [[Terminate and stay resident program|Terminate Stay Resident]]/memory-resident viral programs,<ref>{{cite web|title=The Art of Computer Virus Research and Defense: Memory-Resident Viruses|url=http://computervirus.uw.hu/ch05lev1sec2.html|accessdate=20 February 2017}}</ref> which, once launched, would reside in memory awaiting a system interrupt before regaining control of execution; examples were seen in viruses such as [http://virus.wikia.com/wiki/Frodo Frodo], [[Dark Avenger|The Dark Avenger]] and [https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html Number of the Beast].
 
These techniques evolved by way of temporary memory-resident viruses,<ref>{{cite web|title=The Art of Computer Virus Research and Defense: Temporary Memory-Resident Viruses|url=http://computervirus.uw.hu/ch05lev1sec3.html|accessdate=20 February 2017}}</ref> seen in well-known examples such as [http://malware.wikia.com/wiki/Anthrax Anthrax] and [http://antivirus.downloadatoz.com/615,monxla.html Monxla], and took on their truer ‘fileless’ nature in the form of in-memory-injected network viruses/worms such as [[Code Red (computer worm)|CodeRed]] and [[SQL Slammer|Slammer]].
 
More modern incarnations of this lineage have been seen in malware such as [[Stuxnet]], [[Duqu]], [https://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99 Poweliks] and [http://securityaffairs.co/wordpress/36206/cyber-crime/phasebot-fileless-malware.html Phasebot].
 
== Recent developments ==
On February 8, 2017 Kaspersky Lab's Global Research & Analysis Team published a report titled “Fileless attacks against enterprise networks”,<ref>{{cite web|title=Fileless attacks against enterprise networks|url=https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/|website=Secure List|publisher=Secure List|accessdate=20 February 2017}}</ref> which implicates variants of this type of malware, and its latest incarnations, as affecting 140 enterprise networks across the globe, with banks, telecommunication companies and government organisations being the top targets.
 
The report details how a variant of fileless malware uses [[PowerShell]] scripts stored within the Microsoft Windows Registry to launch an attack against a victim’s machine, leveraging the common attack framework [[Metasploit Project|Metasploit]] together with supporting attack tools such as [https://github.com/gentilkiwi/mimikatz Mimikatz], and using standard Windows utilities such as ‘SC’ and ‘NETSH’ to assist with lateral movement.
 
The malware was only detected after a bank identified the Metasploit Meterpreter code operating in physical memory on a central ___domain controller (DC).<ref>{{cite web|title=Fileless attacks against enterprise networks|url=https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/|website=Secure List|publisher=Secure List|accessdate=20 February 2017}}</ref>
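The registry-hosted PowerShell loader described above leaves a trace at its autostart point even when nothing is written to disk. The following triage script is an added example (not from the report or from any vendor) that scores exported autorun values on the traits such a loader needs: the PowerShell interpreter, a base64 ''-EncodedCommand'' blob (which it decodes), a hidden window, and a script body that reads further code back out of the registry. The registry paths, value names and payload are constructed for the example.

```python
import base64
import re

# Traits of an autorun value that behaves like a registry-resident PowerShell loader.
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:windowstyle|w)\s+hidden", re.IGNORECASE)
REGISTRY_READ_RE = re.compile(r"Get-ItemProperty|HKCU:|HKLM:", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE text; '' if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_autorun(key: str, name: str, data: str) -> dict:
    """Score one autorun value and list the reasons it resembles a fileless loader."""
    reasons = []
    if POWERSHELL_RE.search(data):
        reasons.append("powershell launched from autorun")
    if HIDDEN_RE.search(data):
        reasons.append("hidden window")
    decoded = ""
    match = ENCODED_RE.search(data)
    if match:
        decoded = decode_encoded_command(match.group(1))
        reasons.append("encoded command")
    # Look for registry reads in the decoded script body (or the raw value if no blob).
    if REGISTRY_READ_RE.search(decoded or data):
        reasons.append("script body reads the registry")
    return {"key": key, "name": name, "decoded": decoded,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def triage_all(entries):
    """Return only the (key, name, data) entries that trip two or more traits."""
    return [r for r in (triage_autorun(*e) for e in entries) if r["suspicious"]]


# Constructed sample: one benign Run value and one modelled on a registry-hosted loader.
# Hypothetical paths and names; the second entry is not a real indicator.
_STAGE_READER = "(Get-ItemProperty 'HKCU:\\Software\\Demo').stage"
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoP -W Hidden -Enc "
     + base64.b64encode(_STAGE_READER.encode("utf-16le")).decode("ascii")),
]

if __name__ == "__main__":
    for hit in triage_all(SAMPLE_AUTORUNS):
        print(hit["key"], hit["name"], hit["reasons"], repr(hit["decoded"]))
```

In practice the input would come from a hive export or a live-response tool; the decoded script body is what an analyst preserves, since the registry value is the only durable artifact of the loader.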
 
More details of this attack will be published later this year (April 2–6, 2017).
 
Kaspersky Labs is not the only company to have identified such emerging trends; most of the principal IT security anti-malware companies have come forward with similar findings, including [https://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99 Symantec], [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_phase.a Trend Micro], [https://www.mcafee.com/hk/resources/solution-briefs/sb-quarterly-threats-nov-2015-1.pdf McAfee Labs] and [https://www.cybereason.com/fileless-malware-an-evolving-threat-on-the-horizon/ Cybereason].
 
== Digital forensics ==
The emergence of malware that operates in a fileless way presents a major problem for digital forensic investigators, whose reliance on obtaining digital artifacts from a crime scene is critical to ensuring [[chain of custody]] and producing evidence that is admissible in a court of law.
 
Many well-known digital forensic process models, such as Casey 2004, DFRWS 2001, NIJ 2004 and Cohen 2009,<ref>{{cite book|last1=Casey|first1=Eoghan|title=Digital evidence and computer crime : forensic science, computers and the Internet|date=2010|publisher=Academic|___location=London|isbn=0123742684|page=189|edition=3rd}}</ref> embed an examination and/or analysis phase in their respective models, implying that evidence can be obtained, collected and preserved by some mechanism.
 
This point is reinforced further when considering the standard operating procedures of digital investigators and how they should deal with a running computer at a crime scene. Traditional methods direct the investigator to:
* Do not, in any circumstances, switch the computer on.
* Make sure that the computer is switched off – some screen savers may give the appearance that the computer is switched off, but hard drive and monitor activity lights may indicate that the machine is switched on.
* Remove the main power source battery from laptop computers.
* Unplug the power and other devices from sockets on the computer itself.
(Taken from the [[Association of Chief Police Officers|ACPO]] Good Practice Guide for Computer-Based Electronic Evidence<ref>{{cite web|title=ACPO: Good Practice Guide for Computer-Based Electronic Evidence|url=https://www.cps.gov.uk/legal/assets/uploads/files/ACPO_guidelines_computer_evidence%5b1%5d.pdf|website=The Crown Prosecution Service|publisher=Association of Chief Police Officers|accessdate=20 February 2017}}</ref>)
 
Fileless malware upends this model, as evidence acquisition can only take place against a memory image obtained from the live, running system under investigation. This method can itself compromise the acquired host's memory image and render legal admissibility questionable, or at the very least instill enough reasonable doubt that the weight of the evidence presented may be drastically reduced, increasing the chances that [[Trojan horse defense|Trojan Horse]] or [[Mistaken identity#SODDI Defense|SODDI]] defences may be used more effectively.
 
This renders this type of malware extremely attractive to adversaries wishing to secure a foothold in a network and perform difficult-to-trace lateral movement quickly and silently, leaving standard forensic investigatory practices ill-prepared for this threat.<ref>{{cite web|title=POWELIKS Levels Up With New Autostart Mechanism|url=http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/|website=Trend Micro|publisher=Trend Micro|accessdate=20 February 2017}}</ref><ref>{{cite web|title=Anti-Forensic Malware Widens Cyber-Skills Gap|url=https://www.infosecurity-magazine.com/news/antiforensic-malware-widens/|website=InfoSecurity Magazine|publisher=InfoSecurity Magazine|accessdate=20 February 2017}}</ref><ref>{{cite web|title=Without a Trace: Fileless Malware Spotted in the Wild|url=http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/|website=Trend Micro|publisher=Trend Micro|accessdate=20 February 2017}}</ref><ref>{{cite web|title=New Invisible 'File-Less' Cyber Malware Poses 'Unique Worldwide Threat'|url=https://sputniknews.com/science/201702111050581359-file-less-cyber-virus-poses-threat/|website=Sputnik news|publisher=Sputnik news|accessdate=20 February 2017}}</ref>

As the dependency of regulators, official bodies and general users on AI-based dynamic systems grows, clearer accountability will be required for decision-making processes to ensure trust and transparency. Evidence that this requirement is gaining momentum can be seen in the first global conference exclusively dedicated to this emerging discipline:
* 20.08.2017: International Joint Conference on Artificial Intelligence: Workshop on Explainable Artificial Intelligence (XAI) <ref>{{cite web|title=IJCAI 2017 Workshop on Explainable Artificial Intelligence (XAI)|url=http://home.earthlink.net/~dwaha/research/meetings/ijcai17-xai/|website=Earthlink|publisher=IJCAI |accessdate=17 July 2017}}</ref>

== Legal admissibility ==
As this form of malware can undermine a digital investigator's ability to ensure rigorous adherence to evidence-collection procedures and the securing of a crime scene, fileless malware presents a significant problem for legal prosecutions when trying to show that data has not had its integrity compromised during acquisition.
 
== External links ==
* [https://www.computerworld.com.au/article/617359/explainable-artificial-intelligence-cracking-open-black-box-ai/ ‘Explainable Artificial Intelligence’: Cracking open the black box of AI]
* [https://www.cybereason.com/fileless-malware-an-evolving-threat-on-the-horizon-2/ Fileless malware: An evolving threat on the horizon]
* [https://arxiv.org/pdf/1612.04757v1.pdf/ Attentive Explanations: Justifying Decisions and Pointing to the Evidence]
* [https://www.cybereason.com/defending-against-the-fileless-malware-pandemic-thats-infecting-banks-around-the-globe/ Defending against the fileless malware pandemic that’s infecting banks around the globe]
* [https://www.wired.com/2017/02/say-hello-super-stealthy-malware-thats-going-mainstream/ Say Hello to the Super-Stealthy Malware That’s Going Mainstream]
* [http://www.darkreading.com/vulnerabilities---threats/fileless-malware-takes-2016-by-storm/d/d-id/1327796 Fileless Malware Takes 2016 By Storm]
* [https://threatpost.com/new-fileless-attack-using-dns-queries-to-carry-out-powershell-commands/124078/ New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands]
 
== References ==