Fileless malware represents "a rapid evolution in the threat landscape" and its incidence increased by 819% between August 2017 and December 2018, Skinner observed.
One reason for the rapid increase in fileless malware was that most organisations had managed to get ransomware under control, so "the attackers have shifted to something new".
The technique generally involves using legitimate software such as PowerShell to perform unauthorised actions on victim systems. This makes it effectively invisible to older types of endpoint security software, he said.
But simply scanning files is not going to be effective against fileless malware, so endpoint security software needs to look at the way the system is behaving. For example, is PowerShell being launched by another application? Is there an unusual pattern of memory activity?
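The parent-process question above is the part of behavioural detection that is easiest to show in code. The following is an added example, not Trend Micro's or any vendor's code: it learns which (parent, child) process pairs appeared during a known-good period and then flags any PowerShell launch whose parent was never seen in that baseline. The log format (`timestamp|parent|image|command line`) and every record in it are constructed for the example.

```python
"""Behavioural detection over process-creation events: flag PowerShell when
its parent process was not observed during a baseline period.
Added example with constructed data; not a vendor's detection logic."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Images treated as "PowerShell" for the purpose of this check.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    parent_image: str   # file name only, lower-cased
    image: str          # file name only, lower-cased
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'timestamp|parent|image|command line' record."""
    ts, parent, image, cmd = line.split("|", 3)
    return ProcessEvent(ts.strip(), _basename(parent), _basename(image), cmd.strip())


def build_baseline(lines: Iterable[str]) -> Set[Tuple[str, str]]:
    """Collect every (parent, child) pair observed during a known-good period."""
    return {(e.parent_image, e.image) for e in map(parse_event, lines)}


def find_anomalies(lines: Iterable[str],
                   baseline: Set[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return PowerShell launches whose (parent, child) pair is not in the baseline."""
    findings: List[Dict[str, str]] = []
    for e in map(parse_event, lines):
        if e.image not in POWERSHELL_IMAGES:
            continue                      # only PowerShell is in scope here
        if (e.parent_image, e.image) in baseline:
            continue                      # a parent we have seen launch it before
        findings.append({"timestamp": e.timestamp, "parent": e.parent_image,
                         "image": e.image, "command_line": e.command_line})
    return findings


# Constructed sample telemetry (not real logs). Paths are illustrative.
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
BASELINE_LOG = [
    f"2019-02-01T09:00:00|C:\\Windows\\explorer.exe|{PS_PATH}|powershell.exe",
    f"2019-02-01T09:05:00|C:\\Windows\\System32\\cmd.exe|{PS_PATH}|powershell.exe -File backup.ps1",
    "2019-02-01T09:10:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]
NEW_LOG = [
    f"2019-02-02T10:00:00|C:\\Windows\\explorer.exe|{PS_PATH}|powershell.exe",
    f"2019-02-02T10:02:00|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|{PS_PATH}|powershell.exe -NoProfile (constructed)",
    "2019-02-02T10:03:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for f in find_anomalies(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{f['timestamp']} {f['parent']} -> {f['image']}: {f['command_line']}")
```

Two caveats a practitioner would add: the baseline must come from a period believed clean, or the very pair you want to catch is learned as normal; and the check looks only one level up, so a baseline containing `cmd.exe -> powershell.exe` says nothing about what launched `cmd.exe`. A production rule would walk the full process ancestry and combine this with the memory-activity signals the article mentions.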
This means administrators need to ensure that their incumbent security product is being used to its full potential, said Skinner, and to consider other options if they are using a product that isn't up to the job in 2019.
Email is currently the most common method of launching attacks, and while Trend Micro says the traditional shotgun approach (blasting an email to millions of addresses in the hope that even a small percentage of recipients will be taken in) is still in use and relatively easy to spot, carefully targeted emails are being used for spearphishing and BEC (business email compromise) attacks.
In both cases, the messages show a good command of English, address the recipient by name, and indicate a degree of research (e.g., using information drawn from sites such as LinkedIn), Skinner said.
Around a year ago, Trend Micro introduced Writing Style DNA to help determine how likely it is that a particular email actually originated from the apparent sender.
More recently, it has begun rendering the destination pages of the links in an email and applying machine vision to the resulting image to help detect spoofed login pages designed to steal the victim's credentials (phishing). The advantage of this approach is that it doesn't require knowledge of domains used for phishing: if the page resembles (say) the Office 365 login page but isn't part of the relevant Microsoft domain(s), then it is highly suspicious.
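The domain half of that check (the page looks like a given brand's login page, but is its URL actually under that brand's domains?) is straightforward to get wrong with a naive substring test. The following added example, not Trend Micro's code, assumes the machine-vision step has already produced a brand label and implements only the domain comparison. The brand-to-domain map is an illustrative assumption, not an authoritative list of Microsoft domains, and every URL below is constructed using reserved example domains.

```python
"""Decide whether a rendered login page that resembles a known brand is served
from that brand's own domains. Added example with constructed data; the visual
classifier that produces `looks_like` is assumed, not implemented here."""
from urllib.parse import urlsplit
from typing import Dict, Set

# Assumption: illustrative registrable domains per brand label, not a complete list.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "office365": {"microsoftonline.com", "microsoft.com", "office.com", "live.com"},
}


def hostname_of(url: str) -> str:
    """Extract the host part only: userinfo, port, path and query are discarded."""
    host = urlsplit(url).hostname     # already lower-cased by urlsplit
    return host.rstrip(".") if host else ""


def belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (label boundary enforced)."""
    return host == domain or host.endswith("." + domain)


def is_suspicious(url: str, looks_like: str) -> bool:
    """A page that looks like `looks_like` but is not under its domains is suspicious."""
    host = hostname_of(url)
    if not host:
        return True                   # unparseable or schemeless URL: do not trust it
    return not any(belongs_to(host, d) for d in BRAND_DOMAINS.get(looks_like, set()))


# Constructed URLs (RFC 2606 example domains stand in for attacker-controlled hosts).
SAMPLE_PAGES = [
    ("https://login.microsoftonline.com/common/oauth2/authorize", "office365"),
    ("https://login.microsoftonline.com.example.net/", "office365"),   # brand as a prefix
    ("https://microsoftonline.com@example.net/login", "office365"),     # brand in userinfo
    ("https://notmicrosoftonline.com/", "office365"),                   # brand as a suffix
]

if __name__ == "__main__":
    for url, brand in SAMPLE_PAGES:
        verdict = "SUSPICIOUS" if is_suspicious(url, brand) else "ok"
        print(f"{verdict:10} {brand:9} {url}")
```

The three lookalike cases are exactly the ones a substring test such as `"microsoftonline.com" in url` would pass; parsing the hostname and checking on a label boundary is what makes the comparison hold.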
Ideally, email-borne threats should be detected before they are delivered. But the growing tendency for people to work off-site (at clients' premises, at home or in cafes, for example) coupled with the use of personal email accounts, means that the software on the device must be kept up-to-date (or at least subject to virtual patching) and equipped with endpoint security software that is capable of detecting and blocking relevant threats when the organisation's servers and firewalls haven't had the opportunity to inspect the traffic.
"The endpoint has to defend itself," Skinner said.
Another consideration is the requirement to adequately report data breaches. While older endpoint products lack forensic capabilities, newer products incorporate (often as an optional extra) endpoint detection and response technology, providing customers with an investigative toolset that can, for example, show where malware came from, whether or not it was blocked before it could take any action, which files (if any) were accessed by the malware, and whether any data was exfiltrated.
In addition, Trend Micro offers managed EDR. Unlike incident response services, managed EDR is an ongoing service that reports any detected improper activity and identifies when data breaches have occurred.
Trend Micro's cloud-based platform uses a variety of techniques including machine learning to process telemetry data from customers' systems before bringing exceptions to the attention of the company's international team of security analysts. This scale and automation mean the service is "eminently affordable", he said.
With all these issues in mind, it is really important that organisations refresh their approach to endpoint security, whether they choose to stay with their incumbent vendor or move to a new provider, Skinner said.