5 Things You Need to Know About the New (and Scary) Wave of 'File-less' Cyber Attacks
In the wake of the Equifax breach and the global WannaCry ransomware outbreak earlier this year, tensions around cybersecurity are at an all-time high. Companies are feeling more pressure to invest in new policies and products that can keep their sensitive data safe.
Yet even as they increase their security budgets, many organizations harbor real concerns as to whether any existing technology can help them keep up with the rapidly evolving nature of today’s threats.
In particular, they’re worried about the steadily growing number of attacks designed to gain access to their systems and infect them silently, without ever downloading malicious programs or leaving behind any obvious trace.
These attacks can go by several names. “Fileless attacks” is a common one, but “non-malware attacks” and “living-off-the-land attacks” are also used. The bottom line is that these malicious actions are specifically designed to evade detection, primarily by using a victim company's trusted software and system tools against it. As a result, these attacks are quickly becoming the number-one threat keeping IT and security professionals up at night.
To clarify what actually constitutes a fileless attack and explain how it can work, here are five things every business leader should know:
1. Fileless attacks exploit a fundamental gap in traditional endpoint security.
Traditionally, cyber attacks involving malware have revolved around attackers gaining access to a victim’s computer (typically by either exploiting a software vulnerability or tricking the victim into downloading something he or she shouldn’t), and then installing an executable file (the "payload") that does the damage.
The problem with this approach from an attacker’s perspective is that antivirus solutions are built to scan and block any suspicious files that land on the computer. By not installing malicious files, however, attackers can simply bypass these solutions. All they need to do is hijack otherwise legitimate system tools and trusted applications to do their dirty work for them.
2. There are a variety of fileless techniques attackers can use.
At a high level, attacks can be broken down into two primary stages: the initial compromise that gives attackers access to a target system, and the post-exploitation activities they conduct once they are there. Attackers can utilize fileless techniques during one or both of these stages to accomplish their goals even as they evade traditional and even next-generation, machine-learning-powered antivirus software.
To gain initial access, attackers will often utilize exploits designed to take advantage of flaws in the software the victim is already running. The Equifax breach is a recent example. Attackers were able to exploit a vulnerability in the company’s unpatched version of Apache Struts and use it to execute malicious commands.
Exploiting vulnerable applications and injecting code into normal system processes are both popular fileless techniques for gaining access and execution on machines without getting noticed.
Once the initial compromise is complete, attackers can continue avoiding detection by abusing powerful system administration tools like PowerShell, PsExec and Windows Management Instrumentation (WMI). Because these tools have legitimate use cases, they allow attackers to hide in plain sight while they escalate privileges, move laterally throughout the network and achieve persistence by making changes to the registry.
3. A fileless attack can involve files.
Before going any further, we should dispel one of the most common misunderstandings surrounding fileless attacks -- they often do involve files, especially in the initial compromise stage of the attack. The primary difference is that these files aren’t malicious executables, but instead files like Microsoft Office documents.
The challenge from a traditional endpoint security perspective is that there is nothing inherently malicious about these files on their own, so scanning them won’t necessarily raise any red flags. That makes them the perfect vehicles to kick off an attack.
For example, an attack may begin with an employee being tricked into opening a Word document received in a phishing email; the employee thus inadvertently activates a macro or script embedded inside.
That macro or script then launches PowerShell, a legitimate framework built into Windows for automating system-administration tasks. From there, the attacker uses PowerShell to execute malicious code directly in memory, making the attack from this point forward truly fileless.
Because the individual components of the attack aren’t malicious, security solutions need to be able to observe how they are behaving together, and recognize when a chain of behaviors from otherwise legitimate programs constitutes an attack.
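The chain just described (Office document, then macro, then PowerShell running code in memory) is exactly what an endpoint sensor has to correlate across separately benign-looking events. As an added example that is not part of the original article, the PowerShell below walks a set of constructed process-creation events (fields modelled on a Sysmon Event ID 1 record) and reports any script host that descends from an Office application, together with command-line indicators that the script host is running in memory rather than from a file; the process names, paths and event values are assumptions constructed for the example.

```powershell
# Added example, not from the article. Constructed process-creation events; the encoded
# payload is a harmless 'Write-Output' so the flagged command line can be decoded and inspected.
$benign = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output hello'))
$events = @(
    [pscustomobject]@{ ProcessId = 3200; ParentProcessId = 900;  Image = 'C:\Windows\explorer.exe';
                       CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 4100; ParentProcessId = 3200; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE';
                       CommandLine = '"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice.docm"' }
    [pscustomobject]@{ ProcessId = 4180; ParentProcessId = 4100; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
                       CommandLine = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $benign" }
    [pscustomobject]@{ ProcessId = 5022; ParentProcessId = 3200; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
                       CommandLine = 'powershell.exe -File C:\Scripts\Backup.ps1' }   # legitimate admin use
)

$OfficeApps  = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Find-OfficeToScriptChains {
    param([Parameter(Mandatory)][object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.ProcessId] = $e }
    foreach ($e in $Events) {
        $name = ($e.Image -split '[\\/]')[-1]          # file name only, works with Windows paths anywhere
        if ($ScriptHosts -notcontains $name) { continue }
        # Walk up the parent chain (bounded) looking for an Office application.
        $chain = @($name); $parent = $byPid[$e.ParentProcessId]; $hit = $false
        for ($depth = 0; $parent -and $depth -lt 5; $depth++) {
            $pname = ($parent.Image -split '[\\/]')[-1]
            $chain += $pname
            if ($OfficeApps -contains $pname) { $hit = $true; break }
            $parent = $byPid[$parent.ParentProcessId]
        }
        if (-not $hit) { continue }
        # Secondary indicators: the script host was given code inline, not a script file on disk.
        $flags = @()
        if ($e.CommandLine -match '\s-(e|ec|enc|encodedcommand)\s') { $flags += 'encoded command' }
        if ($e.CommandLine -match '\s-w(indowstyle)?\s+hidden')     { $flags += 'hidden window' }
        if ($e.CommandLine -notmatch '\s-f(ile)?\s')                 { $flags += 'no script file' }
        [pscustomobject]@{
            ProcessId  = $e.ProcessId
            Chain      = ($chain[($chain.Count - 1)..0] -join ' -> ')   # oldest ancestor first
            Indicators = ($flags -join ', ')
        }
    }
}

Find-OfficeToScriptChains -Events $events | Format-List
```

Only PID 4180 is reported (WINWORD.EXE -> powershell.exe, with all three indicators); the scheduled backup script spawned from Explorer is not, which is the point: the parent chain, not the presence of PowerShell, is what distinguishes the attack from normal administration.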
4. Fileless attacks are on the rise.
In truth, many of the techniques that fileless attacks utilize have been around for some time. In-memory exploits, for example, date back to the prolific Code Red and SQL Slammer worms of the early 2000s. But the creation and widespread distribution of easy-to-use attack tools and exploit kits has made them far more prevalent. In particular, penetration-testing frameworks like Metasploit and PowerSploit are being abused since they provide ready-made fileless exploits that can be added to any attack.
As a result, these techniques aren’t limited to sophisticated hackers and nation-state espionage groups anymore. They’re readily available for the average cyber criminal to use, and the number of fileless attacks on companies has risen dramatically. Once considered fringe cases, fileless attacks have now been reported by nearly a third of the organizations polled in the SANS 2017 Threat Landscape survey.
5. Fileless attacks can be stopped.
While fileless techniques can be extremely difficult to detect, there are things you can do to protect your business and reduce your risk. A good first step is to disable admin tools that your organization isn’t actively utilizing, or, at the least, restrict their permissions and functionality. Because so many fileless techniques rely on it, PowerShell should be at the top of your list to consider limiting or disabling altogether.
Likewise, disabling Office macros can take away one of the most common launching points for fileless attacks. Operating systems and applications should be patched as religiously as possible, and when patching isn’t feasible, those systems should be isolated to prevent potential attacks from spreading.
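As an added example that is not from the article or any vendor, the following PowerShell audits a Windows endpoint for the controls the advice above maps to: the Group Policy registry values that govern Office macro behaviour and PowerShell logging, and the language mode of the running PowerShell session. Which policies to include is my own assumption; Office 2016/365 writes its policies under the 16.0 key, so adjust the paths for other versions.

```powershell
# Added example, not from the article. Each check names the control, the registry location
# Group Policy writes it to, and the hardened value. (Assumed list; extend to Excel, PowerPoint, etc.)
$checks = @(
    @{ Setting = 'Word: disable all macros without notification';        Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security';  ValueName = 'VBAWarnings';                       Hardened = 4 }
    @{ Setting = 'Word: block macros in files from the Internet';        Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security';  ValueName = 'blockcontentexecutionfrominternet'; Hardened = 1 }
    @{ Setting = 'Excel: disable all macros without notification';       Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'; ValueName = 'VBAWarnings';                       Hardened = 4 }
    @{ Setting = 'PowerShell: script block logging (records in-memory code)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; ValueName = 'EnableScriptBlockLogging'; Hardened = 1 }
    @{ Setting = 'PowerShell: module logging';                           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging';      ValueName = 'EnableModuleLogging';      Hardened = 1 }
)

function Test-FilelessHardening {
    param([hashtable[]]$Checks = $checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Missing value -> $null, reported as "(not set)" rather than as a pass.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.ValueName -ErrorAction SilentlyContinue).($c.ValueName)
        }
        [pscustomobject]@{
            Setting  = $c.Setting
            Expected = $c.Hardened
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($actual -eq $c.Hardened) { 'OK' } else { 'REVIEW' }
        }
    }
    # Constrained Language Mode limits what code executed in memory can reach (.NET types, COM, Add-Type).
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        Setting  = 'PowerShell: language mode of this session'
        Expected = 'ConstrainedLanguage'
        Actual   = "$mode"
        Status   = if ($mode -eq 'ConstrainedLanguage') { 'OK' } else { 'REVIEW' }
    }
}

Test-FilelessHardening | Format-Table -AutoSize
```

Run it in the context of an ordinary user (HKCU is per user) and again elevated for the HKLM checks; a row marked REVIEW is a setting to take to your Group Policy owner, not necessarily a misconfiguration, since some organizations legitimately need signed macros or scripting.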
With no files to scan, detecting and blocking fileless attacks ultimately comes down to your IT department's ability to identify malicious activity and behaviors on the endpoint -- ideally before any damage is done. There are new endpoint solutions that can accomplish that task and stop fileless attacks in real time, before they are able to compromise the device. IT and security leaders should investigate their options to determine the right solution for keeping their organizations safe.