Key Characteristics of Modern Fileless Attacks

Photograph Depicts Security Scan Identifying A Computer Expoit In A String Of Binary Code.

One of the findings in the 2017 Verizon Data Breach Investigations Report (DBIR) is that only 51 percent of cyberattacks involve malware. The remaining 49 percent represent a major vulnerability concern for organizations: the growing incidence of fileless, malware-free attacks that can bypass standard security tools.

Even though organizations are investing in security solutions at a record pace — IDC projects global spending on cybersecurity will increase to $101 billion by 2020 — outbreaks and breaches continue to plague companies in every market sector. This underscores the impact of threats that have been specifically designed and crafted to evade most security solutions, primarily by employing fileless attacks. In this blog and in a new white paper, we’ll explain how and why these exploits are so effective.

The three major elements that characterize a modern malware-free attack are as follows:

First, it begins with a fileless infection, which is an attack that doesn’t write anything to disk. This allows it to bypass most legacy antivirus (AV) solutions because they rely on scanning for malicious files – no file, no detection. Instead, an attacker can use an exploit, which leverages a trusted system, application or process to gain a foothold in the target machine. Effective and reliable exploits used to be hard to create, but the advent of exploit kits has made it easy for almost anyone to use exploits in their attacks and dispense with the more easily detected malware-based tactics.

Next, once the attacker has control over the system they can use the built-in tools that are part of the operating system’s administration functions, such as PowerShell or Windows Management Instrumentation (WMI), to evade detection. This is a blind spot for legacy AV, whitelisting and even sandboxing solutions because those built-in tools are trusted and allowed to run in most environments. Rather than the attacker trying to download and execute a malicious file that could be detected at any time by a legacy AV solution, everything he needs to accomplish his tasks is readily available on the target system itself.

Finally, the attacker can establish persistence in the environment by creating “back doors” that are so hidden, they can’t be detected by most security tools. These back-door techniques can range from adding pertinent registry keys — such as a “Sticky Key,” which is a Windows feature that enables onscreen keyboard shortcuts — to simply creating a new user account for the attacker. This is an obvious and popular choice because it allows attackers to easily bypass AV, firewalls, whitelisting and even sandboxing solutions, giving them access to the compromised system at will, while remaining completely undetected.

A new approach is needed

The rise of these stealthy malware-free attacks that render legacy security solutions ineffective reveals the need for a completely new approach. That’s why the cloud-native CrowdStrike Falcon® platform was created: to offer a revolutionary approach that combines all the security capabilities required to protect against both legacy and modern attacks in a single lightweight agent that’s powered by artificial intelligence rather than signatures, delivering anti-malware protection without the need for daily signature updates. That same agent also uses next-generation protection mechanisms such as machine learning, behavioral analytics and continuous monitoring, to protect organizations from today’s most sophisticated malware-free attacks.

Falcon defends against fileless attacks with these innovative features:

  • Application inventory helps you understand if you have vulnerable applications running in your environment, allowing you to patch or update them so they can’t be the target of exploits.
  • Exploit blocking stops the execution of fileless attacks via exploits that take advantage of unpatched vulnerabilities.
  • Indicator of attack (IOA) behavioral analysis identifies and blocks unknown ransomware in the early stages of an attack before it can fully execute and inflict damage. This capability also protects against new categories of ransomware that don’t use files to encrypt victim systems.
  • Managed hunting proactively searches your environment around the clock for malicious activities that are generated as a result of fileless techniques.

To learn more about fileless attacks and how to protect against them, download the white paper, “Who Needs Malware? How Adversaries use Fileless Attacks to Evade Your Security.”

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial