A new webcast, “Understanding Fileless Attacks and How to Stop Them,” explains the rise in fileless attacks and why this stealthy approach is enjoying such renewed interest among today’s adversaries. Fileless threats have not only gotten the attention of security professionals, but of the public at large. To illustrate, the webcast points out that Google analytics indicates a surge in searches on “fileless malware” over the last eight months by a factor of 20.
Even though fileless attacks have been around for 10 or more years, they are currently enjoying a renaissance with new and improved techniques to enhance lateral movement, establish persistence and ultimately steal your data. Fileless, malware-free attacks are becoming so prevalent that according to the recent Verizon Data Breach Investigations Report (DBIR), only 51 percent of reported breaches were malware-based.
What is a Fileless Attack?
Although there has been debate in the industry over what constitutes a fileless attack, there now seems to be agreement that as the name implies, they are cyberattacks that don’t include any executable files. This means standard signature-based AV solutions, used by a vast majority of organizations, are ineffective against them. AV products that scan for suspicious files may be necessary security tools, but they are blind to attacks where no file is present.
However, as the webcast points out, it’s important to understand that a dedicated adversary will not necessarily stick to one mode of attack. These attacks are being perpetrated by human beings who are capable of improvising. Though many adversaries may begin with a malware attack, if that fails they can quickly switch to a fileless approach. It’s also been observed that attackers often will use malware to gain a foothold in an environment and then switch to fileless techniques to establish persistence and lateral movement.
Common Fileless Attack Techniques
The webcast includes a detailed, end-to-end demonstration of a fileless attack, allowing viewers to see how each step of an attack might unfold. It also discusses the most common fileless attack techniques security analysts are observing in the field, including:
- Spear phishing for credentials: An attacker emails an employee and manages to get his credentials. This is often preceded by social media research of the target to gain familiarity. Despite the training most organizations conduct to prevent this from happening, a certain percentage of employees will fall for these tactics.
- “Living off the land”: This occurs when the attacker gains entry and uses tools already available on the targeted system, such as PowerShell and WMI, to perform whatever nefarious tasks he wants without introducing malware that might be detected.
- Registry persistence: This occurs when the attacker hides code in the registry, making it much more challenging to detect.
- Webshell: This tactic uses the functionality of an organization’s own web server, which is externally facing and therefore easy to access. A webshell file can be dropped on the server to create a backdoor that the attacker can use later.
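Because none of the techniques above drops a signature-scannable file, detection has to key on behaviour: which process spawned which, what the command line asks for, and what is written to the registry. The following is an added example (not code from the webcast or from CrowdStrike) that runs a few such behavioural rules over a constructed set of process-creation events covering the phishing-to-PowerShell chain, a WMI remote process launch, a Run-key write and a web server worker spawning a shell; the hosts, paths and command lines are invented sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation telemetry (hypothetical, not real logs), one event per line:
# timestamp | host | parent image | image | command line
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 | WS01 | C:\\Windows\\explorer.exe | C:\\Program Files\\Microsoft Office\\WINWORD.EXE | WINWORD.EXE /n invoice.docx
2024-01-01T10:00:05 | WS01 | C:\\Program Files\\Microsoft Office\\WINWORD.EXE | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -nop -w hidden -enc <b64>
2024-01-01T10:00:07 | WS01 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic /node:FS01 process call create "powershell -w hidden -enc <b64>"
2024-01-01T10:00:09 | WS01 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | C:\\Windows\\System32\\reg.exe | reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d "powershell -w hidden -enc <b64>"
2024-01-01T10:01:00 | WEB01 | C:\\Windows\\System32\\inetsrv\\w3wp.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c whoami
2024-01-01T10:02:00 | WS02 | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe notes.txt
"""
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_WORKERS = {"w3wp.exe", "httpd.exe"}                                    # IIS / Apache worker processes
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)   # autorun registry keys
WMI_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)  # wmic remote process launch

def parse_event(line):
    ts, host, parent, image, cmd = (f.strip() for f in line.split(" | ", 4))
    return {"ts": ts, "host": host, "cmd": cmd, "parent": PureWindowsPath(parent).name.lower(),
            "image": PureWindowsPath(image).name.lower()}

def uses_encoded_command(cmd):
    """True if a switch is any prefix of -EncodedCommand (PowerShell accepts -e, -enc, ...)."""
    return any(t[0] in "-/" and t[1:] and "encodedcommand".startswith(t[1:].lower())
               for t in cmd.split())

def behaviours(ev):
    """Behavioural indicators of attack: what the process is doing, not a file signature."""
    hits = []
    if ev["parent"] in OFFICE_APPS and ev["image"] in LOLBINS:
        hits.append("office_app_spawns_lolbin")      # phishing document -> living off the land
    if ev["image"] in ("powershell.exe", "pwsh.exe") and uses_encoded_command(ev["cmd"]):
        hits.append("encoded_powershell")             # obfuscated, in-memory script execution
    if ev["image"] == "wmic.exe" and WMI_CREATE.search(ev["cmd"]):
        hits.append("wmi_remote_process_create")      # lateral movement without dropping a file
    if ev["image"] in ("reg.exe", "powershell.exe", "pwsh.exe") and RUN_KEY.search(ev["cmd"]):
        hits.append("run_key_persistence")            # command stored in an autorun registry key
    if ev["parent"] in WEB_WORKERS and ev["image"] in LOLBINS:
        hits.append("web_server_spawns_shell")        # typical webshell behaviour
    return hits

def detect(events=SAMPLE_EVENTS):
    """Return (host, image, indicator) for every event matching a behavioural rule."""
    findings = []
    for line in filter(str.strip, events.splitlines()):
        ev = parse_event(line)
        findings.extend((ev["host"], ev["image"], b) for b in behaviours(ev))
    return findings
```

Run against the sample, `detect()` flags the four malicious events and ignores the two benign ones, even though no rule looks at a file hash or file name.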
How to Protect Against Fileless Attacks
The webcast includes a demonstration of how the CrowdStrike Falcon® platform protects against fileless attacks, showing how Falcon not only records adversaries’ tools, techniques and procedures (TTPs) during an attack, but also has the capacity to stop an attack at any stage. This means that depending on how users configure their prevention policies, Falcon can stop a fileless attack at any point: from initial compromise, to command and control, privilege escalation, persistence and exfiltration.
The presentation puts a particular focus on the Falcon platform’s indicator of attack (IOA) capability, which uses behavioral analysis to identify and stop threats. As the presenter explains using an analogy to a physical crime, “Rather than detect whether a club or a knife is being used, IOAs look at the intention of the intruder — what is he trying to accomplish?”
Key takeaways from the presentation that are well worth remembering:
The threat is real: The Verizon statistic cited earlier shows that fileless attacks will continue to be a dangerous threat to organizations for the foreseeable future. Defenses based on behavioral analysis, rather than on recognizing known files, are critical to mounting an adequate response.
Traditional AV is not enough — legacy defenses don’t work: Organizations shouldn’t assume they are prepared for a fileless attack. Some surveys have shown that as much as 85 percent of organizations rated their AV solution as “good” or “excellent” protection against fileless attacks, but that’s simply not true. Another survey of webcast attendees showed that 45 percent consider their protection to be average, while 25 percent believe their organization has subpar protection against fileless attacks — likely, a much more realistic assessment.
Think beyond malware and focus on stopping the breach: Organizations need to not only dispense with legacy security, they need to let go of legacy ideas about stopping malware. Switching your focus to stopping the breach allows your approach to encompass every form of attack — whether an adversary is using a tried and true malware-based threat, a fileless technique or a combination of tactics.
Watch the on-demand webcast “Understanding Fileless Attacks and How to Stop Them.”
Read the white paper, “Who Needs Malware? How Adversaries Use Fileless Attacks to Evade Your Security.”