[BreachExchange] 5 Things You Need to Know About the New (and Scary) Wave of 'File-less' Cyber Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 20 15:15:51 EDT 2017


https://www.entrepreneur.com/article/303399

In the wake of the Equifax breach and the global WannaCry ransomware
outbreak earlier this year, tensions around cybersecurity are at an
all-time high. Companies are feeling more pressure to invest in new
policies and products that can keep their sensitive data safe.

Yet even as they increase their security budgets, many organizations harbor
real concerns as to whether any existing technology can help them keep up
with the rapidly evolving nature of today’s threats.

In particular, they’re worried about the steadily growing number of attacks
designed to gain access to their systems and silently infect them, without
ever downloading malicious programs or leaving behind any obvious trace.

These attacks can go by several names. “Fileless attacks” is a common one,
but “non-malware attacks” and “living-off-the-land attacks” are also used.
The bottom line is that these malicious actions are specifically designed
to evade detection, primarily by using a victim company's trusted software
and system tools against it. As a result, these attacks are quickly becoming
the number-one threat keeping IT and security professionals up at night.

To clarify what actually constitutes a fileless attack and explain how it
can work, here are five things every business leader should know:

1. Fileless attacks exploit a fundamental gap in traditional endpoint
security.

Traditionally, cyber attacks involving malware have revolved around
attackers gaining access to a victim’s computer (typically by either
exploiting a software vulnerability or tricking the victim into downloading
something he or she shouldn’t), and then installing an executable file (the
"payload") that does the damage.

The problem with this approach from an attacker’s perspective is that
antivirus solutions are built to scan and block any suspicious files that
land on the computer. By not installing malicious files, however, attackers
can simply bypass these solutions. All they need to do is hijack otherwise
legitimate system tools and trusted applications to do their dirty work for
them.

2. There are a variety of fileless techniques attackers can use.

At a high level, attacks can be broken down into two primary stages: the
initial compromise that gives attackers access to a target system, and the
post-exploitation activities they conduct once they are there. Attackers can
utilize fileless techniques during one or both of these stages to accomplish
their goals even as they evade traditional and even next-generation,
machine-learning-powered antivirus software.

To gain initial access, attackers will often utilize exploits designed to
take advantage of flaws in the software the victim is already running. The
Equifax breach is a recent example. Attackers were able to exploit a
vulnerability in the company’s unpatched version of Apache Struts and use
it to execute malicious commands.

Exploiting vulnerable applications and injecting code into normal system
processes are both popular fileless techniques for gaining access and
execution on machines without getting noticed.

Once the initial compromise is complete, attackers can continue avoiding
detection by abusing powerful system administration tools like PowerShell,
PsExec and Windows Management Instrumentation (WMI). Because these tools
have legitimate use cases, they allow attackers to hide in plain sight
while they escalate privileges, move laterally throughout the network and
achieve persistence by making changes to the registry.

3. A fileless attack can involve files.

Before going any further, we should dispel one of the most common
misunderstandings surrounding fileless attacks -- they often do involve
files, especially in the initial compromise stage of the attack. The
primary difference is that these files aren’t malicious executables, but
instead files like Microsoft Office documents.

The challenge from a traditional endpoint security perspective is that
there is nothing inherently malicious about these files on their own, so
scanning them won’t necessarily raise any red flags. That makes them the
perfect vehicles to kick off an attack.

For example, an attack may begin with an employee being tricked into
opening a Word document received in a phishing email; the employee thus
inadvertently activates a macro or script embedded inside.

That macro or script then launches PowerShell, a legitimate framework built
into Windows for automating system-administration tasks. From there, the
attacker uses PowerShell to execute malicious code directly in memory,
making the attack from this point forward truly fileless.

Because the individual components of the attack aren’t malicious, security
solutions need to be able to observe how they are behaving together, and
recognize when a chain of behaviors from otherwise legitimate programs
constitutes an attack.

4. Fileless attacks are on the rise.

In truth, many of the techniques that fileless attacks utilize have been
around for some time. In-memory exploits, for example, date back to the
prolific Code Red and SQL Slammer worms of the early 2000s. But the creation
and widespread distribution of easy-to-use attack tools and exploit kits
has made them far more prevalent. In particular, penetration-testing
frameworks like Metasploit and PowerSploit are being abused since they
provide ready-made fileless exploits that can be added to any attack.

As a result, these techniques aren’t limited to sophisticated hackers and
nation-state espionage groups anymore. They’re readily available for the
average cyber criminal to use, and the number of fileless attacks on
companies has risen dramatically. Once considered fringe cases, fileless
attacks have now been reported by nearly a third of the organizations
polled, according to the SANS 2017 Threat Landscape survey.

5. Fileless attacks can be stopped.

While fileless techniques can be extremely difficult to detect, there are
things you can do to protect your business and reduce your risk. A good
first step is to disable admin tools that your organization isn’t actively
utilizing, or, at the least, restrict their permissions and functionality.
Because so many fileless techniques rely on it, PowerShell should be at the
top of your list to consider limiting or disabling altogether.

Likewise, disabling Office macros can take away one of the most common
launching points for fileless attacks. Operating systems and applications
should be patched as religiously as possible, and when patching isn’t
feasible, those systems should be isolated to prevent potential attacks
from spreading.

With no files to scan, detecting and blocking fileless attacks ultimately
comes down to your IT department's ability to identify malicious activity
and behaviors on the endpoint -- ideally before any damage is done. There
are new endpoint solutions that can accomplish that task and stop fileless
attacks in real time, before they are able to compromise the device. IT
and security leaders should investigate their options to determine the
right solution for keeping their organizations safe.
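Points 3 and 5 both come down to the same idea: no single process in the
Word → PowerShell chain is malicious on its own, so a detector has to score
the chain of behaviors rather than scan files. The following Python script
is an added example, not code from the article or from any product it
mentions. It runs a small behavior-chain rule over constructed
process-creation records (the field names, PIDs, paths and command lines
are made up to resemble Sysmon/EDR telemetry) and flags a script host whose
ancestry includes an Office application or whose command line carries
traits that are rare in routine administration. The scores and threshold
are assumptions chosen for illustration.

```python
"""Behavior-chain detection over constructed process-creation events.

Every process below (Word, cmd, PowerShell) is a legitimate Windows binary;
the detector looks at who launched whom and at command-line traits, which is
the "chain of behaviors" view the article says endpoint security needs.
"""
import json
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry (not real logs). One phishing-style chain
# (Word -> cmd -> hidden, encoded PowerShell) and one benign admin session
# (Explorer -> PowerShell running a maintenance script) are interleaved.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4212, "ppid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"pid": 4330, "ppid": 4212, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"pid": 4341, "ppid": 4330,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden "
                "-EncodedCommand <BASE64_PLACEHOLDER>"},
    {"pid": 5010, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ops\rotate-logs.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def cmdline_score(cmdline):
    """Score command-line traits typical of in-memory execution.

    Weights are illustrative assumptions: encoded commands weigh most, a
    hidden window next, a skipped profile least (admins use it too).
    """
    tokens = cmdline.lower().split()
    score = 0
    for i, tok in enumerate(tokens):
        if tok in ("-encodedcommand", "-enc", "-ec"):
            score += 3
        elif tok in ("-windowstyle", "-w") and i + 1 < len(tokens) \
                and tokens[i + 1].startswith("hid"):
            score += 2
        elif tok in ("-noprofile", "-nop"):
            score += 1
        elif tok in ("iex", "invoke-expression") or "downloadstring" in tok:
            score += 2
    return score


def ancestry(by_pid, pid, max_depth=6):
    """Walk parent links from pid upward; returns events child-first."""
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev.ppid
    return chain


def load_events(records):
    return [Event(**r) for r in records]


def evaluate(events, threshold=4):
    """Return alerts for script hosts whose chain score reaches threshold."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        names = [basename(e.image) for e in ancestry(by_pid, ev.pid)]
        score, reasons = cmdline_score(ev.cmdline), []
        if score:
            reasons.append("command-line traits (+%d)" % score)
        # An Office application anywhere above the script host means a
        # document, not a user or scheduler, started this execution chain.
        office = next((n for n in names[1:] if n in OFFICE_APPS), None)
        if office:
            score += 4
            reasons.append("spawned under %s (+4)" % office)
        if score >= threshold:
            alerts.append({"pid": ev.pid, "score": score,
                           "chain": " <- ".join(names), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(evaluate(load_events(SAMPLE_EVENTS)), indent=2))
```

Run as-is, the script reports the cmd.exe and powershell.exe processes under
WINWORD.EXE and stays silent on the administrator's PowerShell session,
which scores only for `-NoProfile`. The per-event view (scan this file, scan
that process) would have passed all five records; only the ancestry plus
command-line view separates the two sessions.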