Cybercriminals take the path of least resistance—which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.
Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don’t need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.
“Our focus in this industry is still on traditional attack vectors we’ve been dealing with for most of our careers,” says Heath Renfrow, CISO at Leo Cyber Security.
It’s time for businesses to take a closer look at how these threats work, how they can be detected, why they’re predicted to grow, and the steps they can take to protect themselves.
Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.
“What’s different about today is not the fact of fileless—both Code Red and Slammer used this—it’s the fact that the bulk of the attack chain, the steps of the attack, are all fileless,” she says. “If they do involve a payload it often looks legitimate and therefore, it’s very hard to detect.”
The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.
Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it’s oftentimes more valuable to access someone’s Office 365 or Amazon Web Services login, Johnston says.
All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they’re not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.
Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can’t monitor their full ecosystem. Many are “drowning in data” and are unable to bring account and user activity into a single place for analysis.
The challenge escalates when employees don’t adopt basic security practices. Lovejoy points out that phishing attacks are popular means of delivering attacks and obtaining credentials.
Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.
Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking “significantly increases the risk to the infrastructure,” he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.
Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. “Think about a cloud environment,” he says. “How much insight does a CISO have into who’s logging in and where?” Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned—legitimate creds within attackers’ reach.
While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. “The sad reality is we’re seeing an increase in the number of destructive attacks that are being leveraged,” she points out.
Protecting against phishing starts with employee education. “Trick them, test them, teach them,” says Lovejoy. “The goal is to immunize enough people so the disease can’t take hold.” Employees should also have a means to report activity they feel is suspicious.
