Things to know about fileless attacks

Fileless attacks are particularly tricky because they don't require anything to be installed before causing harm. Here are the basics you should know about this type of threat.

Securing your company does mean stopping malware. But in the ever-evolving security war, bad actors are turning to what are called fileless attacks, which don't require a payload or tricking someone into installing one.

Easy for the bad people, but harder for you.

Here are five things to know about fileless attacks:

1. They masquerade inside trusted software. According to Carbon Black's 2017 Threat Report, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52 percent of all attacks for the year.

2. They work by stealing usernames and passwords, especially through phishing attacks.

Once they have those, especially from high-level users, they don't need malware running at all. The bad folks simply log in on domain accounts or as an IT administrator and take what they want.

3. Personal accounts and local admin accounts are the easiest targets. They're often not tied to a specific person and go ignored. Once a bad actor gets hold of one, they can work on privilege escalation from there.

4. Abandoned credentials are a gold mine. If an attacker gets hold of a former employee's or client's account that was never decommissioned, nobody may ever notice. Map out your credentials across your networks, and make sure you know who has access and why.

5. They're not new. Like most attack vectors, they've been around for a while. Code Red and Slammer both made use of fileless techniques. What is new is that every step of the attack is becoming fileless.
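Items 3 and 4 above come down to knowing which accounts exist and which ones nobody is using any more. The following PowerShell script is an added example, not code from the original article, that builds that inventory for review: domain users that have not logged on within a window, local users on the current host in the same situation, and the members of the local Administrators group. It assumes the ActiveDirectory RSAT module is installed, the caller can read the domain, and a 90-day window is reasonable for the environment; the window and the report path are assumptions to adjust.

```powershell
# Added example (not from the original article): inventory accounts that look abandoned
# so they can be reviewed and decommissioned.
# Assumptions: ActiveDirectory RSAT module present, read access to the domain,
# and a 90-day inactivity window. LastLogonDate is derived from the replicated
# lastLogonTimestamp attribute, which can lag real logons by up to 14 days, so
# treat the window as a review threshold, not proof that an account is unused.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$ReportPath   = Join-Path $env:TEMP 'abandoned-account-review.csv'   # assumed output path

# Members of Domain Admins (recursively), so a stale privileged account is called out.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Enabled domain users that have not logged on since the cutoff, or never at all.
$StaleDomainUsers = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated, Description |
    Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    ForEach-Object {
        $finding = if ($null -eq $_.LastLogonDate) { 'Never logged on' } else { "Inactive > $InactiveDays days" }
        if ($DomainAdmins -contains $_.SamAccountName) { $finding += '; member of Domain Admins' }
        [pscustomobject]@{
            Account              = $_.SamAccountName
            Kind                 = 'DomainUser'
            LastLogon            = $_.LastLogonDate
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            Created              = $_.whenCreated
            Description          = $_.Description
            Finding              = $finding
        }
    }

# Enabled local users on this host that are equally quiet (item 3: local admin accounts).
$StaleLocalUsers = Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $Cutoff) } |
    ForEach-Object {
        [pscustomobject]@{
            Account              = "$env:COMPUTERNAME\$($_.Name)"
            Kind                 = 'LocalUser'
            LastLogon            = $_.LastLogon
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = ($null -eq $_.PasswordExpires)
            Created              = $null
            Description          = $_.Description
            Finding              = if ($null -eq $_.LastLogon) { 'Never logged on' } else { "Inactive > $InactiveDays days" }
        }
    }

# Who holds local admin rights on this host, and where each principal comes from.
$LocalAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object {
        [pscustomobject]@{
            Account              = $_.Name
            Kind                 = "LocalAdmin($($_.ObjectClass))"
            LastLogon            = $null
            PasswordLastSet      = $null
            PasswordNeverExpires = $null
            Created              = $null
            Description          = "Source: $($_.PrincipalSource)"
            Finding              = 'Member of local Administrators'
        }
    }

$Report = @($StaleDomainUsers) + @($StaleLocalUsers) + @($LocalAdmins)
$Report | Export-Csv -Path $ReportPath -NoTypeInformation

"Stale domain users : $(@($StaleDomainUsers).Count)"
"Stale local users  : $(@($StaleLocalUsers).Count)"
"Local admins       : $(@($LocalAdmins).Count)"
"Report written to  : $ReportPath"
```

The report is a starting point for the "who has access and why" question, not an answer to it: each row still needs an owner to confirm whether the account should be disabled, and accounts flagged as both stale and privileged deserve attention first.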

Not all security threats are "-ware" of any kind, spyware, malware or otherwise. Education and training are your best defense here. Make sure your people know what these threats are and how they can be used as a vector. They may be fileless, but they aren't harmless.

How do you minimize fileless malware infections? The first half of 2017 has already seen a large number of attacks that have compromised major networks worldwide. Ransomware has led the charge in viral infections, but other infections have quietly taken hold of networks while hiding in plain sight.

In these types of attacks, fileless malware secretly invades networks and takes hold of systems using the host's native tools and applications to exfiltrate data, deliver additional malware payloads, and remain a persistent threat, which allows attackers to exploit the systems again during future campaigns.

How do you fight an enemy you don't see? Well, thankfully, fileless malware isn't truly undetectable, but you definitely need to know where to look and what to look for, both to reduce your chances of getting infected and, in the event of a compromise, to limit the spread of the exposure.

While the measures below are by no means all-encompassing, they do provide a good foundation to build on using layered security practices, and they can be supplemented with customized solutions that meet (or exceed) your organization's specific needs.

Restrict unnecessary scripting languages. One of the key things fileless malware relies on to carry out its attacks on hosts is the set of management frameworks and tools native to the system's operating system. In many of these attacks, the PowerShell and Windows Management Instrumentation (WMI) frameworks are used to secretly execute commands on the host while the infection resides only in memory.

If your organization doesn't use these tools, one of the best protections is to disable them altogether. This hardens the system against PowerShell being used to manipulate the host and against WMI being used to enumerate system details that can in turn be used to attack it. With that hole closed, attackers can no longer rely on this vector.
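In practice Windows itself depends on PowerShell and WMI, so removing them outright is rarely possible; what can be done is to remove the legacy engine, make their use visible, and cut off remote WMI on hosts that don't need it. The script below is an added example, not code from the original article, that does exactly that in an elevated session: it disables the Windows PowerShell 2.0 engine (which has none of the modern logging), turns on script block and module logging so PowerShell activity lands in the event log, blocks inbound WMI at the host firewall, and then pulls the last week of logged script blocks and any WMI permanent event subscriptions for review. The feature name, registry paths, firewall rule group and event IDs are Microsoft's; the seven-day window, the keyword list and the assumption that this host is not managed over WMI from elsewhere are the example's own.

```powershell
# Added example (not from the original article). Run elevated on the host being hardened.
# Assumptions: the host is not administered remotely over WMI/DCOM, a 7-day review window
# is enough, and the keyword list below is only a first-pass triage filter.
$ErrorActionPreference = 'Stop'

# 1. Remove the legacy PowerShell 2.0 engine. It cannot produce script block logs,
#    so leaving it installed gives an attacker a way around step 2 (may need a reboot).
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    'Disabled the PowerShell 2.0 engine'
}

# 2. Turn on script block logging (Event ID 4104) and module logging for all modules.
#    These are the same policy keys Group Policy writes, so a GPO can replace this step.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$Sbl        = Join-Path $PolicyRoot 'ScriptBlockLogging'
New-Item -Path $Sbl -Force | Out-Null
Set-ItemProperty -Path $Sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

$Ml = Join-Path $PolicyRoot 'ModuleLogging'
New-Item -Path (Join-Path $Ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $Ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $Ml 'ModuleNames') -Name '*' -Value '*' -Type String
'Enabled script block and module logging'

# 3. Block inbound remote WMI. Local WMI keeps working; only the DCOM/WMI listener
#    exposed to the network is closed (assumption: nothing manages this host that way).
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object Direction -eq 'Inbound' |
    Disable-NetFirewallRule
'Disabled inbound WMI firewall rules'

# 4. Review: script blocks logged in the last week that contain download, decode or
#    encoded-command keywords, which are worth a second look on a host that should
#    not be running ad hoc PowerShell at all.
$Since    = (Get-Date).AddDays(-7)
$Keywords = 'DownloadString|DownloadFile|FromBase64String|Invoke-Expression|\bIEX\b|-EncodedCommand|-enc\b'
$Blocks   = Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
            } -ErrorAction SilentlyContinue
$Flagged  = @($Blocks | Where-Object { $_.Message -match $Keywords })
"Script blocks logged: $(@($Blocks).Count); flagged for review: $($Flagged.Count)"
$Flagged | Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap

# 5. Review: WMI permanent event subscriptions. A filter bound to a consumer in
#    root\subscription survives reboots with no file on disk, so every entry here
#    should be explainable (a few legitimate ones ship with Windows and SCCM).
$Subscriptions = foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue
}
"WMI subscription objects found: $(@($Subscriptions).Count)"
$Subscriptions | Select-Object CimClass, Name, Filter, Consumer, Query, CommandLineTemplate |
    Format-Table -AutoSize -Wrap
```

Script block logging is the piece that makes "an infection that resides only in memory" visible: the script text is recorded when it is compiled, whatever form it arrived in. Forward Event ID 4104 (and the WMI-Activity operational log) to a central collector, because a host that has been compromised is the one place you should not expect those logs to survive.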

For comments or assistance in CyberSecurity contact me at Schumacher@eitsc.com
