Responding to the Rise of Fileless Attacks

Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.

Cybercriminals take the path of least resistance -- which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.

Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don't need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.

Yet businesses still aren't paying attention.

"Our focus in this industry is still on traditional attack vectors we've been dealing with for most of our careers," says Heath Renfrow, CISO at Leo Cyber Security.

It's time for businesses to take a closer look at how these threats work, how they can be detected, why they're predicted to grow, and the steps they can take to protect themselves.

The Evolution of Modern Fileless Attacks

Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.

"What's different about today is not the fact of fileless -- both Code Red and Slammer used this -- it's the fact that the bulk of the attack chain, the steps of the attack, are all fileless," she says. "If they do involve a payload it often looks legitimate and therefore, it's very hard to detect."

The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.

"Within a network, what's breaking the backs of organizations is the theft of usernames and passwords," he explains. "It's not the malware that's doing the trick."

Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it's oftentimes more valuable to access someone's Office 365 or Amazon Web Services login, Johnston says.

All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they're not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.

Why You're Vulnerable

Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can't monitor their full ecosystem. Many are "drowning in data" and are unable to bring account and user activity into a single place for analysis.

"If they can't track it, they can't understand which accounts have access to what," Johnston explains. "They have no way to visualize, and no way to track and scale, all of these different identities that don't always line up to a human."

The challenge escalates when employees don't adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.

Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.

"What hackers are doing is trying to get into personal accounts, and using that to get into corporate," Buduri explains. Many threat actors target low-level employees with the idea that once they're in, they can monitor email activity to learn the addresses of high-ranking workers.

Poised to Grow

Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking "significantly increases the risk to the infrastructure," he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.

Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. "Think about a cloud environment," he says. "How much insight does a CISO have into who's logging in and where?" Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned -- legitimate creds within attackers' reach.

While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. "The sad reality is we're seeing an increase in the number of destructive attacks that are being leveraged," she points out.

What Can You Do About It?

Protecting against phishing starts with employee education. "Trick them, test them, teach them," says Lovejoy. "The goal is to immunize enough people so the disease can't take hold." Employees should also have a means to report activity they feel is suspicious.

"Always enact the policy 'If you see something, say something,'" she adds.

On top of this, businesses should take a close look at activity in their ecosystems.

"One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure," says Renfrow. "It was eye-opening … we had more credentials running through our infrastructure than we had people."

After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine's infrastructure, he says automation was necessary for this.

He advises organizations to go back to the "old-school" method of looking at their traditional identity and access management. From there, if they're mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.

"I think it would be eye-opening for any organization," Renfrow says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading: