The threat landscape is constantly evolving, and we’re currently seeing a growing number of cyber criminals making a fundamental change in the way they carry out their attacks. Rather than installing executable files via phishing that antivirus solutions can easily scan and detect, they’re utilizing exploits, scripts, and otherwise legitimate administration tools to run malicious code directly from memory. As a result, these “fileless” attacks are bypassing traditional security defenses and wreaking havoc on victim networks.
With fileless attacks on the rise, there still remains a great deal of confusion around the use of the term “fileless” and what it actually means. To clarify what constitutes a fileless attack and help you better prepare your organization for facing them, let’s debunk five of the most common myths and misunderstandings:
Myth #1: Fileless attacks never involve files
Perhaps the biggest point of contention and confusion surrounding fileless attacks is that they can and often do involve files, especially during the early initial infection stage.
For example, an attack may begin with an employee tricked into opening a Word document they receive in a phishing email, and activating a macro or script embedded inside. That macro or script launches PowerShell, a legitimate framework built into Windows for automating system administration tasks. From there, the attacker uses PowerShell to execute malicious code directly in memory, making the attack from this point forward truly fileless.
Because attacks can have both fileless and file-based components, debating whether they’re truly 100% fileless from start to finish is beside the point. Terms like “fileless attack” and “fileless malware” are used interchangeably, but they’re often misnomers that simply imply an attack utilizes fileless tactics or techniques at one stage or another.
Myth #2: Fileless attacks are a brand new threat
In truth, many fileless techniques have been around for some time. In-memory exploits, for example, date back to the prolific Code Red and SQL Slammer worms of the early 2000s. Metasploit, the open source framework for developing and executing remote exploit code was created in 2003. Mimikatz, a popular penetration testing tool for dumping credentials straight from memory, has been around since 2011. Both have been used to carry out attacks that actively avoid writing malicious executable files to disk.
One of the reasons we’re seeing such a growing influx of fileless attacks now, however, is because many antivirus vendors are bolstering their file-scanning capabilities with advances in machine learning. In response, attackers are revisiting these pre-existing fileless tools and techniques and utilizing them to bypass file-scanning security solutions altogether.
Myth #3: Only APT and nation-state actors use fileless techniques
Many high-profile fileless attacks conducted in the past have involved sophisticated hacking groups (Stuxnet, Duqu https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf, etc.), but now we’re also seeing fileless techniques being incorporated into a far wider variety of attacks such as ransomware campaigns.
Tools and techniques developed by targeted attack groups have a tendency of finding their way downstream. Pentesting frameworks like Metasploit have played a role in accelerating that process, as have events like the Shadow Brokers leak in April, which made exploits purportedly developed by the NSA readily available for any would-be cyber criminal to use.
The easy, plug-and-play utility of these exploits and attack frameworks means there’s really no sophisticated “hacking” required. It’s more “paint-by-numbers.”
Myth #4: Only a small portion of attacks use fileless techniques
The truth is this is a trend on the rise. According to the SANS 2017 Threat Landscape Survey, nearly one third of organizations experienced attacks that leverage fileless techniques in the past 12 months.
It’s becoming especially common to see attacks abuse legitimate system tools like macros, PowerShell, and Windows Management Instrumentation (WMI) to achieve execution, persistence, and spread infections laterally across compromised organizations.
This approach — referred to by experts as “living off the land” — allows attackers to avoid raising red flags by blending in with other authorized system activities and administration. Instead of relying on software exploits or introducing malware onto a machine, they take advantage of the powerful functionality these tools already provide them, and hide their activities in plain sight.
Attackers know a winning strategy when they see one. According to some estimates, nearly four out of 10 successful attacks now involve PowerShell.
