Endpoint

1/11/2018
03:44 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Responding to the Rise of Fileless Attacks

Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.

Cybercriminals take the path of least resistance -- which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.

Fileless, or non-malware, attacks let threat actors skip the steps involved with traditional malware-based attacks. They don't need to create payloads; they can simply use trusted programs to exploit in-memory access. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.

Yet businesses still aren't paying attention.

"Our focus in this industry is still on traditional attack vectors we've been dealing with for most of our careers," says Heath Renfrow, CISO at Leo Cyber Security.

It's time for businesses to take a closer look at how these threats work, how they can be detected, why they're predicted to grow, and the steps they can take to protect themselves.

The Evolution of Modern Fileless Attacks

Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.

"What's different about today is not the fact of fileless -- both Code Red and Slammer used this -- it's the fact that the bulk of the attack chain, the steps of the attack, are all fileless," she says. "If they do involve a payload it often looks legitimate and therefore, it's very hard to detect."

The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.

"Within a network, what's breaking the backs of organizations is the theft of usernames and passwords," he explains. "It's not the malware that's doing the trick."

Threat actors use domain accounts and IP administrator passwords to traverse around target networks and steal information. Their activity takes multiple forms; for example, it's oftentimes more valuable to access someone's Office 365 or Amazon Web Services login, Johnston says.

All attackers have to break in somehow, meaning credential theft is the first step to an attack. Local admin credentials are always the first to go because nobody pays much attention to them and they're not tied to a specific person, Johnston explains. This is generally the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.

Why You're Vulnerable

Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they can't monitor their full ecosystem. Many are "drowning in data" and are unable to bring account and user activity into a single place for analysis.

"If they can't track it, they can't understand which accounts have access to what," Johnston explains. "They have no way to visualize, and no way to track and scale, all of these different identities that don't always line up to a human."

The challenge escalates when employees don't adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.

Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services, says Arun Buduri, cofounder and chief product officer at Pixm. They know people use the same usernames and passwords across services.

"What hackers are doing is trying to get into personal accounts, and using that to get into corporate," Buduri explains. Many threat actors target low-level employees with the idea that once they're in, they can monitor email activity to learn the addresses of high-ranking workers.

Poised to Grow

Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. Teleworking "significantly increases the risk to the infrastructure," he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.

Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. "Think about a cloud environment," he says. "How much insight does a CISO have into who's logging in and where?" Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned -- legitimate creds within attackers' reach. 

While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. "The sad reality is we're seeing an increase in the number of destructive attacks that are being leveraged," she points out.

What Can You Do About It?

Protecting against phishing starts with employee education. "Trick them, test them, teach them," says Lovejoy. "The goal is to immunize enough people so the disease can't take hold." Employees should also have a means to report activity they feel is suspicious.

"Always enact the policy 'If you see something, say something,'" she adds.

On top of this, businesses should take a close look at activity in their ecosystems.

"One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure," says Renfrow. "It was eye-opening … we had more credentials running through our infrastructure than we had people."

After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine's infrastructure, he says automation was necessary for this.

He advises organizations to go back to the "old-school" method of looking at their traditional identity and access management. From there, if they're mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.

"I think it would be eye-opening for any organization," Renfrow says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tbandos
100%
0%
tbandos,
User Rank: Author
1/16/2018 | 1:52:08 PM
Evolution of Fileless Attacks
Beyond just the rise of fileless attacks we're seeing threat actors also evolve more and more in this space through obfuscation techniques. This is an effort to further evade detection capabilities from EDR tools. 2018 will surely be an interesting year. Great post!
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17283
PUBLISHED: 2018-09-21
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Inject...
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.