Cybercriminals are increasingly becoming more adept at finding new and sophisticated ways to avoid being detected. Apart from the rise in ransomware attacks, there has also been an increase in the number of fileless attacks, which pose a threat to organizations and a challenge for security solutions due to the use of sophisticated attack techniques and various non-executable file formats.
The increase in fileless attacks can be attributed to a few reasons: for one, the malicious logic of the attack often occurs in memory, making traditional static detection insufficient. It also complicates post-event analysis because it’s easy for attackers to hide behind. For these and other reasons, various endpoint security solutions have included additional capabilities to combat these types of threats.
Fileless Attacks Explained
The term “fileless attack” encompasses several possible attack scenarios, only some of which don’t write any files to disk, while very few scenarios are completely fileless. Here are some widely accepted definitions of a fileless attack:
Executable-less attacks: Attacks based on a dropper, usually a document or scripts, which is written to disk, and then executes the next stages of the attack. These are the most common forms of fileless attacks.
Dual-use attacks: Attacks based on legitimate files that are either common to the organization attacked or are widely used administrative tools, which can be abused to perform malicious functions. These files are usually written to disk but can also be used as memory payloads.
Code injection attacks: Attacks based on code injection, which are loaded dynamically into the memory of a process.
Combating Fileless Attacks
The increasing awareness of these types of attacks is making it more difficult for attackers to successfully perform them. Moreover, there are some steps organizations and users can take to protect themselves and lessen the likelihood of becoming infected:
- Restrict the use of scripts and scripting languages inside the organization by applying different policies to different areas of the network. Allow scripts to run from read-only network locations, or access specific machines only.
- Restrict and monitor the use of interactive PowerShell within the organization.
- Scan Portable Executable (PE) files and macro scripts, which can be allowed to run within the organization.
- Make sure all your computers and programs are updated regularly and on time. This will prevent the exploitation of known and patched vulnerabilities.
With that in mind, it’s important to understand that, due to the growth in knowledge of both users and security vendors, malicious actors are expected to increase both the number of fileless attacks and the sophistication level of them while developing new ways through which fileless attacks can be conducted.
The best defense is to be aware of the different types of fileless attacks and their respective malicious logic, and to build out your arsenal of defenses based on that knowledge.