Just like tsunamis wreaking havoc in certain parts of the world, fileless attacks are causing similar damage in the cybersecurity scene. Fileless attacks are a set of tactics used to intrude into a system without installing any malware on the hard disk, leaving heuristic scanners such as anti-virus (AV) applications unable to detect them. Fileless attacks are growing, and according to research by the Ponemon Institute, almost 77% of all attack techniques are fileless.
Fileless attacks are made craftier and more elusive by targeting the places in our systems we least suspect, such as shellcode and the registry. By making use of tools that are already installed, or by running simple shellcode and scripts, an attack can be chained together and completed in seconds. Of course, the damage is irreversible, or at best hard to contain, when "delta T" (the time needed to execute the attack) is almost zero.
The first major fileless malware attack, by the Calicum/Fin7 group targeting U.S. restaurants, sent shockwaves through the entire cyber community in late 2017, and the trend has not slowed since. SentinelOne's Enterprise Risk Index Report for the first half of 2018 found that fileless attacks had risen by 94%. Furthermore, the report concluded that 70% of the total detections were unknown to antivirus (AV) software, which remained oblivious to the fact that the systems it was supposed to safeguard had already been breached.
The modus operandi of a fileless attack is simple: evade detection and intrude using shellcode and registry entries. Since we are able to articulate the modus operandi, we should be able to see the light at the end of the tunnel. There are a number of practical tips and approaches for mitigating the risk of fileless attacks, for example understanding the application inventory, blocking exploits, and implementing an attack behavioural analysis solution that performs proactive hunting for malicious activity.
These new approaches need a comprehensive protection platform which, in order to be cost-effective, should ideally be cloud-native. One fair example of such an offering is the cloud-native CrowdStrike Falcon® platform, which provides a revolutionary approach combining all the must-have security capabilities with advanced next-generation protection mechanisms such as machine learning, behavioural analytics and continuous monitoring, to protect organisations from today's most sophisticated fileless attacks.
Typically, when a security breach happens, we assume that it originates from external nefarious parties. Ironically, the reality is that most security breaches start from within the organisation. Insiders play a very significant role in fileless attacks, as they have easy and privileged access to critical systems. There is always a wolf in the clothing of Andrew or John from finance: identity hijacking, made easy by human factors, turns a legitimate account into the starting point of a fileless attack.
An alternative approach to putting a stop to insider breaches is to deploy a platform with next-gen capabilities such as global threat intelligence and sandboxing. With the latter, rather than exposing the actual system to the attacker, we create a separate, restricted environment. The attacker is then led to attack the sandbox instead of the real production systems, a neat and intelligent way to "hit the snake without breaking the stick".
CrowdStrike has a comprehensive platform equipped with these capabilities and more, to effectively detect malware as well as fileless attacks, prevent cyber attacks, and respond quickly to incidents as they happen.