In the online world, a long-running attack standard is to have a program file serve as the main execution prompt. This malware file is the brains of the operation — imagine the scene of a henchman breaking into a basement window to gain entry.
But as the digital world evolves, different attack methods emerge. Some try to evade security tools, using only the resident programs and processes on a system. Fraudsters determined that they could circumvent defense programs designed to analyze file structures by eliminating the need to open a malware file.
Businesses at High Risk of Fileless Attacks
Carbon Black polled 410 security researchers and came up with a variety of data about fileless, nonmalware attacks. For example, 64 percent of respondents said they had seen an increase in this type of attack since the beginning of 2016. Worse, two-thirds of respondents said they were not confident that their legacy antivirus solutions would be able to prevent these kinds of attacks. Furthermore, 47 percent of professionals reported a lack of visibility with their legacy solutions.
Researchers are categorizing these types of attacks as high-risk. Ninety-three percent of respondents said that nonmalware attacks would pose “more of a business risk than commodity malware attacks.”
Resident Security Tools
CSO Online categorized the kinds of nonfile attacks seen by researchers as remote logins (55 percent), Windows Management Instrumentation-based attacks (41 percent), in-memory attacks (39 percent), PowerShell-based attacks (34 percent) and attacks using Office macros (31 percent).
Researchers also tried to find out how enterprises were using security tools to combat this threat. The top responses included employee awareness training, turning to next-generation antivirus (NGAV), increased focus on patching and limiting or locking down personal device usage as needed.
Creating Defense Processes
There are, of course, effective ways to detect and fight this sort of attack. “Do more than just monitor files,” a researcher from Carbon Black suggested. “It is critical that processes are also monitored. If you look at the command line and see what PowerShell is being used for, if the context doesn’t make sense, then investigate. Moreover, if you look at the command line and see text that looks like it is unrecognizable or random instead of just English, that also is a red flag.”
Within the changing digital landscape, an attack is not just made up of files anymore; it can trick a system into maliciously turning against itself.
Principal, PBC Enterprises