What You Need to Know about Fileless Attacks

Fileless attacks are on the rise. However, many people are unfamiliar with them. Learn what they are and how to protect your business from them.

Fileless attacks are not new, but they are becoming more common. Thirty-five percent of all cyberattacks in 2018 will be fileless, according a Ponemon Institute study. But what are they? Here is what you need to know about fileless attacks and how to protect your business from them.

Fileless Attacks 101

A fileless attack is not a new type of malware or the latest digital scam. Instead, it is a descriptor for a specific type of attack. In traditional cyberattacks, hackers try to install and run malware from a device’s hard disk. In fileless attacks, cybercriminals run malware directly from a computer’s memory. Hackers often use these in-memory attacks to steal money or data. The largest data breach in 2017 — the Equifax data breach — was a fileless attack.

Fileless attacks begin like most other cyberattacks. Cybercriminals try to gain access into a computer system. They might try exploiting a security vulnerability in unpatched software or try using a brute force attack to crack the password of service account. A more common technique, though, is sending out phishing emails that try to trick people into clicking a malicious link or opening a malicious attachment, such as a Microsoft Word document containing a macro.

Once the hackers have gained access, they run commands or malware directly from the computer’s memory. They often take advantage of built-in system administration tools such as Windows PowerShell or Task Scheduler to run commands and malware.

Fileless attacks are not necessarily fileless at every stage. The attack might initially begin in-memory, but then hackers will install malware on the hard disk, or vice versa.

Why Fileless Attacks Are Becoming More Common

Hackers are increasingly turning to fileless attacks because they are 10 times more likely to succeed than file-based attacks, according to the Ponemon Institute study. The high rate of success can be attributed to several factors.

For starters, anti-virus software is not very effective in detecting fileless attacks because malware is often not present on computers’ hard disks. Forensics experts also have a more difficult time reconstructing attacks for the same reason. Knowing how cybercriminals carried out attacks helps prevent similar attacks in the future.

Another reason for the high success rate is that fileless malware is often designed to run in stealth mode, which makes it harder to detect. Plus, hackers usually take advantage of built-in system administration tools to carry out tasks in-memory. Using built-in tools raises fewer red flags because system administrators often use them for legitimate work, making it more difficult to spot anomalies. In addition, access to those tools cannot be completely blocked since administrators need to use them.

How to Protect Your Business

Although fileless attacks have a high rate of success, you are not helpless against them. To protect your business, you can:

  • Make sure that computers’ operating system software, applications, and firmware are updated so that known security vulnerabilities are patched. Unpatched software can provide cybercriminals with an entry point into a computer.
  • Educate employees about phishing emails and the dangers of clicking links in emails and opening files attached to them. Hackers often use phishing emails to initiate cyberattacks, including fileless attacks.
  • Make sure macros are disabled in Microsoft Office apps like Word and Excel. Macros can be used by cybercriminals to access computers.
  • Use strong passwords for system and service accounts. Hackers can crack a weak password in minutes with a brute-force password-cracking tool.
  • Disable system administration tools not being used. That way, cybercriminals won’t be able to take advantage of them. It is particularly important to disable is PowerShell, as it is frequently used by hackers in fileless attacks.
  • Block suspicious activities. For example, you might want to stop any outbound process trying to connect to untrusted servers or websites.

We can evaluate your business and provide specific recommendations on how to secure it against fileless attacks.