Story image

How to detect and stop a non-malware (or fileless) attack

01 Mar 2017

Every year seems to be ‘the year of something’ in cyber security.

In 2013, it was ‘the year of the financial breach.’ In 2014, the ‘year of the retail hack.’ In 2015, we saw at shift to healthcare while in 2016 ransomware reigned and democracy came under fire. 

Already 2017 is shaping its own theme. Research from prominent third parties, as well Carbon Black’s own research, indicates that 2017 may become “the year of non-malware attacks.”

Such attacks have been in the news a lot recently. Let’s take a step back and understand what we’re up against and what can be done.

Defining ‘non-malware’ attacks

A non-malware attack is one in which an attacker uses existing software, allowed applications and authorised protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or ‘living-off-the-land’ attacks.

With such attacks, an cyber criminal is able to infiltrate, take control and carry out objectives by taking advantage of vulnerable software that a typical end user would leverage on a day-to-day basis (think web browsers or MS Office-suite applications). Attackers will also use the successful exploit to gain access to native operating system tools (think PowerShell or Windows Management Instrumentation (WMI), or other applications that grant the attacker a level of execution freedom.

These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that lead to valuable data.

An Example

Non-malware attacks leverage a robust suite of tactics and techniques to penetrate systems and steal data without using malware. They have grown in prevalence in recent years as attackers have developed ways to launch these attacks at large scale.

Let’s take a look at an example attack:

  • A user visits a website using Firefox, perhaps driven there from a cleverly disguised spam message.
  • On this page, Flash is loaded. Flash is a common attack vector due to its seemingly never-ending set of vulnerabilities.
  • Flash invokes PowerShell, an OS tool that exists on every Windows machine, and feeds it instructions through the command line — all operating in memory.
  • PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker This attack never downloads any malware.

Why non-malware attacks are on the rise 

Why are non-malware attacks on the rise? Simply put, they work.

Some leading attack campaigns in 2016, including PowerWare and the alleged hack against the Democratic National Committee (DNC) leveraged non-malware attack vectors to carry out nefarious actions.

Almost every Carbon Black customer (97 per cent) was targeted by a non-malware attack in 2016. Their ubiquity is clear and growing. Over a 90-day period, one-third of organisations can expect to be targeted by a severe, non-malware attack.

There is a common theme why cyber criminals are increasingly leveraging non-malware attacks: they are following the path of least resistance.

Many current endpoint security solutions (such as traditional AV and machine-learning AV) do nothing to prevent (or even detect) non-malware attacks, providing attackers with a point of entry that goes completely overlooked.

Traditional AV and machine-learning AV are designed to identify threats at a single point in time – when a file is written to disk. Since they only look at the attributes of an executable file, they are completely blind to attacks where no files are involved – as with non-malware attacks.

If the goal of an attack is to gain a foothold or exfiltrate valuable data, then non-malware attacks accomplish this goal without fear of detection, especially when organisations are relying on legacy AV and machine-learning AV.

New approach to endpoint protection

Streaming prevention offers a fundamentally new approach to identifying and preventing cyberattacks. Current approaches used by legacy AV and machine-learning AV focus exclusively on files and do nothing to target an attacker’s behaviours.

In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorised requests to run applications, and changes to credentials or permission levels.

Streaming prevention doesn’t just monitor individual events on an endpoint; it monitors and analyses the relationships among events.

Sticking with the example above, browsing the web, running Flash and invoking PowerShell are each, in their own right, viable and necessary events, but what about when they appear as a cluster of events? It’s simply not normal behaviour and, as such, can be tagged, flagged and automatically shut down by streaming prevention before the attacker can carry out objectives.

Article by Kane Lightowler, Carbon Black Managing Director of Asia Pacific and Japan.

Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."
D-Link hooks up with Alexa and Assistant with new smart camera
The new camera is designed for outdoor use within a wireless smart home network.
Slack users urged to update to prevent security vulnerability
Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately.
Secureworks Magic Quadrant Leader for Security Services
This is the 11th time Secureworks has been positioned as a Leader in the Gartner Magic Quadrant for Managed Security Services, Worldwide.
Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Using data science to improve threat prevention
With a large amount of good quality data and strong algorithms, companies can develop highly effective protective measures.
General staff don’t get tech jargon - expert says time to ditch it
There's a serious gap between IT pros and general staff, and this expert says it's on the people in IT to bridge it.
ZombieLoad: Another batch of flaws affect Intel chips
“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system."