What is a file-less attack?
A non-malware attack is one in which an attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or “living-off-the-land” attacks.
With non-malware attacks, an attacker is able to infiltrate, take control and carry out objectives by taking advantage of vulnerable software that a typical end user would leverage on a day-to-day basis (think web browsers or Office-suite applications). Attackers will also use the successful exploit to gain access to native operating system tools (think PowerShell or Windows Management Instrumentation – WMI) or other applications that grant the attacker a level of execution freedom.
These native tools carry broad rights and privileges, so even the basic commands an attacker runs through them across a network can lead to valuable data.
How do file-less attacks work?
Fileless malware leverages applications already installed on a user's computer, applications that are trusted. For example, exploit kits can target browser vulnerabilities to make the browser run malicious code, take advantage of Microsoft Word macros, or invoke Microsoft's PowerShell utility.
"Software vulnerabilities in the software already installed are necessary to carry out a fileless attack, so the most important step in prevention is to patch and update not only the operating system but also software applications," says Jon Heimerl, manager of the threat intelligence communications team at NTT Security. "Browser plugins are the most overlooked applications in the patch management process and the most targeted in fileless infections."
Attacks using Microsoft Office macros can be thwarted by turning off the macro functionality.
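A detection sketch for the Office-to-native-tool pivot described above, added here as an example that is not part of the original page or of Endgame's product: it scans constructed process-creation records (field names are assumed, loosely modelled on Sysmon-style process-creation events) for Office applications spawning PowerShell or WMI, and for PowerShell flags that hide execution from the user.

```python
"""Flag living-off-the-land process chains in constructed process-creation events."""
import re
from typing import Dict, List

# Office applications that should rarely, if ever, spawn scripting or admin tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native tools that fileless attacks commonly pivot into after an exploit or macro.
LOLBIN_CHILDREN = {"powershell.exe", "wmic.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "rundll32.exe"}
# PowerShell switches and idioms used to hide execution or run code without a file on disk.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|-nop(rofile)?\b"
    r"|-noni(nteractive)?\b|downloadstring|invoke-expression|\biex\b")

# Constructed sample events (assumed field names: pid, image, parent_image, cmdline).
SAMPLE_EVENTS = [
    {"pid": "1001", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\invoice.docm"'},
    {"pid": "1002", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc <constructed-base64-placeholder>"},
    {"pid": "1003", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin use
    {"pid": "1004", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'wmic process call create "mshta.exe C:\Users\alice\AppData\Local\Temp\x.hta"'},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a fileless pivot (empty list if none)."""
    reasons = []
    child, parent = basename(event["image"]), basename(event["parent_image"])
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"office-parent:{parent}->{child}")
    if child == "powershell.exe" and SUSPICIOUS_FLAGS.search(event["cmdline"]):
        reasons.append("powershell-evasive-flags")
    return reasons

def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map pid -> reasons for every event that trips at least one rule."""
    hits = {}
    for event in events:
        reasons = classify_event(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits
```

Note that a plain scheduled PowerShell script launched from Explorer (pid 1003) is not flagged; the signal is the parent-child relationship and the evasive switches, not PowerShell itself.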
ENDGAME AMPLIFIES SOC SKILLS TO STOP FILELESS ATTACKS AT ENTERPRISE SCALE
Endgame employs layered protection to prevent fileless attacks. Combining both pre-attack and ongoing attack protections at the kernel and user level of the operating system, Endgame ensures complete protection against fileless attacks regardless of when in the attack lifecycle the agent is deployed on an endpoint.
Pre-attack prevention: Endgame's patent-pending technology prevents fileless attack techniques like shell code injection and DLL injection. Kernel-level analysis, performed on every executing thread, stops fileless attacks before an adversary can gain a foothold in memory. Once a fileless attack is blocked, the analyst gets an alert providing complete visibility of the origin and the full extent of the attack.
Ongoing attack prevention: To find adversaries resident in memory, Endgame automates in-memory analysis and identifies techniques such as memory modification, memory injection, hidden modules, and packed and encrypted areas in memory across unlimited endpoints in minutes with no end-user impact. Unlike other EDR tools, Endgame allows the SOC to proactively root out advanced attackers before any data theft and loss. With a few clicks of a button, Endgame empowers tier 1 SOC analysts to be a force-multiplier and stop fileless attacks at scale across the enterprise.