The methods and tools that cyber attackers employ can vary widely. Some attackers focus on fast and aggressive breaches, with the goal of getting in before the target has a chance to stop them. Others focus on remaining undetected, continuing to sit in systems and networks and pursuing their malicious purposes until they have what they came for or are expelled. Years ago, the majority of cyber attackers favored the first type, coming in hard and fast. But as time has gone on and security has improved, many cyber attacks now fall under the second heading of working to remain undetected. Unfortunately, many attackers have become extremely adept at this, and there are cases of attackers remaining in systems for over a year before they are finally discovered. In cyber criminals' most recent innovation for remaining undetected, they are now employing fileless cyber attacks.
What Is a Fileless Cyber Attack?
A fileless cyber attack is essentially one in which a threat piggybacks on reputable or legitimate software without ever needing to install itself on the hard drive. It avoids the hard drive entirely by running malicious scripts in memory. This poses a large problem for cyber security. Security tools like antivirus typically function by scanning files to see if they match malicious indicators. But when there is no file to be scanned, and the threat is simply running in memory, it can easily be missed by many security tools. An example of this is a recently discovered threat called DNS Messenger, a trojan that employs remote access and macros to run malicious scripts. One of the methods of disguise this trojan uses is hiding its C&C commands inside DNS queries, which allows it to operate without being detected by security tools.
Fileless cyber attacks have become such a prominent issue that security researchers have discovered them within 140 bank networks across the globe. This raises an important point: organizations will have to take a step back and look at reworking their security. Basic antivirus and security tools that rely on scanning files will simply no longer cut it, and much more comprehensive methods will be required. Many vendors may claim to use memory scanning methods, but organizations are advised to be cautious about such claims. Vendors sometimes embellish their offerings, and independent testing should be used to confirm these claims.
Defending Against Fileless Cyber Attacks
One of the largest factors in preventing fileless cyber attacks is limiting administrative access. Organizations should be extremely careful to ensure that permissions are limited to only what each level of personnel requires. Having too much access can allow an undereducated employee to enable settings or scripts that could be detrimental to systems and networks. Take, for example, cyber attacks that rely on users enabling macros within Word documents for the payload to actually be delivered. These could be prevented as long as the users' permissions do not allow them to enable those macros.
There is also the matter of extensive scrutiny. Security professionals and teams need to thoroughly vet the files on the hard drive, as well as the processes running in system memory. This can require some adjustments, as the security team may need to expand their awareness of and visibility into the processes that are running. This allows them to monitor the different traffic patterns and to detect strange or unusual ones.
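As an added example of the traffic-pattern monitoring described above (not code from the original post), the following Python script scans constructed DNS resolver log lines for the kind of pattern the DNS Messenger description mentions: TXT queries whose leading label is unusually long or high-entropy, or clients issuing bursts of TXT lookups. The log format, hostnames, addresses and thresholds are all assumptions made up for the example.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log: "<timestamp> <client> <qtype> <qname>".
# The example-c2.test lines imitate C&C traffic hidden in TXT queries; nothing here is real.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 TXT _dmarc.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 1a3f9c2e7b4d8e6f0a1b2c3d4e5f6a7b.cmd.example-c2.test
2024-01-01T10:00:04 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.cmd.example-c2.test
2024-01-01T10:00:05 10.0.0.7 TXT 0b1c2d3e4f5a69788796a5b4c3d2e1f0.cmd.example-c2.test
2024-01-01T10:00:06 10.0.0.9 AAAA mail.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded command data scores higher than normal labels."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m.group(1), "client": m.group(2),
                            "qtype": m.group(3), "qname": m.group(4)})
    return records


def flag_suspicious(records, max_label=30, min_entropy=3.5, txt_threshold=3):
    """Return (client, qname, reasons) for TXT queries that look like tunnelled commands."""
    txt_per_client = Counter(r["client"] for r in records if r["qtype"] == "TXT")
    flagged = []
    for r in records:
        if r["qtype"] != "TXT":
            continue
        first_label = r["qname"].split(".")[0]
        reasons = []
        if len(first_label) >= max_label:
            reasons.append("long-label")
        if shannon_entropy(first_label) >= min_entropy:
            reasons.append("high-entropy")
        if txt_per_client[r["client"]] >= txt_threshold:
            reasons.append("txt-burst")
        if reasons:
            flagged.append((r["client"], r["qname"], reasons))
    return flagged
```

Legitimate TXT lookups such as the `_dmarc` record pass all three checks, while the three bursty, 32-character hexadecimal labels from one client are reported with every reason attached.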
In reality, a single method is not going to be sufficient to prevent these types of attacks; a combination is necessary. Both of the above measures, along with other tools, need to be employed in order to actually detect these insidious threats.