The threat landscape is changing.
Fileless malware is a phrase that is rapidly picking up popularity in the cybersecurity industry. In fact, 77% of successful cyberattacks in 2017 utilized some form of fileless malware. So you’ve probably heard of it, and you know you should be scared of it… but what is fileless malware?
Defining Fileless Malware
Malware is defined as “software that is intended to damage or disable computers and computer systems.” Thanks to the picture of malware painted by newsworthy breaches and simplified definitions, most people think of malicious files running dangerous software when they hear the word “malware.”
Contrary to the popular perception of malware, fileless malware is just as much malware—and just as dangerous—as those pesky malicious files. Fileless malware is a cyberattack that uses non-malicious software—often already present on machines—to carry out malicious activities. Rather than relying on a malicious executable that to slip past security measures and run in the environment, fileless malware attacks turn “good” software and applications into double agents.
How it Works
One of the most common examples of fileless malware attacks is the malicious use of Windows Powershell, otherwise known as a Powershell Attack. A fileless attack can also use other native tools like Windows Management Instrumentation (WMI) or whitelisted software like Microsoft Office applications, Flash, Adobe Acrobat, or JavaScript.
In a fileless attack, the attacker will take advantage of one of these trusted tools and use it to run malicious code in the now-infected system. Because the tools are typically “safe” applications, the malicious actions happening behind the scenes are not identified by traditional security software or scans. Without an intelligent detection solution or security staff to review endpoint logs, the malicious code running within a trusted app or tool can go completely unnoticed until much later, when the stages of the attack progress.
Using built-in tools on the machine allows attackers to quietly navigate the network, gather information and data, and establish a foothold to keep coming back for more – adding to the severity of the breach with each additional minute spent inside your environment.
Protecting Against Fileless Attacks
So, what can you do to prevent this from happening in your network?
The first important detail to know is that users are the weakest link in any network, so it is vital to keep staff trained to identify potential security risks. This includes staying clear of unsecured websites, reporting phishing emails, and avoiding unsafe links or attachments. If something makes it past your firewall or email security, it should stop at the user.
Of course, it’s impossible to achieve 100% security, especially when attackers’ methods are constantly evolving. No business can rely on their people to be the most effective last line of defense. That’s where EDR comes in.
Endpoint Detection & Response (EDR) is a security technology that actively identifies and differentiates behaviors on endpoints and can detect malicious activities like those that take place in fileless attacks. This real-time detection and response service can detect the path of a fileless attack as it happens and alerts our security team to take the next steps. With EDR in place, attackers can no longer hide behind fileless attack methods.
