Responding to the Rise of Fileless Attacks

Published: 22/11/2024   Category: security


Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.



Cybercriminals take the path of least resistance -- which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.
Fileless, or non-malware, attacks let threat actors skip the steps involved in traditional malware-based attacks. They don't need to create payloads; they can simply use trusted programs already on the system to run code in memory. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.
Yet businesses still aren't paying attention.
"Our focus in this industry is still on traditional attack vectors we've been dealing with for most of our careers," says Heath Renfrow, CISO at Leo Cyber Security.
It's time for businesses to take a closer look at how these threats work, how they can be detected, why they're predicted to grow, and the steps they can take to protect themselves.
The Evolution of Modern Fileless Attacks
Fileless attacks are not new, but they have changed over time, says BluVector CEO Kris Lovejoy.
"What's different about today is not the fact of fileless -- both Code Red and Slammer used this -- it's the fact that the bulk of the attack chain, the steps of the attack, are all fileless," she says. "If they do involve a payload it often looks legitimate and therefore, it's very hard to detect."
The growth of fileless malware attacks can be attributed to ease of use and improved tools for endpoint detection and response (EDR), says Adlumin CEO Robert Johnston, who led the investigation into the DNC hack during his previous role as a CrowdStrike consultant.
"Within a network, what's breaking the backs of organizations is the theft of usernames and passwords," he explains. "It's not the malware that's doing the trick."
Threat actors use domain accounts and IP administrator passwords to traverse target networks and steal information. Their activity takes multiple forms; for example, "it's oftentimes more valuable to access someone's Office 365 or Amazon Web Services login," Johnston says.
All attackers have to break in somehow, meaning credential theft is the first step of an attack. "Local admin credentials are always the first to go because nobody pays much attention to them and they're not tied to a specific person," Johnston explains. "This is generally the norm because it makes administration easier." Service account credentials are also vulnerable. Once they have system access, attackers use privilege escalation techniques to increase their capabilities.
Why You're Vulnerable
Organizations fail to understand the complexity of their IT environments, a shortcoming that makes them vulnerable when they cant monitor their full ecosystem. Many are drowning in data and are unable to bring account and user activity into a single place for analysis.
"If they can't track it, they can't understand which accounts have access to what," Johnston explains. "They have no way to visualize, and no way to track and scale, all of these different identities that don't always line up to a human."
The challenge escalates when employees don't adopt basic security practices. Lovejoy points out that phishing attacks are a popular means of delivering attacks and obtaining credentials.
"Hackers are targeting workers personally and going after login credentials for Amazon, Gmail, PayPal, and other common services," says Arun Buduri, cofounder and chief product officer at Pixm. "They know people use the same usernames and passwords across services."
"What hackers are doing is trying to get into personal accounts, and using that to get into corporate," Buduri explains. Many threat actors target low-level employees with the idea that once they're in, they can monitor email activity to learn the addresses of high-ranking workers.
Poised to Grow
Renfrow says fileless attacks will grow as workers are increasingly mobile and reliant on cloud. "Teleworking significantly increases the risk to the infrastructure," he notes. As the CISO at United States Army Medicine, a position he held until November 2017, Renfrow says anyone who brought a device in from the field had to undergo a new image and scanning before logging back into the local network.
Mobile devices have become especially prominent in healthcare, he notes, and cloud has grown across industries. "Think about a cloud environment," he says. "How much insight does a CISO have into who's logging in and where?" Most people assume the cloud is safe, but Renfrow points out that the cloud contains a lot of credentials that have fallen out of use and should have been decommissioned -- legitimate creds within attackers' reach.
While financially motivated attackers will always be out there, Lovejoy anticipates more threats will aim to cause damage. "The sad reality is we're seeing an increase in the number of destructive attacks that are being leveraged," she points out.
What Can You Do About It?
Protecting against phishing starts with employee education. "Trick them, test them, teach them," says Lovejoy. The goal is to immunize enough people so the disease can't take hold. Employees should also have a means to report activity they feel is suspicious.
"Always enact the policy 'If you see something, say something,'" she adds.
On top of this, businesses should take a close look at activity in their ecosystems.
"One thing we did in Army Med was bring in a toolset to map out all of the credentials across our infrastructure," says Renfrow. "It was eye-opening … we had more credentials running through our infrastructure than we had people."
After evaluating this, the team dug into the who, what, where, and how of what these credentials were doing. Anything outside the normal login location would trigger an alert. Given the massive size of Army Medicine's infrastructure, he says automation was necessary for this.
He advises organizations to go back to the old-school method of looking at their traditional identity and access management. From there, if they're mature enough, they can consider toolsets designed to automate access management to learn the who, how, where, and what of network logins.
"I think it would be eye-opening for any organization," Renfrow says.
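The two checks Renfrow describes, mapping which identities are actually authenticating and alerting on logins outside an account's normal location, can be prototyped with very little code. The example below is an added illustration and is not the toolset Army Medicine used or any vendor's product; the account names, locations, log format (a constructed CSV of timestamp, account, source IP, location, logon type) and the owner roster are all made up for the demonstration. It builds a per-account baseline of login locations from historical events, flags new logins from unseen locations or from accounts with no history at all, and lists accounts that map to no named person, which is how "more credentials than people" shows up in practice.

```python
"""Added example: baseline login locations per account and flag anomalies.

Not code from the article or from any product it mentions. The log format,
accounts, locations and roster below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class AuthEvent(NamedTuple):
    ts: str          # ISO-8601 timestamp
    account: str     # account name as seen by the identity provider
    src_ip: str      # source address of the logon
    location: str    # resolved location (city, site, or region)
    logon_type: str  # e.g. "interactive", "network", "service"


def parse_event(line: str) -> AuthEvent:
    """Parse one constructed record: ts,account,src_ip,location,logon_type."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"malformed auth record: {line!r}")
    return AuthEvent(*fields)


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each account to the set of locations it has logged in from."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        baseline[ev.account].add(ev.location)
    return dict(baseline)


def detect_anomalies(baseline: Dict[str, Set[str]],
                     lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (account, location, reason) for logins that fall outside the
    account's usual locations, or for accounts with no history at all."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        known = baseline.get(ev.account)
        if known is None:
            alerts.append((ev.account, ev.location, "unknown account"))
        elif ev.location not in known:
            alerts.append((ev.account, ev.location,
                           f"outside usual locations {sorted(known)}"))
    return alerts


def unowned_accounts(baseline: Dict[str, Set[str]],
                     roster: Dict[str, str]) -> List[str]:
    """Accounts that authenticate but are tied to no named person."""
    return sorted(acct for acct in baseline if acct not in roster)


# Constructed historical events used to learn the baseline.
HISTORY = [
    "2024-11-01T08:02:11Z,jsmith,10.20.1.15,Frankfurt,interactive",
    "2024-11-02T08:05:40Z,jsmith,10.20.1.15,Frankfurt,interactive",
    "2024-11-04T09:10:02Z,jsmith,10.30.7.9,Berlin,interactive",
    "2024-11-01T01:00:00Z,svc-backup,10.20.5.2,Frankfurt,service",
    "2024-11-03T12:44:19Z,adm-local,10.20.1.50,Frankfurt,network",
]

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    "2024-11-20T08:01:57Z,jsmith,10.20.1.15,Frankfurt,interactive",
    "2024-11-20T03:17:22Z,jsmith,198.51.100.23,Lagos,network",
    "2024-11-21T02:00:00Z,svc-backup,203.0.113.7,Singapore,service",
    "2024-11-21T10:30:00Z,ghost-acct,10.20.9.9,Frankfurt,network",
]

# Constructed roster: which accounts belong to a real person.
ROSTER = {"jsmith": "Jane Smith"}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for acct, loc, why in detect_anomalies(base, NEW_EVENTS):
        print(f"ALERT {acct} from {loc}: {why}")
    print("accounts with no human owner:", unowned_accounts(base, ROSTER))
```

A real deployment would learn the baseline over a rolling window and key it on more than location (time of day, device, logon type), but even this simple version surfaces the two findings the article highlights: logins from places an account has never used, and service or local-admin identities that nobody is accountable for.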
Related Content:
AI in Cybersecurity: Where We Stand & Where We Need to Go
CISOs No. 1 Concern in 2018: The Talent Gap
AWS, Google Cloud Popular Home for Botnet Controllers
Back to Basics Might Be Your Best Security Weapon