File-less (non-malware) attacks
What they are, how they work, and the best ways to stop them
New cybersecurity threats are constantly evolving. An increasingly common tactic being leveraged by cyber attackers is the execution of file-less or non-malware attacks.
Why are these attacks growing in popularity?
First, they work.
- The 2016 Verizon Data Breach Report stated that the majority of breaches (53%) involve no malware.
- The alleged Democratic National Committee (DNC) hack was likely file-less.
- SecurityLedger reported that file-less attacks on commercial networks operated by banks and other firms are spreading and harvesting sensitive information.
Second, they are difficult to detect.
- Many current endpoint tools do nothing to prevent file-less attacks because they cannot even detect them. By focusing on attack indicators and file-based attacks, these tools leave defenders blind to this new threat vector.
- File-less attacks are now the most effective way for an attacker to stay below the noise floor – the typical buzz of a properly operating network.
What is a file-less attack?
Carrying out a file-less attack involves the use of trusted software and authorized applications and protocols. Instead of downloading malicious files, the attacker uses what already exists on the network.
That’s why they’re also called “living off the land” attacks.
Attackers breach the network and take control of systems by exploiting vulnerabilities in software such as Microsoft Office or web browsers. Then they exploit native OS tools like PowerShell to obtain rights and authority to issue commands and obtain valuable data.
5 ways to stop a file-less attack
Morphick and Endgame recommend:
- Hardening admin accounts by creating a “jump box” through which all remote admin activity has to flow.
- Installing Powershell 5.0, a powerful tool for enterprise monitoring and incident response.
- Blocking uncategorized sites. By preventing users from visiting websites that are uncategorized by URL filters, you can remove a common attacker technique.
- Using Windows tools such as Just Enough User Administration (JEA) to minimize admin rights, and Event Tracing for Windows for visibility into Windows subsystems.
- Creating “dye packets,” which are fake administrator, patient, or client records against which rules are written to help detect file-less attack activity and signal alerts.
Detect and respond to file-less attacks with MEDR™
Managed Endpoint Detection and Response service (MEDR™) from Morphick and Endgame is a fundamentally new approach to preventing file-less attacks. It combines Morphick’s proven adaptive security methodologies with Endgame’s unmatched ability to prevent advanced attacks, deliver rapid response, stop ongoing attacks, and hunt next-generation threats at the earliest stages.
Learn more about stopping file-less attacks at scale across the enterprise.