Fileless Attacks vs. Traditional Attacks

The following document describes fileless attacks and how they differ from other types of cyber attacks. Additionally, this document examines ways to help prevent fileless attacks as well as the best detection methods for fileless attacks.

Fileless attacks are any cyber attack which does not write any files to disk on the target system. This kind of attack has grown in popularity over recent years due to some of the distinct advantages they hold over more traditional malware-based attacks. In most malware-based attacks, after the attacker has breached the target system, they will move a specially crafted piece of malware and place it on the victim machine. Even if only for a short time, this generally saved the malware to the storage disk on the target machine and executed it from there. Since defenders have access to the storage disk, many security solutions involve scanning the disk for known or potentially malicious files and taking actions against any found. For many security solutions this method is the primary defense.

Fileless attacks circumnavigate this defense. In a fileless attack, after successfully gaining access to the target machine the attacker does not save any malware to the disk. Instead, all further actions are executed in device memory only. Any security solution which relies on file scans or signatures to identify malware will struggle to identify and prevent fileless attacks. Behavioral detection techniques do a much better job of detecting fileless attacks than traditional scanning and signature detection.

Fileless attacks will also generally leverage a technique known as living off the land. Living off the land is simply the process of using tools already extant on the victim device to execute malicious action. Instead of using custom built malware to locate files, make edits to configuration, or extract data an attacker will use the programs and utilities already on the device to accomplish these tasks. Using benign tools to accomplish malicious tasks makes it even more difficult to notice attackers inside a system. An experienced or informed attacker can use living off the land to make their actions look like a sysadmin or routine action.

Threat actors are using fileless attacks as a crucial part of their constant push to outmaneuver security professionals.
What can security teams do to combat this growing threat?

Locking down user permissions to give users only the access they need is a good start. Ensuring that permissions of users associated with services on the device are locked down, along with users associated with humans can help. This approach ensures that even if an attacker can gain memory resident access to the device, they may not have the permissions requisite to execute their full attack.

In conjunction with ensuring user permissions are locked down, patching relevant vulnerabilities is crucial. Do everything possible to prevent initial access and privilege escalation by patching vulnerabilities as they are disclosed. This answer is obvious answer, but it never ceases to be important.

As a last, but necessary, defense, consider behavioral detection security products. Instead of focusing on files, behavioral solutions focus on the actions taken by processes on protected devices. A well-built solution can identify fileless attacks despite the lack of on-disk malware.