The characterisation of stealth by Sun Tzu in “Art of War” could almost have been a blueprint for fileless intrusion. As cyber attackers shift their tactics, using fileless attacks to evade detection, one could be forgiven for suspecting they used the Art of War's stealth tactics as a guide!
So why should we be so concerned about fileless intrusions?
Fellow security experts' commentary and an unprecedented number of victims say it all.
In fileless attacks, intruders remain concealed and the victim does not know how to remediate their system; worse still, they may not know they are being attacked at all. Ultimately, the intruder stays in the system longer (in some cases, forever!) and continues the assault while the victim remains in blissful ignorance, unaware of the damage being done and, as a result, helpless to do anything about it.
Most fileless intrusions are executed via shellcode by running simple scripts in memory. The offending malicious code is normally hidden in the registry or in instrumentation management tools. Because these exploits live in memory or swap space, they are very difficult to detect with typical anti-virus tools. This kind of stealth is compelling for cyber criminals, who are lured by the ability to stay hidden inside your defences for long periods of time. It is therefore not surprising that fileless attacks are on the increase: according to research carried out by CrowdStrike at the end of last year, fileless malware and malware-free incidents constituted 66% of all attacks.
According to experts at CrowdStrike, the end-to-end fileless intrusion has a distinct anatomy. It starts with an initial compromise that typically involves loading and activating shellcode into the registry or into instrumentation management tools such as Windows PowerShell or Windows Management Instrumentation (WMI).
Shellcode injection is popular because it loads malicious code into memory by exploiting vulnerabilities that exist in the system. Because nothing is written to disk, traditional anti-malware defences are bypassed.
The next phase is to take command and control of the compromised system. Usually, in this phase, the attackers steal the credentials of the relevant users by executing shellcode. These stolen credentials are then leveraged by the attackers to escalate system privileges. Finally, the attackers try to establish persistence by opening the system up to access without any password, so as to avoid detection and leave no trail.
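A defender-side check for the registry/PowerShell foothold described above, added here as an example (not code from the original post or from CrowdStrike): it decodes the base64/UTF-16LE script hidden behind PowerShell's -EncodedCommand in autorun entries and flags indicators of in-memory loading. The autorun entries, the "Updater" value and the indicator list are constructed sample data and heuristics, not a vendor rule set.

```python
import base64
import re

# Heuristic indicators of in-memory script execution seen in fileless intrusions;
# legitimate admin tooling can trip some of them, so treat hits as leads to triage.
INDICATORS = {
    r"\bIEX\b|Invoke-Expression": "dynamic code evaluation",
    r"FromBase64String": "base64-decoded payload",
    r"DownloadString|Net\.WebClient|Invoke-WebRequest": "remote payload fetch",
    r"Reflection\.Assembly\]::Load|VirtualAlloc": "in-memory code loading",
    r"-nop\b|-NoProfile|-w(?:indowstyle)?\s+hidden|-ExecutionPolicy\s+bypass": "evasion switches",
}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/malformed."""
    m = ENCODED_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_text(text):
    return [label for pat, label in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]

def inspect_autoruns(entries):
    """Return (value name, decoded script or None, reasons) for PowerShell autoruns showing in-memory loading indicators."""
    findings = []
    for name, cmdline in entries.items():
        if not POWERSHELL.search(cmdline):
            continue
        decoded = decode_encoded_command(cmdline)
        visible = ENCODED_FLAG.sub("-enc <blob>", cmdline)  # never pattern-match the raw blob
        reasons = score_text(visible)
        reasons += [r for r in score_text(decoded or "") if r not in reasons]
        if reasons:
            findings.append((name, decoded, reasons))
    return findings

# Constructed sample: a Run-key value launching PowerShell with an encoded script that
# decodes a second stage held elsewhere and evaluates it without touching disk.
SAMPLE_SCRIPT = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($stage)))"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_RUN_KEY = {
    "VendorAgent": r"C:\Program Files\Vendor\agent.exe /background",
    "Updater": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED,
}
```

Running `inspect_autoruns(SAMPLE_RUN_KEY)` flags only the "Updater" value, returning the decoded script alongside the reasons so an analyst can see what would have run in memory.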
If we put aside the criminal nature of these exploits and closely examine the anatomy of fileless intrusions, we can conclude that it is a clever and stealthy approach to breaching systems. That makes it all the more threatening.
To be safe from fileless intrusions, it is very important to know the skeletal details of the attacks and to apply emotional intelligence to counter them.
To learn more about the anatomy of fileless attacks, with examples, have a look at the CrowdStrike whitepaper, which takes a modern, intelligence-led approach to securing against this type of attack.