Malware-free, or fileless, attacks are on the rise as the lines between nation-state sponsored attack groups and eCrime threat actors are blurred.
CrowdStrike researchers found that 66 percent of the attacks they observed were fileless attacks that either leveraged compromised credentials or used malware that runs only in memory, according to the company's 2017 Cyber Intrusion Services Casebook report.
Examples of these types of attacks include those that use remote access tools such as RDP or VPN with compromised credentials, attacks that execute code from memory, exploits that leverage inherent weaknesses in a victim's IT stack, and spearphishing attacks used to gather credentials.
“Both threat groups increasingly leverage fileless malware and ‘living off the land’ techniques,” Thomas Etheridge, VP of CrowdStrike Services, told SC Media. “In the future, we will see more and more attackers leveraging these techniques because it's generally easy to obtain access when organizations are not prioritizing cybersecurity.”
Etheridge added that software supply chain attacks and self-propagating malware are also becoming more of a threat to organizations because they exploit the trusted relationship between vendors and their customers and often target the trusted organization's entire customer base.
The most common threat vectors were web server, web application, web shell and file uploader exploits, which accounted for 37 percent of intrusions; remote access such as RDP and VPN, which accounted for 23 percent; supply chain compromise, which accounted for 12 percent; social engineering and various phishing attacks, which accounted for 11 percent; and cloud-based service exploits, which accounted for another 11 percent.
The findings weren't all grim, however. Among companies that focus on cybersecurity, researchers spotted an 11 percent improvement in organizations' ability to detect threats within their networks, with 68 percent of the company's clients able to detect breaches internally. As a result, these companies are also curbing the time attackers dwell in their systems to 86 days, compared with an average of 100 days, the report said.
The longer an attacker spends in a victim's network, the more time they have to exfiltrate or destroy valuable data or disrupt business operations. Researchers reported dwell times as high as 800 to 1,000 days, but noted that these were exceptions and not the norm.
To better secure these vectors, Etheridge said IT departments must understand their portfolio of assets, the priority of each, and their system risk, and must implement vulnerability management tools that continually monitor for holes in their systems.
“When the staff is exercising proper cyber hygiene, including regularly changing passwords, not clicking on suspicious links, frequently testing their defense-in-depth strategy, they are effectively improving their ability to shield their specific assets from bad actors,” he said. “Since businesses have seen others paralyzed by these attacks, we expect to see more businesses invest more and understand the importance of patching vulnerabilities.”
Etheridge added that organizations also need to ensure their systems are patched and up to date, maintain strong credential management tools, and have programs in place to manage access.