The rise of file-less attacks

Cyber criminals are constantly looking for new and sophisticated ways to avoid detection and carry out their attacks. This has been most evident in the past few years: apart from the rise in ransomware attacks, there has also been an increase in the number of file-less attacks. File-less attacks pose a threat to organizations and challenge security solutions because they rely on sophisticated attack techniques and a variety of non-executable file formats.

There are a few reasons for the increase in file-less attacks. First, because the malicious logic of the attack often runs only in memory, traditional static detection is insufficient. Second, they complicate post-event analysis, since they leave attackers little on disk to be traced by. In response, the security industry hasn't remained idle, and various security solutions have extended their capabilities to combat these types of threats.

File-less Attacks Explained

The definition of a file-less attack is wide: the term "file-less attack" encompasses several possible attack scenarios, only some of which write no files to disk, and very few of which are completely file-less. A widely accepted definition of a file-less attack is an attack during which no portable executable (PE) file is written to disk and executed from it.

So, what falls under the category of the current accepted definition of a file-less attack?

Executable-less attacks: The most common form is an attack based on a dropper, usually a document or script, which is written to disk and then executes the next stages of the attack.

Dual-use attacks: Attacks based on legitimate files, either ones common to the attacked organization or widely used administrative tools, which can be abused to perform malicious functions. These files are usually written to disk, but can also be used as in-memory payloads.

Code injection attacks: Attacks in which code is injected into a process and loaded dynamically into its memory.

Combating File-less Attacks

Increasing awareness of these types of attacks within the security industry is making life harder for attackers. Moreover, regardless of the organization's choice of security solution, there are steps organizations and users can take to protect themselves and reduce the likelihood of infection:

  1. Restrict the use of scripts and scripting languages inside the organization by applying different policies to different areas of the network. Allow scripts to run only from read-only network locations, or only on specific machines.
  2. Restrict and monitor the use of interactive PowerShell within the organization.
  3. Scan the PE files and macro scripts that are allowed to run within the organization.
  4. Make sure all your computers and programs are updated regularly and on time. This prevents the exploitation of known, already patched vulnerabilities.
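As an added example for step 2 (not from the original post or Deep Instinct's product), the following PowerShell script audits a Windows machine's PowerShell restriction and monitoring posture: it reads the documented Group Policy registry values for script block logging, module logging and transcription, reports the session language mode and execution policy, and counts recent script block (event 4104) log entries. The seven-day window and the report format are assumptions; run it in an elevated session so the policy keys and the operational log are readable.

```powershell
# Added example: audit local PowerShell restriction/monitoring settings.
# The policy key below is the standard Group Policy location for these settings.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $PolicyBase $SubKey) -Name $Name `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: not configured
    return $item.$Name
}

function Get-PowerShellPosture {
    # Assumed window for the "monitor" part of step 2.
    $since = (Get-Date).AddDays(-7)
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Microsoft-Windows-PowerShell/Operational'
                  Id        = 4104
                  StartTime = $since
              } -ErrorAction SilentlyContinue

    [ordered]@{
        # Logging controls: each is enabled only when the policy DWORD equals 1.
        'ScriptBlockLogging enabled (event 4104)' =
            (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        'ModuleLogging enabled' =
            (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        'Transcription enabled' =
            (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        # Restriction controls: constrained language limits what interactive
        # sessions can do; Unrestricted/Bypass policies allow any script to run.
        'Session language mode' =
            $ExecutionContext.SessionState.LanguageMode.ToString()
        'Execution policy not Unrestricted/Bypass' =
            (Get-ExecutionPolicy) -notin @('Unrestricted', 'Bypass')
        # Baseline activity: how many script blocks were logged in the window.
        'Script block events, last 7 days' = @($events).Count
    }
}

$posture = Get-PowerShellPosture
$posture.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```

A result of False for the logging rows, or a count of zero alongside known PowerShell use, means interactive PowerShell is not being monitored on that host.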

With that in mind, it’s important to understand that malicious actors are expected to increase the number of file-less attacks and their sophistication, as they develop new methods to evade detection.

Advanced heuristics, which also protect against file-based attacks, quickly prevent code injection and in-memory attacks. Deep Instinct's unique deep learning model provides comprehensive protection against dual-use tools used in living-off-the-land attacks and against dropper files used in non-PE attacks, blocking these attacks pre-execution.

To learn about the anatomy of file-less attacks, and get an in-depth explanation of the challenges and solutions involved, get this free whitepaper.

Shimon Noam Oren,
VP research & deep learning,
Deep Instinct
https://youtu.be/bzoETjYwM9Y