What is a file-less attack?
13 July 2017
In December last year, the CIA disclosed how suspected Russian hackers conducted cyber-attacks on the computer networks of both the Republican National Committee and the Democratic National Committee. While many could connect the dots and accuse Russia of conducting social engineering, these cyber-attacks were one of many such attacks taking place across the world, and they would continue to haunt politicians and businesses in the year ahead.
There was something different about these cyber-attacks. For one, they managed to evade virtually every security firewall installed in large corporate networks, not because the malware used was futuristic, but because there was no malware in the first place.
Now commonly known as a non-malware attack or file-less attack, this technique has become a favourite among hackers. Modern antivirus software and corporate firewalls are capable of stalling malware infections by scanning executable files, but they are useless when confronted with a file-less attack.
This is because, to conduct such an attack, a hacker only needs to gain access to and take control of vulnerable software already employed by an organisation. Once he obtains the source code of such software, he can fulfil his objectives without leaving much of a scent.
This way, he does not need to download any malicious files that would otherwise be detected by antivirus software. In a file-less attack, he can also drive native operating system tools such as PowerShell or Windows Management Instrumentation, which let him obtain the privileges needed to execute any command he likes.
'If the goal of an attack is to gain a foothold or exfiltrate valuable data, then non-malware attacks accomplish this goal without fear of detection, especially when organizations are relying on legacy AV and machine-learning AV,' said security firm Carbon Black.
If the DNC hack was only an indication of what file-less attacks were capable of, then last month's NotPetya attack was a practical demonstration. The lethal cyber-attack, which paralysed critical infrastructure, government-owned networks, banks and post offices in Ukraine as well as several large global firms, was initially disguised as ransomware but was essentially a powerful file-less attack.
Weeks after the cyber-attack took place, the Ukrainian police confirmed that the suspected hackers carried out a supply chain attack to access the source code of accounting software created by Intellect Service and owned by accounting firm ME Doc. The software is widely used in Ukraine for tax filing by banks, media organisations, transport, telecommunications and energy departments, and by over 80 per cent of businesses in the country.
The NotPetya cyber-attacks also affected operations at global firms like Danish shipping company Maersk, Russian oil giant Rosneft, aircraft manufacturer Antonov, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK.
Considering the devastation that NotPetya caused around the world, the moot question is whether we are ready for similar file-less attacks in the future.
A couple of days ago, we covered how a majority of businesses around the world consider perimeter security as sufficient in containing cyber-attacks. This is despite the fact that 28 percent of organisations have suffered perimeter security breaches in the past 12 months.
This belief among businesses stems from a sore lack of knowledge about the concept of file-less attacks. Perimeter security comprises solutions such as firewalls, IDPS, antivirus, content filtering and anomaly detection, all of which fail when confronted with file-less attacks.
Just as end-to-end encryption and two-factor authentication protect customer data, timely upgrading of software and eradicating its vulnerabilities will go a long way towards countering file-less attacks, as hackers will no longer be able to use existing vulnerabilities to infiltrate large corporate networks.
According to security firm CrowdStrike, organisations need to 'employ investigative digital forensics experience combined with the real-time monitoring and detection capabilities that a next-gen endpoint detection and response (EDR) solution provides'. Similar security solutions need to be implemented by third parties and agencies handling a company's data or software, as a corporate network is only as strong as its weakest link.
Carbon Black adds that the answer to sophisticated file-less attacks is streaming prevention. This mechanism not only monitors individual events on an endpoint, but also monitors and analyses the relationships among those events.
'In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels,' the firm noted.
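As an added illustration of the "relationships among events" idea described above (example code written for this page, not Carbon Black's or CrowdStrike's product logic), the toy detector below looks at process-creation events as a tree rather than one at a time: a PowerShell process is only flagged when its ancestry runs through a document handler or the WMI provider host. The event fields, tool lists and sample events are all constructed assumptions.

```python
"""Toy relationship-aware detector over constructed process-creation events.

A per-event filter ("is powershell.exe running?") is noisy; following the
parent chain separates an administrator's shell from an interpreter that a
document handler or the WMI provider host spawned. Data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name only, e.g. "powershell.exe"


# Native tools the article names as the interpreters abused in file-less attacks.
NATIVE_TOOLS = {"powershell.exe", "wmic.exe"}
# Ancestors that rarely have a legitimate reason to launch such an interpreter.
SUSPECT_ANCESTORS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe"}


def build_index(events):
    return {e.pid: e for e in events}


def ancestry(index, pid):
    """Walk parent links from pid to the root, returning image names in order."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)  # guard against cycles caused by PID reuse in the log
        chain.append(index[pid].image)
        pid = index[pid].ppid
    return chain


def flag_chains(events):
    """Return (pid, chain) for native tools whose ancestry contains a suspect image."""
    index = build_index(events)
    hits = []
    for e in events:
        if e.image.lower() in NATIVE_TOOLS:
            chain = ancestry(index, e.pid)
            if any(a.lower() in SUSPECT_ANCESTORS for a in chain[1:]):
                hits.append((e.pid, chain))
    return hits


# Constructed sample: one admin shell (benign), one shell reached via a Word
# document, and one spawned by the WMI provider host.
SAMPLE = [
    ProcEvent(4, 0, "explorer.exe"),
    ProcEvent(900, 4, "powershell.exe"),
    ProcEvent(1200, 4, "winword.exe"),
    ProcEvent(1300, 1200, "cmd.exe"),
    ProcEvent(1400, 1300, "powershell.exe"),
    ProcEvent(2000, 4, "wmiprvse.exe"),
    ProcEvent(2100, 2000, "powershell.exe"),
]

if __name__ == "__main__":
    for pid, chain in flag_chains(SAMPLE):
        print(pid, " <- ".join(chain))
```

Only the two interpreters whose chains pass through winword.exe or wmiprvse.exe are reported; the administrator's shell under explorer.exe is left alone.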