Non-malware attacks have experienced what you might call a renaissance over the past couple of years. As we speak, it is being reported that hackers have been targeting the upcoming Winter Olympics using fileless malware.
Non-malware attacks, also known as fileless attacks, use trusted programmes native to the operating system to gain control of computers. In recent research, virtually every organisation examined by the Carbon Black Threat Analysis Unit (TAU) had been targeted by non-malware attacks. Since then there has been a noticeable uptick, with a monthly average growth rate of 6.8% for non-malware attacks. Deployment of non-malware attacks in the wild has become a regular feature of attack campaigns. More than half of all cyberattacks now leverage non-malware tactics.
The trend is continuing. A Carbon Black survey has found that 93% of security researchers say non-malware attacks pose more of a business risk than commodity malware attacks. The survey also found that 64% of security researchers have seen an increase in non-malware attacks. Why is the use of non-malware tactics growing at such an alarming rate? Simply put, they work. Cybercriminals are following the path of least resistance. Non-malware attacks have inevitably grown in prevalence in recent years as attackers have developed ways to launch them at scale. Now, let’s delve a bit deeper and consider what we’re up against and what can be done.
Non-malware attacks typically do not require downloading additional malicious files and are capable of conducting extremely nefarious activities such as stealing data, stealing credentials, and spying on IT environments. Native operating system tools regularly used in non-malware attacks include PowerShell and Windows Management Instrumentation (WMI), tools typically reserved for IT administrators. Non-malware attacks also exploit in-memory access and running applications, such as web browsers and Office applications, to conduct malicious behaviour. These attacks are said to “live off the land,” which makes them especially insidious and difficult to distinguish from the ordinary functioning of a computer.
Criminals use non-malware attacks because malware-focused antivirus is unable to stop them. Many current endpoint security solutions (such as traditional AV and machine-learning AV) do nothing to prevent, or even detect, non-malware attacks, providing attackers with a point of entry that goes completely overlooked. Traditional AV and machine-learning AV are designed to identify threats only at a single point in time: when a file is written to disk. Since they look only at the attributes of an executable file, they are completely blind to attacks in which no files are involved. As we’ve discussed, non-malware attacks use known, allowed applications to carry out malicious ends. As a result, each individual event appears normal. If the goal of an attack is to gain a foothold or exfiltrate valuable data, then non-malware attacks accomplish this goal without fear of detection, especially when organisations are relying on legacy AV and machine-learning AV. The native tools that non-malware attacks leverage grant users exceptional rights and privileges to carry out the most basic commands across a network that lead to valuable data.
A Carbon Black survey has found that 96% of researchers say being able to prevent non-malware attacks would improve their organisation’s security posture. As we have seen above, confidence in legacy antivirus is waning. Two thirds of security researchers said they were not confident antivirus could protect an organisation from non-malware attacks. As a result, many organisations are looking to next-generation antivirus (NGAV) for protection from non-malware attacks.
At Carbon Black, the latest tool in our NGAV toolkit is a breakthrough technology called streaming prevention. What makes streaming prevention stand out from the crowd is how it uses event stream processing (ESP), the same technology that revolutionised algorithmic day-trading. Similar to algorithmic day-trading applications, streaming prevention continuously updates a risk profile based on a steady stream of computer activity. When multiple, potentially malicious events occur in succession, or are clustered together, the software blocks the attack.
In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorised requests to run applications, and changes to credentials or permission levels. Streaming prevention does not only monitor individual events on an endpoint; it monitors and analyses the relationships among events. As such, streaming prevention will thwart an attacker’s efforts to blend in with the day-to-day functioning of a computer. Nefarious activity is tagged, flagged and automatically shut down before objectives can be carried out. The use of non-malware attacks is no doubt trending upwards, but with advanced endpoint protection, organisations can stop attacks and keep valuable data safe.
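As an added illustration of the idea described above (this is not Carbon Black's code or product logic), the following Python sketch scores a stream of constructed endpoint events per process: no single event reaches the block threshold on its own, but a chain of related events inside a time window does. The event layout, the tag weights, the threshold and the window length are assumptions made for the example.

```python
from collections import defaultdict, deque

# Assumed per-event weights: none reaches the threshold on its own, so an admin
# simply running PowerShell is not blocked; a chain of related events is.
WEIGHTS = {
    "office_spawns_shell": 40,  # Office application starts a scripting host
    "encoded_or_hidden": 25,    # -enc / -w hidden / -nop on the command line
    "wmi_process_create": 25,   # process launched through wmiprvse.exe (WMI)
    "shell_network_out": 30,    # scripting host opens an outbound connection
}
BLOCK_THRESHOLD, WINDOW_SECONDS = 80, 120
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def classify(ev):
    """Map one endpoint event (assumed dict layout) to the tags it matches."""
    tags, p, kind = [], ev["process"].lower(), ev["kind"]
    parent, cmd = ev.get("parent", "").lower(), ev.get("cmdline", "").lower()
    if kind == "process_start":
        if parent in OFFICE and p in SHELLS:
            tags.append("office_spawns_shell")
        if parent == "wmiprvse.exe":
            tags.append("wmi_process_create")
        if p == "powershell.exe" and any(f in cmd for f in ("-enc", "-w hidden", "-nop")):
            tags.append("encoded_or_hidden")
    elif kind == "net_connect" and p in SHELLS:
        tags.append("shell_network_out")
    return tags

def feed(history, ev):
    """Add one event to the per-process sliding window; return (decision, score)."""
    hist = history[ev["pid"]]
    hist.extend((ev["ts"], tag) for tag in classify(ev))
    while hist and ev["ts"] - hist[0][0] > WINDOW_SECONDS:  # expire old events
        hist.popleft()
    score = sum(WEIGHTS[tag] for _, tag in hist)
    return ("block" if score >= BLOCK_THRESHOLD else "allow"), score

# Constructed sample stream: Word launches hidden PowerShell that then calls out; an unrelated interactive session stays allowed.
CONSTRUCTED_EVENTS = [
    {"ts": 0, "pid": 4711, "kind": "process_start", "process": "powershell.exe",
     "parent": "WINWORD.EXE", "cmdline": "powershell -nop -w hidden -enc PLACEHOLDER"},
    {"ts": 3, "pid": 4711, "kind": "net_connect", "process": "powershell.exe"},
    {"ts": 30, "pid": 9001, "kind": "process_start", "process": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell Get-Service"},
]

def run(events):  # feed events in order; one (pid, decision, score) tuple per event
    history = defaultdict(deque)  # pid -> deque of (timestamp, tag)
    return [(ev["pid"], *feed(history, ev)) for ev in events]
```

The first process is allowed after its first event (score 65) and blocked once the outbound connection arrives (score 95), while the interactive PowerShell session never accrues a score.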