
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them


How adversaries use fileless attacks to evade your security and what you can do about it

Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.

You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.

The following presentation includes:
--How a fileless attack is executed — see how an end-to-end attack unfolds
--Why fileless attacks are having so much success evading legacy security solutions
--How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective


  1. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. WHO NEEDS MALWARE? UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM
  2. AGENDA
     1 What are fileless attacks
     2 How does a fileless attack work
     3 Real world examples
     4 Why traditional approaches don't work
     5 The CrowdStrike approach
  3. POLL QUESTION: How would you rate your knowledge of fileless attacks, 1 to 5 (1 = none, 5 = expert)?
  4. WHAT IS A FILELESS ATTACK: An attack that does not require a malicious executable file to be written to disk.
  5. THE REALITY OF FILELESS ATTACKS
     -- Fileless techniques are not new
     -- More prevalent than ransomware: 24% vs. 21%
     -- 78% of organizations are concerned about fileless attacks
     -- Only 51% of breaches include malware (source: Verizon DBIR 2017)
     -- Not all attacks are 100% fileless: 80% of attacks use some fileless techniques (source: CrowdStrike Incident Response)
  6. FILELESS ATTACK TECHNIQUES (section title)
  7. FILELESS TECHNIQUES: fileless intrusion techniques observed by the Falcon platform
     -- Spear phishing for credentials
     -- Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
     -- Registry persistence
     -- Webshells
  8. WEBSHELL ATTACKS
     1 Attacker identifies an organization with a vulnerable web application
     2 Remote attacker uses SQL injection or another vulnerability to drop a payload
     3 The vulnerable web server is compromised and becomes a backdoor
  9. FILELESS TECHNIQUES (continued): fileless intrusion techniques observed by the Falcon platform
     -- Spear phishing for credentials
     -- Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
     -- Registry persistence
     -- Webshells
     -- PowerShell-based credential dumpers
  10. HOW A FILELESS ATTACK TAKES PLACE (each phase lists its technique, goal and tools)
     1 Initial compromise: remote access to a system using a web browser; can be a web scripting language, e.g. China Chopper. Goal: gain access. Tools: webshell.
     2 Command and control: run system commands to find out where we are. Goal: recon. Tools: Sysinfo, Whoami.
     3 Privilege escalation: run a PowerShell script such as Mimikatz to dump credentials. Goal: dump credentials. Tools: PowerShell.
     4 Persistence: modifies the Registry to create a backdoor, e.g. on-screen keyboard or sticky keys. Goal: maintain persistence. Tools: Registry.
     5 Exfiltration: uses system tools to gather data and the China Chopper webshell to exfiltrate it. Goal: exfiltrate data. Tools: VSSAdmin, Copy, NET use, webshell.
  11. REAL WORLD EXAMPLES
     -- Fileless malware: Kovter
     -- Fileless attack: nation state
  12. KOVTER
     -- Click-fraud
     -- Fileless after initial infection
     -- Hides encrypted malicious modules in the registry
     -- Hides other malicious modules in PowerShell scripts
     -- Uses a shortcut file (.lnk) to download PowerShell scripts; the script launches PowerShell to start a shellcode
  13. NATION STATE ATTACK
     -- Weaponization: spoofed website
     -- Delivery: spear phishing
     -- PowerShell modules connect to a remote server
     -- Install/run Mimikatz
     -- Lateral movement through stolen credentials
  14. MOVING LATERALLY WITHOUT MALWARE
     1 Attacker sets the bait with a fake website
     2 Extracts credentials from the initial victim
     3 Moves laterally to other hosts
  15. HOW TO PROTECT AGAINST FILELESS ATTACKS (section title)
  16. HOW WOULD YOU RATE YOUR CURRENT LEVEL OF PROTECTION AGAINST FILELESS ATTACKS? (1 = poor, 5 = excellent)
  17. EDUCATE: 83% rate the efficacy of traditional signature-based AV as good or excellent
  18. WHY TRADITIONAL APPROACHES DON'T WORK
     -- No file to analyze
     -- No artifacts left behind
     -- Blind if prevention fails
     -- Uses legitimate applications
     -- No file to detonate
     -- Hands on keyboard
  19. FALCON ENDPOINT PROTECTION: protects against all types of attacks
     -- Benefits: protect against known/unknown malware and malware-free attacks; protect against zero-day attacks
     -- Capabilities: machine learning, IOA behavioral blocking, block known bad, exploit mitigation, endpoint detection and response, managed threat hunting
  20. INDICATORS OF ATTACK (the behavioral chain of the webshell intrusion, in order)
     1 Web server executes a process
     2 Process conducts reconnaissance
     3 Process elevates privileges
     4 Process injects a thread into a system process
     5 Injected thread reads credentials from the system process memory
     6 Dumped credentials are used to log into the Exchange server
     7 Mailboxes are exported out of Exchange
  21. KEY TAKEAWAYS
     -- The threat is real
     -- Traditional AV is not enough
     -- Current defenses do not work
     -- Need to think beyond malware and focus on stopping the breach
  22. Questions? Please submit all questions in the Q&A chat right below the presentation slides.
     Contact us / additional information:
     -- Join weekly demos: crowdstrike.com/productdemos
     -- Featured asset: How Adversaries Use Fileless Attacks To Evade Your Security (link in resource list)
     -- Website: crowdstrike.com
     -- Email: info@crowdstrike.com
     -- Number: 1.888.512.8902 (US)
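As an added example that is not part of the CrowdStrike deck, the following Python correlator shows how the behavioral chain on slides 10 and 20 can be detected from process and registry telemetry rather than from a file on disk: it follows every process descended from a shell spawned by a web server and alerts when that lineage reaches several of the stages (recon, credential dump, registry backdoor, exfiltration staging). The process and tool names, the Sysmon-like event shape and the sample events are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Process and tool names are assumptions of this example, chosen to match the stages on
# slides 10 and 20 (webshell, recon, credential dump, registry backdoor, exfiltration).
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
RECON = {"whoami.exe", "systeminfo.exe", "hostname.exe"}
EXFIL_TOOLS = {"vssadmin.exe", "xcopy.exe", "robocopy.exe"}
# Sticky-keys / on-screen-keyboard backdoor: a Debugger value under IFEO for sethc or osk.
IFEO_RE = re.compile(r"Image File Execution Options\\(sethc|osk)\.exe\\Debugger$", re.I)
def stage_of(ev):
    """Return the attack stage a single event evidences, or None if it is unremarkable."""
    if ev["type"] == "registry":
        return "persistence" if IFEO_RE.search(ev["target"]) else None
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev.get("cmdline", "").lower()
    if parent in WEB_SERVERS and img in SHELLS:
        return "webshell"
    if img in RECON:
        return "recon"
    if img == "powershell.exe" and "mimikatz" in cmd:
        return "credential_dump"
    if img in EXFIL_TOOLS or (img == "net.exe" and "use" in cmd.split()):
        return "exfil_staging"
    return None
def correlate(events):
    """Follow every process descended from a web-server-spawned shell, per host, and return
    {host: sorted stages} for hosts where that lineage reaches three or more stages."""
    tainted, stages = defaultdict(set), defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process" and (ev["parent"].lower() in WEB_SERVERS
                                        or ev["ppid"] in tainted[host]):
            tainted[host].add(ev["pid"])
        if ev["pid"] in tainted[host] and (st := stage_of(ev)):
            stages[host].add(st)
    return {h: sorted(s) for h, s in stages.items() if "webshell" in s and len(s) >= 3}

# Constructed sample telemetry (not real logs); admin01's interactive whoami must not alert.
P = lambda host, pid, ppid, image, parent, cmdline="": dict(
    host=host, type="process", pid=pid, ppid=ppid, image=image, parent=parent, cmdline=cmdline)
SAMPLE_EVENTS = [
    P("web01", 100, 10, "cmd.exe", "w3wp.exe", "cmd.exe /c whoami"),
    P("web01", 102, 100, "systeminfo.exe", "cmd.exe", "systeminfo"),
    P("web01", 103, 100, "powershell.exe", "cmd.exe", "powershell.exe -nop -c Invoke-Mimikatz"),
    {"host": "web01", "type": "registry", "pid": 103, "target":   # set from that PowerShell
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    P("web01", 105, 100, "vssadmin.exe", "cmd.exe", "vssadmin create shadow /for=C:"),
    P("admin01", 200, 5, "whoami.exe", "explorer.exe", "whoami"),
]
```

Only the lineage rooted in the web server process accumulates stages, so the same recon command run by an administrator from Explorer contributes nothing; in production the thresholds and name lists would be tuned to the environment's own telemetry.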
