How adversaries use fileless attacks to evade your security and what you can do about it
Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.
You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.
The following presentation includes:
--How a fileless attack is executed — see how an end-to-end attack unfolds
--Why fileless attacks are having so much success evading legacy security solutions
--How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
1. WHO NEEDS MALWARE? UNDERSTANDING FILELESS ATTACKS AND HOW TO STOP THEM
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
2.
1 What are fileless attacks
2 How does a fileless attack work
3 Real-world examples
4 Why traditional approaches don't work
5 The CrowdStrike approach
3. POLL QUESTION: HOW WOULD YOU RATE YOUR KNOWLEDGE OF FILELESS ATTACKS, 1 TO 5 (1 = NONE, 5 = EXPERT)
5. WHAT IS A FILELESS ATTACK
An attack that does not require a malicious executable file to be written to disk.
7. THE REALITY OF FILELESS ATTACKS
§ Fileless techniques are not new
§ More prevalent than ransomware: 24% vs. 21%
§ 78% of organizations are concerned about fileless attacks
§ Only 51% of breaches include malware (source: Verizon DBIR 2017)
§ Not all attacks are 100% fileless
§ 80% of attacks use some fileless techniques (source: CrowdStrike Incident Response)
9. FILELESS TECHNIQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
§ Registry persistence
§ Webshells
10. WEBSHELL ATTACKS
1. Attacker identifies an organization with a vulnerable web application
2. Remote attacker uses SQL injection or another vulnerability to drop the payload
3. The vulnerable web server is compromised and becomes a backdoor
11. FILELESS TECHNIQUES
FILELESS INTRUSION TECHNIQUES OBSERVED BY THE FALCON PLATFORM
§ Spear phishing for credentials
§ Lateral movement using 'living off the land' tools (WMI, Unix commands, PowerShell)
§ Registry persistence
§ Webshells
§ PowerShell-based credential dumpers
12. HOW A FILELESS ATTACK TAKES PLACE
1 INITIAL COMPROMISE
  Goal: GAIN ACCESS
  Technique: Remote access to a system using a web browser; can be a web scripting language, e.g. China Chopper
  Tools: WebShell
2 COMMAND AND CONTROL
  Goal: RECON
  Technique: Run system commands to find out where we are
  Tools: Sysinfo, Whoami
3 PRIVILEGE ESCALATION
  Goal: DUMP CREDENTIALS
  Technique: Run a PowerShell script such as Mimikatz to dump credentials
  Tools: PowerShell
4 PERSISTENCE
  Goal: MAINTAIN PERSISTENCE
  Technique: Modifies the Registry to create a backdoor, e.g. On-Screen Keyboard or Sticky Keys
  Tools: Registry
5 EXFILTRATION
  Goal: EXFILTRATE DATA
  Technique: Uses system tools to gather data and the China Chopper webshell to exfiltrate it
  Tools: VSSAdmin, Copy, NET use, Webshell
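A defender's view of the five stages above, as an added example that is not part of the CrowdStrike deck: one detection rule per stage run over process-creation events, then per-host correlation so a hands-on-keyboard chain is flagged even though no file is ever written to disk. The event fields (modelled on Sysmon Event ID 1), the process-name lists, the registry path pattern and the sample command lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class ProcEvent:          # constructed shape, modelled on Sysmon Event ID 1 fields
    host: str
    parent: str           # parent process image name
    image: str            # new process image name
    cmdline: str          # full command line of the new process

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RECON = {"systeminfo.exe", "whoami.exe", "ipconfig.exe", "hostname.exe"}

# One rule per step of the slide-12 chain: (stage label, predicate over an event).
RULES = [
    ("1 initial compromise", lambda e: e.parent in WEB_SERVERS and e.image in SHELLS),
    ("2 recon", lambda e: e.parent in SHELLS and e.image in RECON),
    ("3 credential dump", lambda e: e.image == "powershell.exe"
        and bool(re.search(r"mimikatz|sekurlsa", e.cmdline, re.I))),
    ("4 persistence", lambda e: e.image == "reg.exe" and bool(re.search(
        r"Image File Execution Options\\(sethc|osk|utilman)\.exe.*Debugger", e.cmdline, re.I))),
    ("5 exfil staging", lambda e: (e.image == "vssadmin.exe" and "create shadow" in e.cmdline.lower())
        or (e.image == "net.exe" and bool(re.match(r"net(\.exe)?\s+use\b", e.cmdline, re.I)))),
]

def match_stages(event):
    """Labels of every rule the event satisfies (one event may hit several)."""
    return [label for label, pred in RULES if pred(event)]
def stages_by_host(events):
    """Correlate per host: the distinct chain stages observed on each machine."""
    seen = defaultdict(set)
    for e in events:
        seen[e.host].update(match_stages(e))
    return dict(seen)
def flag_hosts(events, min_stages=3):
    """Hosts showing at least min_stages distinct stages: a chain, not one noisy command."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

SAMPLE = [  # constructed telemetry: one compromised web server and two benign hosts
    ProcEvent("web01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ProcEvent("web01", "cmd.exe", "whoami.exe", "whoami"),
    ProcEvent("web01", "cmd.exe", "powershell.exe", "powershell.exe -NoProfile -Command Invoke-Mimikatz"),
    ProcEvent("web01", "cmd.exe", "reg.exe",
              r'reg.exe add "HKLM\...\Image File Execution Options\sethc.exe" /v Debugger /d <placeholder>'),
    ProcEvent("web01", "cmd.exe", "vssadmin.exe", "vssadmin.exe create shadow /for=C:"),
    ProcEvent("fs02", "services.exe", "vssadmin.exe", "vssadmin.exe list shadows"),  # scheduled backup
    ProcEvent("ws07", "cmd.exe", "whoami.exe", "whoami /groups"),                  # admin at the console
]
```

`flag_hosts(SAMPLE)` returns only `web01`: the backup job on `fs02` and the lone `whoami` on `ws07` each match at most one stage, which is the signal-to-noise reason to alert on the chain rather than on any single living-off-the-land command.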
13. REAL-WORLD EXAMPLES
§ Fileless malware: Kovter
§ Fileless attack: Nation state
14. KOVTER
§ Click-fraud
§ Fileless after initial infection
§ Hides encrypted malicious modules in the registry
§ Hides other malicious modules in PowerShell scripts
§ Uses a shortcut file (.lnk) to download PowerShell scripts; the script launches PowerShell to start shellcode
15. NATION STATE ATTACK
§ Weaponization: Spoofed website
§ Delivery: Spear phishing
§ PowerShell modules connect to a remote server
§ Install/run Mimikatz
§ Lateral movement through stolen credentials
16. MOVING LATERALLY WITHOUT MALWARE
1. Attacker sets the bait with a fake website
2. Extract credentials from the initial victim
3. Move laterally to other hosts
17. HOW TO PROTECT AGAINST FILELESS ATTACKS
18. POLL QUESTION: HOW WOULD YOU RATE YOUR CURRENT LEVEL OF PROTECTION AGAINST FILELESS ATTACKS (1 = POOR, 5 = EXCELLENT)
20. EDUCATE
83% rate traditional signature-based AV efficacy good or excellent
21. WHY TRADITIONAL APPROACHES DON'T WORK
§ No file to analyze
§ No artifacts left behind
§ Blind if prevention fails
§ Uses legitimate applications
§ No file to detonate
§ Hands on keyboard
22. FALCON ENDPOINT PROTECTION
Machine Learning | IOA Behavioral Blocking | Block Known Bad | Exploit Mitigation | Endpoint Detection and Response | Managed Threat Hunting
BENEFITS
§ Protects against all types of attacks
§ Protect against known/unknown malware and malware-free attacks
§ Protect against zero-day attacks
24. KEY TAKEAWAYS
§ THE THREAT IS REAL
§ TRADITIONAL AV IS NOT ENOUGH
§ CURRENT DEFENSES DO NOT WORK
§ NEED TO THINK BEYOND MALWARE AND FOCUS ON STOPPING THE BREACH
25. Questions?
Please submit all questions in the Q&A chat right below the presentation slides.
Contact Us / Additional Information
Join Weekly Demos: crowdstrike.com/productdemos
Featured Asset: How Adversaries Use Fileless Attacks To Evade Your Security (link in Resource List)
Website: crowdstrike.com
Email: info@crowdstrike.com
Number: 1.888.512.8902 (US)