Non-Malware Attacks: How to Speed Up Your SOC by detecting and responding to “File-less” attacks on Endpoints

Webinar Registration

Non-malware, file-less attacks, living-off-the-land.

Attackers are learning how to fly beneath the radar by doing their work strictly in memory and staying off the file system as much as possible. In fact, in a recent study, 64% of 410 security researchers reported an increase in non-malware attacks since the beginning of 2016.

You still need to look for unrecognized EXEs, DLLs, scripts and so on, but nowadays that will only catch lower-skilled attackers. Actually – for that matter – it doesn't require a highly skilled attacker to use non-malware techniques; there are already shrink-wrapped, commodity hacker tools out there that make it easy for non-systems programmers to exploit non-malware techniques.

Take the white-hat tool PowerShell Empire for instance. It gives the attacker all the power of PowerShell (pun intended) without persisting scripts – let alone EXEs – to disk. PowerShell allows you to use .NET, which in turn allows you to do pretty much anything that a custom-written Windows EXE can do. The attacker starts with something small, like a Word document containing a macro that loads the PowerShell engine inside Word's own process memory – never even launching PowerShell.exe.

Combating the current state of the art in cybercrime isn't just about detection technology. We, the security analysts and SOC managers, need to get faster and more effective at detecting and resolving these incidents in order to keep up. In the past we've been able to focus largely on the file system. That mindset is rooted in the days of simple viruses that relied on files with static byte patterns, otherwise known as signatures.

Today, it's all about the much more dynamic, ephemeral world of processes and memory. Which programs are running other programs? Does that make sense? Why are the bits of a PowerShell DLL showing up in memory allocated to Microsoft Word? Why is Word opening an outbound WMI connection to our database server?
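The two questions above (who is spawning whom, and which process has the PowerShell engine loaded) can be turned into simple detection logic. The following is an added example, not code from the webinar or from Carbon Black; it runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load) reduced to the fields the rules need, and the paths and process IDs are made up.

```python
# Added example: flag (1) Office applications spawning script/WMI hosts and
# (2) the PowerShell engine assembly loaded into a process that is not
# powershell.exe. Event shapes are assumed (Sysmon-like), sample data is constructed.
from typing import Iterable, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that Office has no business spawning during normal document work.
SUSPICIOUS_CHILDREN = {"powershell.exe", "wmic.exe", "cmd.exe", "wscript.exe"}
# The PowerShell engine lives in this .NET assembly; any process can host it.
PS_ENGINE_PREFIX = "system.management.automation"
PS_HOSTS = {"powershell.exe", "powershell_ise.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: Iterable[dict]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for e in events:
        if e["EventID"] == 1:  # process creation: check the parent/child pair
            parent, child = basename(e["ParentImage"]), basename(e["Image"])
            if parent in OFFICE and child in SUSPICIOUS_CHILDREN:
                alerts.append(f"office-spawn: {parent} -> {child} (pid {e['ProcessId']})")
        elif e["EventID"] == 7:  # image load: engine DLL in an unexpected host
            host, module = basename(e["Image"]), basename(e["ImageLoaded"])
            if module.startswith(PS_ENGINE_PREFIX) and host not in PS_HOSTS:
                alerts.append(f"ps-engine-in-host: {host} loaded {module} (pid {e['ProcessId']})")
    return alerts

# Constructed sample telemetry (not real events).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENGINE = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe"},  # benign
    {"EventID": 1, "ProcessId": 4188, "Image": PWSH, "ParentImage": WORD},   # macro launching powershell.exe
    {"EventID": 7, "ProcessId": 4188, "Image": PWSH, "ImageLoaded": ENGINE},  # expected host, no alert
    {"EventID": 7, "ProcessId": 4120, "Image": WORD, "ImageLoaded": ENGINE},  # engine inside Word itself
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second rule is what catches the "DLL-only" case the text describes, where powershell.exe never appears in process creation logs at all.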

But it's not limited to technical exploits. Organizations are reporting that attackers are becoming more adept at social engineering that targets not just end-users but also IT and even infosec staff. Similarly, attackers who have gained a foothold inside an organization's network target end-users by impersonating HR and – again – even infosec staff when emailing other users.

In this upcoming real-training-for-free ™ webinar we will drill down into non-malware attacks and discuss what it takes to become a high-speed SOC that can quickly detect and respond to these attacks. Technology is a critical component, but we'll also look at the softer yet equally critical side of skills and processes. Joining me for the discussion are folks from Carbon Black who have been investigating non-malware attacks since they began.

Some of the technical issues we’ll address:

  • WMI-based attacks
  • In-memory techniques
  • PowerShell attacks (both PowerShell.exe and more sophisticated DLL-only attacks)
  • Office macros

Carbon Black is sponsoring this real training for free ™ session and I’ll be joined by some of the very smart folks there who are constantly researching current attacks.

Anti-virus obviously doesn't address attacks that are invisible to the file system, and artificial intelligence is still a nascent technology at best. Join us for this in-depth discussion of how non-malware attacks work and how to streamline your SOC to deal with them.
