A new kind of cyber attack is on the rise. Fileless attacks were involved with up to 77% of all successful cyber attacks in 2017. But what are fileless attacks, and how can you defend against them?
How Fileless Attacks Work
At its most basic, a computer stores data in two places: its hard disk drive(s) and its random access memory (RAM). The hard disk drive contains data locked away for long term storage. Think of all the files and applications that are stored on your computer, but aren’t open right now—those are on your disk. When you open applications and files, however, you’re telling your computer to bring them out of long term storage so that they can be processed by RAM. The data processing involved with viewing this web page, for example, is working mainly on this smaller, faster form of storage known as your computer’s memory.
Traditional malware works by saving itself to a computer’s disk (after being downloaded, for instance), trying to coax the user to execute a file so that the malicious software can take over. Over the past few years, however, a new kind of malware has been on the rise, infiltrating target systems by bypassing their hard disks altogether. Through some clever manipulation of your computer’s admin properties, “fileless” programs execute malicious code without any interaction with the hard disk, obviating the need for any action from the user. In most cases, they run directly in a system’s memory, or in low level databases associated with your computer’s operating system.
In the past, cyber attacks were like Trojan horses—trying to get users to inadvertently bring them through the gates. Now, in addition to these traditional threats, attackers are using fileless malware to parachute directly into your computer’s command center.
Types of Fileless Attacks
Once embedded, fileless attacks is capable of virtually everything traditional malware can do. It can harvest private information, forcing your computer to quietly send it to a remote server. Many notable data breaches, including the DNC hack during the 2016 election, are believed to have been perpetrated with fileless malware. And such programs can act as ransomware, taking data hostage until exorbitant payments are made. Here are just three common varieties of fileless infiltration:
Code injection: The malware runs SQL code that queries an organization’s databases, collecting valuable data and sending it to a hacker’s server.
Macro-based: The malware executes a macro from a Word document, instructing the computer to password-lock all of its saved documents.
Script-based: The malware executes with the HTML script on a malicious site, prompting your web browser to autofill its saved passwords and credit card numbers to a hacker’s database.
How AI Defeats Fileless Attacks
Fileless threats have been so successful, in part, because legacy antivirus (AV) software is powerless against them. Remember those long antivirus scans that say they’re searching through your files? They’re scanning through your hard disk looking for malicious files to quarantine. But because fileless software doesn’t hide on your disk, it goes undetected by these legacy AVs.
Next-gen AVs do better by analyzing code and scripts on your computer in search of suspicious commands. They use specific rules and heuristics aimed at identifying known kinds of malware, even in memory. But next-gen AVs are often ineffective as well, as their identificatory rules and heuristics fail to adapt quickly enough to the ever-growing variety of fileless programs.
Machine learning-based cybersecurity is the best solution to fileless attacks. That’s because rather than trying to memorize all of the signatures associated with fileless threats, it continuously updates itself, or “learns,” to best predict and prevent new and unknown threats, while shoring up defenses against those that have been seen before. It’s this advantage that has allowed SparkCognition’s own machine learning-based cybersecurity solution DeepArmor®️ to defeat some of the most insidious cyber threats, including ransomware like GandCrab, and CryptoMix, which are now being delivered using fileless approaches.
