Why Are Malware-Free Attacks on the Rise?

The global cyber threat landscape mutates and evolves with the utmost speed, and there is an increasing need to stay aware of the newly emerging attack vectors, as well as technical specifications of tools that adversaries are trying to use. That’s why organizations are increasingly developing flexible risk management techniques that are based on the newest research and trusted remediation techniques.

For instance, the latest report by CrowdStrike mentions that malware-free attacks constitute 51% of all the attacks that were identified by them in 2021. More than half of attacks of a certain kind look like quite a tendency that is worth further examination. Let’s look more closely at malware-free attacks and try to understand why malicious actors have been focusing primarily on this vector.

Do They Need Malware To Attack?

This might sound like a contradictory statement in its nature but attackers don’t necessarily need malware to breach security controls. In fact, one of their major goals is to stay unnoticeable by security scanners so the malware-free attack is actually a neat way to evade detection.

It’s not that modern security solutions are helpless in the face of malware-free attacks. Far from it. For example, you could deploy detection rules in your SIEM and map them to the MITRE ATT&CK framework with the help of SOC Prime’s Detection as Code platform. Also, if you need to share detections across various software products that you use, you can employ a generic SIGMA format. Later on, as soon as you need a query or a rule in a vendor-specific format, you can easily translate it by leveraging tools like Uncoder.IO, a free online translation engine for threat detection content. The question is, which rules exactly do you want to use and how do they address the specific features of newly found threats.

In the case of malware-free attacks, antiviruses on endpoints and traditional malware scanners used in honeypots and sandboxes won’t be able to recognize such an attack because it simply doesn’t leave the file trace in the system. That’s why detections have to be focused rather on suspicious behavior that is also tailored to the organization’s specific baselines in order to exclude the overflow of benign attacks. Furthermore, analysts in a security operations center need to look for patterns that are characteristic of the same kill chain. External threat intelligence might give the idea of how particular adversary groups lately tend to abuse systems and networks of their victims without even having any malware.

Malware-free vs Fileless Attacks

Members of the team that are not familiar with the technical side of common cyberattacks typically find it hard to understand how a security breach becomes possible without the installation of particular malicious files. What’s more, specialists on a technical level argue about the difference between malware-free and fileless attacks. Some of them say that these are entirely different strains of cyber threats while others see many similarities but also distinguish some drastic differences. However, it’s important to understand some common features of both these types of malicious behavior to be able to shape a viable strategy of detection and remediation.

Let’s start with malware-free attacks. Most commonly, they abuse the following structures in a victim’s network:

Native software and tools on the operating systems

Legitimate third-party applications

RAM, doesn’t write files to a hard drive

So if you hear about Windows Active Directory being targeted, or hijacked credentials, that’s most likely a malware-free attack. Then, if you hear about stolen certificates from the original software, count them in as well. Additionally, the trick is that a script can execute without writing any files into a device’s disk. What the attackers need is only accessing the processes that are already running in the device’s memory.

The definitions of malware-free and fileless attack often intersect and there is no single official term that describes each of them. However, researchers say that, unlike malware-free attacks, fileless malware does execute some malicious code, sequence of commands, or exploits collections of data. That’s why it might not go entirely without any file because an executable sequence of commands can be packed inside a .exe file. Another concern is that this file can quietly download itself from a malicious server, run undetected in the background, masquerading as a legitimate process, and delete itself once it achieves its goal.

How to Protect?

Of course, if you are possessing useful information at the right time, you can think that half of the battle is already won. So never underestimate the power of information and trusted reports like the one conducted by CrowdStrike. The next thing to do is to assess your organization’s current risk appetite and set the priorities accordingly. If the risk is considered to be high, take appropriate remediation measures.

Yet, before installing the available patches or coming up with your own playbooks for risk mitigation, it is necessary to detect those threats. Maybe someone has already penetrated your network in one or two places or you discovered a critical vulnerability that can potentially harm an entire business operation. In such a case, immediate action should be taken. Note that malware-free attacks require more sophisticated detection algorithms that are capable of spotting malicious behavior when it masks under legitimate processes and leaves no forensic evidence.