Safe Harbor on Cyber is a 'safe harbor' blog site on cyber security for families and small businesses, with news on cyber threats, risk, data breaches, identity theft, ransomware, cryptocurrency, and vulnerabilities.
Fileless attacks, including some recent ransomware campaigns, are easier and more effective than traditional malware-based threats and present a growing challenge to businesses. Cybercriminals take the path of least resistance, which is why more of them are turning to fileless techniques against their victims. As attackers realize how easy this approach is, and as more employees rely on mobile devices and the cloud to do their jobs, the threat keeps growing.
Fileless, or non-malware, attacks allow the threat actor to skip the steps involved in traditional malware-based attacks. They do not need to create a payload, which is a major antivirus detection point; they can simply use trusted programs already on the system and operate in memory, which most antivirus products cannot easily detect. In 2017, fileless attacks using PowerShell or Windows Management Instrumentation (WMI) accounted for 52% of all attacks.
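A defender-side illustration of the point above, added here and not part of the original post: a handful of detection rules run over constructed process-creation records, flagging the trusted-program abuse the article describes (a script host launched from an Office document, base64-encoded PowerShell, a shell spawned by the WMI provider host). The field names, rule names and sample records are assumptions, not a real log export.

```python
import base64
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev: Dict[str, str]) -> List[str]:
    """Apply the rules to one process-creation record; return the names of rules hit."""
    hits: List[str] = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")  # document macro launching a script host
    if parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe", "pwsh.exe"}:
        hits.append("wmi_spawned_shell")          # WMI provider host launching a shell
    if image in {"powershell.exe", "pwsh.exe"}:
        if decode_encoded_command(ev["cmdline"]) is not None:
            hits.append("encoded_command")        # script body hidden in base64
        if re.search(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|bypass", cmd):
            hits.append("stealth_switches")       # hidden window / no profile / policy bypass
    return hits

# Constructed sample records (field names mimic a process-creation log export;
# none of this is real telemetry). The encoded command is built here on purpose.
ENCODED = base64.b64encode("Write-Host 'hello from memory'".encode("utf-16-le")).decode()
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\tools\inventory.ps1"},
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "srv01", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ws03", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

def triage(events: List[Dict[str, str]] = EVENTS) -> Dict[str, List[str]]:
    """Map each host that tripped at least one rule to the rules it tripped."""
    return {ev["host"]: hits for ev in events if (hits := score_event(ev))}
```

The decoded payload is returned so an analyst can read what the script actually did, which a rule that only matches on the switches cannot tell you.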
However, many businesses are still not concerned about, or even aware of, what is happening on their systems, and hide behind a pretended ‘safe harbor’.
Heath Renfrow, chief information security officer at Leo Cyber Security, said: “Our focus in this industry continues to be the traditional medium of attack that we have dealt with for most of our careers.” Businesses should carefully study how these threats work, how they are detected, why they are predicted to grow, and what they can do to protect themselves.
The evolution of modern fileless attacks
“The difference today is not the fact that there is no file – both Code Red and Slammer used it – in fact, most of the attack chains do not have the steps to attack. If they involve a payload, it often looks legal, so it is hard to find” – and they are safe.
Robert Johnston, chief executive of Adlumin and formerly the CrowdStrike consultant who led the DNC hack investigation, said the growth of fileless malware attacks can be attributed to their ease of use and to improved endpoint detection and response (EDR) tools.
“Within a network, what’s breaking the backs of organizations is the theft of usernames and passwords,” he explains. “It’s not the malware that’s doing the trick.”
Threat actors use domain accounts and IP administrator passwords to traverse target networks and steal information. Their activity takes multiple forms; for example, it is oftentimes more valuable to access someone’s Office 365 or Amazon Web Services login, Johnston says.
All attackers must break in some way, which means that stolen credentials are the first step in an attack. Johnston explained that local admin credentials are always the first to go because no one looks after them and they are not tied to a particular person. This is usually the norm because it makes administration easier. Service account credentials are also vulnerable. Once they have a foothold on a system, attackers use privilege escalation techniques to expand what they can do.
Why are you vulnerable?
Businesses often do not understand the complexity of their own IT environment, a flaw that leaves them vulnerable because they cannot monitor the entire ecosystem. Many are drowning in data and cannot bring their accounts and user activity together in one place for analysis.
Johnston explains: “If they can not track this information, they have no way of knowing which accounts are accessible. They have no idea or a way to track and scale all of these different identities in a row.”
When employees do not adopt basic security measures, the challenge escalates. Lovejoy pointed out that phishing is a popular means of spreading attacks and obtaining credentials.
Arun Buduri, co-founder and chief product officer at Pixm, said attackers are now going after employees’ credentials for Amazon, Gmail, PayPal and other common services, knowing that people reuse the same username and password across services.
“What hackers are doing is trying to get into a personal account and use it to get into the business,” explained Buduri. Many threat actors target low-level employees; once in, they can monitor e-mail traffic to learn the addresses of senior staff.
Ready to Respond
Renfrow said that as employees become more mobile and rely more on the cloud, fileless attacks will grow. He pointed out that remote work significantly increases the risk to infrastructure. As CISO at the U.S. Army Medical School, a position he held until November 2017, Renfrow required that anybody who had taken a device overseas have it re-imaged and scanned before it could log in to the local network.
He pointed out that mobile devices have become particularly prominent in healthcare and that cloud computing has grown in every industry. Most people think the cloud is safe, but Renfrow notes that the cloud contains many credentials that are stale and should have been decommissioned, yet still look legitimate and remain within an attacker’s reach.
Although financially motivated attackers will always be out there, Lovejoy predicts more threats will be aimed at causing damage. She pointed out: “The sad reality is that we are seeing an increase in the number of disruptive attacks being exploited.”
What can you do about this?
Prevent phishing through employee education. Coax them, test them, teach them, Lovejoy said. “The goal is to immunize enough people to keep the disease out of control.” Employees should also be able to report activity they find suspicious.
“Always make it policy: if you see something, say something,” she added.
Above all, businesses should pay close attention to their ecosystem activities.
“One of the things we did at the Army Medical Center was to introduce a set of tools to chart all the credentials on our infrastructure. It’s eye-opening … we have more infrastructure than we thought we had.”
After that evaluation, the team dug into what these credentials were doing, where, and how. Any login from somewhere other than an account’s normal location triggers an alert. Given the sheer size of the Army’s medical infrastructure, he said, automation was necessary.
He suggested that organizations go back to the traditional “old school” approach to authentication and access management. From there, once they are mature enough to understand how, when, and where users log in across the network, they can consider building a toolset for automated access management.
“I think this is open to any organization,” Renfrow said.
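Renfrow’s approach, charting where every credential logs in from and alerting on anything outside the norm, as an added example that is not the Army team’s tooling or the article’s own code: a per-account location baseline built from constructed logon records, with local admin and service accounts (the first to go, per Johnston) weighted higher. Using the /24 of the source IP as “location”, the account names, and the severity labels are all assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Logon = Tuple[str, str]  # (account, source IP); a real record would also carry time and target

def location(ip: str) -> str:
    """Reduce a source IP to its /24; a crude stand-in for a site or VPN pool."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def build_baseline(history: List[Logon]) -> Dict[str, Set[str]]:
    """Chart where each account normally logs in from during the baseline period."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for account, ip in history:
        seen[account].add(location(ip))
    return dict(seen)

def detect(baseline: Dict[str, Set[str]], logons: List[Logon],
           privileged: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (account, location, reason) for every logon outside the baseline."""
    alerts = []
    for account, ip in logons:
        loc = location(ip)
        if account not in baseline:
            alerts.append((account, loc, "high: account never seen in baseline"))
        elif loc not in baseline[account]:
            sev = "high" if account in privileged else "medium"
            alerts.append((account, loc, f"{sev}: logon from new location"))
    return alerts

# Constructed sample data: a baseline period and one day of fresh logons.
# Local admin and service accounts are treated as privileged (assumed names).
PRIVILEGED = {"ws-admin", "svc_backup"}
HISTORY = [("alice", "10.1.5.21"), ("alice", "10.1.5.22"), ("bob", "10.2.7.5"),
           ("svc_backup", "10.3.1.9"), ("ws-admin", "10.1.5.21")]
TODAY = [("alice", "10.1.5.30"),       # same site as always, no alert
         ("svc_backup", "10.1.5.44"),  # service account used from a workstation subnet
         ("ws-admin", "10.9.9.9"),     # shared local admin from an unknown subnet
         ("bob", "10.4.4.4"),          # ordinary user from a new subnet
         ("tmp_admin", "10.9.9.9")]    # account that never existed in the baseline

def run(history: List[Logon] = HISTORY, today: List[Logon] = TODAY) -> List[Tuple[str, str, str]]:
    """Build the baseline from history and score today's logons against it."""
    return detect(build_baseline(history), today, PRIVILEGED)
```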
Preventing Fileless Ransomware Attacks
Users and administrators are advised to take the following precautions to protect their computer network from ransomware infection:
Employee awareness, training, and drills, especially in detecting spear-phishing e-mail
Robust Access Management and Proper Log Use
Strong Password Policy
Two-factor authentication
Back up data regularly. Verify the integrity of these backups and test the recovery process to make sure it is working.
Conduct annual penetration testing and vulnerability assessment.
Protect your backups. Make sure that backups are not permanently connected to the computers and networks being backed up; for example, keep backups in the cloud or on offline physical storage. Some ransomware can lock up cloud-based backups when the system is backed up in real time (so-called persistent synchronization).
Backing up is crucial for ransomware recovery and response; backups can be the best way to recover critical data if it becomes infected.
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor commentaries.
Curated SafeHarboronCyber’s CyberWisdom Post: Danger Rises of Fileless Attacks on Your Devices and the Cloud
David S. Eng (a pen name) offers valuable information and cyber threat incident alerts to help you protect, prevent, mitigate, respond, recover, and learn about cybersecurity threats to your business and family. The CyberWisdom author curates cyber security information, news feeds and articles. He has six years of hands-on experience as the principal researcher for a DHS cybersecurity pilot program on cyber threat intelligence, risk management, cyber technologies and web collaboration tools.