Enterprise SOC teams are facing a growing sophistication and diversity of cyberattacks within their networks. Among these advanced attacks, there has been an upswing of fileless attacks over the past year. Cyber adversaries use fileless attack techniques to hide their presence on infected systems and maintain a long-term, stealthy presence used for data theft or destruction.
Fileless attacks operate completely in memory, leaving no artifact on disk. This makes detection difficult for existing endpoint tools which primarily focus on detection of malicious files. Endgame stops fileless attacks from gaining a foothold on systems at the earliest stages of the attack lifecycle before stealthy entrenchment and data loss.
ANATOMY OF A FILELESS ATTACK
In a typical attack, the attacker spear phishes through an email campaign which drives the user to a malicious website. Once the user visits the website, the web browser is exploited and malware executes on the system. In a fileless attack, instead of malware dropping to disk and executing, the malicious payload is injected directly into the memory of a running process and the malicious code executes in RAM. Native tools and operating system features like Powershell or WinRM are often used as part of fileless attacks to inject the malicious code. WHY
CURRENT APPROACHES FAIL TO STOP FILELESS ATTACKS
Traditional security products fail to detect fileless attacks because their detections are malwarecentric and rely on analyzing files on disk. Those approaches are ineffective when no files are present.
Traditional detection tools use rules engines to detect fileless attacks. They check sequences, sometimes known as indicators of attack (IOA), against data generated by processes on monitored endpoints. Rules-based tools look for secondary or tertiary artifacts such as sequences that indicate types of process injection or flag potential misuse of tools like Powershell. This approach can quickly get noisy if rules are too loose or stale if they are not updated to keep up with evolving attack techniques. Rules-based detection is brittle and can be easily bypassed by advanced attackers via new attack techniques or kernel-level tampering with the underlying data collection the rules process.
Often, these advanced attacks go unnoticed by the SOC or are discovered by third party sources. Existing tools take too long to contain these attacks and cannot detect the full extent of infection at scale, exposing businesses to a high risk of data theft and destruction. For instance, when a CISO gets informed of an intrusion by a third party, the incident response team or a tier 3 SOC analyst gets tasked to root-cause the incident and remediate the infection. For a fileless attack, the tier 3 SOC analyst must perform memory analysis using a third-party memory forensic tool, such as Volatility. The analyst dumps memory in the third-party tool to identify rogue processes and process DLLs for evidence of malicious code injection. A typical investigation on a single machine takes an average of two hours, causing significant downtime and potential business disruption. The extent of the damage cannot be determined because enterprise scale memory analysis is an impossible task. Instead, most teams prioritize a few critical assets and analyze them for infection. Existing tools do not eradicate the adversary leaving organizations vulnerable to damage and loss.
Existing EDR tools have three major challenges:
- require an expert SOC analyst to know what to look for to stop fileless attacks in real-time
- are unable to find on-going or resident attacks at scale
- fail to prevent fileless attacks before the attacker gains a foothold in the environment
ENDGAME AMPLIFIES SOC SKILLS TO STOP FILELESS ATTACKS AT ENTERPRISE SCALE
Endgame employs a layered protection to prevent fileless attacks. Combining both pre-attack and ongoing attack protections at the kernel and user level of the operating system, Endgame ensures complete protection against fileless attacks regardless of when in the attack lifecycle the agent is deployed on an endpoint.
Pre-attack prevention: Endgame's patent-pending technology prevents fileless attack techniques like shell code injection and DLL injection. Kernel-level analysis, performed on every executing thread, stops fileless attacks before an adversary can gain a foothold in memory. Once a fileless attack is blocked, the analyst gets an alert providing complete visibility of the origin and the full extent of the attack.
Ongoing attack prevention: To find adversaries resident in memory, Endgame automates in-memory analysis and identifies techniques such as memory modification, memory injection, hidden modules, and packed and encrypted areas in memory across unlimited endpoints in minutes with no end-user impact. Unlike other EDR tools, Endgame allows the SOC to proactively root out advanced attackers before any data theft and loss. With a few clicks of a button, Endgame empowers tier 1 SOC analysts to be a force-multiplier and stop fileless attacks at scale across the enterprise.