You may have heard a lot lately about memory-based attacks, fileless attacks, and living-off-the-land attacks. If so, that is excellent that you are staying up to date. These are all also referring to the same thing. As the name suggests, this is an attack on the system’s memory, which can include the ROM or RAM.
Why Now?
Attackers are increasingly using this type of attack because it works. It is less detectable by antivirus (AV) engines and even by some next-gen AV solutions. Because of this, the adversaries using this technique are more likely to succeed in their mission, which is to steal your stuff - whether it be credentials, trade secrets, or your computing resources.
How this Attack Works
The way this type of attack works is that it focuses on getting instructions in or data out of the memory, rather than traditional focus areas, such as the disk file directories or registry keys. The way these attacks are typically carried out is as follows:
- Step 1: A script or file gets onto the endpoint. It evades detection because it looks like a set of instructions instead of having typical file features.
- Step 2: Those instructions get loaded into the machine (we will explain where and how later).
- Step 3: Once they execute, they are working using the system’s own tools and resources to carry out the attack.
Attack Examples
A common example of this attack uses a combination of Word macros, Powershell, Meterpreter, and Mimikatz. These native tools, as well as web applications, run in memory and have a high level of execution rights.
What happens is that a user will receive a Word document containing macros via email, which they will be asked to enable after they open the document. The macros’ instructions then reach out to a Command and Control (C2) server to download a script to have Powershell do a second download of Meterpreter and Mimikatz (which are both applications with legitimate uses) to start finding and sending credentials to the C2 server. A malware payload may also be downloaded instead, which can be caught by a decent quality next gen AV solution.
But perhaps a user goes to a website with their preferred web browser and are asked to run Flash, which often has some kind of vulnerability. Once the user enables it, the exploited Flash can send shellcode or instructions to the user’s endpoint to run in Command Line and all in memory unbeknownst to them.
But because these attacks are based on instructions and using local applications, now you see where the names, “fileless” and “living-off-the-land” come from.
How to Stop These Attacks Today
You can, however, prevent these attacks by being vigilant in the following areas:
- Stay up to date on patching.
- Block websites running Flash, Silverlight, or Javascript or block these from running on websites requesting them to be enabled.
- Restrict usage of macros in documents.
- Defend against Mimikatz by starting on page 11 of this SANS paper by Jim Mulder (PDF).
Unfortunately, some of these methods may be potentially unrealistic for your users when they’re trying to get work done, but they are legitimate options.
You can also manually detect these types of attacks if you notice strange traffic using your SIEM - assuming you have one. You can also use your firewalls to inspect the traffic. Utilizing both of these methods as your detection strategy involves integrating high quality external threat intelligence and rules into those solutions, as well as rules to detect internal application execution.
You can also manually investigate events or do daily sweeps with a memory forensic tool. Volatility Foundation has open source software that is highly regarded. They also have paid workshops that won’t break the bank but will give you a good overview.
How to Stop These Attacks Tomorrow
If you think that this sounds like a lot of work which takes constant vigilance and talent, you’d be right. And we only discussed two examples of attack techniques out of the whole Mitre ATT&CK Matrix, which has dozens of different techniques. It is however, important to understand the large amount of manual effort required in order to appreciate what happens when these actions can become automated and more efficient.
Another option to detect and stop these attacks is to procure an endpoint detection and response (EDR) product with automated actions. This is a very crowded market right now with buzz-words that all sound very similar. That’s why it is very important to educate yourself on what your organization needs and whether a vendor can meet those needs quickly, easily, and effectively.
Regardless of how you implement your security strategy, it is important you have awareness of this type of threat, and to educate yourself on your potential options to stop it.
As you research your options, be sure to ask detailed questions about how each solution works, including what automated actions they provide and how advanced those detections and actions are. And remember - the purpose of a vendor solution is to improve the time usage of an analyst and their team, not add to the amount of work they need to do.
If you’re interested in learning more about stopping tomorrow’s attacks today, contact us here for more information about Cylance’s EDR product.
