In war, any good military strategist will try to exploit their enemy’s weaknesses. Cybercriminals are no different. They try to gain access to your endpoints and your sensitive data by exploiting weaknesses in your system, like a vulnerability in your software or in your operating system processes. Attackers are realizing that traditional file-based attacks that utilize malicious files (malware) are becoming less effective as cybersecurity technology becomes increasingly adept at detecting and blocking malicious files. As a result, attackers are using more “file-less” attack methods, or attacks where no actual malware file is used. They are also commonly referred to as “non-malware” attacks, or even “memory-based” attacks. The recent Equifax and DNC hacks are both high profile examples of file-less attacks.

But what exactly are file-less attacks? In short, they’re ways for an attacker to get a foothold in your system by exploiting vulnerabilities in native applications you use every day. They don’t entice you to download a malicious file which then executes and exfiltrates data. Instead, they exploit a vulnerability in your application to then, in a way, tell it what to do. It’s like planting a seed (injecting malicious code into memory) in an otherwise trusted application, and then that application runs the malicious commands and can open doors to other applications or processes to achieve its objective (steal sensitive data, hold a system ransom, etc).

Here’s a common example of how these work:

  1. The user clicks a link in an email that they believe is from a trusted source (it isn’t)
  2. This brings them to a website that looks legit (it isn’t)
  3. The website loads Flash (which is the poster boy for vulnerabilities)
  4. Flash opens PowerShell, which is a tool on every Windows operating system that can issue commands through the command line interface (basically it can talk to things and tell them what to do, all in memory).
  5. PowerShell connects to the attacker’s command and control server, whereby it downloads and runs a malicious script that searches for your data, finds it, and sends it to the attacker.

So how do you fight against these file-less attacks? First of all, patch and update your software and your operating system. The entry point for these attacks are your own vulnerabilities. So if you close the vulnerability, it closes the door on this type of attack. But you can’t always trust that your users will be ever-vigilant about updating their systems and not clicking on links that they shouldn’t. Therefore, Cisco AMP for Endpoints now introduces “exploit prevention” capabilities that will defend your endpoints from file-less attacks that use memory injection on unpatched software vulnerabilities. These types of attacks include:

  • web-borne attacks, such as Java exploits that use shellcode to run payload
  • malicious Adobe and Office document files
  • malicious sites containing Flash, Silverlight and Javascript attacks
  • vulnerabilities exploited by file-less and non-persistent malware
  • zero-day attacks on software vulnerabilities yet to be patched
  • ransomware, Trojans, or macros using in-memory techniques

So how does the capability work? The Exploit Prevention capability identifies common applications running on your endpoints that could be exploited by attackers. Then it creates a decoy of those applications, and if the attacker attempts to exploit a vulnerability in that application, the decoy will foil their plan. In more technical terms, the Exploit Prevention capability identifies the potentially exploitable application, remaps the libraries and DLL entry and exit points, and then moves them to a randomized location upon every execution of the application. It then presents a decoy of these resources to any other processes, such as malicious code, trying to access or exploit them. The malware, unable to locate the real application, will then target the decoy instead, and AMP will log and block the attempt. Meanwhile, the real application is kept safe, and the attack is prevented.

Some of the more common processes that Cisco AMP for Endpoints protects include:

·       Microsoft Excel Application
·       Microsoft Word Application
·       Microsoft PowerPoint Application
·       Microsoft Outlook Application
·       Internet Explorer Browser
·       Mozilla Firefox Browser
·       Google Chrome Browser
·       Microsoft Skype Application
·       TeamViewer Application
·       VLC Media player Application
·       Microsoft Windows Script Host
·       Microsoft Powershell Application
·       Adobe Acrobat Reader Application
·       Microsoft Register Server
·       Microsoft Task Scheduler Engine

See exploit prevention in action in this in-depth demo:


To learn more about the Exploit Prevention capability on Cisco AMP for Endpoints, visit www.cisco.com/go/ampendpoint


John Dominguez

Product Marketing

Cisco Security Business Group