Fileless Malware - The New “Cyber”

DerbyCon 7.0 - Legacy

Presented by: Edmund Brumaghin, Colin Grady
Date: Friday September 22, 2017
Time: 16:00 - 16:50
Location: Track 4 - Three Way

Buzzwords are the bane of the infosec community. Whether it’s “cyber” or “APT”, these terms are often used as nothing more than a way to generate clicks, or by marketing teams to push more blinky lights to customers. “Fileless malware” is the latest example of this. Attacks leveraging malware that has been dubbed “fileless” have been generating significant media coverage recently, leading many to wonder what impact these attacks may have on their organizations, or whether they are adequately protected against them. In many cases these attacks are not truly fileless and result in various artifacts being written to targeted systems. In this presentation we will provide a brief history of fileless malware, as well as walk through some specific examples of malware that makes use of this approach to infecting systems. We will also cover why most malware is not actually “fileless”, along with specific examples of threats that make use of interesting persistence mechanisms that do not resemble what many have grown accustomed to seeing from malware.

Edmund Brumaghin

Edmund Brumaghin is a threat researcher with Cisco Talos. He has spent the past several years protecting environments across a number of different industries, including nuclear energy and financial services. He currently spends his days hunting malware and analyzing various threats as they emerge and continue to evolve. In his time with Talos he has researched ransomware, banking trojans and other threats being distributed using various attack vectors. He has also worked to expose large-scale malware campaigns and raise awareness of security threats observed across the threat landscape.

Colin Grady

Colin Grady is also a threat researcher with Cisco Talos. He started his infosec career as a SOC analyst and has worked his way through a variety of roles, including engineering, architecture, and incident response. He joined Talos from his prior role with Cisco’s incident response team (CSIRS) to take a more direct and proactive role in protecting customers. He spends his days looking at interesting malware and finding ways to identify and process the samples and activities for convictions across the Cisco product line.
