"If you can max out a huge multi-way CPU, it's so much better than someone's laptop," he says. Sprickerhoff recommends that companies look for unusual CPU usage as a possible indicator that Bitcoin mining is going on.
Even behavioral analytics systems won't be able to detect all fileless attacks, says Rapid7's Beardsley. "You depend on noticing when unusual events start happening, like my user account gets compromised and I start connecting to a bunch of machines I haven't been communicating with before," he says.
It is hard to catch these attacks before they trigger alerts, or at all when they do something the behavioral algorithms are not watching for. "If the adversary is putting in a lot of effort in being low and slow, it's much harder to detect [the attack]," he says. "With the things we see, that could be selection bias — we only see the clumsy ones because that's the ones that are easiest to see. If you're super-stealthy, I'm not going to see it."
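The detection Beardsley describes (an account that starts connecting to machines it has not talked to before) and the low-and-slow evasion he warns about, worked through on constructed log lines. This is an added illustration, not code from the article, from Rapid7 or from any product; the log format, the field names, the host names and the threshold of two new hosts per day are all assumptions made for the example.

```python
"""Behavioral baseline for lateral movement: alert when an account reaches
several never-before-seen destination hosts in one day, and show how the
same activity spread across days slips under the threshold.

Added example; the log format and thresholds are assumptions, not a real
product's logic."""
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines: timestamp, source account, destination host.
TRAINING_LOG = """\
2024-03-01T09:00:00 alice fileserver01
2024-03-01T09:05:00 alice mail01
2024-03-02T10:00:00 alice fileserver01
2024-03-02T11:30:00 bob build01
2024-03-03T08:45:00 bob build01
2024-03-03T09:10:00 bob git01
"""

# Detection window: alice fans out to three new hosts within minutes (noisy);
# bob touches one new host, which is ordinary drift.
DETECTION_LOG = """\
2024-03-10T09:00:00 alice fileserver01
2024-03-10T09:01:00 alice ws-042
2024-03-10T09:02:00 alice ws-043
2024-03-10T09:03:00 alice dc01
2024-03-10T14:00:00 bob build01
2024-03-10T14:20:00 bob wiki01
"""

# The same three new hosts for alice, one per day: "low and slow".
SLOW_LOG = """\
2024-03-10T09:01:00 alice ws-042
2024-03-11T09:02:00 alice ws-043
2024-03-12T09:03:00 alice dc01
"""


def parse_log(text):
    """Yield (timestamp, account, host) from the constructed whitespace format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host = line.split()
        yield datetime.fromisoformat(ts), user, host


def build_baseline(log_text):
    """Map each account to the set of hosts it was observed connecting to."""
    baseline = defaultdict(set)
    for _, user, host in parse_log(log_text):
        baseline[user].add(host)
    return baseline


def new_destinations(baseline, log_text):
    """Per (account, ISO date): the hosts that account never touched in the baseline."""
    new_hosts = defaultdict(set)
    for ts, user, host in parse_log(log_text):
        if host not in baseline.get(user, set()):
            new_hosts[(user, ts.date().isoformat())].add(host)
    return new_hosts


def detect(baseline, log_text, threshold=2):
    """Return {(account, date): sorted new hosts} for days at or above threshold.

    Assumed threshold: two never-before-seen hosts in a single day. Anything
    below that is treated as normal drift, which is exactly the gap a
    low-and-slow adversary exploits.
    """
    alerts = {}
    for key, hosts in new_destinations(baseline, log_text).items():
        if len(hosts) >= threshold:
            alerts[key] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_LOG)
    print("noisy window:", detect(baseline, DETECTION_LOG))
    print("slow window: ", detect(baseline, SLOW_LOG))
```

Run stand-alone, the noisy window raises one alert for alice (three new hosts on 2024-03-10) and none for bob, while the slow window raises nothing even though alice ends up on the same three hosts. A rolling baseline that re-learns from the detection window makes this worse, not better: each day's single new host gets folded into "normal" before the next one arrives, which is the selection-bias point in the paragraph above.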