How to detect targeted attacks by using memory introspection

Razvan Muresan

May 24, 2016


Cybercriminals can spend months inside organizations, storing away information for a future attack or piecing data together that will get them to the prize they are after. They will also create measures to protect themselves from detection. Sometimes they create diversionary tactics to draw your attention away from what they are doing and where they have succeeded, as EY’s Global Information Security Survey 2015 shows. Cyberattacks affect business decisions, mergers and acquisitions, and competitive positions.

Advanced Persistent Threats (APTs) and Advanced Targeted Attacks (ATAs) are of tremendous concern to organizations. Recent examples have focused on retail since they lead to wide media coverage and direct financial losses. They are also interesting because many of the highest profile attacks were not detected by the retailer, but by the credit card companies tracking fraud activity.

Other attacks that are well known in security circles but don’t get as much media attention include nation-state sponsored attacks. Some are generally accepted (e.g. Stuxnet, Carbanak, Turla), while others are widely suspected (Chinese attacks against U.S. defense contractors, Nortel, and other industrial targets). On that note, industrial espionage is another area of great concern.

The enterprise IT infrastructure has transformed completely in recent years, becoming a truly hybrid infrastructure. The hypervisor now sits as an intermediary between virtualized endpoints and physical hardware. But endpoint security has not, until now, experienced the same paradigm shift. Traditional network-level security may run as a virtual appliance, but it still essentially performs inspection of network traffic just as it did before. Traditional security agents running in protected systems may offload scanning to a virtual appliance for performance, but they are still constrained by the technical limitations of running within the endpoint operating system.

Until now, the very concept of endpoint security was constrained to security agents running within a host OS on endpoints – the Windows and Linux servers and desktop operating systems upon which every modern organization depends – or as network devices, and attackers have been taking advantage.

Bitdefender has solved the technical challenges of creating a solution to the root problem, thereby giving datacenter owners the ability to know what they don’t know, and to act on information from below the operating system. With agentless protection running outside the host OS, this radical new approach redefines endpoint security.

Citrix’s XenServer API facilitates virtual machine introspection from a security virtual appliance. Bitdefender has built Hypervisor-based Introspection (HVI) to take advantage of the virtual machine introspection feature included in Citrix XenServer.

Gartner states in its “Host-Based Controls for Server Workloads Ready for Hybrid IT” report, published in April 2016:

“Platform, hypervisor and OS integrity checks are excellent controls for systems over which you have lost end-to-end control, such as in colocated systems. Additionally, this control can, to some extent, defend against certain high-impact malware. Furthermore, it is currently the only safeguard that can verify the integrity of a (formerly) trusted hypervisor. Thus, this control is most feasible for application architectures where the integrity of the hypervisor or of the hardware is of any concern (e.g., high-risk applications in colocated systems or, where supported, public clouds).”


Leveraging insight provided from the hypervisor embraces datacenter architectures that virtualization has brought. This deeper level of insight goes below the virtualized endpoints and the workloads they host.

Hypervisor-based Introspection (HVI), by its very nature, operates at a level of privilege higher than any available in-guest. While a rootkit running in a virtual machine may run with kernel-level (ring 0) privilege, as in-guest security software does, HVI operates at the hypervisor level of privilege (ring -1).

With hypervisor-level access to in-guest memory, and isolation from in-guest exposure to compromise, Bitdefender Hypervisor-based Introspection delivers a new level of insight into what was previously deemed impossible to know. While a targeted, highly sophisticated attack may use customized, one-off tools and exploit zero-day vulnerabilities to get a foothold and defeat in-guest endpoint security, HVI will expose these attacks by leveraging changes in the software stack that virtualization has introduced.

HVI identifies attack techniques. This way, the technology can identify, report and prevent common exploitation techniques. The kernel is protected against the rootkit hooking techniques used during the attack kill chain to provide stealth. User-mode processes are also protected against code injection, function detouring, and code execution from the stack or heap.
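The paragraph above names three classes of technique that introspection can spot from outside the guest: kernel function-table hooking, inline function detouring, and code executing from stack or heap pages. The following is an added illustration, not Bitdefender’s HVI code or any XenServer API: it runs toy versions of those three checks over a constructed guest-memory snapshot. It assumes the hypervisor side can already read the guest’s module load ranges, a kernel service table, function prologue bytes and page attributes; every address, module name and byte string below is made up for the example.

```python
"""Toy hypervisor-side introspection checks over a constructed guest snapshot.

Added example, not product code. A real introspection engine would read these
structures directly from guest physical memory; here they are embedded inline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ModuleRange:
    name: str
    start: int
    end: int  # exclusive


@dataclass(frozen=True)
class Page:
    va: int
    region: str        # constructed region tag: "image", "stack", "heap"
    executable: bool
    writable: bool


def module_for(addr: int, modules: List[ModuleRange]) -> Optional[ModuleRange]:
    """Return the loaded module image that contains addr, or None."""
    for m in modules:
        if m.start <= addr < m.end:
            return m
    return None


def find_hooked_entries(table: Dict[str, int], trusted: List[ModuleRange]) -> List[str]:
    """Kernel hook check: a service-table entry that resolves outside every
    trusted kernel image has been redirected (classic rootkit table hooking)."""
    return [name for name, target in table.items() if module_for(target, trusted) is None]


def find_detoured_functions(funcs: Dict[str, int], code: Dict[int, bytes],
                            modules: List[ModuleRange]) -> List[str]:
    """Inline detour check: an exported function whose first instruction is a
    relative JMP (opcode 0xE9) landing outside its own module has been detoured."""
    flagged = []
    for name, addr in funcs.items():
        prologue = code.get(addr, b"")
        if len(prologue) >= 5 and prologue[0] == 0xE9:
            rel = int.from_bytes(prologue[1:5], "little", signed=True)
            target = addr + 5 + rel  # JMP rel32 is relative to the next instruction
            if module_for(target, modules) != module_for(addr, modules):
                flagged.append(name)
    return flagged


def find_suspicious_exec_pages(pages: List[Page], modules: List[ModuleRange]) -> List[int]:
    """User-mode check: executable stack/heap pages, or writable+executable pages
    not backed by a module image (typical of injected or unpacked code)."""
    flagged = []
    for p in pages:
        if p.executable and p.region in ("stack", "heap"):
            flagged.append(p.va)
        elif p.executable and p.writable and module_for(p.va, modules) is None:
            flagged.append(p.va)
    return flagged


# ---- constructed snapshot (all values invented for the example) ----
KERNEL_MODULES = [
    ModuleRange("ntoskrnl", 0xFFFFF80000000000, 0xFFFFF80000800000),
    ModuleRange("hal", 0xFFFFF80000800000, 0xFFFFF80000900000),
]
SERVICE_TABLE = {
    "NtCreateFile": 0xFFFFF80000123450,          # inside ntoskrnl: fine
    "NtQueryDirectoryFile": 0xFFFFF80000234560,  # inside ntoskrnl: fine
    "NtOpenProcess": 0xFFFFF8A000001000,         # points into an unnamed pool page
}

USER_MODULES = [
    ModuleRange("app.exe", 0x00400000, 0x00450000),
    ModuleRange("kernel32.dll", 0x77000000, 0x77100000),
]
USER_FUNCTIONS = {"CreateFileW": 0x77010000, "WriteFile": 0x77020000}
_HEAP_STUB = 0x00600000
CODE_BYTES = {
    0x77010000: b"\x48\x89\x5c\x24\x08",  # mov [rsp+8], rbx: an ordinary prologue
    0x77020000: b"\xe9" + (_HEAP_STUB - (0x77020000 + 5)).to_bytes(4, "little", signed=True),
}
PAGES = [
    Page(0x00401000, "image", executable=True, writable=False),   # app code: fine
    Page(0x0014F000, "stack", executable=True, writable=False),   # executable stack
    Page(_HEAP_STUB, "heap", executable=True, writable=True),     # RWX heap
    Page(0x00700000, "heap", executable=False, writable=True),    # plain data: fine
]


def run_report() -> Dict[str, list]:
    """Run all three checks and return the findings keyed by technique."""
    return {
        "kernel_table_hooks": find_hooked_entries(SERVICE_TABLE, KERNEL_MODULES),
        "inline_detours": find_detoured_functions(USER_FUNCTIONS, CODE_BYTES, USER_MODULES),
        "exec_from_stack_or_heap": find_suspicious_exec_pages(PAGES, USER_MODULES),
    }


if __name__ == "__main__":
    for technique, hits in run_report().items():
        print(f"{technique}: {[hex(h) if isinstance(h, int) else h for h in hits]}")
```

The point of the sketch is the vantage point rather than the heuristics: each check only needs a read-only view of guest memory plus knowledge of where legitimate images are mapped, which is exactly what a hypervisor can supply without any agent inside the guest for a rootkit to tamper with.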

According to predictions published last December by Bitdefender’s CTO, Bogdan Dumitru, in 2016 enterprise environments will see an increase in targeted attacks and strongly obfuscated bots with a short lifespan and frequent updates. Most of these attacks will specialise in information theft. Attackers will be in and out of an organisation in a few days, maybe even hours. APT, which currently stands for Advanced Persistent Threats, should change to Advanced Penetration Threats, or even BA for Blitzkrieg Attacks. Bitdefender is the only security company that provides security at the ring -1 level and prevents your company from becoming the next victim.
