[BreachExchange] Memory Protection beyond the Endpoint

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 17 18:55:31 EDT 2018


http://www.infosecisland.com/blogview/25086-Memory-Protection-beyond-the-Endpoint.html

Threat actors keep digging into an ever-growing bag of tricks to
compromise endpoints: social engineering, phishing, malware, zero-day
vulnerabilities, malicious advertising, ransomware, and more recently
cryptocurrency mining operations are just a few examples of the diversity,
and sometimes the sophistication, of current attacks. However different
these attacks may look on the surface, many share the same features and
rely on a handful of the same methods for compromising endpoints and data.
For instance, the use of zero-day or unpatched vulnerabilities comes up
again and again when discussing how victims were compromised. In a way, the
methods used to breach systems have remained fairly consistent, partly
because they are still very effective regardless of the actual malware
payload or the threat actor's end goal.

Memory Manipulation – The Achilles Heel

Memory manipulation through the exploitation of zero-day or unpatched
vulnerabilities is usually the weapon of choice for threat actors, as it
allows them to dodge traditional in-guest security solutions and execute
malicious code on the victim's endpoint. Threat actors have long used such
vulnerabilities to compromise victims through drive-by downloads, malicious
advertisements, or infected email attachments.


The interesting aspect of these exploits is that, at their core, they
manipulate an application's memory using only a handful of techniques
(corrupting a buffer on the stack or heap, reusing freed memory,
overwriting a function pointer or return address, then chaining code that
is already present in the process), regardless of how sophisticated or
critical the underlying vulnerabilities might seem. Unfortunately,
traditional security solutions usually lack the ability to protect an
endpoint's memory space and focus mainly on files stored on disk.

This Achilles heel of traditional security solutions means that threat
actors can exploit the same vulnerability repeatedly and keep delivering
different payloads until one of them slips past the security solution's
scrutiny. Since payloads can range from ransomware to keyloggers and even
coin-mining software, memory manipulation of a victim's endpoint via
vulnerabilities is extremely effective.

Worse, some threat actors rely on exploit kits (collections of exploits for
known vulnerabilities in popular applications such as Java, Adobe Reader,
browsers and even operating systems) to automatically probe endpoints for
known vulnerable software and drop malicious payloads. Some of the most
popular and versatile kits have disappeared (Angler went dark in 2016,
around the time of the Lurk arrests in Russia), while others, such as RIG,
were still in operation when this was written; either way, threat actors
continue to rely on memory manipulation vulnerabilities.

Memory Protection

The obvious question is: how do you protect the memory space from being
manipulated by exploits? There are in-guest, next-generation layered
security solutions that offer anti-exploit capabilities. Anti-exploit
technologies work by watching for Return-Oriented Programming (ROP), a
technique attackers use to hijack a program's control flow and string
together short instruction sequences ("gadgets") that already exist in the
process, each ending in a return, instead of injecting new code. Such
anti-exploit technologies can block ROP chains as well as other stack
manipulation techniques, such as stack pivoting, that commonly accompany
exploitation.
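As an added illustration (example code written for this edit, not from the article or from any vendor's product), here is the kind of heuristic an anti-exploit layer applies to spot a ROP chain: every return address on the stack should sit immediately after a CALL instruction, which holds for a normal call chain and fails for most gadget addresses. The x86-64 code image, its load address (0x401000) and the two stack snapshots are constructed for the example; a stack-pivot bounds check of the kind mentioned above is included as well.

```c
/*
 * Added example (not from the article): a simplified "call-preceded return
 * address" heuristic of the kind anti-exploit layers use to spot ROP chains,
 * plus a stack-pivot bounds check. It works on a constructed x86-64 byte
 * image and constructed stack snapshots, so it runs offline and exploits nothing.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical load address of the constructed code image below. */
#define CODE_BASE 0x401000ULL

/* Constructed x86-64 image: three real call sites plus ret-ending gadgets. */
static const uint8_t code_img[] = {
    0x55,                               /*  0: push rbp                          */
    0x48, 0x89, 0xE5,                   /*  1: mov  rbp, rsp                     */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /*  4: call rel32        -> returns to 9 */
    0x5D,                               /*  9: pop  rbp   (gadget: pop rbp; ret) */
    0xC3,                               /* 10: ret        (gadget: bare ret)     */
    0xFF, 0xD0,                         /* 11: call rax          -> returns to 13 */
    0x48, 0x31, 0xC0,                   /* 13: xor  rax, rax                     */
    0xC3,                               /* 16: ret                               */
    0x58,                               /* 17: pop  rax   (gadget: pop rax; ret) */
    0xC3,                               /* 18: ret                               */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, /* 19: call [rip+disp32] -> returns to 25 */
    0xC3,                               /* 25: ret                               */
};

/* Does an x86-64 CALL encoding end exactly at offset `off`?
 * Recognises E8 rel32 and the common FF /2 forms (SIB-addressed forms ignored). */
int call_precedes(const uint8_t *code, size_t len, size_t off)
{
    if (off > len) return 0;
    if (off >= 5 && code[off - 5] == 0xE8) return 1;            /* call rel32 */
    const size_t widths[] = {2, 3, 6};                           /* FF /2 encodings */
    for (size_t i = 0; i < 3; i++) {
        size_t w = widths[i];
        if (off < w || code[off - w] != 0xFF) continue;
        uint8_t modrm = code[off - w + 1];
        unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (reg != 2) continue;                                  /* not a CALL */
        if (w == 2 && (mod == 3 || (mod == 0 && rm != 4 && rm != 5))) return 1; /* call reg / [reg] */
        if (w == 3 && mod == 1 && rm != 4) return 1;             /* call [reg+disp8]  */
        if (w == 6 && ((mod == 2 && rm != 4) || (mod == 0 && rm == 5))) return 1; /* [reg+disp32] / [rip+disp32] */
    }
    return 0;
}

/* Count return addresses in a stack snapshot that are not preceded by a CALL
 * (the ROP signal). Addresses outside the code image count as suspicious too. */
size_t count_suspicious_returns(const uint64_t *frames, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t a = frames[i];
        if (a < CODE_BASE || a - CODE_BASE >= sizeof code_img ||
            !call_precedes(code_img, sizeof code_img, (size_t)(a - CODE_BASE)))
            bad++;
    }
    return bad;
}

/* Stack-pivot check: at a sensitive call the stack pointer must lie inside the
 * thread's registered stack; a pivot into a heap buffer lands outside it. */
int sp_in_thread_stack(uint64_t sp, uint64_t stack_lo, uint64_t stack_hi)
{
    return sp >= stack_lo && sp < stack_hi;
}

/* Constructed snapshots: a normal call chain, and a ROP chain built from the
 * gadgets at offsets 17 (pop rax; ret), 10 (ret) and 9 (pop rbp; ret). */
static const uint64_t legit_frames[] = { CODE_BASE + 9, CODE_BASE + 13, CODE_BASE + 25 };
static const uint64_t rop_frames[]   = { CODE_BASE + 17, CODE_BASE + 10, CODE_BASE + 9 };

size_t legit_suspicious(void) { return count_suspicious_returns(legit_frames, 3); }
size_t rop_suspicious(void)   { return count_suspicious_returns(rop_frames, 3); }

int main(void)
{
    printf("legit chain: %zu suspicious return(s)\n", legit_suspicious()); /* 0 */
    printf("rop chain:   %zu suspicious return(s)\n", rop_suspicious());   /* 2 */
    printf("pivoted sp inside thread stack? %d\n",
           sp_in_thread_stack(0x602000ULL, 0x7ffff7000000ULL, 0x7ffff7800000ULL)); /* 0 */
    return 0;
}
```

Note that the last gadget in the constructed chain (pop rbp; ret at offset 9) sits directly after a real call and therefore passes the check. That is exactly why attackers hunt for call-preceded gadgets, and why real products combine this heuristic with stack-pointer range checks, hooks on the critical APIs a payload needs (such as changing page permissions) and page-permission monitoring rather than relying on any one of them.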

However, with organizations leveraging virtualization and cloud
infrastructures, we have reached a point where multiple guests (operating
systems) share the same host (hardware). Some technologies can protect the
memory of all guests, without noticeably impacting their performance, by
sitting between the hardware and the operating system layers, that is, in
the hypervisor.

Memory introspection technology is highly effective and efficient in
protecting against known and unknown memory manipulation techniques
associated with exploits, because it runs entirely outside the guest
operating system. Being isolated from the guest, it cannot be tampered with
by any in-guest threat, however sophisticated (its own exposure is the
hypervisor itself, so a guest-to-host escape is the one class of threat it
does not address), while still having complete visibility into the memory
of each guest virtual workload.

Leveraging bare-metal hypervisors, memory introspection technologies
provide an additional security layer for virtual infrastructures, offering
protection against the memory manipulation techniques that exploits for
zero-day or unpatched vulnerabilities depend on. Instead of focusing on the
actual payload, as most traditional security technologies do, memory
introspection focuses on the initial point of compromise.

For instance, if a threat actor tries to exploit a zero-day Adobe Reader
vulnerability to drop coin-mining software, ransomware, or keylogging
malware, memory introspection would stop the attack as soon as the exploit
attempts the memory manipulation needed to gain code execution or escalate
privileges. This means the attack kill chain would be broken long before
any payload runs or any damage to the infrastructure occurs.

Security beyond the Endpoint

Endpoints, virtual and physical, still play a vital role in organizations,
and security needs to address these infrastructures holistically and
protect them without affecting performance. Software-defined datacenters,
hyper-converged infrastructures, and hybrid clouds have changed the way
businesses operate and scale, but security has mostly stayed focused on the
individual endpoint (e.g. VDI, VPS).

Re-engineering security solutions to fit the new infrastructure,
performance, and scalability needs of organizations is crucial, as advanced
threats often exploit security blind spots. Having security technologies,
both in-guest and outside the OS, as close to the hypervisor as possible,
that can protect against the memory manipulation techniques used to deliver
anything from advanced persistent threats to coin miners and ransomware can
make a world of difference in ensuring business continuity, as well as in
avoiding financial and reputational losses.