Security technology has not kept up with today’s accelerated move toward virtual infrastructure and disappearing network boundaries. Advanced hackers are quickly exploiting application vulnerabilities with fileless and memory-based attacks.
A new security approach is needed to counter these sophisticated threats. Methods that do more than monitor the perimeter, and that go beyond matching the signatures of past attacks, are required. What is needed are security platforms that can map an application’s expected behavior, monitor compliance with that map, and block deviations in real time.
The security industry, as a whole, has historically focused most of its attention on finding ways to throw up effective perimeter defenses with firewalls and antivirus solutions. It is a natural reaction, when under assault, to harden the perimeter and watch for incoming attacks. As the analogy between cyber and kinetic warfare illustrates, though, it is often difficult to react quickly enough to be effective against an incoming strike.
On the attackers’ side, however, there has been a fundamental shift toward fileless attack techniques. These are attacks that target process memory while an application is running, rather than planting malware on disk or slipping an executable file past the perimeter line of defense.
There are advanced attack tools, some of which were leaked or stolen from government research labs, that are now in the hands of highly skilled adversarial nation-states and criminal enterprises. These formidable threat actors have found a soft spot in our defenses. They employ advanced technologies to exploit trusted tools during the development cycle.
DevOps teams often have little understanding of how code functions in memory. Conversely, sophisticated adversaries have made this an area of intense study.
Exacerbating this problem, software developers have accelerated the development process by integrating software components they didn’t create in-house. While the ability for DevOps teams to quickly turn out new functionality and capability provides significant benefits to users, customers, and society generally, it comes with a price. Applications are now more composite than ever before. This heightened level of integration creates the soft spot that threat actors are actively exploiting.
Protecting against fileless code designed to execute while an application is live is not an impossible task; it requires a change of focus. The emphasis must move to protecting the application itself, with a clear picture of what should be happening in its memory so that advanced memory-based attacks stand out against that baseline. That means security that operates at runtime, not only at the perimeter.
Virsec Systems is a security solution provider that exemplifies this focus on fileless and memory-based attacks. The San Jose, California-based cybersecurity company offers a radically new approach to protecting applications against advanced attacks.
Brilliance Security Magazine sat down with Shauntinez Jakab, Director of Product Marketing at Virsec Systems, at the 2020 RSA Conference. We wanted to understand what Virsec offers to combat memory-based attacks.
Shauntinez explained that Virsec is made up of experts from various disciplines, including network security, semiconductors, embedded systems, and real-time memory systems. She said, “The company came about interestingly. The founders and CEO have backgrounds in firmware and processor design and manufacturing, specifically, designing system-on-a-chip (SoC) processors for computer networking.”
She continued, “Our focus has been developing tools that understand what applications are supposed to do, what their intent was, and then compare that against what’s actually happening. By doing that at runtime, we can see definitively when something bad is happening.”
Virsec claims to be able to detect and stop:
- Zero-day attacks
- Fileless attacks
- Buffer overflow attacks & exploits
- Stack smashing
- DLL injection & execution
- Return-oriented programming (ROP), ROP gadgets
- Side-channel attacks
- Corruption of configuration data
- Spectre & Meltdown
Explaining why she believes more emphasis needs to be placed on SoC-level vulnerabilities, Shauntinez said, “Security leaders, CISOs, for example, put a lot of trust in chip manufacturers. They trust them to build protection mechanisms into their hardware. And these manufacturers do put protection in place, but software developers are typically not focused on leveraging these protective tools.
“Attackers know this and are launching memory attacks like WannaCry, NotPetya, BlackEnergy, Industroyer, Triton, Spectre, and Meltdown. A CISO wouldn’t necessarily know that the software used in their organization is not leveraging all the chip-level protection that is available.
“Virsec protects any application, patched or unpatched, across the full application stack, from web threats to binary memory-based attacks.”
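To make the two ideas in this article concrete, the comparison of an application’s intended behavior with what actually happens at runtime, and the hardware-backed protections that developers often leave switched off, here is a small added example. It is illustrative code written for this page, not Virsec’s product or any code it has published. A record handler copies an attacker-controlled name into a fixed stack buffer and then dispatches through a function pointer; the vulnerable form is shown beside a hardened form that bounds the copy (against the stack smashing in the list above) and refuses any indirect-call target outside the set of handlers the program is expected to call (the runtime “expected behavior” check, in miniature). The handler names, buffer size, and return codes are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A request handler receives a name and returns a status code. */
typedef int (*handler_fn)(const char *name);

/* Hypothetical handlers (assumed for this example). */
static int handle_login(const char *name)  { (void)name; return 1; }
static int handle_logout(const char *name) { (void)name; return 2; }

/* Stand-in for an address the program never intends to dispatch to:
   a ROP gadget, injected code, or a privileged internal routine. */
static int never_dispatched(const char *name) { (void)name; return 99; }

enum { NAME_MAX = 16 };

/* --- Vulnerable form (kept only for contrast; never call it on untrusted
   input). strcpy() copies until the NUL byte, so a name longer than 15
   characters runs past buf into the rest of the stack frame: classic
   stack smashing, the memory-based attack the article is about. */
int process_record_vuln(const char *name, handler_fn fn) {
    char buf[NAME_MAX];
    strcpy(buf, name);            /* CWE-121: no bound on the copy */
    return fn(buf);
}

/* --- Hardened form, part 1: bounded copy. Returns false instead of
   silently truncating, so a clipped name can never pass as a valid one. */
bool copy_name_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)             /* no NUL within dst_len: too long */
        return false;
    memcpy(dst, src, n + 1);      /* n + 1 <= dst_len, includes the NUL */
    return true;
}

/* --- Hardened form, part 2: runtime check of the indirect-call target.
   This table is the program's "expected behavior"; any target outside it
   is a deviation and is refused before it executes. */
static const handler_fn expected_handlers[] = { handle_login, handle_logout };

static bool is_expected_handler(handler_fn fn) {
    size_t count = sizeof expected_handlers / sizeof expected_handlers[0];
    for (size_t i = 0; i < count; i++)
        if (expected_handlers[i] == fn)
            return true;
    return false;
}

/* Returns the handler's status; -1 if the name does not fit the buffer,
   -2 if the dispatch target is not one the program is expected to call. */
int process_record_checked(const char *name, handler_fn fn) {
    char buf[NAME_MAX];
    if (!copy_name_bounded(buf, sizeof buf, name))
        return -1;
    if (!is_expected_handler(fn))
        return -2;
    return fn(buf);
}

/* Build with the compiler- and hardware-backed protections the article
   says developers rarely turn on. With GCC or Clang on x86-64 Linux:
     cc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie \
        -fcf-protection=full -Wl,-z,noexecstack -Wl,-z,relro,-z,now demo.c
   -fstack-protector-strong adds a stack canary in front of the saved frame,
   -Wl,-z,noexecstack keeps the stack non-executable (NX), and
   -fcf-protection=full emits Intel CET shadow-stack and indirect-branch
   tracking instrumentation, which the CPU enforces only if the OS and
   loader enable it. The allowlist above is what such a check looks like
   when done in software. */
int main(void) {
    printf("login  -> %d\n", process_record_checked("alice", handle_login));
    printf("long   -> %d\n", process_record_checked("AAAAAAAAAAAAAAAAAAAAAAAA", handle_login));
    printf("forged -> %d\n", process_record_checked("alice", never_dispatched));
    return 0;
}
```

The allowlist is deliberately simple: a production control-flow-integrity scheme would derive the set of valid targets from the program’s own call graph rather than a hand-written table, and the compiler flags in the comment only take effect when the operating system, loader, and CPU all support the feature, which is exactly the gap between “protection built into the hardware” and “protection the software actually uses.”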
Today’s security challenges can easily overwhelm an enterprise’s security leaders. CISOs get flooded with competing claims of the best way to address these challenges. The modern digital transformation necessitates a security transformation to keep pace with bad actors.
No single security solution can solve every problem, but Virsec is one platform that will help protect memory at the application level. Virsec scrutinizes application process memory to ensure that applications only behave as intended and aren’t corrupted by memory exploits.
Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.