Five Reasons Memory-Based Cyberattacks Continue to Succeed

Almost every week we see new examples of highly sophisticated organizations and enterprises falling victim to another nation-state cyberattack or other security breach. These attacks circumvent staple security products such as next-gen firewalls, IDS/IPS systems, web and endpoint security defenses, web application firewalls, and database monitoring solutions.

Breaches continue to happen at an increasing rate, with more severe consequences. Forbes reported that the year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, governments, and individuals. While substantial sums have been spent on network and endpoint-based security, these breaches reflect a general lack of investment in adequate application-aware workload protection. This has continued despite repeated surveys pointing to applications and OS vulnerabilities as the largest areas of enterprise security exposure.

“Memory-based attacks are happening all around us and no one seems to want to talk about it because there hasn’t been a lot of defense against them. Virsec has an extraordinary and effective solution for defending against memory-based attacks. These guys are monsters in that.” – Chief Security Architect, Schneider Electric

Below are five key reasons why memory-based attacks continue to evade conventional security tools:

1. Memory-based attacks cannot be identified via signature.

Buffer errors or return-to-libc attacks, and many other memory corruption exploits, attack the call stack or memory registers of an application in non-repeating ways. This presents problems for traditional security solutions because most approaches are based on pattern matching, using signatures of past malware or malicious actions.

While some endpoint vendors promote defenses against “memory exploit techniques”, they are still based on signatures and pattern-matching of pieces of existing executable code. Today’s advanced attackers are innovative and resourceful and easily avoid repetitive behavior that can be detected by pattern-matching.

2. Most security defenses focus on network protection and authorization, while memory-based attacks happen in the guts of applications.

Today’s advanced attacks are aimed at high-value targets, take place in the memory of an application, and manipulate the application’s execution path. By the time a successful memory-based attack makes a network transmission, it is doing so over normal channels and will evade detection.

Conventional enterprise security strategies are built on an authentication/authorization model, network checkpoints, and sandboxes that sample or inspect moving packets across the network. However, memory-based attacks typically use phished or insider credentials with escalated privileges or they use remote OS commands to execute such as PowerShell. These techniques make memory threats, such as ROP chain attacks invisible at the packet level.

3. Endpoint security is pervasive in enterprises but lacks the ability to stop file-less and remote code execution exploits.

Focusing on the endpoint has become a popular model as traditional perimeter security is disappearing. But most endpoint technologies focus on end-user devices, and less on core, high-value servers. Applications running on servers and workloads are fundamentally different than those running on devices and laptops and require different means of protection.

Other technologies such as host-based IPS (HIPS), app control, file-whitelisting, and server endpoint suites, also have significant limitations against memory-based attacks and are known for producing large quantities of false positives. File-whitelisting is becoming more widely used but misses most memory-based attacks that exploit legitimate applications allowed to run in a file-whitelist environment.

4. Traditional application security solutions focus on eliminating code vulnerabilities, but not securing the applications at runtime.

Most memory-based attacks target enterprise applications, but most application security solutions focus only on identifying and remediating vulnerabilities in developer code. Relying on developers to find and eliminate all weaknesses is not adequate.

Most developers prefer to focus on application features over security and have limited experience in risk management, and enterprise security automation across large numbers of applications and 3rd-party components. Additionally, these solutions tend to be imprecise in identifying advanced attacks and generate larger numbers of false positives.

More importantly, the most sophisticated and evasive attacks – like the recent SolarWinds or Hafnium Microsoft Exchange server hack – are occurring in runtime.

5. Many organizations fail to systematically patch vital applications and host OS binaries.

A significant number of companies do not have a mature patch management strategy in place. Keeping up with patching is a significant challenge for many organizations that have a wide range of heterogeneous servers, many of which may no longer receive updates.

Advanced hackers have become adept at scanning networks to identify unpatched systems and target vulnerable applications with zero-day exploits. Verizon’s 2020 Annual Data Breach Report confirms that most breaches occur using vulnerabilities for which CVE (common event vulnerability) or patch has existed for several years, but not been deployed consistently.

How to Ensure Memory Protection

Memory-based attacks comprise the most insidious threats to critical applications, exploit the most common vulnerability in applications (buffer overflows), and represent the most frequently used advanced exploit over the last several years. Remote code execution exploits – once an outlier – have now become the go-to evasive attack technique, and many IT professionals regard memory attacks as “indefensible” by today’s security products.

Virsec Security Platform

Virsec's Cyber Security Platform provides application-aware workload protection that ensures comprehensive memory protection and runtime protection. Virsec’s patented technology is delivered via the following three application-aware components:

  • Memory Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided shell code.

  • Web Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided byte code.

  • Host Protection: leverages file integrity capabilities to prevent even single instructions from any unauthorized executables, libraries, and scripts from executing.

Unlike EDR/EPP and other perimeter security controls, Virsec’s source of trust is the application’s code itself. Once a developer delivers an application, the Virsec source of trust never changes. This stands in contrast to conventional security controls, which depend on a moving target of threat feeds.

Additional Learning

White Paper: The Need for Application-Aware Workload Protection

Solution Brief: Virsec Security Platform

Webinar: Defending Against Nation-State Attacks: Breaking the Kill Chain

Webinar: SolarWinds CSI: Re-creating the SolarWinds Attack