Workload and Application Security Blog

Prediction Series #1: Security systems are blind to memory-based threats

Written by Virsec Systems | Feb 22, 2019 4:36:53 AM

The failure of traditional security systems to see memory-based attacks poses data theft risks

You can’t protect what you can’t see. Process memory is still goes unseen by most security tools, making memory the perfect target for cyber attackers. Recent in-memory attacks include GreyEnergy, BlackEnergy, WannaCry, NotPetya, Industroyer, Triton, Spectre and Meltdown. All of these attacks easily bypassed conventional security products.

While security solutions are still focusing on file-based attacks, advanced hackers have gotten creative. They’ve found ways to dig beneath the surface and manipulate binaries at the memory-level or use fileless malware (such as scripts and interpreted code) that activates legitimate tools on the victim’s system, such as PowerShell or Java Script - as demonstrated in the recent Ursnif bank Trojan. The security perimeter is no longer a fence that can keep out the bad guys because they’ve figured out how to dig a tunnel under your feet.

Runtime memory is a critical cyber battleground

Sophisticated, multi-pronged techniques target applications at the memory level to infiltrate and hijack valuable data.

Attack types include:
- Zero-day attacks
- Fileless malware
- Buffer overflow exploits
- Stack smashing
- DLL injection & execution
- Return-oriented programming (ROP), ROP gadgets
- Side channel attacks
- Corruption of configuration data
- Spectre & Meltdown protection

Because of these tactics, Ponemom Institute has stated that a fileless attack is 10 times more likely to succeed than a file-based attack. What’s more, memory-based attacks are accounting for more cyber attacks overall – close to a third of attacks in 2018, up from 20% in 2017. We expect this rising trend to continue in 2019.

~~~

Further resources:

Virsec Memory Protection

You Must Remember This: Memory-Based Attacks Are the New Battleground