The Last Watchdog, by Byron V. Acohido, March 4, 2019; with comments by Satya Gupta
In his article last week, Byron Acohido discusses how memory attacks have become a powerful new class of hacking method that slips past conventional IT security systems. Byron reports that companies have spent $216 billion on security products and services over the past two years, but memory attack prevention clearly was not a focus of that investment.
To dive into the details of memory attacks, Last Watchdog’s Byron Acohido recently sat down with Satya Gupta, founder and CTO of Virsec, a San Jose-based supplier of advanced data protection systems. Virsec is a leading innovator of memory protection technologies. According to Byron, Gupta put memory attacks in the context of the complexity that has overtaken modern business networks.
Satya explained that, “Conventional security tools try to protect applications pre-execution, or they monitor for anomalies post-execution, but attackers are now exploiting the space in-between – during application runtime, when the code is actually executing. Memory attackers seek to corrupt memory in many ways, such as inserting benign-looking user inputs, changing runtime libraries (DLLs) during runtime, or using return oriented programming (ROP) gadgets to run arbitrary operations on a machine.”
However it’s accomplished, once inside, the intruder wants the freedom to move around at will, but also wants to remain undetected for as long as possible. “Critical application processes are at the greatest risk, including those that are running in air-gapped environments,” Gupta says. “Once skilled malicious hackers have bypassed deficient conventional security, they can set up backdoors, and dwell within networks for extended periods without setting off alarms.”
Gupta lays it out like this: “By combining flaws in software and hardware, with a series of unvalidated data inputs targeting process memory, attackers corrupt legitimate processes to disable security, leak information or execute application functions in unintended ways.”
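The “unvalidated data inputs targeting process memory” that Gupta describes, and the “benign-looking user inputs” mentioned earlier, can be seen in miniature in the following C program. It is an added illustration written for this post, not code from Virsec or from the Last Watchdog article: the request record, the `disable_audit()` function standing in for a security control, and the attack payload are all constructed for the example. A fixed-size name field sits directly in front of a completion callback; an input that is nothing but bytes in a name field, but one longer than the field, lands on the callback pointer, so the next call runs an existing function (`disable_audit`) that was never meant to be reachable from that path. The hardened handler differs only in bounding the copy, which is the check the vulnerable one was missing.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed application record: a fixed-size name buffer followed by a
 * completion callback. Because the pointer follows the buffer in memory,
 * an unbounded copy into name[] overwrites on_done. */
typedef struct {
    char name[NAME_LEN];
    void (*on_done)(const char *);
} request_t;

/* Stand-in for a security control the attacker wants switched off. */
static int audit_enabled;

/* The intended callback. */
static void log_request(const char *name) {
    printf("audit: request '%s' processed\n", name);
}

/* An ordinary function that exists elsewhere in the program; the
 * attacker's goal is to make the corrupted callback point here. */
static void disable_audit(const char *unused) {
    (void)unused;
    audit_enabled = 0;
}

/* Vulnerable handler: trusts the caller-supplied length. Any len greater
 * than NAME_LEN writes attacker bytes over r->on_done before it is called. */
static int handle_request_vulnerable(const unsigned char *input, size_t len) {
    request_t *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->on_done = log_request;
    memcpy(r->name, input, len);   /* no bound: overflow reaches on_done */
    r->on_done(r->name);           /* runs whatever pointer is stored now */
    free(r);
    return 0;
}

/* Hardened handler: rejects input that does not fit (leaving room for the
 * terminator), so the callback pointer is never reachable from the copy. */
static int handle_request_hardened(const unsigned char *input, size_t len) {
    if (len >= NAME_LEN) return -1;
    request_t *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->on_done = log_request;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    r->on_done(r->name);
    free(r);
    return 0;
}

/* Constructed attacker input: filler up to the callback's offset, then the
 * raw address of disable_audit(). Returns the payload length, 0 if cap is
 * too small. */
static size_t build_attack_input(unsigned char *out, size_t cap) {
    void (*target)(const char *) = disable_audit;
    size_t filler = offsetof(request_t, on_done);
    size_t n = filler + sizeof target;
    if (cap < n) return 0;
    memset(out, 'A', filler);
    memcpy(out + filler, &target, sizeof target);
    return n;
}

/* Runs one input through a handler and reports whether auditing survived
 * (1) or was switched off by the corrupted callback (0). */
static int audit_survives(int (*handler)(const unsigned char *, size_t),
                          const unsigned char *input, size_t len) {
    audit_enabled = 1;
    handler(input, len);
    return audit_enabled;
}

int main(void) {
    unsigned char payload[64];
    size_t n = build_attack_input(payload, sizeof payload);
    printf("vulnerable handler: audit_enabled=%d\n",
           audit_survives(handle_request_vulnerable, payload, n));
    printf("hardened handler:   audit_enabled=%d\n",
           audit_survives(handle_request_hardened, payload, n));
    return 0;
}
```

Nothing in the payload is executable code: it is sixteen filler bytes and one pointer value, which is why a signature or input-content scan sees nothing suspicious. The corruption only becomes visible at the moment `r->on_done` is called with the wrong target, which is the runtime window the article is describing.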
Threat actors also leverage memory flaws to take advantage of privileged accounts.
“Privileged processes typically have broad access to memory,” Gupta says. “From a privileged account you can modify system security configuration, add a trusted root certificate, change registry settings, or corrupt memory for specific code sets just as the code is being executed. From here, it’s possible to hijack control over application servers, access databases, or use APIs to connect to other systems.”
Several vendors are making an effort to address memory threats.
Virsec is among a small group of innovators that have set out to tackle memory exposures more directly. Rather than endlessly chasing external threats, Virsec provides proactive memory protection, based on what an application should be doing at any given time, and how scripts are actually executing, at the memory level, during runtime.
“We focus on identifying and stopping attacks, during execution, in runtime,” Gupta told Byron. “We can terminate rogue processes and disconnect specific rogue users within milliseconds, or signal other network tools to disable attackers at the perimeter.”
Byron Acohido wrapped up his article by noting that “Memory attacks clearly represent an insidious and profound exposure with the potential to scale quickly through a given network, and, beyond that, across entire sectors, as we’ve already seen, with the power plant attacks. The concern on the horizon is that memory attacks will give threat actors a firm foothold to corrupt the smart homes, smart workplaces and smart transportation systems that are coming online in the next few years. I’m encouraged that the cybersecurity community has begun to address this, with innovators, like Virsec, pushing the edge of the envelope. You’ll hear more from me on this topic.”
Read The Last Watchdog’s full Memory Hacking article.