There are all sorts of ways to attack a cyber system, from using brute-force to exploiting known vulnerabilities. This might sound scary, but many cyberattacks are not very sophisticated, and can be easily prevented with the right combination of tools, processes and procedures.
“For years now, as security software has improved, successfully exploiting vulnerabilities has gotten harder,” said information security expert and co-author of “Android Hacker’s Handbook” Zach Lanier. Mainstream security tools can now extrapolate from their knowledge of existing threats to detect new threats.
But the state-sponsored hackers attacking government contractors, critical infrastructure, the financial sector and others are not interested in customers’ credit cards, nor will they be deterred by your average network protection software. They’ve started using a different type of attack, and it’s one that is practically invisible.
The Limits of Predictive Security
Predictive threat detection works by matching traits of previously known malicious behavior to new behaviors. This, of course, has its limits. To build the library of known threats and tailor it for each customer requires careful calibration during installation. These systems can still suffer from high rates of false positives once it’s up and running. Oftentimes organizations hire data analysts simply to validate their systems’ threat notifications, making the entire security process both more expensive and less efficient.
Most importantly, however, extrapolation-based security models can leave organizations at risk for some of the most dangerous types of attacks: those that exploit a previously unknown vulnerability, known as “zero-day exploits,” and those that adversaries have built to have no malicious traits.
Attacks Without a Trace
“The most advanced attackers’ goal is not to put bad code in your machine,” said Ray DeMeo, the co-founder and chief operating officer of Virsec Systems, Inc. “It’s to take your valid code and use it against you.” He likened it to having your car hijacked. “You want to go on legitimate roads, but someone jumps in and says, ‘We’re going off-road,’” he said. “They’re using your car—your code—to redirect your program’s execution.”
“These exploits run within the program itself without ever writing anything to system storage,” said Lanier. The attacks occur in a computer’s memory, deep in the Central Processing Unit. “For example, if an attacker successfully exploits a vulnerability in your web browser, they can run malicious code in the browser— and take advantage of other system features or functions that allow malicious activity— without storing a piece of malware on the disk.”
Because of that, these “file-less” in-memory attacks leave no trace of ever having been executed. Any evidence disappears when the system is rebooted. There is no way to tell whether a system’s integrity has been compromised.
Addressing the Worst-Case Scenario
When he and his co-founder Satya Gupta started Virsec Systems, said DeMeo, “We asked ourselves, ‘What’s the worst thing that could happen,’ and built our solution from there.” Undetectable file-less attacks were at the top of the list.
This class of cyberattack is not new; in 2016, researchers identified the “potentially catastrophic flaw in one of the Internet’s core building blocks,” as Dan Goodin wrote last February, leaving apps and hardware open to remote hijacking eight years after the vulnerability was first introduced. It takes a very high level of skill to exploit that vulnerability, which is part of why it took so long to discover. Until recently, there haven’t been many real-world incidents where attackers used file-less, in-memory attacks. But that’s changed: one recent report cited attacks on over 140 secured networks in 40 different countries– and those are just the ones that forensics teams were able to identify.
To solve this problem, Virsec Systems took a different approach. Just like there are limited numbers of legitimate roads, there’s a finite number of legitimate paths in a piece of code. By knowing what is legitimate, Virsec’s security software is able to identify any attempts to redirect the execution flow.
This approach may seem obvious, but it takes a very high level of skill to build a tool that can verify the execution path of a program and constantly confirm its integrity. “No one really appreciated just how much would be living out on computer systems,” DeMeo said. “The internet wasn’t built to be secure, and no one really thought people would be that determined and skilled to attack computers at such a deep, granular level.”
“It takes the same amount of determination and technical skill to come up with a defense against these attacks as it does to execute them,” he said. “Fortunately, we have that, and the need has never been greater.”
Was this interesting? Share comments and feedback with our senior reporter, Ariel Robinson on Twitter at @ArielAtWork or by email at firstname.lastname@example.org.