What are Memory-based Attacks?
Looking at the history of security incidents, it is clear that attackers often change tactics in order to exploit new vulnerabilities that are not protected by existing security and operational models. A perfect example is the shift of hackers’ focus from network- and OS-specific vulnerabilities to client-side third-party endpoint application vulnerabilities. As organizations become better at covering their bases from an OS-level patch management perspective, adversaries simply begin to target the unmanaged third-party apps that are essentially exploitable “blind spots.”
A newly emerging blind spot is memory-based vulnerabilities. These vulnerabilities are increasingly targeted by memory-based attacks that never manifest themselves on the hard drive in a traditional sense. These memory-based or RAM-only attacks drop malware payloads into the already running and trusted memory space of installed applications and services. The result is a very stealthy payload that can evade most traditional and advanced security products, as it goes unseen in memory rather than manifesting itself on a victim’s hard drive.
While memory-based vulnerabilities such as buffer overflows and memory injections are not new – in fact, according to the National Vulnerability Database (NVD) they account for 23% of all known critical vulnerabilities – they remain a significant security blind spot for most organizations today. Without a layered defensive approach to memory stack protection, sophisticated attackers can establish footholds in even the most secure environments without leaving many clues that traditional security products can detect.
Protect against Memory-based Attacks
Memory injections – commonly found in Advanced Persistent Threat (APT) and other sophisticated malware – can be difficult to detect and stop since they often hide inside the memory of the already running and trusted application that has been exploited. The in-memory payload of a memory injection “looks” just like the trusted program that has been exploited. This is why traditional whitelisting products cannot stop them: it is a blind spot for solutions that have not been specifically engineered to protect against them.
There are several well-documented techniques for loading malicious payloads into the memory space of trusted applications, including basic remote DLL injection, Skape/JT and Reflective Memory Injection (RMI). These techniques use varying degrees of sophistication and stealth, and cannot be easily stopped without the correct technologies, configurations and processes in place for protection.
To protect against these sophisticated memory exploits, you need to be able to validate all new processes, even those initiated by approved running applications. So, your application whitelisting solution really needs to ensure not only that unauthorized / unwanted applications cannot execute, but also that trusted applications are not modified while running in memory to compromise the endpoint.
How Lumension Helps
Lumension® Application Control includes patent-pending technology that can detect and stop memory injections (including RMI and Skape/JT) by monitoring an endpoint’s memory address space and associated processes for distinct evidence of exploitation. The architecture and kernel-level position of Lumension® Application Control allow it to extend beyond simple whitelisting to provide memory protection.
In order to prevent exploits such as DLL injections, reflective memory injections, or attempts to write to kernel memory, Lumension® Application Control extends the whitelisting model into memory, preventing execution of processes originating from unauthorized programs. This Advanced Memory Protection eliminates one of the biggest endpoint security blind spots available for attackers to target today.
Defense-in-Depth Strategy for Memory-based Attacks
Lumension® Advanced Memory Protection is an integral part of an overall layered strategy in Lumension® Endpoint Management and Security Suite (L.E.M.S.S.) for defense against sophisticated attacks such as Advanced Persistent Threats (APTs). L.E.M.S.S. provides layered protection against memory-based attacks by combining market-leading patch and remediation management, configuration verification of native memory protection capabilities such as Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), and traditional application whitelisting capabilities.
The defense-in-depth capabilities in L.E.M.S.S. provide organizations with the ability to:
- Remove all known memory-based vulnerabilities and ensure that the “attackable surface area” is as small as possible.
- Ensure native protection features of the OS (like DEP and ASLR) are in fact enabled, making successful memory-based exploitation less likely.
- Identify and block attempted memory-injection exploits in memory with Advanced Memory Protection.
- Deny any attempts to install on-disk payloads through the proven application whitelisting security model.
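The DEP/ASLR verification step above can be pushed down to the individual third-party images the earlier section calls blind spots: under the default OptIn DEP policy only images linked with NX_COMPAT get DEP, only images linked with DYNAMIC_BASE get ASLR, and an image whose relocations were stripped cannot be rebased even if DYNAMIC_BASE is set. The Python below is an added example, not Lumension code; `pe_mitigations`, `audit` and `build_stub_pe` are names chosen here, `build_stub_pe` fabricates a headers-only PE so the check runs offline, and the offsets and flag values follow the PE/COFF specification.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags from the PE/COFF spec
DLL_DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR opt-in)
DLL_NX_COMPAT = 0x0100         # image is DEP-compatible (DEP opt-in)
FILE_RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_HEADER.Characteristics: no .reloc

def pe_mitigations(data: bytes) -> dict:
    """Parse the DEP/ASLR opt-in flags out of a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER, 20 bytes
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                             # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # offset 70 in PE32 and PE32+
    return {
        "pe32plus": magic == 0x20B,
        "dep_opt_in": bool(dll_chars & DLL_NX_COMPAT),
        "aslr_opt_in": bool(dll_chars & DLL_DYNAMIC_BASE),
        "relocs_stripped": bool(file_chars & FILE_RELOCS_STRIPPED),
    }

def audit(data: bytes) -> list:
    """Findings for an image whose link flags undermine OS-level DEP/ASLR."""
    m = pe_mitigations(data)
    findings = []
    if not m["dep_opt_in"]:
        findings.append("no NX_COMPAT: not protected under the DEP OptIn policy")
    if not m["aslr_opt_in"]:
        findings.append("no DYNAMIC_BASE: loads at a fixed base, ASLR does not apply")
    elif m["relocs_stripped"]:
        findings.append("DYNAMIC_BASE set but relocations stripped: cannot be rebased")
    return findings

def build_stub_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not loadable) for offline testing."""
    size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size, file_chars)
    opt = bytearray(size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Pointing `audit` at real files (`audit(open(path, "rb").read())`) over an application directory gives an inventory of which third-party binaries the OS-level DEP and ASLR settings actually cover.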