I long for the days of simple viruses. Why? Because they were easy to find. Okay, maybe they weren’t easy to find at the time. When you look back on things like Lovebug and Slammer, they had pretty standard patterns. They infect files or spread through communications. You could take them down if you knew what to look for. Antivirus programs could be configured to block communications or disinfect files before they were dropped onto your computer.
Modern malware is a totally different game. Where before it was all about exploration and maybe a touch of malicious fun, today’s malware creators are all about money and wide-scale destruction. You don’t have to look very hard to see how organized this has become lately. Take WastedLocker as a prime example. This customizable malware platform can create attacks that are targeted at specific organizations. It can help attackers discover countermeasures and defeat them. Then it locks the files on a target system and demands a six- or seven-figure payout to unlock them. It’s a nasty piece of kit that is designed to be evasive and utterly destructive.
The next generation of endpoint protection is trying to keep up with this new breed of payload. However, it’s a race against time. Attackers are constantly trying to innovate around defenses. Defenders are trying to keep up and guess where the attackers are headed. The stakes for the game are business continuity for your users or a hefty payout and potential legal action if the attackers are sanctioned.
Morph Into Action
In the race to stop malware like WastedLocker, the time has come for defenders to think differently about how they stop the attacks. During Black Hat 2020, I had the chance to sit down and talk with Andrew Homer of Morphisec about how they’re responding to this new wave of threats. Their solution is a unique one because they’re looking at the problem less as a static defense and more as a problem of moving targets.
In order to infect a system, you have to infect a file either on the system’s drive or in memory. The drive is problematic for the attacker because you don’t know if or when the file might be read. Infecting in memory, on the other hand, is a guaranteed hit. It is hard to protect against in-memory infection threats because the target moves every time a new process loads onto a system. You have to find a way to stop a malicious process from grabbing a legitimate program and hijacking it for nefarious purposes.
Morphisec has a very interesting method of preventing and recognizing this vector. They modify the application’s run-time memory structures without changing the application’s behavior. When the program or another legitimate process tries to access that memory, it is routed to the new memory structures and succeeds. However, when malware tries to do something out of the ordinary or incompatible with the way the memory should be accessed, Morphisec logs the attempt and crashes the illegitimate process that tried to do the wrong thing.
One of the benefits of this approach is that it has no false positives. If the access attempt is legitimate, it will succeed. If the attempt is fraudulent, it will fail. If you have fraudulent attempts logged on the console, you can guarantee they came from something that is up to no good. That kind of deterministic approach helps you figure out when you’re under attack. For something like WastedLocker, you really want to know when that’s happening so you can deploy other assets to detect entry points and close them. Morphisec Shield can continue to run on your critical devices and ensure that nothing gets compromised. That’s because Morphisec is focused on prevention over detection or remediation. If you stop the attack before it can do harm, there’s nothing to detect or fix.
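To make the moving-target idea in the two paragraphs above concrete, here is a small toy model I wrote for this post; it is an added illustration, not Morphisec’s code, and the names (`api_table`, `morph_api_table`, `resolve_api`, the trap stubs) are assumptions of my own. A table of entry points is relocated at startup and the original slots are replaced with trap stubs. Code that resolves the table through the runtime lookup lands on the live copy and succeeds; anything that baked in the original layout lands on a trap, which logs the access and fails. The real product does this against a running process without recompiling it and terminates the offender; the toy returns an error instead so it can be exercised in a test.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model of a moving-target memory defense (added example,
 * not Morphisec's implementation). The names below are hypothetical. */

typedef int (*entry_fn)(int);

/* A small "API table": the kind of predictable run-time structure that code
 * with a hard-coded view of process layout would expect to find in place. */
struct api_table {
    entry_fn open_file;
    entry_fn write_file;
};

/* Real implementations (stand-ins for legitimate application entry points). */
static int real_open_file(int arg)  { return arg + 1; }
static int real_write_file(int arg) { return arg * 2; }

/* Trap stubs: every hit is a stale access to the old layout. Legitimate code
 * never reaches them, which is what makes the signal deterministic. */
static int trap_hits = 0;

static int trap_open_file(int arg) {
    (void)arg;
    trap_hits++;
    fprintf(stderr, "trap: stale access to original open_file slot\n");
    return -1;
}

static int trap_write_file(int arg) {
    (void)arg;
    trap_hits++;
    fprintf(stderr, "trap: stale access to original write_file slot\n");
    return -1;
}

/* The original, predictable location of the table. */
static struct api_table original_table = { real_open_file, real_write_file };

/* Where the live table moves to; only the runtime lookup knows this address. */
static struct api_table *live_table = NULL;

/* The "morph" step: copy the live entries to a fresh address and turn the
 * original slots into traps. Idempotent so it is safe to call more than once. */
void morph_api_table(void) {
    if (live_table != NULL)
        return;
    live_table = malloc(sizeof *live_table);
    if (live_table == NULL) {
        perror("malloc");
        exit(1);
    }
    *live_table = original_table;              /* live copy keeps real entries */
    original_table.open_file  = trap_open_file; /* old layout now traps */
    original_table.write_file = trap_write_file;
}

/* Legitimate code resolves entry points through the runtime on every call,
 * so it always follows the table to its current address. */
static struct api_table *resolve_api(void) {
    return live_table;
}

int legit_open(int arg)  { return resolve_api()->open_file(arg); }
int legit_write(int arg) { return resolve_api()->write_file(arg); }

/* Simulates code that recorded the original layout before the morph and
 * never re-resolved it. In the toy this is just a direct read of the old table. */
int stale_open(int arg)  { return original_table.open_file(arg); }
int stale_write(int arg) { return original_table.write_file(arg); }

/* Number of logged trap hits since startup. */
int trap_count(void) { return trap_hits; }

int main(void) {
    morph_api_table();
    printf("legit open(41)  -> %d\n", legit_open(41));   /* 42 */
    printf("legit write(21) -> %d\n", legit_write(21));  /* 42 */
    printf("stale open(41)  -> %d\n", stale_open(41));   /* -1, logged */
    printf("trap hits: %d\n", trap_count());             /* 1 */
    free(live_table);
    return 0;
}
```

The point to take from the toy is the one the post makes: because the only path legitimate code ever takes is the runtime lookup, a hit on the original slots cannot be a false positive, so each trap log line is a genuine indicator rather than a heuristic score.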
Morphisec started off in the Windows server landscape but has recently released Linux support as well. The solution can work alongside your existing antivirus or EDR platform to provide an additional layer of defense against attackers. The key to proper security is defense-in-depth, and the deeper you can insert protection and controls into your systems, the better you will be able to sleep at night.
Bringing It All Together
You never want to find yourself staring down the barrel of a full-blown attack on your infrastructure. As attackers gain more and more sophistication, they will quickly fly past your traditional defenses and start causing massive damage. You need a different way to prevent them from causing problems for your servers. The novel approach that Morphisec takes to preventing in-memory attacks is one of the surest ways I’ve seen of preventing your critical systems from getting compromised and used against you. Hats off to the Morphisec team for thinking outside of the box and finding a way to play the attackers’ own games against them.
For more information about Morphisec and their Shield platform, make sure to visit their website at http://Morphisec.com
Thank you, Tom, as you have captured the essence of this disruptive approach. More vendors need to think out of the box and find ways to turn the attackers’ game against themselves; that is the only way to keep them out, rather than chasing them after the fact.