According to Trustwave’s most recent Global Security Report, the average time from intrusion to detection of a breach is around 49 days. With more advanced malware – also known as Advanced Persistent Threats (APT’s) – detection times can be much higher.
These advanced attacks use various methods to escape detection. But there’s something that every attack – whether the latest and greatest state-sponsored malware or a yet-to-be-disclosed zero-day vulnerability - has in common; they all require at least a little memory to exist and execute.
“All malware leaves a memory footprint,” says Liviu Arsene, Senior E-Threat Analyst at Romanian security provider Bitdefender. “I pull my hair out every time I hear about fileless attacks. There is no such thing. It's still code. All of these advanced tools, they all require some sort of memory footprint.”
However, it can be hard to find traces of malware. Today’s malware is adept at hiding itself within systems; just because Windows says there’s isn’t an executable file using up lots of memory doesn’t mean that’s actually true.
“The disadvantage of having an agent inside in the machine is that it's dependent on information coming from the Operating System.”
Bitdefender’s newest technology claims to solve the problems of threats lying to agents and hiding in the raw memory of virtualised systems. Called Hyper-Visor Introspection, it provides live memory introspection at the hypervisor level. Instead of using OS-reliant agents in each Virtual Machine, the technology ‘detects and secures infrastructures directly at hypervisor level, through a security virtual appliance.’
“If you can tap into that physical layer, below the operating system, that means you have complete visibility into the operating system without actually relying on information from the Operating System.”
To continue reading this article register now