Memory analysis is the ground truth

In recent years, enterprises have adopted next-gen endpoint protection products that are doing an admirable job detecting anomalies. For example, searching for patterns such as remote access to memory, modification of specific registry keys and alerting on other suspicious activities.

However, typically anomalies only provide us with an indication that something is wrong. In order to understand the root problem, respond and ensure that a machine is entirely clean, we must search for the malicious code running in memory which caused the anomaly alert to begin with.

Fileless malware

Fileless malware is a type of evasive, in-memory threat that appears only inside of a computer’s memory. The malware cannot be seen and it will usually vanish once the machine is turned off or the system is rebooted. According to the ​Ponemon Institute’s​ ​2018 State of Endpoint Security Risk report​, fileless malware attacks are 10 times more likely to succeed than file based attacks. The report predicts that nearly 40 percent of cyber attacks targeting organizations in 2019 will be fileless.

Memory analysis: The ground truth

When defending against cyber threats such as fileless malware, it is important for organizations to understand that ​volatile memory ​is the​ ground truth​.

While the majority of endpoint protection solutions are focused on identifying the symptoms or behaviors of a machine to detect suspicious activity ​— ​for example, abnormal network connections or data leakage ​—​ the real threat lies in the malicious code that is running in memory. Simply put, if a malicious application or program does not run, then there will be no successful cyber attack. The only way for an adversary to conduct a successful attack is to run malicious code, and in memory is where the code will be run. ​If organizations want to identify fileless threats, they need to analyze all of the code running in memory.

Conducting a memory analysis is a widely adopted industry practice to date, and there are some great open source or free tools available that can help you do that:

Memory imaging (acquiring memory dumps):

Memory Analysis (analyzing memory dumps):

On the down side, analyzing memory is a manual process that requires advanced technical skills. It requires time and unfortunately, can not be achieved at scale.

Challenges in memory analysis

1. Focus​ – One of the greatest challenges of conducting memory analysis is to know what processes and modules to focus on during the investigation. It is extremely difficult to sift through all of the legitimate modules, which can include both operating system libraries (DLLs) and various processes from trusted software. In most cases, the total number of legit modules exceeds 1,000 per memory image.

What makes it even more challenging is our inability as analysts to compare modules’ hashes to a known whitelist, due to the fact that the hash value changes once a module is loaded to memory. The most common solution to this problem is to try and identify anomalous artifacts (such as searching for hidden processes and analyzing network connections) in order to know what processes to target during an investigation. However, this contains a lot of guesswork and there is a strong possibility that malicious code will remain undetected.

2. Visibility​ – In many cases, malware is employed as a piece of injected code and not as an entire module or process. In these cases, dumped “orphan” code is practically impossible to analyze. Our options are limited. We can not use a sandbox to analyze a dumped code, we can not query the hash value and even reverse engineering such items is extremely difficult since the API calls are omitted in many cases.

Applying a genetic approach to malware analysis

Applying a ​genetic approach​ can help security teams automate the process of memory analysis at scale and assist in identifying and responding to in-memory threats. Implementing a genetic approach to memory analysis means to search for code similarities within every bit of executable code running in memory.

Code similarity analysis (or, “genetic malware analysis”) can help to automatically detect fragments of code that were seen in the past, thus helping both with identifying trusted software as well as malware, solely by looking at the raw binary code.

Conclusion

Endpoint protection solutions are incredibly important for alerting us about potential problems and for preventing threats. However, we must remember that it is only the beginning of the story and investigating the suspicious endpoints is necessary to close the response cycle.

The nature of modern threats and the existence of fileless malware makes memory analysis a must-have skill in the SOC arsenal for endpoint investigation.

Analyzing the binary code, specifically identifying code reuse to previously seen threats, can complement organizations’ existing endpoint protection solutions, to automate the complex but necessary process of memory analysis.