Fileless attacks are increasing and are more likely to succeed than traditional file-based malware. Most defenses seek to detect them by recognizing anomalous behavior on the network — but this is basically an after-the-event approach.
Virsec takes a different approach. It seeks to detect malicious fileless behavior while still in memory and before any bad effect can occur.
To this effect, Virsec announced what it calls the first application memory firewall. Its function is to detect deviations in application execution caused by memory-based attacks — and stop them instantly. The implications of such an approach are attractive. If an application is seen to be misbehaving internally, then a memory firewall doesn’t merely stop unknown zero-day fileless attacks, it also provides virtual patching.
Consider WannaCry and NotPetya, which only occurred because many systems could not be patched, and many others were simply left unpatched. EternalBlue and DoublePulsar are memory attacks that leave no traces until after execution. However, if they could have been detected and blocked while still in memory, the lack of patching would not have been an issue and the attack would have been halted.
The Equifax hack is another example. An RCE vulnerability was exploited by passing malicious code in the Content-Type header. Patching the Struts2 flaw is problematic because it requires rebuilding all apps. But if the execution of the Apache web-server and app-servers was monitored by an application memory firewall, then malicious activity would have been detected and stopped immediately — without requiring the patch.
Atiq Raza, CEO at Virsec, said at the time, “Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks — we need to shift to real-time monitoring and security for web applications and all the processes that support them.”
“Memory is the new battleground for cyberattacks,” explains L. Barry Lyons IV, director of risk consulting at KPMG Cyber Security Services, “yet typical security tools have little visibility into memory usage during runtime. Virsec is able to detect and stop attacks that previously seemed indefensible.”
The Virsec memory firewall achieves its purpose by mapping the legitimate execution of an application. “If there is any deviation during execution,” it announced at RSAC this week, “this is a positive sign of compromise, and the Application Memory Firewall stops the exploit within microseconds. Virsec effectively guardrails applications to keep them on track during runtime, delivering results that are far more effective and accurate than existing security tools.”
The process works with any compiled application, whether that’s proprietary, open source or legacy. As applications are loaded into process memory, Virsec maps every assigned memory transition and compiles an ‘AppMap’. This AppMap is then compared to the actual execution flow, and any deviation is taken as evidence of memory abuse or corruption. As a result, fileless attacks from within an application can be detected and blocked within milliseconds — before any malicious effect.
“Very few security practitioners understand how process memory works, and even fewer security tools operate at the memory level,” said Satya Gupta, founder and CTO of Virsec. “Rather than endlessly chasing external threats, Virsec focuses on what applications should be doing, and how they are actually executing during runtime, down to the memory level.”
The result is a generic defense against advanced fileless techniques. This includes memory corruption attacks (buffer overflows), stack smashing, DLL injection, return-oriented programming (ROP) and ROP gadgets, side-channel attacks and corruption of configuration data.
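A simplified illustration of the AppMap idea described above, added here and not Virsec's code: a whitelist of control transfers is learned from a trusted run, and a later execution trace is checked against it, so a stack-smashed return that lands on a gadget or a transfer the map has never seen is reported as a deviation. The addresses, the `Transfer` format and the 5-byte call length are constructed sample assumptions.

```python
from typing import List, NamedTuple, Optional, Set

CALL_LEN = 5  # assumed length of an x86-64 `call rel32`; part of the constructed sample

class Transfer(NamedTuple):
    kind: str  # "call", "ret" or "jmp"
    src: int   # address the transfer leaves from
    dst: int   # address it lands on

class Deviation(NamedTuple):
    index: int          # position in the runtime trace
    transfer: Transfer  # the offending transfer
    reason: str

class AppMap:
    """Whitelist of control transfers learned from a trusted run of the application."""
    def __init__(self, baseline: List[Transfer]) -> None:
        self.edges: Set[Transfer] = set(baseline)
        # A legitimate return lands on the instruction right after some observed call.
        self.return_sites: Set[int] = {t.src + CALL_LEN for t in baseline if t.kind == "call"}

    def check(self, trace: List[Transfer]) -> Optional[Deviation]:
        """Return the first transfer that deviates from the map, or None if all are known."""
        for i, t in enumerate(trace):
            if t.kind == "ret" and t.dst not in self.return_sites:
                return Deviation(i, t, "return to an address that follows no call (ROP-style)")
            if t not in self.edges:
                return Deviation(i, t, "transfer never observed in the trusted run")
        return None

# Constructed trusted run: main at 0x1000 calls parse (0x2000), then log (0x3000), then loops.
BASELINE = [
    Transfer("call", 0x1010, 0x2000),
    Transfer("ret",  0x2040, 0x1015),
    Transfer("call", 0x1020, 0x3000),
    Transfer("ret",  0x3030, 0x1025),
    Transfer("jmp",  0x1030, 0x1000),
]
APP_MAP = AppMap(BASELINE)

# Constructed attack trace: parse's saved return address was overwritten to point at 0x4010.
ROP_TRACE = [Transfer("call", 0x1010, 0x2000), Transfer("ret", 0x2040, 0x4010)]

# Constructed trace: the return site is real, but the transfer itself was never seen in the map.
UNSEEN_EDGE_TRACE = [Transfer("call", 0x1010, 0x2000), Transfer("ret", 0x2050, 0x1015)]
```

A real memory firewall would collect these transfers from the running process rather than from a hand-written list, but the comparison step is the same.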
San Jose, CA-based Virsec raised $24 million in a Series B funding round led by tech investment firm BlueIO in March 2018, bringing the total raised to date to $31.6 million.