[By Oren Dvoskin, Director of Product Marketing at Morphisec]
The global cybersecurity market continues to soar, and for good reason, cybercriminals are becoming increasingly sophisticated and effective. In fact, it’s safe to say that the sophistication of today’s criminals is far outpacing the evolution of the defenses they are attacking.
A great example of this mismatch is the explosion of malware executing modern battlefield attacks. These attacks first started emerging in the mid-2010s, but it was until recent years that there has been a surge in activity—recent Aqua Nautilus research shows there’s been a 1,400% increase in modern-battlefield attacks in 2023. That’s a staggering figure, and when you consider that most security teams rely on detection-based solutions to detect and mitigate these attacks, there’s good reason for concern.
Detection-Based Solutions Come Up Short
Endpoint protection platforms (EPP), endpoint detection and response (EDR/XDR), and antivirus (AV) are effective when malware relies on executables. That’s because these leavebehind evidence, such as attack patterns and signatures, that help teams identify them. But today, with attack chains increasingly targeting device memory during runtime, the signatures to detect or behavior patterns to analyze are no longer there. This leaves traditional defenders with limited visibility. It’s true that evidence of these threats can surface over time, but by then, it’s usually too late for defenders to do anything.
Going Inside Modern Cyber Battlefield Attacks
For those less familiar with modern cyber battlefield attacks, they can be installed with or without associated files, and their preferred area of operation lies in a very specific lane, where an end user starts an application and turns it off. The reason attackers target this space is because what occurs in device memory during an application’s runtime is mostly invisible to defenders.
To understand this invisibility, consider how a security solution might try to scan an application while it’s in use. It would need to scan device memory multiple times during the application’s lifetime while listening to the correct triggering operations and finding malicious patterns to catch an attack in progress. That might not sound too daunting but try scaling this to an organization with 1,000 or more employees.
A typical application’s runtime environment could have 4GB of virtual memory. To scan this volume of data effectively AND frequently would slow the application down to the point where it was unusable. Consider how that would impact an organization’s productivity or bottom line.
This leaves us with memory scanners that examine specific memory regions at specific times and specific parameters. At the end of the day, teams might gain insight, but it would be limited to three to four percent of application memory. I say might because modern battlefield threats often leverage obfuscation techniques that make them more difficult to detect. Now, the challenge of finding a single needle in a single haystack grows to finding a single needle in 100 haystacks.
And I haven’t even touched on the fact that these attacks also sidestep or tamper with the hooks most solutions use to spot attacks in progress. This allows attackers to linger undetected for extended periods—a remote access trojan (RAT), infostealer, and loader using application memory stay in a network for an average of around 11 days. For advanced threats like RATs and info stealers, this figure is closer to 45 days.
Modern Battlefield’s Many Faces
The modern cyber battlefield compromises of more than a single type of threat — it’s a feature of attack chains that leads to a wide range of outcomes. For example, ransomware is not necessarily associated with memory runtime attacks. But to deploy ransomware, threat actors usually must infiltrate networks and escalate privileges. These processes tend to happen in memory at runtime.
These threats also don’t just target memory processes on Windows servers and devices. They target Linux. For example, a malicious version of Cobalt Strike was created by threat actors specifically for use against Linux servers. In industries like finance, where Linux is used to power virtualization platforms and networking servers, there’s been a violent surge in attacks. Attacks often compromise business-critical servers in-memory to set the stage for information theft and data encryption.
Stopping the Modern Cyber Battlefield Madness
From businesses to government entities and everything in between, the key is to begin focusing on stopping threats against application memory during runtime. It’s no good focusing exclusively on detection. That’s because the modern cyber battlefield and fileless malware are essentially invisible, and traditional security techniques, which build a castle wall that surrounds protected assets and relies on detecting malicious activity, won’t do you any good.
One proven answer is Defense-in-Depth, which features a security layer that prevents memory compromise from occurring in the first place. One technology option is Automated Moving Target Defense (AMTD). What makes AMTD so effective is that it creates a dynamic attack surface that even advanced threats cannot penetrate. This is because AMTD morphs application memory, APIs, and other operating system resources during runtime. It does this while applications are being used while having no impact on performance.
Think of this from a home security perspective. To keep the burglars out, AMTD continuously moves the doors to a house (front, back, basement — you name it) while simultaneously leaving fake doors behind in their place. These fake doors are what trap the malware for forensic analysis. In the event a burglar finds an actual door, it won’t be there when they come back. As a result, they cannot reuse an attack on the same endpoint or any other endpoint.
Now, rather than detecting attacks after they’ve happened, AMTD technology does what other detection-base solutions cannot, it proactively blocks attacks without the need for any signatures or recognizable behaviors and, in doing so, makes Modern Battlefield attacks ancient history.
Oren T. Dvoskin, Product Marketing Director, Morphisec
Oren T. Dvoskin is Product Marketing Director at Morphisec, delivering endpoint protection powered by Automated Moving Target Defense. Before joining Morphisec, Oren was VP, of OT & Industrial Cybersecurity marketing at OPSWAT, overseeing the company’s portfolio of OT and ICS security solutions. Previously, Oren held marketing and business leadership positions in cybersecurity, healthcare, and medical devices, with a prior extensive career in software R&D. Dvoskin holds an MBA from the Technion – Israel Institute of Technology, an undergraduate degree in computer science, and graduated from the Israeli Defense Forces MAMRAM programming course.