DCN July 2017 | Page 27

virtualisation & cloud computing
of privilege and visibility within the operating system, it is always a cat-and-mouse game between cybercriminals and security vendors to attain that context. Considering that the OS is usually both the victim and the target of the attack, the attacker and the security solution alike rely on it for accurate information.
Operating systems were simply not built with security in mind, let alone specifically for virtual environments. This means that, while they retain the same vulnerabilities they had as standalone installations, they are also exposed to new ones when deployed as guests in virtual infrastructures.
All (advanced) threats are made equal
With more than 500 million malware samples currently in the wild, the security status quo is to go after all of them and try to keep up. With machine learning algorithms designed and trained to spot new and unknown malware samples based on shared features, alongside signatures and behavioural heuristics, the current security standard is to identify new malware as soon as it ‘lands’ on, or tries to execute on, the victim’s computer.
However, advanced threats – those designed to infiltrate organisations, government institutions or critical infrastructure – are different beasts altogether. The first stage of the attack usually exploits a zero-day or unpatched vulnerability in the operating system or in a commonly installed application, then drops a malicious payload whose only job is to evade detection once.
The security industry is currently unable to cope with a first stage of attack that involves a zero-day. Any memory manipulation technique typically employed by advanced attacks to make a legitimate application behave illegitimately is completely outside the ‘superpowers’ of a traditional security solution, which cannot see what is going on in raw memory, only what lands on disk.
Since all advanced attacks rely on this kind of memory manipulation to infiltrate victims covertly, detecting them comes down to being able to tap into raw memory, understand how it is being manipulated, and enumerate the possible memory manipulation attack techniques. These premises form the basis for securing VMs against advanced attacks from outside the VM.
The untapped potential of the hypervisor
The hypervisor, a performance tool, was only ever used to interface VMs with the physical hardware and to manage VMs so that they remain isolated from each other. These type-1 hypervisors (better known as bare-metal hypervisors) are built for a single task, or so we used to believe. Because the hypervisor has raw access to the physical memory allocated to each VM, it is only a matter of having a technology that can ‘understand’ how that memory is allocated, and do so in real time without affecting the performance of any guest VM.
While gaining access to raw memory via the hypervisor is the easy part, extracting semantic meaning from memory pages was deemed impossible to achieve outside academia. The major benefit of this new security layer is that it is completely isolated by the hypervisor; it has full context of what is being executed within each VM, since it no longer depends on the operating system feeding it that information; and it can guarantee the integrity of both in-guest applications and the virtualised guest operating system.
Of course, because it sits completely outside the guest OS, it would also be fully compatible with any traditional in-guest security solution and would only intervene directly in memory when a threat is detected. The dilemma that traditional security faced – context versus isolation – can now be solved by leveraging the hypervisor to go below the operating system, where no threat can hide.
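The integrity check the article attributes to the hypervisor layer, as an added toy model in Python (not the article's or any vendor's code): the monitor hashes every executable guest page once, then from outside the guest reports code pages whose bytes changed or data pages that later became executable. The page mappings and module names are constructed stand-ins for what a real introspection engine reconstructs from the guest's page tables.

```python
import hashlib
from dataclasses import dataclass

PAGE = 4096  # guest page size assumed by this model

@dataclass
class Mapping:
    """A guest page as read from its page tables; `module` is the semantic label
    (assumed) that ties a raw physical frame to what the guest is running."""
    vpage: int
    frame: int
    executable: bool
    module: str

def page(ram, frame):
    """Slice of raw guest physical memory backing one frame."""
    return ram[frame * PAGE:(frame + 1) * PAGE]

class Introspector:
    """Hypervisor-side monitor: hashes every executable page at baseline, then
    reports pages whose bytes changed or that became executable afterwards."""
    def __init__(self, ram, mappings):
        self.ram, self.mappings = ram, mappings
        self.baseline = {m.frame: self.digest(m.frame) for m in mappings if m.executable}

    def digest(self, frame):
        return hashlib.sha256(page(self.ram, frame)).hexdigest()

    def check(self):
        """Returns (kind, module, vpage) alerts; an empty list means nothing changed."""
        alerts = []
        for m in self.mappings:
            if not m.executable:
                continue
            if m.frame not in self.baseline:
                alerts.append(("new-exec-page", m.module, m.vpage))
            elif self.digest(m.frame) != self.baseline[m.frame]:
                alerts.append(("code-modified", m.module, m.vpage))
        return alerts

def demo():
    """Constructed two-frame guest: baseline, then two kinds of memory manipulation."""
    ram = bytearray(2 * PAGE)
    ram[0:4] = b"\x55\x48\x89\xe5"  # constructed code bytes standing in for app.exe
    maps = [Mapping(0x401, 0, True, "app.exe"), Mapping(0x402, 1, False, "heap")]
    mon = Introspector(ram, maps)
    clean = mon.check()             # nothing has changed yet
    ram[0] = 0xE9                   # first byte of the code page altered in place
    maps[1].executable = True       # data page flipped to executable
    return clean, mon.check()
```

The guest OS is never consulted: the monitor reads only physical memory and the mappings, which is what lets it keep working even when the in-guest view has been tampered with.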
Bare-metal security
Defending virtualised environments from advanced and sophisticated attacks is a lot easier with Hypervisor Introspection. If advanced threats targeting organisations usually remain undetected for up to five months, the ability to spot memory manipulation attack techniques prevents an attack even before it can drop any payload on the machine. Whereas detecting advanced threats traditionally involves either detecting the payload or having some sort of indicators of compromise (IoCs) to spot an anomaly, hypervisor-based memory introspection would stop the attack in the very early stages of its lifetime. In practice, it will reduce the risk of companies suffering a data breach and mitigate threats before they can compromise the company’s infrastructure or network.