DCN July 2017 - Page 27

virtualisation & cloud computing

of privilege and visibility within the operating system, it is always a cat-and-mouse game between cybercriminals and security vendors to attain that context. Considering that the OS is usually both the victim and the target of the attack, the attacker and the security solution alike rely on it for accurate information. Operating systems were simply not built with security in mind, let alone specifically for virtual environments. This means that, while they retain the same vulnerabilities they had as stand-alone installations, they are also prone to new vulnerabilities when deployed as guests in virtual infrastructures.

All (advanced) threats are made equal

With more than 500 million malware samples currently in the wild, the security status quo is to go after all of them and try to keep up. With machine learning algorithms designed and trained to spot new and unknown malware samples based on shared features, together with signatures and behavioural heuristics, the current security standard is to identify new malware as soon as it ‘lands’ on, or tries to execute on, the victim’s computer. However, advanced threats – those designed to infiltrate organisations, government institutions or critical infrastructures – are different beasts altogether. The first stage of such an attack usually involves exploiting a zero-day or unpatched vulnerability in the operating system or in a commonly installed application, then dropping a malicious payload whose only purpose is to evade detection once. The security industry is currently unable to cope with a first stage of attack that involves a zero-day. Any memory manipulation technique employed by advanced attacks to make a legitimate application behave illegitimately is completely outside the ‘superpowers’ of a traditional security solution, as it cannot see what is going on within raw memory, but only what lands on disk.
Since all advanced attacks rely on this kind of memory manipulation to infiltrate victims covertly, detecting them reduces to two requirements: being able to tap into raw memory and understand how it is being manipulated, and identifying every possible memory manipulation attack technique. These premises form the basis for guaranteeing VM security against advanced attacks from outside the VM.

The untapped
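The disk-versus-memory gap described above, as an added illustration that is not part of the original article: a constructed guest whose executable code pages are hashed against their on-disk baseline, so that a disk-bound scanner reports nothing while an out-of-VM view of raw memory flags the page that was altered in memory only. The page size, region layout and filler bytes are assumptions made for the example, not real machine code.

```python
import hashlib
from dataclasses import dataclass

PAGE = 4096  # page size of the constructed guest (assumption)


@dataclass
class Region:
    """One mapped executable region of a guest process (constructed for this example)."""
    name: str          # backing file name
    base: int          # guest address at which the code section is mapped
    disk_bytes: bytes  # the code section exactly as it is stored on disk


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_guest(regions):
    """Lay the regions into one flat bytearray that plays the role of raw guest memory."""
    mem = bytearray(max(r.base + len(r.disk_bytes) for r in regions))
    for r in regions:
        mem[r.base:r.base + len(r.disk_bytes)] = r.disk_bytes
    return mem


def baseline_pages(region):
    """Per-page hashes of the code as it exists on disk: the 'known good' view."""
    return {region.base + off: sha256(region.disk_bytes[off:off + PAGE])
            for off in range(0, len(region.disk_bytes), PAGE)}


def disk_scan(regions, golden):
    """What a disk-bound scanner sees: whole-file hashes compared with the install-time record."""
    return [r.name for r in regions if sha256(r.disk_bytes) != golden[r.name]]


def introspect(mem, regions):
    """Hypervisor-side view: hash each executable page in raw memory and report every
    page whose contents no longer match the on-disk baseline (in-memory code patching)."""
    return [(r.name, addr) for r in regions
            for addr, expect in baseline_pages(r).items()
            if sha256(bytes(mem[addr:addr + PAGE])) != expect]


def demo():
    # Constructed guest: two 'applications' whose code sections are filler bytes.
    regions = [Region("app.exe", 0x1000, b"\x90" * (2 * PAGE)),
               Region("lib.dll", 0x4000, b"\xcc" * PAGE)]
    golden = {r.name: sha256(r.disk_bytes) for r in regions}  # recorded at install time
    mem = build_guest(regions)
    # Constructed in-memory manipulation: four bytes of app.exe's second code page change
    # in memory only; the backing file on disk is untouched.
    mem[0x2000:0x2004] = b"\xde\xad\xbe\xef"
    return disk_scan(regions, golden), introspect(mem, regions)
```

Running `demo()` returns an empty list from the disk scan and `[("app.exe", 0x2000)]` from the memory view, which is the whole point of looking at raw memory from outside the VM rather than at what lands on disk.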