Advanced threats are now more accessible than ever. On the Dark Web you can buy or rent zero-day attacks, fileless malware, supply chain compromises, and malware that targets device memory processes.
In 2021, memory compromise was the most common of the top five MITRE attack techniques, and the number of fileless attacks increased by over 900%. The number of zero-days seen in the wild more than doubled from 2020, according to Google's Project Zero. In 2022 data breaches were just 60 short of the all-time record of 1,862 breaches, set in 2021. There was a notable dip in data breach volumes during the first half of 2022, likely because Russia-based cybercriminals were too distracted or preoccupied by the invasion of Ukraine, along with volatility in the cryptocurrency market.
Advanced cyberattacks against well-defended networks have resulted in crippled oil pipelines, school systems, and even entire countries. And we will never know how many successful attacks on major enterprises occurred that never went public.
Threats Hide in Memory to Avoid Detection
Detection technologies are essential defenses in any IT environment. They include next-generation antivirus (NGAV), endpoint protection platform (EPP), endpoint detection and response/extended detection and response (EDR/XDR), and managed detection and response (MDR). But the most advanced threats and new variants of existing threats are specifically designed to evade these tools, usually by hiding in memory.
Scanners try to identify malware and malicious activity by looking at known signatures. But even if you have multiple layers of security technologies, these scanners cannot see threats that don't have recognizable signatures, are fileless, or exist in memory, which is impossible to scan effectively at runtime. After all, if you don't know what to look for and can't see your environment in real time, you can't find what you can't see.
Memory is a major vulnerability in modern cybersecurity because standard cybersecurity tools can't find stealthy, unknown, and evasive threats in memory — certainly not fast enough to stop attacks. As a result, security teams end up one step behind threat actors.
The Memory Security Gap Is Growing
Threat actors are targeting memory because it's the best place to persist on a device while remaining invisible. This is because runtime memory is such a big space that it's basically impossible to scan without massively degrading performance, leaving it mostly undefended by security controls.
To avoid compromising performance, detection-based solutions like EDR must look at memory selectively. They depend on picking specific times and spaces in memory to scan and looking for certain indicators, such as the recently released Cobalt Strike Yara rules.
Because threats can hide in a vast space and be reconfigured to avoid triggering rulesets, scanning solutions miss evasive threats almost all the time.
In a device's run-time memory environment, threats can steal credentials, hijack legitimate processes, and even turn a low-privileged user into a system administrator.
For example, malicious versions of the pen-testing framework Cobalt Strike enable threat actors to deploy a loader in the memory of a legitimate application, such as PowerShell. This means the threat exists purely in the memory environment while an application is running.
Adding Memory Defenses
The only way to reliably prevent compromise by advanced threats is to deploy a layered security posture that makes attackers' lives difficult. This means building secure networks, hardening systems, and deploying security technologies like EDR, EPP, and AV to spot malicious behavior and keep security teams informed about network activity. Security teams also need to consider solutions that protect memory by denying access to untrusted actors.
One way to protect memory is by using moving target defense technology to randomize the run-time memory environment so attackers can't find what they're looking for, breaking their attack chain. Instead of a static, known target environment, an attacker faces a dynamic memory environment containing decoy traps that capture unauthorized activity for forensic analysis.
As advanced threats become more common, layered security that incorporates memory defense is becoming essential. Without it, there is no effective way to stop threats targeting device memory.