BlackBerry Blog

Detecting Threats in Memory: The Role of Advanced Sensors

Cyberattacks are very rapidly increasing in capability and consequence. Over time, they have evolved to include not only remote attacks on systems but also proximity and physical attacks. Due to the omnipresence of memory usage in a variety of electronics and software, bad actors are making frequent attempts to compromise systems through memory, often using it as a pivot point to elevate their attacks.

Memory-based attacks are increasingly sophisticated and challenging for customers to detect. Traditional security measures often fall short in identifying these threats for a variety of reasons, including the traditional focus on file-based scanning for known signatures of malware, lack of behavioral analysis, limited visibility of memory-based attacks, and the proliferation of more advanced evasion techniques. 

These issues, and others, have driven the development of advanced sensors that monitor and analyze memory for malicious activity. CylancePROTECT® is part of CylanceENDPOINT™ and provides a wide array of such sensors; customers control which sensors are enabled and how the agent reacts when one of them detects a threat.

Common Memory-Based Attacks

As our customers defend themselves against memory-based attacks, some trends have become clear. Increasingly sophisticated memory-based attacks continue to exploit vulnerabilities in a system’s memory to execute malicious code and often bypass traditional file-based detection methods. Memory-based attacks are not limited to devices running the Windows® OS; systems that run macOS® and Linux® can also be affected by these attacks. Here are some common types of memory-based attacks, for reference:

[Table: examples of common memory-based attacks]

Locating the Sensors

The advanced sensors in CylanceENDPOINT must be enabled as part of a device policy. To access this configuration, open the Cylance console and follow these instructions:

  1. Navigate to Policies > Device Policy.

  2. Click on an existing device policy to modify it or click on the + Add New Policy button to create a new device policy. 

  3. Click on the Memory Actions tab and ensure that the Memory Protection setting is checked.

  4. Under the Violation Type section, expand Exploitation, Process Injection, or Escalation to see each group’s sensors and configure them.

Configuring the Sensors

Within a device policy, each of the sensors can be configured to react in one of the following ways (with a few exceptions):

  • Ignore: The CylanceENDPOINT agent does not take any action.
  • Alert: The CylanceENDPOINT agent logs the violation and reports the incident to the management console. This can provide you with awareness of memory violations but is not disruptive and allows apps to continue operating.
  • Block: The CylanceENDPOINT agent logs the violation, reports the incident to the management console, and blocks the process call. The application that made the call is allowed to continue to run, as only a single process call (that could potentially be malicious) has been blocked.
  • Terminate: The CylanceENDPOINT agent logs the violation, reports the incident to the management console, blocks the process call, and terminates the application that made the call. This setting can be disruptive, because a legitimate business app that triggers a sensor will be terminated along with the offending call.

The Role of Advanced Sensors in Detecting Memory Attacks

CylanceENDPOINT provides 28 advanced sensors that have been designed to detect memory-based threats by continuously monitoring and analyzing memory activities. These sensors can identify anomalies and suspicious behaviors that indicate the presence of malicious code. 

Here are some key features and advantages of these sensors:

  1. Real-Time Monitoring: Sensors provide real-time monitoring of memory, allowing for the immediate detection of suspicious activities. This is crucial for preventing attacks before they can cause considerable damage.

  2. Behavioral Analysis: By analyzing the behavior of processes and memory activities, sensors can identify patterns that deviate from normal operations. This helps in detecting sophisticated attacks that may not be caught by signature-based detection methods.

  3. Automated Response: Advanced sensors can automate the response to detected threats, such as isolating affected processes or alerting security teams. This reduces the response time and minimizes the impact of an attack.

  4. Integration with Existing Security Tools: These sensors can be integrated with other security tools, such as Endpoint Detection and Response (EDR) systems, to provide a comprehensive defense against memory-based attacks.

Real-World Sensor Applications and Benefits

The advanced sensors in CylanceENDPOINT provide the confidence that you need to defend your systems. They offer several advantages in protecting against memory-based attacks. 

Let’s explore how these sensors can mitigate the risks associated with these attacks:

  1. Malicious Payload Detection: CylanceENDPOINT can detect the injection of malicious payloads by monitoring memory for unusual code execution patterns. For example, if a process that typically does not execute code in a certain memory region suddenly does so, the sensor can flag this as suspicious and take a pre-configured action.

  2. APC Injection Prevention: By tracking the queuing and execution of APCs (Asynchronous Procedure Calls), CylanceENDPOINT can identify and block malicious APC injections. This can make customers aware of attackers that are attempting to hijack legitimate business apps while they are executing their code.

  3. DYLD Injection Mitigation: On macOS and Linux systems, CylanceENDPOINT can monitor the DYLD (Dynamic Link Editor) for unauthorized modifications or code injections. This can help to prevent attackers from exploiting the dynamic linker to execute malicious code. DYLD injection is one of the most prevalent types of attacks on both macOS and Linux systems, so this safeguard is highly recommended.

  4. LSASS Read Protection: CylanceENDPOINT can detect and block unauthorized access to the LSASS (Local Security Authority) process memory. This is crucial for preventing attackers from extracting sensitive information, such as user credentials, from the memory. When an attacker gets access to system credentials, it may enable them to access personal or sensitive information, compromise system defenses further, or move laterally to other systems on the network to inflict more damage.
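To make the action levels from the configuration section concrete for the sensors listed above, here is an added Python model (not BlackBerry's code) of how a device policy's per-sensor setting of Ignore, Alert, Block or Terminate determines what happens to a violation. The policy layout, the violation record format and the process names are all constructed assumptions for the example.

```python
from dataclasses import dataclass
IGNORE, ALERT, BLOCK, TERMINATE = "Ignore", "Alert", "Block", "Terminate"

# Constructed policy: violation group -> sensor -> action (sensor names from the post).
POLICY = {
    "Escalation": {"LSASS Read": TERMINATE},
    "Process Injection": {"APC Injection": BLOCK, "DYLD Injection": BLOCK},
    "Exploitation": {"Malicious Payload": ALERT},
}

@dataclass
class Violation:
    group: str    # Exploitation, Process Injection or Escalation
    sensor: str   # which sensor fired
    process: str  # the application that made the call

@dataclass
class Outcome:
    action: str
    logged: bool = False
    reported: bool = False
    call_blocked: bool = False
    process_terminated: bool = False

def apply_policy(v: Violation, policy=POLICY) -> Outcome:
    """Translate one sensor hit into the effects listed for its action level."""
    action = policy.get(v.group, {}).get(v.sensor, IGNORE)  # unlisted -> Ignore
    out = Outcome(action)
    if action == IGNORE:
        return out                       # agent takes no action at all
    out.logged = out.reported = True     # Alert, Block, Terminate all log + report
    if action in (BLOCK, TERMINATE):
        out.call_blocked = True          # only the single offending call is stopped
    if action == TERMINATE:
        out.process_terminated = True    # the whole calling application is ended
    return out

def run(events, policy=POLICY):
    """Apply the policy to a stream; return outcomes and the processes it would kill."""
    outcomes = [apply_policy(e, policy) for e in events]
    disrupted = {e.process for e, o in zip(events, outcomes) if o.process_terminated}
    return outcomes, disrupted

# Constructed sample violations (not real agent telemetry).
SAMPLE = [
    Violation("Escalation", "LSASS Read", "sample_a.exe"),
    Violation("Process Injection", "APC Injection", "sample_b.exe"),
    Violation("Exploitation", "Malicious Payload", "sample_c.exe"),
    Violation("Process Injection", "Unknown Sensor", "sample_d.exe"),
]
```

Running `run(SAMPLE)` shows the trade-off the configuration section describes: only the Terminate-level sensor disrupts a process, while Block stops the single call and Alert merely records it.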

Final Thoughts on Memory-Based Cybersecurity Threats

The advanced sensors in CylanceENDPOINT are a critical weapon for detecting memory-based cybersecurity threats and can enhance the security posture of your organization.

Our Distinguished Support Solutions Owners Team sees how this helps BlackBerry customers every single day, as these sensors provide real-time monitoring, behavioral analysis, and automated response capabilities that offer a robust defense against sophisticated attacks. As cyber threats continue to evolve, the adoption of such advanced technologies will be essential in safeguarding sensitive information and maintaining the integrity of our digital environments.

For more information about the threat landscape, you can read BlackBerry’s quarterly Global Threat Intelligence Report. This report helps you stay informed about the most recent cybersecurity threats and challenges in your industry and geographic region. The report is the culmination of the research, analysis, and conclusions of our Cyber Threat Intelligence (CTI) team, our Incident Response (IR) team, and security specialists in our CylanceMDR service.

For similar blogs and news delivered right to your inbox, please subscribe to the BlackBerry Blog.

About Brian Bernard

Brian Bernard is a Distinguished Support Solutions Owner at BlackBerry.


About The BlackBerry Distinguished Support Solutions Owners Team

The BlackBerry Distinguished Support Solutions Owners Team focuses on helping to solve BlackBerry’s most impactful customer support problems.