How to detect targeted attacks by using memory introspection

Cybercriminals can spend months inside an organization, stockpiling information for a future attack or piecing together the data that will get them to the prize they are after. They also take measures to avoid detection, and sometimes stage diversions to draw attention away from what they are doing and where they have already succeeded, as EY’s Global Information Security Survey 2015 shows. Cyberattacks affect business decisions, mergers and acquisitions, and competitive position alike.

Advanced Persistent Threats (APTs) and Advanced Targeted Attacks (ATAs) are of tremendous concern to organizations. Recent high-profile examples have hit retailers, bringing wide media coverage and direct financial losses. They are also instructive because many of the highest-profile breaches were detected not by the retailer itself, but by the credit card companies tracking fraud activity.

Other attacks that are well known in security circles but get far less media attention are nation-state sponsored campaigns. Some attributions are generally accepted (e.g. Stuxnet and Turla as state-sponsored, Carbanak as a large organized criminal operation), while others are widely suspected (Chinese attacks against U.S. defense contractors, Nortel, and other industrial targets). On that note, industrial espionage is another area of great concern.

The enterprise IT infrastructure has transformed completely in recent years, becoming a truly hybrid infrastructure. The hypervisor now sits as an intermediary between virtualized endpoints and physical hardware. Endpoint security, however, has not experienced the same paradigm shift. Traditional network-level security may run as a virtual appliance, but it still inspects network traffic exactly as it did before. Traditional security agents running inside protected systems may offload scanning to a virtual appliance for performance, but they remain constrained by the technical limitations of running within the endpoint operating system: they share the same privilege level, and the same memory, as the attacker they are meant to catch.

Until now, the very concept of endpoint security was confined to security agents running within a host OS on endpoints – the Windows and Linux servers and desktop operating systems upon which every modern organization depends – or to network devices, and attackers have been taking advantage of that.

Bitdefender has solved the technical challenges of building a solution to this root problem, giving datacenter owners the ability to know what they don’t know and to act on information gathered from below the operating system. With agentless protection running outside the host OS, this new approach redefines endpoint security.

Citrix’s XenServer API enables virtual machine introspection from a security virtual appliance. Bitdefender has built Hypervisor-based Introspection (HVI) on top of the virtual machine introspection feature included in Citrix XenServer.

Gartner states in its “Host-Based Controls for Server Workloads Ready for Hybrid IT” report, published in April 2016:

“Platform, hypervisor and OS integrity checks are excellent controls for systems over which you have lost end-to-end control, such as in colocated systems. Additionally, this control can, to some extent, defend against certain high-impact malware. Furthermore, it is currently the only safeguard that can verify the integrity of a (formerly) trusted hypervisor. Thus, this control is most feasible for application architectures where the integrity of the hypervisor or of the hardware is of any concern (e.g., high-risk applications in colocated systems or, where supported, public clouds).”

Drawing insight from the hypervisor fits the datacenter architectures that virtualization has produced. This deeper level of insight sits below the virtualized endpoints and the workloads they host.

Hypervisor-based Introspection (HVI), by its very nature, operates at a level of privilege higher than anything available in-guest. A rootkit running in a virtual machine may execute with kernel-level (ring 0) privilege, the same level as in-guest security software, but HVI runs with the hypervisor’s privilege (informally “ring -1”, i.e. VMX root mode on Intel hardware), which no guest code can reach.

With hypervisor-level access to in-guest memory, and isolation from whatever compromises the guest, Bitdefender Hypervisor-based Introspection delivers a level of insight that was previously unavailable. A targeted, highly sophisticated attack may use customized, one-off tools and exploit zero-day vulnerabilities to gain a foothold and defeat in-guest endpoint security; HVI exposes such attacks by observing guest memory from the hypervisor, a vantage point that virtualization has added to the software stack and that the attacker cannot tamper with from inside the guest.

HVI identifies attack techniques rather than specific malware samples, so it can detect, report and prevent common exploitation techniques regardless of the tool that uses them. The kernel is protected against the rootkit hooking techniques used during the attack kill chain to provide stealth. User-mode processes are also protected against code injection, function detouring, and code execution from the stack or heap.
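To make the kernel-hooking case concrete, the following is an added example (not Bitdefender’s or Citrix’s code) of the kind of check an out-of-guest engine can run over a snapshot of guest memory: it compares a code region against a known-good baseline and decodes the entry of each export to see whether it has been detoured to an address outside the owning module’s image. All addresses, export names, prologue bytes and the hook itself are constructed for the example; a real introspection engine first has to locate the guest’s modules and export tables in raw memory (the so-called semantic gap), which the constants below stand in for.

```python
import hashlib
import struct

# Constructed layout: a hypothetical kernel-mode module loaded at MODULE_BASE,
# of which we snapshot one code region. Nothing here describes a real image.
MODULE_BASE = 0x7FF6_1000_0000      # hypothetical load address
MODULE_SIZE = 0x2000                 # hypothetical image size
REGION_RVA = 0x1000                  # RVA of the code region we snapshot
REGION_SIZE = 0x100
EXPORTS = {"NtCreateFile": 0x1020, "NtWriteFile": 0x1080}   # constructed export RVAs

# Constructed clean prologue: mov r10, rcx ; mov eax, 0x55 ; syscall ; ret
CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8\x55\x00\x00\x00\x0f\x05\xc3"


def baseline_region():
    """Known-good snapshot of the region, e.g. taken when the module was mapped."""
    code = bytearray(b"\xcc" * REGION_SIZE)
    for rva in EXPORTS.values():
        off = rva - REGION_RVA
        code[off:off + len(CLEAN_PROLOGUE)] = CLEAN_PROLOGUE
    return bytes(code)


def hooked_region():
    """Same region after a constructed rootkit planted a JMP rel32 detour at NtCreateFile."""
    code = bytearray(baseline_region())
    entry_va = MODULE_BASE + EXPORTS["NtCreateFile"]
    target_va = MODULE_BASE + 0x50_0000        # trampoline outside the module's image range
    rel32 = target_va - (entry_va + 5)         # E9 is relative to the next instruction
    off = EXPORTS["NtCreateFile"] - REGION_RVA
    code[off:off + 5] = b"\xe9" + struct.pack("<i", rel32)
    return bytes(code)


def region_hash(region):
    """Integrity hash of the region; a mismatch with the baseline means the code was written."""
    return hashlib.sha256(region).hexdigest()


def changed_offsets(baseline, current):
    """Region-relative offsets whose bytes differ from the baseline."""
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def decode_detour(code, va):
    """Return the branch target if the bytes at `va` start with a common detour pattern.

    Patterns handled: E9 rel32 (jmp rel32) and 48 B8 imm64 FF E0 (mov rax, imm64 ; jmp rax).
    Returns None when the entry does not start with a detour.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel32 = struct.unpack("<i", code[1:5])[0]
        return (va + 5 + rel32) & 0xFFFF_FFFF_FFFF_FFFF
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack("<Q", code[2:10])[0]
    return None


def find_detours(region):
    """Exports whose first instruction branches outside the module's own image."""
    hits = []
    for name, rva in EXPORTS.items():
        off = rva - REGION_RVA
        va = MODULE_BASE + rva
        target = decode_detour(region[off:off + 12], va)
        if target is not None and not (MODULE_BASE <= target < MODULE_BASE + MODULE_SIZE):
            hits.append((name, target))
    return hits


if __name__ == "__main__":
    clean, hooked = baseline_region(), hooked_region()
    print("baseline hash :", region_hash(clean))
    print("current hash  :", region_hash(hooked))
    print("changed bytes :", [hex(o) for o in changed_offsets(clean, hooked)])
    for name, target in find_detours(hooked):
        print(f"detour: {name} -> {target:#x} (outside module image)")
```

The two checks are complementary: the hash comparison catches any write to the code region, including patches that are not branch instructions, while the detour decoder says which export was hooked and where control now goes, which is what an analyst needs to find the attacker’s trampoline. Both rely on the hypervisor reading the guest’s physical pages directly, so a rootkit that hides the patch from in-guest readers (for example by hooking the guest’s own memory-read paths) gains nothing.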

According to predictions published last December by Bitdefender’s CTO, Bogdan Dumitru, 2016 will bring an increase of targeted attacks on the enterprise and of strongly obfuscated bots with a short lifespan and frequent updates. Most of these attacks will specialise in information theft. Attackers will be in and out of an organisation in a few days, maybe even hours, so APT, which currently stands for Advanced Persistent Threats, might better stand for Advanced Penetration Threats, or even BA for Blitzkrieg Attacks. Bitdefender is the only security company that provides protection at the ring -1 level, and it keeps your company from becoming the next victim.
