![]() This means deploying best-of-breed scanning-based solutions. Reliably preventing compromise by advanced threats requires deploying a layered security posture that makes attackers’ life difficult. XDR - Which Is Right for Your Cybersecurity Stack? Securing the In-memory Security Gap with Moving Target Defense This makes the chances of catching malicious activity in runtime memory close to zero. The challenge is exacerbated by the fact that increasing amounts of threat actors are using polymorphism, packing, and obfuscation to hide their presence, including in-memory. This leaves a significant security gap for exploitation by Cobalt Strike and similar tools. Even then, in a best-case scenario, memory scanning-focused solutions can only scan a small percentage of application memory. However, this is typically done within a sandbox, not in the real-time environment of endpoints. NGAV, EPPs, and EDRs/XDRs can perform memory introspection. Typical stages in CobaltStrike execution, which works primarily in-memory to evade detection. So this leads to close to zero visibility. Secondly, because memory is constantly changing and there are limits to how many times you can stop an application without reducing its responsiveness, it’s impossible to continuously scan an application. Any solution trying to perform large-scale memory inspection of this size consumes significant system resources. Consider the runtime environment of a typical application, which could hold close to 4GB of virtual memory. Firstly, runtime memory is a vast, dynamic space that requires significant processing power to scan. Specifically, they can’t effectively perform memory introspection during application execution, which is needed to find and prevent malware as it executes in memory.Ī key constraint is that memory inspection during application runtime massively degrades usability. Despite vendor claims, they can’t effectively find and stop malware in memory at runtime. Just look at the inherent security gap in EDRs. The continuing success of attacks using Cobalt Strike, as well as others such as Emotet and Opens a new window Jupyter, illustrate a growing gap that has developed between attacks, which are changing and becoming increasingly more sophisticated, and defenses, which are stagnant and predictable. These evasive techniques ensure Cobalt Strike runs undetected in memory once its initial loader has been executed. That may sound easy enough, but here’s the catch-Cobalt Strike employs sophisticated evasive techniques upon installation, execution, and during C2 communications. Source: Microsoft Opens a new window Cobalt Strike Evades EDRs by Executing In-MemoryĮDRs (Endpoint Detection and Response) must detect Cobalt Strike and other pen-testing frameworks to stop them. The CobaltStrike Beacon was used for remote control in the SolarWinds attack. About 67 percent of those backdoor cases were ransomware attempts, though defenders were able to detect the backdoor before the ransomware was deployed. IBM’s 2023 Security X-Force Threat Intelligence Index Opens a new window notes the deployment of backdoors (like Cobalt Strike) emerged as attackers’ top action last year. Nevertheless, Cobalt Strike continues to feature in prominent attacks, including the infamous SolarWinds supply chain attack. The surge of Cobalt Strike exploitations has led Google Cloud’s intelligence research to release 165 YARA Opens a new window rules to try and improve detection mechanisms. The MITRE ATT&CK knowledge base documents over 50 techniques the Cobalt Strike framework uses and over 20 APT groups actively exploiting the framework. Unfortunately, threat actors ranging from ransomware operators to state-sponsored advanced persistent threat (APT) groups also use Cobalt Strike for their own malicious ends. Cobalt Strike’s Beacon is a post-exploitation backdoor and part of a rich Cobalt Strike framework used to achieve persistence, privilege escalation, and lateral movement within a network. That’s moving target defense, explains Michael Gorelik, CTO of Morphisec.Ĭobalt Strike is an adversary simulation tool developed for pen-testing to emulate the tactics and techniques malicious actors use when attempting to access and control a target’s network. ![]() Stopping these attacks requires a layered security posture that secures the in-memory security gap of detection-based security solutions. Right now, a variety of threat actors, including a dvanced persistent threat groups, are abusing Cobalt Strike for malicious ends.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |