Hypervisor Introspection: Fighting APTs in Business Environment – Part 1

Liviu Arsene

May 24, 2016

Hypervisor Introspection: Fighting APTs in Business Environment – Part 1

Recent cybersecurity incidents have left organizations and companies struggling to implement the necessary resources to minimize IT risks, regardless of how much security budgets have increased. More than 71 percent of organizations fear zero-day attacks and strongly believe they’re the most serious threats, and over 74 percent believe that it’s likely and very likely that their organization will be hit by an APT (Advanced Persistent Threat).

The main reason why such attacks are difficult to detect is that threats such as rootkits or kernel exploits often trick the operating system into hiding its tracks, hence dodging security solutions in the process as well. Detecting something that neither the operating system nor the security solution can see was believed to be impossible – or at least difficult to achieve - until now.

Developed in collaboration with Citrix by leveraging their hypervisor, HVI is a new security layer that runs raw memory introspection. Because it addresses attack techniques and not specific malware, independently reading raw memory without relying on information (APIs) from the operating system, it means that HVI is completely agentless and fully compatible with any existing EPP solution.

Defining APTs and their  Life-Cycle

An APT is usually characterized by a set of stealthy computer hacking processes performed by malicious entities on targeted organizations, nations, and businesses. The Turla APT is one of the most notorious examples of attacks where government have been infiltrated and information has been exfiltrated for a very long period of time.

Financial institutions, such as banks, have also been taking the blunt of these attacks as the Karbanak APT operated undetected for about 2 years and caused financial losses estimated at around $1 billion.

Just like any other malware infection, the first stage is all about the attack vector. May it be a drive-by attack or a maliciously crafted PDF file, the attacker usually chooses a means through which he can infect his victim/target. The second stage involves using an exploit – usually an undocumented or unknown vulnerability – in a commonly used application in order to force it to run malicious code.

The next step usually involves dropping a user-app payload or a kernel payload into the victim’s computer, in order to establish a foothold. This is usually a type of malware or remote connection tool that enables the attacker to gain a backdoor into the computer. The last and final stage of the attack usually ends with the attacker gaining complete remote access to the infected computer and using it to either deploy new tools for network lateral movement or exfiltrate critical and sensitive data.

Don’t Trust the Operating System

Because security solutions rely on kernel and OS APIs to get information about what’s going on with files, registry entries or any OS activity, they’re prone to relying on false information if the system is somehow corrupted. Kernel exploits and rootkits usually run with the same administrative privileges as a security solution, but they can sometimes trump the endpoint protection and end up controlling the entire OS.

APTs often rely on such techniques in order to remain undetected for a long time – sometimes even months – with the standoff between security software and APTs practically left to chance.

The only solution – although deemed impossible to achieve – was to find a way to go below the operating system and assume that the information it’s feeding to the EPP could be corrupted or altered by an attacker. With virtualization technologies gaining fast adoption, the hypervisor solution coupled with a technology that’s able to offer insight into the raw memory stack of every virtual machine was designed to add another layer of security.

However, having the ability to read raw memory and analyze it at such a low level – without relying on any information provided by the operating system – was a security challenge that only a handful of people in the world could actually achieve.

Hypervisor Introspection (HVI) works directly with the raw memory of the machine, meaning that no malware, piece of code, or action can hide from it. While gaining insight into the virtual machine’s memory from outside the operating system is only possible via a hypervisor (Citrix in this case), actually interpreting raw memory lines and piecing them together to get a full picture is the innovation that solve the context versus isolation dilemma.

Leveraging Citrix’s hypervisor APIs for virtual machine introspection, our memory introspection engine doesn’t require any local agent – or other form of software – deployed in the virtual machine, as it looks directly at the memory allocated to the VM. To this end, if an EPP security solution runs with the highest level of privileges in OS (usually referred to as “ring 0”, “root” or “admin” privileges), HVI runs with ring -1 privileges, as it does not rely on any information provided by the operating system, but by the memory.

Continue reading part 2.

Contact an expert



Liviu Arsene

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact in critical public and private business infrastructures. His passions revolve around innovative technologies and gadgets, focusing on their security applications and long-term strategic impact.

View all posts

You might also like