The CIO-level business angle on the latest tech
Network World - Imagine you've been forced into playing a game of hide-and-seek with The Invisible Man. You can't find him in any of the normal hiding places because, of course, you can't see him. His amazing ability to remain invisible forces you to use different tactics. If you can't see him, maybe you can see the flattened blades of grass where he has walked, or you can feel a slight breeze as he runs past you to another hiding place. Just because he's invisible doesn't mean he isn't there, and he's leaving slight traces that will help you find him. You just need to follow those subtle clues until your opponent is no longer hidden.
Now let's take that analogy and apply it to finding a different kind of opponent: malware on your computer systems. The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It's a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn't be there. With the right skills and the right tools, you can eventually make this invisible malware stick out like a sore thumb. Then you can capture it and win your game.
In a roundabout way, I've just described a new course offered by the SANS Institute called Windows Memory Forensics In-depth. As the name implies, the course teaches you how to use forensic techniques to analyze the memory of Windows-based systems that are actively running. The course is intended for IT security professionals working in industries or organizations that have a constant target on their back -- like financial services, critical infrastructure, military or government -- the kinds of high-value organizations that attackers go after persistently.
Memory-resident malware is at the top of the scale for sophisticated attacks, according to Jesse Kornblum, the developer and trainer of the new SANS Institute course. It's the kind of tool that rogue nations are known to use to infiltrate high-value targets. An attacker turns to in-memory malware only after every other type of attack has failed. It is notoriously hard to detect, which makes it all the more dangerous.
Kornblum spent years researching memory-resident malware and this course is the culmination of what he has learned. He teaches techniques that help security professionals find what is otherwise well hidden.
"Traditional forensics looks at what is on the disk," says Kornblum. "When malware gets written to disk, it is stored on the server and run on the computer, and that's how it maintains its persistence. In the past several years though, malware authors have realized that if they write their code to the disk, it can be discovered easily. It's right out there for anyone to see. And so what they've started doing is making their malware memory-resident only. In essence, the malware is loaded into RAM and it never touches the disk. Therefore it won't be found using traditional forensic techniques."
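The "subtle clues" the article alludes to can be made concrete. Code that exists only in RAM still has to occupy executable pages, and those pages cannot point back to an image file on disk the way a normally loaded DLL's pages do. The following is an added example, not code from the article or from the SANS course: it triages a constructed, Windows-style listing of a process's memory regions and flags executable regions that no file backs, or that are both writable and executable. The `Region` fields, the sample process and its addresses are invented for the illustration; the `PAGE_*` protection constants are the real values from winnt.h.

```python
"""Triage a process memory map for regions that look like memory-only code.

Heuristic, defender-side illustration (constructed data, not a real capture):
executable regions with no backing file, or with read-write-execute protection,
are the traces worth examining in a memory image.
"""
from dataclasses import dataclass
from typing import List, Optional

# Windows page-protection constants from winnt.h (real values).
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    """One virtual-memory region, in the shape a memory-forensics tool would list it (hypothetical layout)."""
    pid: int
    base: int
    size: int
    protection: int
    mapped_file: Optional[str]  # image or file backing the region; None means private memory
    head: bytes                 # first bytes of the region, used for a PE-header check


def is_executable(protection: int) -> bool:
    """True if any execute bit is set in the page protection."""
    return bool(protection & EXECUTABLE_MASK)


def suspicious_regions(regions: List[Region]) -> List[dict]:
    """Return one finding per executable region that lacks a file backing or is RWX.

    Non-executable regions (heaps, stacks, data) are skipped outright: they cannot
    hold running code, whatever their contents look like.
    """
    findings = []
    for r in regions:
        if not is_executable(r.protection):
            continue
        reasons = []
        if r.mapped_file is None:
            reasons.append("executable region not backed by any file on disk")
            if r.head[:2] == b"MZ":
                # A PE header in unbacked memory suggests a module loaded without the OS loader.
                reasons.append("PE header present in unbacked memory")
        if r.protection == PAGE_EXECUTE_READWRITE:
            reasons.append("RWX protection; legitimately loaded images are rarely writable and executable")
        if reasons:
            findings.append({"pid": r.pid, "base": r.base, "size": r.size, "reasons": reasons})
    return findings


# Constructed sample: one process, four regions. Addresses and file paths are made up.
SAMPLE_REGIONS = [
    Region(1234, 0x7FFD0000, 0x1F0000, PAGE_EXECUTE_READ,
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),        # normal loaded image
    Region(1234, 0x00A00000, 0x100000, PAGE_READWRITE, None, b"\x00\x00\x00\x00"),  # heap
    Region(1234, 0x02500000, 0x8000, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00"),   # unbacked PE, RWX
    Region(1234, 0x03100000, 0x2000, PAGE_EXECUTE_READ, None, b"\x48\x89\x5c\x24"),  # unbacked code, no PE header
]


def triage_sample() -> List[dict]:
    """Run the heuristic over the constructed sample and return its findings."""
    return suspicious_regions(SAMPLE_REGIONS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"pid {f['pid']} base {f['base']:#x} size {f['size']:#x}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The last sample region shows why this is triage rather than verdict: just-in-time compilers and some legitimate runtimes also emit executable code into private memory, so an unbacked executable region is a lead to examine (dump it, check for a PE header, compare against known modules), not proof of compromise on its own.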
Linda Musthaler is a principal analyst with Essential Solutions Corporation.