12 June 2024

Why should IT Auditors use Memory Forensics to enhance the cybersecurity posture of their clients?
Author: Robert Jan Mora
The fight against cybercrime requires more than traditional security measures. IT auditors, who assess the robustness of an organization's cybersecurity, must step up their game. 
1. Introduction
In the last decade, organizations have adopted Endpoint Detection and Response (EDR) capabilities to combat nation-state threats and cybercrime, often on the recommendation of their auditors. EDR alone, however, has not significantly reduced ransomware attacks. This is partly due to a shortage of staff to interpret the alerts and partly due to the growing ability of threat actors to evade EDR. A recent study of 26 EDR products found that none of them prevented every tested evasion technique, and tools like EDRBlast rendered several EDR solutions ineffective (notes 1 and 2).

The fight against cybercrime requires more than traditional security measures. IT auditors, who assess the robustness of an organization's cybersecurity, must step up their game. Despite passing audits, many organizations still suffer from ransomware, highlighting the inadequacy of current controls. Auditors typically rely on interviews, documentation, and limited technical checks, which is no longer sufficient.

But how can an auditor determine whether a client's system or network is in a trusted state, has been compromised, or lacks the controls the client has "stated" to be in place, without ever sampling and analyzing the volatile memory of critical systems?

To strengthen their assessments, auditors should adopt memory forensics, a powerful technique used by threat hunters and incident response analysts to detect concealed threats. NIST IR 8428 (2022) stresses its importance in uncovering sophisticated cyber-attacks through memory analysis rather than disk inspection alone: “Memory Forensics – Because everything has to go through memory, it is an extremely viable source of forensics data. Instead of hunting the entirety of the physical disk looking for malware, it is possible to analyze memory and see the malware running.” (note 3)

There is a strong case for integrating memory forensics into IT audits to better assess cybersecurity risks and improve security postures. Currently, its use in IT audits is rare due to perceived complexity, but it offers a valuable opportunity to gain insights without disrupting business operations. In the following sections, I will explain memory forensics, its current applications, and why IT auditors should incorporate it into their practices or at least ensure their clients' cyberdefense teams are using this capability.
2. What is Memory Forensics?

The memory forensics field has always been complex, dynamic, and research-oriented. It essentially started with the DFRWS memory analysis challenge among researchers in 2005, followed in 2007 by the release of the Volatility framework, and the foundation behind it, by the people who went on to found Volexity (notes 4 and 5). Since then, stable next-generation memory collection and analysis capability has become widely available to every analyst across Windows, macOS and Linux (note 6). A memory collection tool preserves the state of a computer at the moment the collection takes place and simultaneously gathers the relevant artifacts. The data found in volatile memory is the data the processors are actually executing. It gives investigators insight into several data sources at once, including the current process tree, network activity, and artifacts from the disk itself, and it allows you to understand both what is currently active and what has happened (i.e., been executed) in the past.


With the evidence gathered through memory forensics, you can ascertain with confidence the state of a device and its configuration, as well as the state and workings of the implemented security measures or their flaws. It has proven to be a highly reliable source of evidence, particularly for determining whether controls were or were not implemented or active at a specific moment in time. This capability not only provides assurance but also allows retrospective analysis in the light of new findings an audit may produce.

3. Unparalleled Insight into Cyber Threats and Risky Practices
Memory forensics also offers unparalleled insight into cyber threats by providing a detailed view of system memory. There are even memory forensic solutions, such as our Volcano memory analysis platform, in which investigators can work collaboratively on multiple cases across regions worldwide. Memory forensics has been instrumental in regularly finding so-called zero-day exploits used by advanced nation-state threat actors.
The two figures below show, in Figure 1, the process listing of a compromised Ivanti Connect Secure (ICS) VPN server and, in Figure 2, the exploitation of a vulnerable API endpoint with a POST request that the threat actors abused as a zero-day. Because advanced threat actors usually clear logs to hide their tracks, the discovered POST request with its full payload is a memory-only artifact: you will find it in memory and nowhere else. More about the discovery of the Ivanti zero-days and the Palo Alto zero-day through memory forensics can be found here and here.
Figure 1. Process tree of a compromised Ivanti ICS VPN Server
Figure 2. Full memory-only POST request to vulnerable Ivanti api-endpoint
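As an added illustration of the two memory-only artifacts in the figures above (this is my own example, not Volexity's code or output, and every process record, path and byte below is constructed), the following Python triage script does two things: it flags processes in a pstree-shaped listing that are shells or downloaders descending from a server daemon, the pattern behind Figure 1, and it carves complete HTTP requests, body included, out of a raw memory buffer using the Content-Length header, the way the request in Figure 2 survives only in memory once logs have been wiped. The hypothetical endpoint `/api/v1/hypothetical/endpoint` and the payload are placeholders, not the real exploit.

```python
"""Two memory-only artifacts from a server memory sample: an anomalous process
tree and an HTTP POST request carved from raw bytes.  Added example, not
Volexity's code or output; every record and byte below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed listing shaped like the PID / PPID / name columns of a Volatility
# pstree.  A web daemon spawning a shell that spawns a downloader is the kind of
# chain seen on compromised VPN appliances; the names are illustrative only.
SAMPLE_PROCS = [
    Proc(1, 0, "init"),
    Proc(412, 1, "sshd"),
    Proc(803, 1, "web"),
    Proc(2217, 803, "sh"),
    Proc(2218, 2217, "curl"),
    Proc(2300, 412, "bash"),   # interactive admin shell under sshd: expected
]

SERVER_DAEMONS = {"web", "httpd", "nginx", "apache2"}          # should not spawn shells
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "dash", "curl", "wget", "python", "perl"}


def ancestry(procs, pid):
    """Process names from pid up to the root, e.g. ['curl', 'sh', 'web', 'init']."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # 'seen' guards against PPID loops
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def suspicious_descendants(procs):
    """(pid, ancestry) for every shell/downloader that has a server daemon above it."""
    hits = []
    for p in procs:
        chain = ancestry(procs, p.pid)
        if p.name in SHELLS_AND_DOWNLOADERS and SERVER_DAEMONS & set(chain[1:]):
            hits.append((p.pid, " <- ".join(chain)))
    return hits


# Request line, headers, blank line.  The body is cut afterwards by Content-Length
# because it may contain arbitrary bytes that a regex should not try to bound.
HTTP_REQUEST = re.compile(
    rb"(?P<method>POST|GET|PUT|DELETE) (?P<path>\S+) HTTP/1\.[01]\r\n"
    rb"(?P<headers>(?:[^\r\n]+\r\n)*)\r\n"
)


def carve_http_requests(mem):
    """Return (method, path, headers, body) for each HTTP request found in mem."""
    requests = []
    for m in HTTP_REQUEST.finditer(mem):
        headers = {}
        for line in m.group("headers").split(b"\r\n"):
            if b":" in line:
                key, value = line.split(b":", 1)
                headers[key.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0").decode())
        body = mem[m.end():m.end() + length]
        requests.append((m.group("method").decode(), m.group("path").decode(), headers, body))
    return requests


def memory_only_posts(mem):
    """POST requests with their full payload; on a log-wiped box these exist only here."""
    return [r for r in carve_http_requests(mem) if r[0] == "POST"]


POST_BODY = b"user=admin&cmd=id"        # constructed payload, not a real exploit
SAMPLE_MEMORY = (                        # constructed 'memory': junk around two requests
    b"\x00" * 32
    + b"GET /index.html HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"
    + b"\xff" * 16
    + b"POST /api/v1/hypothetical/endpoint HTTP/1.1\r\n"   # hypothetical path
    + b"Host: vpn.example.test\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(POST_BODY)).encode() + b"\r\n\r\n"
    + POST_BODY
    + b"\x00" * 32
)

if __name__ == "__main__":
    for pid, chain in suspicious_descendants(SAMPLE_PROCS):
        print(f"suspicious pid {pid}: {chain}")
    for method, path, _, body in memory_only_posts(SAMPLE_MEMORY):
        print(f"{method} {path} body={body!r}")
```

On a real sample you would feed `carve_http_requests` the raw image (or the pages of the web daemon's address space) and `suspicious_descendants` the output of the pstree plugin; the ancestry walk rather than a direct parent check matters, because the downloader in the chain is the grandchild of the daemon, not its child.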
Unlike traditional security measures that focus on perimeter defense, signature-based detection, or behavior detection controls, memory forensics enables auditors to uncover sophisticated threats that may evade detection by other means. By analyzing volatile memory, auditors gain insight into current or historical malicious processes, unauthorized access attempts, and other indicators of compromise that would otherwise go unnoticed. Memory forensics can also be used to determine whether EDR technology has been evaded, tampered with or bypassed, as mentioned in the introduction, by inspecting whether the EDR's kernel callbacks and (user-land) drivers are still in place and operating in a trusted state (note 7).
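An added example of the EDR check described above (my own illustration, not Volexity's tooling or any vendor's; the driver names acme_edr.sys and otherfilter.sys are hypothetical, and the tables are constructed to resemble the columns of Volatility 3's windows.modules and windows.callbacks output). The expected set of callback types is derived from a known-good host, and a sample is then checked for three things a tampering tool leaves behind: the EDR driver missing from the module list, callback registrations that have vanished, and callback pointers that resolve into no loaded module at all.

```python
"""Verify from a memory sample that an EDR's kernel callbacks are still in place.
Added example, not Volexity's or any vendor's tooling.  The tables are constructed
to resemble Volatility 3 'windows.modules' and 'windows.callbacks' output, and
'acme_edr.sys' / 'otherfilter.sys' are hypothetical driver names."""

# Constructed module table: name, image base and size as hex strings.
MODULES = """\
Name\tBase\tSize
ntoskrnl.exe\t0xfffff80040000000\t0x800000
otherfilter.sys\t0xfffff80040a10000\t0x30000
acme_edr.sys\t0xfffff80041250000\t0x20000
"""

# Constructed callback table from a known-good host: the EDR registers four
# notify routines and another filter driver registers one of its own.
HEALTHY_CALLBACKS = """\
Type\tCallback
PsSetCreateProcessNotifyRoutine\t0xfffff80041256780
PsSetCreateThreadNotifyRoutine\t0xfffff80041257110
PsSetLoadImageNotifyRoutine\t0xfffff80041257900
CmRegisterCallback\t0xfffff80041258a00
PsSetCreateProcessNotifyRoutine\t0xfffff80040a11000
"""

# Constructed table from a tampered host: the thread callback is gone and the
# image-load callback pointer now points at memory that belongs to no driver.
TAMPERED_CALLBACKS = """\
Type\tCallback
PsSetCreateProcessNotifyRoutine\t0xfffff80041256780
CmRegisterCallback\t0xfffff80041258a00
PsSetCreateProcessNotifyRoutine\t0xfffff80040a11000
PsSetLoadImageNotifyRoutine\t0xfffff80050003210
"""


def parse_table(text):
    """Tab-separated table with a header row -> list of row dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def load_modules(text):
    return {r["Name"]: (int(r["Base"], 16), int(r["Size"], 16)) for r in parse_table(text)}


def owning_module(addr, modules):
    """Name of the loaded module whose image contains addr, or 'UNKNOWN'."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return "UNKNOWN"


def edr_callback_types(callbacks_text, modules_text, edr_module):
    """Callback types whose pointers resolve into the EDR driver (the baseline)."""
    modules = load_modules(modules_text)
    return {r["Type"] for r in parse_table(callbacks_text)
            if owning_module(int(r["Callback"], 16), modules) == edr_module}


def edr_callback_findings(callbacks_text, modules_text, edr_module, expected_types):
    """Compare a sample against the baseline.  Empty list == EDR still in a trusted state.
    Attribution is done from the pointer value, never from a name the sample reports."""
    modules = load_modules(modules_text)
    findings = []
    if edr_module not in modules:
        findings.append(f"{edr_module} is not in the loaded module list")
    present = set()
    for r in parse_table(callbacks_text):
        owner = owning_module(int(r["Callback"], 16), modules)
        if owner == edr_module:
            present.add(r["Type"])
        elif owner == "UNKNOWN":
            findings.append(f"{r['Type']} callback at {r['Callback']} is outside every loaded module")
    for t in sorted(expected_types - present):
        findings.append(f"{edr_module} no longer registers {t}")
    return findings


if __name__ == "__main__":
    expected = edr_callback_types(HEALTHY_CALLBACKS, MODULES, "acme_edr.sys")
    for label, table in (("healthy", HEALTHY_CALLBACKS), ("tampered", TAMPERED_CALLBACKS)):
        print(label, edr_callback_findings(table, MODULES, "acme_edr.sys", expected) or "OK")
```

The baseline must come from a host the auditor trusts, captured with the same EDR version, because vendors change which routines they register between releases; a difference against a stale baseline is a question for the cyber defense team, not yet a finding.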
4. Comprehensive Security Assessment
Memory forensics enables IT auditors to conduct comprehensive security assessments that go beyond surface-level evaluations, and it usually gives confronting insights into the IT hygiene of a customer. Memory forensics can uncover user credentials stored in memory, including usernames, passwords, authentication tokens, and session cookies. This information is particularly valuable for assessing the effectiveness of password management practices, but it also reveals unsafe practices that would otherwise never have been identified.
5. Evidence-Based Audit Findings
Memory forensics provides IT auditors with concrete, evidence-based findings that substantiate their audit conclusions and recommendations. Rather than relying solely on interviews, documentation reviews, or configuration checks, auditors can use memory forensics to gather hard evidence of security incidents, unauthorized access attempts, and other security-related events. This makes audit findings robust, defensible, and actionable, which improves the auditee's cybersecurity. A confrontation with reality is likely, as the auditor can now verify, and where necessary refute, claims made by the auditee during the audit.
6. Audit organizations for memory forensics capabilities 
Performing memory forensics on critical systems during an audit may be too ambitious if the auditor's memory forensic skills are limited. In that case the auditor can at least test whether a memory forensic capability exists, whether it works, and whether it is used and understood by the cyber defense staff. Alternatively, the auditor can ask the cyber defense staff to provide the results for a sample of critical systems during the audit.
If no memory forensics capability is present, the auditor can recommend building one to close the visibility gaps, such as EDR blind spots, that currently go unseen. This will improve the cybersecurity resilience of the audited organization.

7. Conclusion
In conclusion, memory forensics is a valuable technique that IT auditors, as a significant stakeholder group, should embrace to improve cybersecurity resilience and mitigate their clients' cyber risks. By leveraging memory forensic techniques, auditors gain unparalleled insight into risks related to the configuration of essential security controls, to IT hygiene, and to cyber threats against the client's infrastructure. By maturing their clients' cybersecurity through memory forensic audits, organizations become more resilient against advanced threat actors and ransomware attacks.

Ultimately, memory forensics empowers IT auditors to play a more proactive role in strengthening an organization's security posture and in safeguarding it against an ever-evolving threat landscape.

IT auditors who use memory forensics will quickly adopt the capability within their own firms and encourage their auditees to implement robust memory forensics capabilities, improving both their own and their customers' resilience. Memory forensics has evolved greatly. It is no longer that complex, and it remains one of the most vital sources of evidence, especially for IT auditors.

If auditors do not feel comfortable collecting and analyzing memory samples of critical systems because of limited knowledge, they should at least audit for the presence of memory forensic capabilities in the cyber defense organization. This limits endpoint visibility gaps and so improves the organization's cybersecurity resilience, because the potential impact of cyber attacks is better understood through the use of memory forensics. Proactively and regularly checking critical systems for relevant breach indicators limits the impact on employees' privacy, but memory samples often do contain sensitive data that was loaded into the systems' memory. It is therefore important to have proper security controls in place for the storage and retention of memory samples and for the staff who can access them.

Many mature cyber organizations that understand the limitations of EDR detection, and how threat actors bypass that control, have invested in memory forensics capabilities in their networks. The financial investment needed to complement the detection function with memory forensics is limited, although it depends on the organization's size.

If you want to receive more information about memory forensics and how to apply it in your IT-audits to further mature the cyber resilience of the auditees, contact Robert Jan Mora, rmora@volexity.com
Robert Jan Mora
Robert Jan Mora is a principal threat investigator at Volexity. He studied IT-Auditing at the Vrije Universiteit Amsterdam (VU) and is a Registered IT-Auditor (RE) with NOREA. He used to manage the Threat and Analytics team at Shell. In previous roles he also performed malware forensics in several high-profile breach investigations and security assessments for governments and corporations. In addition, he tracks nation-state threat actors for fun and assesses digital forensic candidates who apply as digital forensic expert witnesses for the Netherlands Register of Court Experts (NRGD) and the Netherlands Forensic Institute (NFI). He is also a long-time member of the program committee of the Digital Forensic Research Workshop (DFRWS) EU conference. Robert Jan Mora | LinkedIn