Nothing else is working. Why not memory forensics?

I ran across a couple of blog posts recently that were espousing the virtues of memory forensics.  Having developed a framework very similar to Volatility from the ground up under a government contract before Volatility was a thing, I have some perspective on its uses.  I like memory forensics.  But encouraging its use as a central security tool indicates an outmoded and unrealistic security model.

Throwing memory forensics at the problem is a hedge.  Most companies would have trouble finding, let alone affording, the skilled personnel needed to make adequate memory forensics a central, or even occasional, part of their security regime.  And even if they could, it would be leveraging expensive resources in the least efficient way possible – making them manually hunt for evidence of attackers in gigabytes of data among a deluge of false-positive-prone “leads”.  Even attacks involving humans behind keyboards move at shorter timescales than memory forensics.  And after your manual memory forensics investigation is over, how do you know that the endpoint isn’t still owned?  This is not a model that scales, and it’s not a model that works for the typical organization.  What is needed is a solution focused on detecting actual adversary tactics and procedures, and doing so efficiently, without needing to rely on in-house IT assets to stay abreast of such things.

If you are still skeptical, you need only look at the evidence in the market that this approach has been tried before and has failed.  Startups such as HBGary were founded on the premise that we need humans to perform memory analysis of possibly compromised endpoints on a regular basis as a central component of our security regime.  Such approaches are no longer at the top of anybody’s short list of technologies to evaluate, and for good reason: such response techniques occur on longer timescales than the attacks they might detect.  But somehow what is old is new again, and some endpoint security vendors are once again pushing inefficient manual methods that are wasteful of human resources.

If a vendor suggests you need to do detection by leveraging memory forensics tools, they’re distracting you from their lack of detection capability.  What is papered over in such a model is the question that should be central and pervasive in our industry:  How do I detect attacks against my organization, and how do I do that efficiently given my limited human resources?  A modern solution should give you good visibility – that’s a given.  But a modern solution should also actually detect the adversary and give the analyst contextual information around that detection.  And not just once or twice, enough to “show value”: it needs to detect the adversary consistently, independent of what other technologies you might already have deployed.

This is what is meant by an Indicator of Attack, or IOA-based, approach.  IOAs capture the behaviors of the adversary and alert your organization as soon as they happen.  The ability to act on increasingly tighter timescales is crucial to effective response.  The ability to provide automated prevention on the basis of such behavioral IOAs further distinguishes the right approach from the many wrong ones.  The IOA-based approach involves not only detecting, alerting, and preventing, but also automatically providing the specific additional forensic data that an expert analyst would typically want to obtain following an alert of any given type.  That is the type of approach necessary to level the playing field and make real security available to any organization – not just those with the wherewithal to engage in expensive, inefficient, and slow response techniques like memory forensics.
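To make the IOA idea concrete, here is a small added example (not code from the original post or from any vendor): a streaming engine that evaluates a behavioral rule against each process-start event as it arrives and, on a match, attaches the process ancestry an analyst would otherwise have to dig out by hand.  The telemetry, the `ProcEvent` shape and the single rule are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """One process-start event from endpoint telemetry (shape constructed for this example)."""
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str

@dataclass
class Ioa:
    """A behavioral rule: who spawned whom, plus a command-line marker (a behavior, not a hash)."""
    name: str
    parent_images: frozenset
    child_images: frozenset
    cmdline_marker: str

# Hypothetical rule for illustration; real IOA sets come from ongoing research, not from this snippet.
RULES = [
    Ioa("office app spawns script host with encoded command",
        frozenset({"winword.exe", "excel.exe"}),
        frozenset({"powershell.exe", "wscript.exe"}),
        "-enc"),
]

class IoaEngine:
    def __init__(self) -> None:
        self.procs: Dict[int, ProcEvent] = {}   # pid -> most recent start event
        self.alerts: List[dict] = []

    def ancestry(self, pid: int) -> List[ProcEvent]:
        """Walk parent pointers so the alert already carries the context an analyst would ask for."""
        chain: List[ProcEvent] = []
        while pid in self.procs and len(chain) < 16:
            chain.append(self.procs[pid])
            pid = self.procs[pid].ppid
        return chain

    def ingest(self, ev: ProcEvent) -> List[dict]:
        """Evaluate the event the moment it arrives; return any alerts it raised."""
        self.procs[ev.pid] = ev
        parent = self.procs.get(ev.ppid)
        raised = []
        for rule in RULES:
            if (parent is not None and parent.image in rule.parent_images
                    and ev.image in rule.child_images
                    and rule.cmdline_marker in ev.cmdline.lower()):
                alert = {"rule": rule.name, "pid": ev.pid,
                         "ancestry": [(p.image, p.cmdline) for p in self.ancestry(ev.pid)]}
                self.alerts.append(alert)
                raised.append(alert)
        return raised

# Constructed sample telemetry: one suspicious chain and one benign admin shell.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", "winword.exe invoice.docx"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -enc PLACEHOLDER"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe Get-Process"),
]

def run_sample() -> List[dict]:
    engine = IoaEngine()
    for ev in SAMPLE:
        engine.ingest(ev)
    return engine.alerts
```

Only the Word-spawned shell fires; the one launched from the desktop does not, and the alert already lists the parent chain rather than leaving the responder to reconstruct it from a memory image.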

Is there a place for memory forensics?  Absolutely.  It belongs as an important tool in the research community.  Such research leads to the development of new IOAs that can be leveraged across all customers, and not just those that are up to speed on the latest memory forensic techniques.  After all, organizations shouldn’t have to independently reinvent detection.  The whole community should benefit uniformly.  Memory forensics does not belong as a typical tool in a rapid responder’s workflow.

Why most vendors can’t deliver IOA-based detection and prevention and so are forced to deemphasize it is a topic that will be explored in the next blog post.
