
How to Defeat Advanced Malware: New Tools for Protection and Forensics (2015)

Chapter 6. Advanced Forensics and Analysis


Bromium LAVA uses the Microvisor to detect attacks and to provide powerful in-depth analysis of the behavior of advanced malware, before signatures are available. It also offers a powerful platform for forensic analysis that equips IT with vital information needed to understand the origin, targets, and vectors of an attack.

Bromium’s Live Attack Visualization and Analysis (LAVA) uses the Microvisor to detect attacks and to provide powerful in-depth analysis of the behavior of advanced malware, before signatures are available. It also offers a powerful platform for forensic analysis that equips IT with vital information needed to understand the origin, targets, and vectors of an attack. With its multitier introspection framework, the centralized security application captures all the volatile information involved in the malware execution flow including the persistence aspects of the malware. This multipronged approach helps to notify users and IT reliably of compromised isolated tasks. The security operations teams can leverage this rich forensics information to act and tune their environments to limit the scope of further similar attacks.

The technology aims to identify attackers with a very high degree of accuracy, and to provide evidence of a compromise as soon as it occurs. There are three key advantages of the architecture that provide an opportunity for uniquely accurate and valuable detection and analysis:

• Courtesy of its privileged execution, the Microvisor has a unique perspective for introspection into a running micro-VM.

• Because a micro-VM is a restricted environment containing only one task, it is possible to easily detect behaviors that are anomalous for that task. Moreover, since micro-VMs execute Copy on Write, all changes made by any specific task are cached in its execution context, making it easy to associate attempted system changes with the specific task.

• Because the protect-first architecture will protect the system from an attack, malware need not be terminated early. Indeed, the attempted system modifications/compromises made by a task can be analyzed automatically when the task completes (or is closed by the user). Post-exploitation analysis of this form is dramatically simpler than pre-attack detection.

LAVA offers IT an ability to detect and study isolated malware to ascertain details about an attacker, his targets and methods, and to derive information to permit defense-in-depth.

6.1. Micro-VM behavioral analysis

LAVA includes a powerful behavioral analysis engine. This engine operates with a malware detection approach that is highly tuned to deliver accurate identification of real attacks; in other words, few to no “False Positives.” The engine combines insight into application/task layer semantics, with the narrow constraints of a microvirtualized execution environment.

The goal of the engine expressed in terms of the ROC diagram is shown below:


There are three key goals:

1. Provide a powerful new set of capabilities to separate attack and nonattack behavior as widely as possible, maximizing the ability of the detector to separate attack and nonattack events;

2. Tune the detector to minimize False Positives (FPF ∼ 0 due to the high threshold); and

3. Maximize True Positives.
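The three goals above, worked through on constructed data (this is an added illustration, not code from the book or from LAVA): a separation measure for goal 1, and a threshold chooser that caps the false-positive fraction for goal 2 while taking the highest true-positive fraction that remains for goal 3. Scores and labels are made up; 1 marks an attack event, 0 a benign one.

```python
# Constructed detector output: (score, is_attack). Not real LAVA data.
EVENTS = [
    (0.05, 0), (0.10, 0), (0.22, 0), (0.31, 0), (0.40, 0), (0.47, 0),
    (0.44, 1), (0.55, 1), (0.62, 1), (0.70, 1), (0.85, 1), (0.93, 1),
]

def rates(events, threshold):
    """True-positive fraction (TPF) and false-positive fraction (FPF) when
    every event scoring >= threshold is flagged as an attack."""
    tp = sum(1 for s, a in events if a and s >= threshold)
    fp = sum(1 for s, a in events if not a and s >= threshold)
    pos = sum(a for _, a in events)
    neg = len(events) - pos
    return tp / pos, fp / neg

def roc_curve(events):
    """One ROC point (threshold, TPF, FPF) per distinct score, highest first."""
    return [(t, *rates(events, t)) for t in sorted({s for s, _ in events}, reverse=True)]

def separation(events):
    """Goal 1: gap between the lowest attack score and the highest benign score.
    Positive means some threshold gives FPF = 0 and TPF = 1; negative means
    the two populations overlap and a trade-off is unavoidable."""
    return min(s for s, a in events if a) - max(s for s, a in events if not a)

def choose_threshold(events, max_fpf=0.0):
    """Goals 2 and 3: among thresholds with FPF <= max_fpf, return the
    (threshold, TPF, FPF) with the highest TPF."""
    best = None
    for t, tpf, fpf in roc_curve(events):
        if fpf <= max_fpf and (best is None or tpf > best[1]):
            best = (t, tpf, fpf)
    return best

if __name__ == "__main__":
    print("separation:", round(separation(EVENTS), 2))
    print("FPF = 0   :", choose_threshold(EVENTS))          # strict: block only what is surely malicious
    print("FPF <= .2 :", choose_threshold(EVENTS, 0.2))     # looser: alert earlier, accept some noise
```

Raising `max_fpf` is the "alert and block early" end of the dial; holding it at 0 is the "guaranteed malicious" end.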

6.2. Advanced live forensics

Every advanced attack typically follows a sequence:


Systems that rely on detection in order to block an attack are heavily focused on the first two stages. They focus on this aspect because the moment an attacker has persisted an attack, the system is compromised and must be reimaged.

LAVA has an opportunity to permit malware to execute to completion without any fear of the attack succeeding. The attacker in a micro-VM will attempt to retain an attack by dropping a payload into the system in some way, and then will execute the attack. Since this solution manages persistence explicitly, any attempt to persist state will be detected. Further, since it has a powerful ability to introspect granular task-isolated micro-VMs, it gains unique insights that are not possible on any other computer system. For example, if an advanced BIOS-kit or bootkit tries to overwrite the MBR to survive a reboot after compromising a task micro-VM, then the LAVA-enabled Microvisor identifies this activity and alerts the administrator.
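A toy model of the mechanism described in this section and in the Copy-on-Write and post-exploitation points of the bullet list above (an added example, not code from the book or from Bromium's LAVA): every write a task attempts lands in the task's own copy-on-write overlay, the real desktop state is never touched, and the cached changes are examined only after the task closes. The persistence locations and paths are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed list of locations an attacker writes to in order to survive a
# reboot (the "persistence" stage of the sequence). Prefix matching is used.
PERSISTENCE_LOCATIONS = {
    r"\\.\PhysicalDrive0": "raw disk / MBR (bootkit style)",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": "autorun registry key",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup": "startup folder",
}

@dataclass
class MicroVM:
    """One isolated task. Reads fall through to the shared desktop state;
    writes are cached in this task's overlay only (copy-on-write)."""
    task: str
    host: dict                                      # desktop state, never written
    overlay: dict = field(default_factory=dict)     # per-task cached changes
    log: list = field(default_factory=list)         # every attempted change, in order

    def read(self, path):
        return self.overlay.get(path, self.host.get(path))

    def write(self, path, data):
        # Associating the change with this task is trivial: it is the only one here.
        self.overlay[path] = data
        self.log.append((path, data))

def analyze_on_close(vm):
    """Post-exploitation analysis: the host was protected throughout, so the task
    could run to completion; now classify what it tried to change."""
    findings = []
    for path, data in vm.log:
        for loc, what in PERSISTENCE_LOCATIONS.items():
            if path.startswith(loc):
                findings.append({"task": vm.task, "path": path, "kind": what, "bytes": len(data)})
    vm.overlay.clear()      # discard the micro-VM: nothing persisted on the real desktop
    return findings

if __name__ == "__main__":
    host = {r"C:\Windows\System32\ntoskrnl.exe": b"kernel"}
    vm = MicroVM("pdf-reader:invoice.pdf", host)
    vm.write(r"C:\Users\alice\AppData\Local\Temp\tmp1.dat", b"scratch")       # benign scratch file
    vm.write(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", b"C:\Users\alice\u.exe")
    vm.write(r"\\.\PhysicalDrive0", b"\x00" * 512)                             # MBR overwrite attempt
    for f in analyze_on_close(vm):
        print(f)
    print("host untouched:", host == {r"C:\Windows\System32\ntoskrnl.exe": b"kernel"})
```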

6.3. LAVA architecture


LAVA offers a set of powerful virtualization-enabled features that provide unparalleled insights into the behavior of new attacks, helping IT to identify attackers, their methods and targets, and enabling defense in depth through the use of complementary security tools. In particular, it offers a unique ability to tune the detection capability between “alert and block early” and full late-stage forensics of guaranteed-malicious activity, via a simple tool that allows IT to select the optimum value.


If desired, IT can study the behavior of the attacker in detail, observing its network traffic, changes that it attempts to make to the operating system and/or file system, and gain insight into the specific vulnerabilities it is using to execute the attack. Since the specific context in which the attack arrived at the desktop is available, together with the task state for the micro-VM, the forensic capability enables IT to pinpoint the origin of the attack and its vector into the enterprise. It also helps IT security to identify the specific assets targeted by the attacker.

The outputs of this solution are the entire forensic kill-chain, together with a captive malware manifest, in an open industry-standard format, STIX/MAEC, which has been adopted by MITRE and federal agencies, the financial services industry, and others. Events are output in real time, and are centralized at the Management Server where they can be delivered to various operations systems:

• Simple use of a tool such as Splunk allows the C&C centers of an attack to be mapped in real time, as the attack occurs.

• The STIX forensic information can be parsed using Microsoft® Systems Center management workflows to trigger automated compliance checks and to force the user endpoint to be reexamined for security.

• The output can be delivered to a SIEM or other vendor console.

• The output can be delivered to a cloud-hosted “threat service” such as Microsoft MAPP, which can correlate malicious activity worldwide.

6.4. Conclusion

Attackers continue to increase the sophistication of their exploit techniques. Web browser release cycles are decreasing and the interval between the general availability of a new release and the appearance of the first security patches has also shortened. This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received. Notably, “use-after-free” type vulnerabilities remain zero-day attackers’ favorite.

The evolution from software-centric to hardware-based protection promises a revolution in online security, and it heralds some unforeseen benefits: although computers cannot discern good from bad, they are very good at enforcing the rules of “need to know” – even when we humans make mistakes. Appropriately implemented, such a system will protect the user by design when he/she mistakenly opens a malicious PDF document, or clicks on a poisoned URL.

Micro-virtualization extends the isolation and control principles of hypervisor-based virtualization into the OS and its applications. It does this by using hardware virtualization to dynamically virtualize and isolate vulnerable user tasks. It provides a powerful, hardware-guaranteed backstop for the existing software isolation used in the OS, protecting sensitive applications and data, and allowing users to safely access untrusted networks, documents, and removable media. It is the only technology that can safely permit code and data of different levels of trust to coexist on a single system with guaranteed mutual isolation.

Micro-virtualization protects desktops from attack: vulnerable tasks are isolated within the hardware-protected confines of a micro-VM. Micro-VMs execute with the full richness of Windows, but cannot modify the running desktop OS or applications; nor can they access privileged enterprise files, networks, websites, or devices. Any attempt by a micro-VM to access the file system, clipboard, network services, or any devices results in a hardware-forced VM_EXIT that returns control to the Microvisor, which polices access to system resources – enforcing dynamic least-privilege access with mandatory access controls.

Micro-virtualization protects the desktop first and foremost, by preventing any micro-VM from tampering with Windows, gaining access to protected enterprise documents or data, or retaining an attack for later execution.

Micro-virtualization isolates individual user tasks into micro-VMs, offering security teams a powerful new vantage point from which to obtain real-time, automated analysis of malware attacks, without any concern that an attack might succeed. The granular isolation protects the desktop first and foremost, and also offers a secure, safe environment in which malware can be observed as it attempts to attack the enterprise.

When a new attack is identified, the incident response team can:

1. be confident that the attack has been isolated and hence defeated;

2. obtain detailed insight into how the attack was initiated, its targets, and its multiple vectors; and

3. avoid the cost and downtime of remediation, because the architecture naturally discards malware, keeping systems “gold” and keeping users productive.

Any system that relies on on-the-fly detection of an attack in order to trigger protective measures – in other words the current state of the art in endpoint protection – faces a daunting task. Unfortunately no detector is perfect, and therefore an approach that depends on detection in order to protect is vulnerable to false negatives (i.e., failure to detect a real attack). If the attacker can bypass the detector, he will succeed. It is therefore imperative to adopt an approach that guarantees protection first and foremost, independent of any form of detection or analysis. The only system architecture that can deliver robust protection independent of any detection capability is micro-virtualization.