This week's solution of the week is called Morphisec. Hundreds of endpoint security solutions offer file-, signature- or behavior-based detection capabilities but have almost no way to monitor or stop in-memory attacks. It is estimated that ~80% of all attacks use some form of in-memory exploit that is critical to their successful execution. These are the worst kind of attacks, and sadly very few antivirus solutions can stop them. Only one platform has proven to stop not only every single known in-memory attack but also zero-days and unknown in-memory exploits yet to be discovered. This is Morphisec.
After my initial discovery, I decided to reach out to the company to learn more. I was able to learn that some large enterprises have used this product successfully, including Motorola, Citizens Health and Fubon Bank, and that Morphisec partners with some of the largest technology firms, including having a strong relationship with Microsoft. As we spoke further, I only became more interested. One thing which was really helpful to know is that not only does Morphisec alert you when some kind of in-memory attack was attempted, but the software which protects you is also extremely lightweight. For organizations running a bunch of different agents on their endpoints, Morphisec will have little impact on performance. It only runs at the start of every process, randomizing memory locations, and that is it. Talking about endpoints, this software works best in conjunction with any other antivirus product and runs on Windows as well as Linux systems. Other antivirus products protect against file-based attacks, and Morphisec blocks any attacks running in memory.
They told me that their product is currently used on about 5 million endpoints, with about 20,000 blocked attacks happening daily. They assured me no fileless attack has ever bypassed their system and that they are often blocking exploits before they become known to the rest of the world. At a cost of ~$38 a year per endpoint, they can offer businesses peace of mind in a security landscape where everyone is trying to be reactive. If you want to stop cold most malware, ransomware and any kind of in-memory attack, there is no better solution. This product is on our radar and it won't be long before they become a valuable partner of ours.
How does it work?
Morphisec is a pioneer in something called "Moving Target Defense". This means that your attack surface is ever changing and evolving. Generally, exploits expect very specific, static code that, when manipulated in a very specific way, can have harmful and unexpected consequences. Moving Target Defense means that your system is always moving, which keeps these exploits from working: they expect the system to be configured one way, but it is configured differently. To explain this, let's take a look at a Rube Goldberg machine. Imagine this is the path an attack takes in your operating system. When the TV is turned on, the attack has executed successfully.
Moving Target Defense will change around the locations of the parts of the machine so that when the black ball at F tries to move into the G basket, the basket is no longer there, having been moved 5 feet to the right. This stops the entire sequence. An attacker also expects everything to be static and known beforehand for an exploit to work. Morphisec randomizes the locations of resources when in-memory processes spawn. Normal applications are updated dynamically and run as expected, while attacks expect the process resources to be in their default locations. Morphisec also tracks when a process tries to access these default locations, alerting the system that there was an attempted breach so you know when malicious activity is taking place. The idea may be pretty simple, but its implementation has proven to be highly effective.
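The mechanism described above can be sketched as a toy model. This is an added example, not Morphisec's code and not from the original post; the class, the resource names and every address are constructed for illustration.

```python
import random

# Constructed default layout: the addresses an exploit would hardcode.
DEFAULT_LAYOUT = {"alloc": 0x7000, "load_library": 0x7100, "spawn_process": 0x7200}

class TrapHit(Exception):
    """Raised when code touches a default address that was vacated at spawn."""

class MorphedProcess:
    """Hypothetical model of one process under moving target defense."""

    def __init__(self, seed=None):
        rng = random.Random(seed)
        self.alerts = []
        # Relocate every resource once, at process start, to a fresh address.
        free = list(range(0x10000, 0x20000, 0x100))
        new_addrs = rng.sample(free, len(DEFAULT_LAYOUT))
        # Legitimate code is "updated dynamically": its lookup table is rewritten.
        self.import_table = dict(zip(DEFAULT_LAYOUT, new_addrs))
        self.memory = {addr: name for name, addr in self.import_table.items()}
        # Each vacated default address becomes a trap.
        self.traps = {addr: name for name, addr in DEFAULT_LAYOUT.items()}

    def call_by_name(self, name):
        """Normal application path: resolve through the updated table."""
        return self.call_address(self.import_table[name])

    def call_address(self, addr):
        """Every call lands here; a hardcoded default address hits a trap."""
        if addr in self.traps:
            alert = f"blocked call to default address {addr:#x} ({self.traps[addr]})"
            self.alerts.append(alert)
            raise TrapHit(alert)
        return self.memory[addr]  # KeyError models a crash on unmapped memory

def run_demo(seed=None):
    """Run one legitimate call and one exploit-style call against a process."""
    proc = MorphedProcess(seed)
    legit = proc.call_by_name("load_library")
    try:
        proc.call_address(DEFAULT_LAYOUT["spawn_process"])  # exploit's assumption
        exploited = True
    except TrapHit:
        exploited = False
    return legit, exploited, proc.alerts

if __name__ == "__main__":
    print(run_demo())
```

The legitimate call succeeds because it never depended on a fixed address, while the hardcoded call is both stopped and recorded, which is the alerting behavior described above.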
That's it for this week. Thank you for spending the time to come and learn about Morphisec and Moving Target Defense.
Please feel free to reach out anytime, and welcome to the blog!