Researchers at the University of California at Santa Barbara have developed a technique for detecting changes caused...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
by rootkits after infection. Could you explain how this rootkit detection technique works? Can it be deployed in an enterprise environment right now?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Researchers at the University of California at Santa Barbara presented a paper at the ACM Computer and Communications Conference that describes how Blacksheep can be used to detect changes or infections caused by a rootkit. The Blacksheep technique allows a system administrator to take a live memory dump from a managed system using a special driver. This dump is used to analyze the executing processes on the system to identify potential files executing in memory that may be malware. Blacksheep works in a similar fashion as file integrity checking, but the integrity and memory analysis checks are performed across a number of different systems to identify which, if any, files or memory dump data differ between the systems to potentially identify suspicious files.
One of the biggest challenges with implementing Blacksheep is the amount of homogeneity required from the endpoints to effectively identify changes made to or malware located in the memory of compromised systems. In many corporate environments, though, there is significant homogeneity, so these techniques offer new options for incident response. Blacksheep could also be used on servers or potentially any type of homogenously configured systems to identify malware or suspicious executables.
The Blacksheep technique could be used in the place of file integrity monitoring, which takes computer resources and time. Blacksheep could also be deployed to a wide number of systems to identify infected systems with minimal false positives caused by the environment.
Dig Deeper on Configuration Management Planning
Related Q&A from Nick Lewis
MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the ...continue reading
RIPPER malware has been found responsible for the theft of $378,000 from ATMs in Thailand. Expert Nick Lewis explains how this ATM malware works.continue reading
Researchers found that facial recognition systems can be bypassed with 3D models. Expert Nick Lewis explains how these spoofing attacks work and what...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.