Researchers at the University of California at Santa Barbara have developed a technique for detecting changes caused...
by rootkits after infection. Could you explain how this rootkit detection technique works? Can it be deployed in an enterprise environment right now?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Researchers at the University of California at Santa Barbara presented a paper at the ACM Computer and Communications Conference that describes how Blacksheep can be used to detect changes or infections caused by a rootkit. The Blacksheep technique allows a system administrator to take a live memory dump from a managed system using a special driver. This dump is used to analyze the executing processes on the system to identify potential files executing in memory that may be malware. Blacksheep works in a similar fashion as file integrity checking, but the integrity and memory analysis checks are performed across a number of different systems to identify which, if any, files or memory dump data differ between the systems to potentially identify suspicious files.
One of the biggest challenges with implementing Blacksheep is the amount of homogeneity required from the endpoints to effectively identify changes made to or malware located in the memory of compromised systems. In many corporate environments, though, there is significant homogeneity, so these techniques offer new options for incident response. Blacksheep could also be used on servers or potentially any type of homogenously configured systems to identify malware or suspicious executables.
The Blacksheep technique could be used in the place of file integrity monitoring, which takes computer resources and time. Blacksheep could also be deployed to a wide number of systems to identify infected systems with minimal false positives caused by the environment.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.