Researchers at the University of California at Santa Barbara have developed a technique for detecting changes caused by rootkits after infection. Could you explain how this rootkit detection technique works? Can it be deployed in an enterprise environment right now?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Researchers at the University of California at Santa Barbara presented a paper at the ACM Computer and Communications Conference that describes how Blacksheep can be used to detect changes or infections caused by a rootkit. The Blacksheep technique allows a system administrator to take a live memory dump from a managed system using a special driver. This dump is used to analyze the executing processes on the system to identify potential files executing in memory that may be malware. Blacksheep works in a similar fashion as file integrity checking, but the integrity and memory analysis checks are performed across a number of different systems to identify which, if any, files or memory dump data differ between the systems to potentially identify suspicious files.
One of the biggest challenges with implementing Blacksheep is the amount of homogeneity required from the endpoints to effectively identify changes made to or malware located in the memory of compromised systems. In many corporate environments, though, there is significant homogeneity, so these techniques offer new options for incident response. Blacksheep could also be used on servers or potentially any type of homogenously configured systems to identify malware or suspicious executables.
The Blacksheep technique could be used in the place of file integrity monitoring, which takes computer resources and time. Blacksheep could also be deployed to a wide number of systems to identify infected systems with minimal false positives caused by the environment.
Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments
Related Q&A from Nick Lewis
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading
Cloud security providers need to play catch-up with the evolving advancements in cloud technology. Find out what the top CSPs offer today and which ... Continue Reading
Cloud security certifications serve to bolster security professionals' resumes and boost value to employers. Learn about the top certifications ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.