Review: Morphisec scrambles memory to thwart advanced attacks

With Morphisec, you get a full spectrum of protection that is more complete than any antivirus program alone.

CSO  >  danger / security threat / malware / biohazard symbol in data center
Jakarin2521 / EvgeniyShkolenko / Getty Images

In the world of cybersecurity, many companies that provide protection have moved away from preventing attacks to remediating them after they land. One reason for this is how difficult prevention has become, with new attacks like memory exploits and fileless malware finding vulnerabilities and getting around traditional protection. It’s easier from a defender’s standpoint to detect attacks after they start making changes on systems or overt things like that. It’s also a more dangerous way to operate.

Morphisec has chosen a different path, shifting the focus back to prevention of a specific family of advanced exploits that either use or reside in system memory. These exploits are very difficult to detect using traditional methods. This is how most advanced attacks get around signature-based antivirus protection these days.

It’s pretty ingenious how Morphisec works. The platform is able to scramble system memory by moving the default locations for system resources that all programs use and most advanced malware is designed to exploit. This includes scrambling the locations of .dlls, memory structures and commonly used resources. At the same time, authorized programs such as browsers launched by local users are given the new secret locations when they activate so they can function normally. And those locations are kept in flux, with new locations being generated each time an authorized program activates. Two instances of Chrome running on different systems will have vastly different locations for memory support objects. And if Chrome is closed and reopened, the new instance will find a different environment than the one that existed before it.

Morphisec Default Plan CSO

The platform ships with a default plan regarding which applications and programs it will work with. These are all given the secret new locations of memory objects and .dlls when run by valid users, so are protected from any memory exploits.

In addition to scrambling memory and providing the secret new information to authorized programs, Morphisec also builds a skeletal framework of memory with the locations of everything in the traditional places that Windows uses. Anything that tries to tap into those traditional locations will hit the skeleton and trigger an alert but won’t be able to execute. Morphisec collects forensic information from each thwarted attack, so security teams can see what would have happened had the real memory not been scrambled, and what the malware was attempting to find or accomplish.

In the world of cybersecurity, many companies that provide protection have moved away from preventing attacks to remediating them after they land. One reason for this is how difficult prevention has become, with new attacks like memory exploits and fileless malware finding vulnerabilities and getting around traditional protection. It’s easier from a defender’s standpoint to detect attacks after they start making changes on systems or overt things like that. It’s also a more dangerous way to operate.

Morphisec has chosen a different path, shifting the focus back to prevention of a specific family of advanced exploits that either use or reside in system memory. These exploits are very difficult to detect using traditional methods. This is how most advanced attacks get around signature-based antivirus protection these days.

It’s pretty ingenious how Morphisec works. The platform is able to scramble system memory by moving the default locations for system resources that all programs use and most advanced malware is designed to exploit. This includes scrambling the locations of .dlls, memory structures and commonly used resources. At the same time, authorized programs such as browsers launched by local users are given the new secret locations when they activate so they can function normally. And those locations are kept in flux, with new locations being generated each time an authorized program activates. Two instances of Chrome running on different systems will have vastly different locations for memory support objects. And if Chrome is closed and reopened, the new instance will find a different environment than the one that existed before it.

Morphisec Default Plan CSO

The platform ships with a default plan regarding which applications and programs it will work with. These are all given the secret new locations of memory objects and .dlls when run by valid users, so are protected from any memory exploits.

In addition to scrambling memory and providing the secret new information to authorized programs, Morphisec also builds a skeletal framework of memory with the locations of everything in the traditional places that Windows uses. Anything that tries to tap into those traditional locations will hit the skeleton and trigger an alert but won’t be able to execute. Morphisec collects forensic information from each thwarted attack, so security teams can see what would have happened had the real memory not been scrambled, and what the malware was attempting to find or accomplish.

Morphisec Dashboard CSO

The main dashboard for the Morphisec platform shows how many attacks have been prevented. Unlike most security programs, it’s nearly impossible for any of these entries to be false positives, since only unauthorized apps would visit traditional memory locations that have been scrambled by Morphisec.

Setting up Morphisec was extremely easy. The brains of the platform is installed as an on-prem console, though it can also be virtualized or even served through a customer-owned cloud. Once in place, administrators can set up how the agents out on client machines and servers will function. There is a default package of programs and applications that Morphisec will enable. They are the ones that will be given the secret, constantly moving locations of memory objects when activated by a legitimate local user. They include office programs like Word, Excel and Outlook, browsers like Chrome and Edge, and applications like Rundll32, Mshta, Regasm and even the screensaver file.

While most everything a typical business user would need is included in the initial loadout, and Morphisec company officials say that many of their over 5,000 enterprise customers use the default list unedited, you can still add new programs. We were able to add, for example, Webex to that list with just a few clicks. Most modern programs and apps should have no trouble accepting the new data pointing to the scrambled memory locations, though some older apps like those from the Windows 7 or Windows XP era may not be designed to function that way and could crash.

Morphisec Add New App CSO

While many users choose to use the default loadout, adding new programs and applications that can take advantage of Morphisec’s memory protecting technology is a simple task from the main console.

Once the protection scheme is established, agents will need to be deployed to client systems. Currently, the main Morphisec console can’t deploy those agents, so a third-party program will need to do that. Given that most enterprises have a system for creating and deploying agents or golden images, this should not be a problem. The agents are surprisingly small, only a few megabytes each, and work with any Windows client or server, and even within a Windows-based virtual desktop infrastructure. Company officials say that Linux deployments will be added soon, and container protection is being examined as well.

As impressive as Morphisec performs, you would not want to deploy it as the only protection for an enterprise. Attacks that don’t try to use advanced techniques or memory exploits would not be detected or stopped by it. To get complete protection, Morphisec integrates with Windows Defender. The idea is that Defender will handle all the typical attacks, and Morphisec will protect the system from the memory exploits that Defender, or any antivirus program, is weak against. That way, users get a full spectrum of protection that is more complete than any antivirus program alone. As a nice bonus, Morphisec provides an enterprise console for Defender that lets users see how it is performing across the entire network.

Morphisec Defender Integration CSO

Because Morphisec only protects against advanced attacks that try to reside or execute from system memory, it can miss more traditional malware. By teaming up with Microsoft Defender, it can block the whole spectrum of attacks, while also providing an enterprise console to monitor Defender.

It’s important to know that Morphisec does not have any remediation component beyond the forensic analysis of thwarted attacks. For the most part, anything it catches will be prevented from gaining a foothold, so remediation is unnecessary. However, it’s possible that a threat could remain resident on a system even if it’s technically prevented from doing any harm since it can’t exploit the memory. But it might sit there and keep trying and would need to be expunged by other cybersecurity tools. In that case, Morphisec would at least provide great forensic and target data so the remediation could be successful.

Morphisec Stop Attack CSO

Here Morphisec has stopped an attack from executing in memory, because the malware tried to use resources from their default locations, and not the new ones where Morphisec moved them. In this case there is no need to remediate the attack because it was prevented from gaining a foothold in the first place.  

Pricing for Morphisec is based on the number of endpoints being protected per year. The pricing matrix is very similar to what an enterprise would typically pay for antivirus protection, a few dollars per user in most cases. With the integration of Defender, that makes Morphisec a solid choice. Regulated industries that require antivirus will be able to check that box, while everyone would get protection that stops both traditional threats and advanced exploits that antivirus alone is weak against.

Morphisec calls their solution a moving target defense, and while that is a good description, it doesn’t go far enough. A marksman can hit a moving target, at least some of the time. But there is almost no way that preprogramed threats and malware would be able to find the secret, scrambled locations where Morphisec constantly moves the memory objects they need. So, it’s more of a perpetually moving, hidden and scrambled target defense, and one that is sorely needed to beef up outflanked antivirus protection in the enterprise.