Why should IT Auditors use Memory Forensics to enhance the cybersecurity posture of their clients?

Auteur: Robert Jan Mora

1. Introduction

In the last decade, organizations have adopted Endpoint Detection and Response (EDR) capabilities to combat nation-state threats and cybercrime, often based on auditors' recommendations. However, EDR alone has not significantly reduced ransomware attacks. This is partly due to a lack of staff to interpret alerts and the growing ability of threat actors to evade EDR. A recent study showed that 26 EDR vendors failed to prevent all tested evasion techniques, with tools like EDRBlast rendering several EDR solutions ineffective1 en 2.

The fight against cybercrime requires more than traditional security measures. IT auditors, who assess the robustness of an organization's cybersecurity, must step up their game. Despite passing audits, many organizations still suffer from ransomware, highlighting the inadequacy of current controls. Auditors typically rely on interviews, documentation, and limited technical checks, which is no longer sufficient.

But how can auditors determine if a client's system or network is in a trusted state, compromised, or without specific "stated" controls without ever sampling and analyzing the volatile memory of critical systems?

[....]