Microsoft yesterday revealed Project Freta, a new Microsoft Research development that is a virtual-machine (VM) forensics platform. Users will be able to leverage Freta to find malicious software on cloud infrastructure.
Of course, Microsoft has some enterprise-grade cloud security tools already. Most notable of them is Microsoft Defender Threat Protection (ATP). It seems Project Freta is not meant to replace ATP. In fact, this is still very much a research project that Microsoft describes as a “technology demonstration”.
“Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button – no setup required,” says Mike Walker,who is a senior director at Microsoft Research’s New, or NExT, Security Ventures team.
Project Freta is free and is based on the cloud. Microsoft says it offers “automated full-system volatile memory inspection of Linux systems“. This basically means the service takes a memory snapshot of the Hyper-V Linux guest OS. When a user taps into Freta and submits images of the Linux OS running on Azure, they will see a memory dump.
Microsoft says Freta has the potential to stop all cloud-based malware attacks on Azure. Yes, that seems wholly unlikely on the surface, but it will be interesting to see how the company develops this goal.
Walker points out that Freta may simply provide a financial deterrent. It would become too expensive for malware writers to create rootkits for Microsoft cloud.
Below are some of the core benefits of Project Freta:
- “Detect novel malicious software, kernel rootkits, process hiding, and other intrusion artifacts via agentless operation by operating directly on captured VM snapshots
- Very easy to use: submit a captured image to generate a report of its content
- Memory inspection means no software to install, no notice to malware to evacuate or destroy data
Designed for automating IR-like discovery tasks directly into a cloud fabric — though volatile memory snapshots captured from an acquisition tool can also be used for bare iron scenarios where virtualization is not available”