VMware Incident Response: Responding to Attacks on Virtualized Environments

By Contributing Writer Gilad David Maayan | February 14, 2022

What is VMware?

VMware is a US software vendor offering cloud computing and virtualization technology. VMware’s server virtualization technology employs a bare-metal hypervisor ESX/ESXi to virtualize x86 architecture.

VMware virtualization involves installing a hypervisor on a physical server and allowing each virtual machine to run an operating system. This process enables several virtual machines (VMs) to run on the same physical server and share server resources like RAM and networking.

VMware’s hypervisor can also run containerized workloads in a Kubernetes cluster. It enables security, development, and operations teams to manage container-based infrastructure similarly to managing VMs while deploying as many containers as needed. VMware virtualization is the basis of many large scale infrastructure as a service (IaaS) deployments.

There are several common alternatives to VMware virtualization, including Microsoft Hyper-V and the Citrix Hypervisor.

What is Incident Response?

Incident response is a preemptive business function that ensures an organization is able to rapidly respond to cybersecurity threats. All representatives from core aspects of the business can and should be involved in the incident response process. The focus of incident response is to limit the damage caused by a cyberattack and reduce recovery time and cost.

Incident response is typically handled by an organization’s computer security incident response team (CSIRT). The CSIRT comprises information security, IT staff, legal, human resources representatives, and public relations departments, all conducting incident response activities.

The CSIRT should follow a set of procedures outlining the organization’s response to network events, security incidents and confirmed breaches. This set of instructions is known as the incident response plan (IRP).

Incident Response Challenges in a Virtualized Environment

An organization can gain productivity and flexibility in a virtualized environment. However, virtualized environments pose unique risks, so an organization needs the ability to respond to an attack, an unwanted device, or malicious user behavior. Here are some of the unique security challenges posed by virtualized environments:

  • VMs managed by the same hypervisor instance can share information with each other without transmitting it over a physical network.
  • Separation between partitions is not implemented by default, yet it is important for security. Isolation between VMs requires careful system design.
  • VMs can move between machines, either manually or automatically, in reaction to resource or workload changes.
  • Physical access to a partition from outside the host running it is limited.
  • Moving a partition from a compromised platform to a recovery host can be prevented by the compromised host's direct memory access capabilities.
  • The same host can have several trust levels, depending on the VM workloads running on it at any given time.

VMware Incident Response Solutions

VMware has reacted to the challenges of security in virtualized environments, and now provides its own incident response solution, based on technology it acquired from Carbon Black in 2019. VMware incident response solutions include endpoint detection and response (EDR), which can help react to security incidents affecting individual VMs, and Cloud-Managed Detection and Response, which can help respond to incidents across entire cloud environments.

Carbon Black EDR

Carbon Black EDR is VMware’s incident response and threat hunting solution. It aims to provide continuous visibility for security operations center (SOC) teams working with offline environments and on-premises resources.

The solution continuously records and stores endpoint activity data to enable security professionals to visualize the entire attack kill chain and hunt threats in real-time. It employs threat intelligence aggregated from VMware’s Carbon Black Cloud to identify behavior patterns and detect endpoint threats.

Here are key features of Carbon Black EDR:

  • Continuous and centralized recording—the solution centralizes access to endpoint data recorded continuously. This functionality enables security professionals to obtain the information needed for real-time threat hunting and in-depth investigations.
  • Live response for remote remediation—this functionality enables incident responders to establish secure connections to infected hosts. Teams can use this secure connection from any location worldwide to pull or push files, perform memory dumps, and kill processes to remediate quickly.
  • Attack chain visualization and search—the solution offers intuitive attack chain visualization to facilitate quick root cause identification. It helps teams quickly analyze each attack stage and gain insight into attack behavior. Teams can use this feature to gain insights on new attack techniques and close security gaps.
  • Automation via integrations and open APIs—the solution includes a robust partner ecosystem and open platform that enables teams to integrate products into an existing security stack.
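The continuous recording and attack chain visualization described above rest on one idea: every process start is recorded with its parent, so an analyst can walk from an alerted process back to its root cause and forward to everything it spawned. The following is an added illustration of that reconstruction, not VMware or Carbon Black code and not their data model; the event records, pid values and image names are constructed, and pid 4 is assumed to be the system root of the process tree.

```python
"""Reconstruct an attack chain from recorded process-start events.

Added example (not VMware/Carbon Black code). Models the kind of
continuously recorded process telemetry an EDR stores, then walks the
parent/child relationships from an alerted process back to its root
cause and forward to every process it spawned. All records below are
constructed sample data; pid 4 is assumed to be the system root.
"""
from collections import defaultdict

# Assumed root of the process tree in this constructed data set.
SYSTEM_PIDS = {4}

# Constructed sample telemetry: one record per process start.
EVENTS = [
    {"ts": "2022-02-14T09:00:01", "pid": 100, "ppid": 4,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"ts": "2022-02-14T09:02:10", "pid": 220, "ppid": 100, "image": "outlook.exe",    "cmdline": "outlook.exe"},
    {"ts": "2022-02-14T09:05:33", "pid": 310, "ppid": 220, "image": "winword.exe",    "cmdline": "winword.exe /n invoice.docm"},
    {"ts": "2022-02-14T09:05:41", "pid": 415, "ppid": 310, "image": "powershell.exe", "cmdline": "powershell.exe -EncodedCommand <redacted>"},
    {"ts": "2022-02-14T09:05:47", "pid": 520, "ppid": 415, "image": "rundll32.exe",   "cmdline": "rundll32.exe stage2.dll,Run"},
    {"ts": "2022-02-14T09:06:02", "pid": 530, "ppid": 415, "image": "cmd.exe",        "cmdline": "cmd.exe /c whoami"},
    {"ts": "2022-02-14T09:10:00", "pid": 600, "ppid": 100, "image": "chrome.exe",     "cmdline": "chrome.exe"},
]


def build_index(events):
    """Index process-start records by pid and group child pids by parent pid."""
    by_pid = {}
    children = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]] = ev
        children[ev["ppid"]].append(ev["pid"])
    return by_pid, children


def ancestry(events, pid):
    """Walk from the alerted process back to the earliest recorded ancestor.

    Returns (chain, complete). chain lists the records from root to the
    alerted process. complete is False when the walk stops at a parent pid
    that was never recorded (recording began after the parent started), so
    the analyst knows the true root cause may lie outside the captured window.
    """
    by_pid, _ = build_index(events)
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen:  # seen guards against pid reuse loops
        seen.add(cur)
        chain.append(by_pid[cur])
        cur = by_pid[cur]["ppid"]
    chain.reverse()
    return chain, cur in SYSTEM_PIDS


def descendants(events, pid):
    """Breadth-first collection of every process spawned under pid."""
    _, children = build_index(events)
    out, queue, seen = [], [pid], set()
    while queue:
        cur = queue.pop(0)
        for child in children.get(cur, []):
            if child not in seen:
                seen.add(child)
                out.append(child)
                queue.append(child)
    return out


def attack_chain(events, alerted_pid):
    """Summarise what an analyst pivots through from a single alert."""
    chain, complete = ancestry(events, alerted_pid)
    return {
        "root_cause": " -> ".join(ev["image"] for ev in chain),
        "complete": complete,
        "spawned": descendants(events, alerted_pid),
    }


if __name__ == "__main__":
    # Alert fired on the rundll32.exe start: trace it back to the mail client.
    summary = attack_chain(EVENTS, 520)
    print("root cause chain:", summary["root_cause"])
    print("chain complete:", summary["complete"])
    # Pivot to the PowerShell parent and list everything it spawned.
    print("spawned by 415:", attack_chain(EVENTS, 415)["spawned"])
```

The `complete` flag is the detail worth keeping: when the recording window starts after the parent process did, the walk ends at an unknown pid and the chain shown to the analyst is truncated, which is exactly the case where "root cause" in a visualization should be read with caution.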

VMware Carbon Black Cloud Managed Detection and Response

This managed service is supported by a team of security experts monitoring and analyzing all data in your VMware Carbon Black Cloud. The team leverages advanced machine learning and algorithmic toolsets to provide you with insights into attacks within your VMware Carbon Black Cloud environment.

VMware Carbon Black Cloud Managed Detection and Response experts notify you via email of threats. They provide recommendations for specific policy changes to remediate detected threats as well as incident remediation guidance and threat containment during security incidents.

Here are notable features of VMware Carbon Black Cloud Managed Detection and Response:

  • Threat validation and insight—the service provides 24x7x365 coverage. The team proactively validates alerts and sends email notifications to help ensure that you do not miss critical alerts.
  • Roadmap to root cause—the service offers analyst insight into Carbon Black Cloud Workload and VMware Carbon Black Cloud Endpoint Standard alerts. The team can help you streamline investigations by connecting alerts caused by the same root cause. The goal is to enable you to resolve security issues quickly.
  • Outbreak advisories—VMware’s threat analysis unit continuously monitors threat trends worldwide. Once widespread outbreaks occur, the team sends advisories listing indicators of compromise to help you quickly assess risks and close gaps.
  • Monthly reporting—VMware’s detection experts offer monthly reports summarizing activities across your environment. These reports include insights into the most targeted machines and the most common suspicious events. You can leverage them to refine policies and understand big-picture trends.
  • Incident response communication with analysts—VMware’s security analysts are available 24x7 to guide you during security incidents. The service offers two-way communication via email to help support your incident remediation efforts.
  • Threat containment—VMware’s team employs VMware Carbon Black Cloud tools to stop threats quickly. The team can update reputations of hashes, modify behavioral prevention rules, and quarantine devices to prevent the threat from escalating.


In this article, I explained the basics of virtualized environments, incident response, and how teams can react to cyber threats in VMware data centers. I also described two security solutions provided by VMware, which can help secure virtualized environments:

  • Carbon Black EDR—an incident response and threat hunting solution that enables continuous monitoring, live response to threats, and attack chain visualization.
  • Carbon Black Cloud Managed Detection and Response—enables threat validation, root cause analysis, threat containment, and incident response support from VMware experts.

I hope this will be useful as you improve the security posture of your VMware data center.


Author Bio: Gilad David Maayan
