<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace</title>
	<atom:link href="http://coretrace.com/feed" rel="self" type="application/rss+xml" />
	<link>http://coretrace.com</link>
	<description>Advanced Threat Protection</description>
	<lastBuildDate>Tue, 13 Nov 2012 20:48:06 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Stronger Security Together: Lumension Acquires CoreTrace</title>
		<link>http://coretrace.com/advanced-threat-protection/stronger-security-together-lumension-acquires-coretrace?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=stronger-security-together-lumension-acquires-coretrace</link>
		<comments>http://coretrace.com/advanced-threat-protection/stronger-security-together-lumension-acquires-coretrace#comments</comments>
		<pubDate>Tue, 13 Nov 2012 20:47:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Advanced Threat Protection]]></category>

		<guid isPermaLink="false">http://www.coretrace.com/?p=6112</guid>
		<description><![CDATA[You’d have to be living under a rock to not have heard about the recent rise in targeted attacks. From oil operators in the Middle East to financial institutions in the U.S., advanced persistent threats, APTs, have grown exponentially. Yes, &#8230; <a href="http://coretrace.com/advanced-threat-protection/stronger-security-together-lumension-acquires-coretrace">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>You’d have to be living under a rock not to have heard about the recent rise in targeted attacks. From oil operators in the Middle East to financial institutions in the U.S., advanced persistent threats (APTs) have grown exponentially. Yes, they are a problem for big, global brands, but should smaller organizations concern themselves with the proliferation of these sophisticated attacks? In a word, yes.</p>
<p>Once targeted attacks are developed and executed, the details often become easily accessible to cyber criminals at large online. Translation? They grab the code and use it to attack you. We recently completed our annual State of the Endpoint report, and it would seem IT departments everywhere are paying attention. The report hasn’t been released yet; however, one interesting data point to call out is that IT administrators now consider APTs their “biggest headache.” (Watch for the release of our new State of the Endpoint report, conducted by the Ponemon Institute, the first week of December.)</p>
<p>The rise in APTs, and of course malware in general, is a serious concern. We won’t sit idly by and I urge you not to either. Recently, Gartner projected 50 percent of companies will deploy “deny all” technologies by 2015. This is a very strong supporting point for our recent announcement – <a href="http://www.lumension.com/coretrace" title="Lumension Acquires CoreTrace" target="_blank">the November 5 acquisition of CoreTrace Corporation</a>, an innovative, Austin, TX-based application control software provider. We understand the threat landscape has evolved greatly and it will continue to. While we can’t predict the future of cyber crime, we can help our customers and the industry be as prepared as possible. Layered defenses that include application control are a very strong starting point.</p>
<p>The asset acquisition of CoreTrace will enhance our capabilities, portfolio of patents and other IP. We are now working to integrate key aspects of CoreTrace technology into Lumension® Application Control which is available via the Lumension Endpoint Management and Security Suite. For you, our customers and the industry, this means improved, advanced persistent protection in the fight against even the most sophisticated cyber attacks.</p>
<p>Regards,<br />
Pat Clawson<br />
Chairman &#038; CEO, Lumension</p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/advanced-threat-protection/stronger-security-together-lumension-acquires-coretrace/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flame: The Latest (&amp; Not Last) Targeted Attack</title>
		<link>http://coretrace.com/endpoint-security/flame-the-latest-not-last-targeted-attack?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=flame-the-latest-not-last-targeted-attack</link>
		<comments>http://coretrace.com/endpoint-security/flame-the-latest-not-last-targeted-attack#comments</comments>
		<pubDate>Mon, 04 Jun 2012 19:27:41 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Advanced Threat Protection]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[duqu]]></category>
		<category><![CDATA[flame attack]]></category>
		<category><![CDATA[stuxnet]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://www.coretrace.com/?p=6011</guid>
		<description><![CDATA[Today I sat down with CoreTrace&#8217;s founder and CTO, Dan Teal, to get his perspective on the latest targeted attack gaining publicity: Flame.  Readers of this blog know that Dan is uniquely qualified to comment on attacks such as these, &#8230; <a href="http://coretrace.com/endpoint-security/flame-the-latest-not-last-targeted-attack">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<h3>Today I sat down with CoreTrace&#8217;s founder and CTO, Dan Teal, to get his perspective on the latest targeted attack gaining publicity: Flame.  Readers of this blog know that Dan is uniquely qualified to comment on attacks such as these, because he has been battling them since his days as an officer in the Air Force Information Warfare Center in the early 1990s.</h3>
<p>In this short video, Dan answers three key questions:</p>
<ol>
<li>What is Flame?</li>
<li>What is noteworthy about it from his point-of-view?</li>
<li>What should enterprises &amp; government agencies do to combat threats like it?</li>
</ol>
<p>Have a watch and feel free to let us know if you have any questions or comments.</p>
<p><iframe src="http://www.youtube.com/embed/KzLzZCzk29Q" frameborder="0" width="560" height="315"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/endpoint-security/flame-the-latest-not-last-targeted-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NSA’s Application Whitelisting: Why It Is Right… And Wrong.</title>
		<link>http://coretrace.com/application-whitelisting/nsas-application-whitelisting-why-it-is-right-and-wrong?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=nsas-application-whitelisting-why-it-is-right-and-wrong</link>
		<comments>http://coretrace.com/application-whitelisting/nsas-application-whitelisting-why-it-is-right-and-wrong#comments</comments>
		<pubDate>Thu, 15 Mar 2012 15:22:11 +0000</pubDate>
		<dc:creator>Jim Reiss</dc:creator>
				<category><![CDATA[Advanced Threat Protection]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[Memory Protection]]></category>
		<category><![CDATA[advanced threat protection]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[trusted change]]></category>

		<guid isPermaLink="false">http://www.coretrace.com/?p=5719</guid>
		<description><![CDATA[Recently the United States National Security Agency (NSA) announced that it had developed an approach to application whitelisting that is designed to consume fewer resources than &#8220;standard whitelisting techniques.&#8221;  While I applaud the NSA for moving towards whitelisting versus relying &#8230; <a href="http://coretrace.com/application-whitelisting/nsas-application-whitelisting-why-it-is-right-and-wrong">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Recently the United States National Security Agency (NSA) announced that it had developed an approach to application whitelisting that is designed to consume fewer resources than &#8220;standard whitelisting techniques.&#8221;  While I applaud the NSA for moving towards whitelisting versus relying on reactive blacklisting-based antivirus, the NSA approach is actually based on some older technologies and techniques.</p>
<p>The NSA approach is based in large part on the use of Microsoft&#8217;s Software Restriction Policies (SRP) to lock down areas (such as paths) on target systems where downloaded applications typically reside and execute.  At its core, Microsoft SRP uses the same &#8220;default deny&#8221; approach that makes whitelisting a superior security offering: if an application tries to run, it needs approval either from an administrator or from some pre-developed policy for that particular system.  In its media releases the NSA suggested that this would be a far less burdensome and more cost-effective approach than deploying commercially available application whitelisting technologies.  The SRP rules have to be authored and maintained by the administrator for each and every system, generally through Group Policy. On the surface, this sounds like a very workable solution.  <em><strong>But SRP debuted with Windows XP and Windows Server 2003, nearly a decade ago. So why hasn&#8217;t it seen widespread adoption?</strong></em></p>
<p>In some ways, the NSA approach is a snapshot in time of the state of COTS application whitelisting 2-3 years ago. As whitelisting products did then, the &#8220;new&#8221; approach being touted by the NSA uses SRP to control which applications can or cannot run on a group of systems.  <em>But COTS application whitelisting has advanced far beyond that rudimentary state.</em> Advances have been made in areas like the ability to dynamically add to and upgrade the whitelist for valid applications, and the protection of process memory against both DLL injection and reflective memory injection (both of which are tips of the spear of the advanced persistent threat). And zero-day attacks have proven time and time again to be able to walk through the Windows operating system.</p>
<p>But there are fundamental shortcomings in the NSA approach that need serious consideration before it can be considered a &#8220;commercially viable&#8221; alternative. Software restriction policies do not apply to drivers or other kernel mode software. Modern application whitelisting solutions protect these files, which have been shown time and time again to be sources of breaches.  Software restriction policies also lack the ability to control programs run by the Windows SYSTEM account. And there are design deficiencies in the approach itself: it is essentially &#8220;directory pathname-based.&#8221; SRP does offer hash and certificate rules, but path rules are what keep it cheap to maintain, and a path rule is only as strong as the file-system permissions on that path, because anything a user can write into an allowed directory inherits that directory&#8217;s permission to run. All of these shortcomings have long since been overcome by modern application whitelisting software. Lastly there is the lack of centralized management of software restriction policies. Group Policy is not a suitable command and control center for endpoint security and threat prevention systems. Unlike modern application whitelisting solutions, Group Policy was not designed to collect and store information about the provenance and prevalence of the good software operating in the environment, much less the threats.  Modern AWL solutions store vast amounts of data about application usage, history and first-known use, as well as the binary and hash information for files running across the entire base of protected systems. Using this centralized database, organizations can view, manage and develop policy as well as analyze, detect and guard against malicious software. Nothing about the NSA approach affords this level of enterprise visibility and control over the deployed environment.</p>
<p>Then comes the issue of support for multiple operating systems and platforms, protection of the memory space, aggregating the event data and making it consumable by the other security systems in the enterprise, and bundling all of this functionality into a footprint that a junior-level security or operations administrator can manage.  It is there that the NSA&#8217;s approach falls short, and why the Federal Government needs to leave software development to the experts.  Federal agencies are people- and cash-starved, and labor-intensive, home-grown systems such as these could easily demand more overhead than their commercially available counterparts.</p>
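<p>As an added example (not the NSA&#8217;s guidance and not CoreTrace code), the following PowerShell writes an SRP deny-by-default path policy to the same registry keys the Local Security Policy editor writes, then audits the allowed trees for the weakness discussed above: any subdirectory a standard user can create files in is a bypass of a path rule. The registry location, value names and level numbers are Microsoft&#8217;s; the function names, the two allowed paths and the list of low-privilege identities are this example&#8217;s own assumptions. It needs an elevated prompt and PowerShell 3.0 or later, and belongs on a test machine first.</p>
```powershell
# Added example: SRP deny-by-default via the registry, plus an audit for
# user-writable directories under the allowed paths. Assumes an elevated
# prompt on a TEST machine: once DefaultLevel is Disallowed, anything outside
# an allowed path will not start for users after the next logon.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: nothing matched by this rule may run
$Unrestricted = 262144   # 0x40000: runs freely

function Set-SrpDefaultDeny {
    if (-not (Test-Path -LiteralPath $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -LiteralPath $Safer -Name DefaultLevel       -Value $Disallowed -Type DWord
    Set-ItemProperty -LiteralPath $Safer -Name TransparentEnabled -Value 2 -Type DWord  # 2 = check DLLs as well as EXEs
    Set-ItemProperty -LiteralPath $Safer -Name PolicyScope        -Value 0 -Type DWord  # 0 = all users, local admins included
}

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # One rule = one GUID-named subkey under the level's Paths key. ItemData is
    # the path and may contain environment variables such as %WINDIR%.
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -LiteralPath $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -LiteralPath $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -LiteralPath $key -Name Description -Value $Description -Type String
}

function Find-UserWritableDirs {
    param([string]$Root)
    # A path rule trusts the whole tree, so every subdirectory a standard user can
    # create files in is a bypass: copy a binary there and it runs as Unrestricted.
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')  # assumed low-privilege identities
    $rights  = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($rights::CreateFiles -bor $rights::CreateDirectories)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # inside ForEach-Object, return skips to the next directory
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        }
        if ($hit) { $dir.FullName }
    }
}

# Constructed policy: the two trees an SRP path approach typically allows, everything else denied.
Set-SrpDefaultDeny
Add-SrpPathRule -Path '%ProgramFiles%' -Level $Unrestricted -Description 'Installed applications'
Add-SrpPathRule -Path '%WINDIR%'       -Level $Unrestricted -Description 'Windows'

# Every directory printed here is a hole in the path policy. Close each with a more
# specific Disallowed rule (the more specific path wins in SRP) or fix its ACL.
foreach ($root in @($env:ProgramFiles, $env:WINDIR)) {
    Find-UserWritableDirs -Root $root
}
# For example, if the audit lists C:\Windows\Tasks:
# Add-SrpPathRule -Path '%WINDIR%\Tasks' -Level $Disallowed -Description 'User-writable under Windows'
```
<p>The audit is the part worth keeping even if the policy is built in the GUI: a path rule never inspects the file it allows, so the list it prints is exactly the set of places where an attacker with user rights can stage an executable that the policy will wave through. Hash or certificate rules close that gap at the cost of the maintenance burden the post describes.</p>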
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/application-whitelisting/nsas-application-whitelisting-why-it-is-right-and-wrong/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Continuous Monitoring: Holy Grail to FISMA Compliance – or Not?</title>
		<link>http://coretrace.com/application-whitelisting/continuous-monitoring-holy-grail-to-fisma-compliance-or-not?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=continuous-monitoring-holy-grail-to-fisma-compliance-or-not</link>
		<comments>http://coretrace.com/application-whitelisting/continuous-monitoring-holy-grail-to-fisma-compliance-or-not#comments</comments>
		<pubDate>Tue, 06 Mar 2012 04:28:22 +0000</pubDate>
		<dc:creator>PDean</dc:creator>
				<category><![CDATA[Advanced Threat Protection]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[Memory Protection]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[memory protection]]></category>

		<guid isPermaLink="false">http://www.coretrace.com/?p=5509</guid>
		<description><![CDATA[Well is it or is it not? Who cares? Let’s take out the debate about whether or not the new FISMA regulations actually do anything for security practices, and face the reality that we, as government entities (whether directly employed &#8230; <a href="http://coretrace.com/application-whitelisting/continuous-monitoring-holy-grail-to-fisma-compliance-or-not">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Well is it or is it not? Who cares? Let’s take out the debate about whether or not the new FISMA regulations actually do anything for security practices, and face the reality that we, as government entities (whether directly employed by or contractually attached to a government entity), must fulfill our compliance obligations. Those of us who want to actually secure our environments will not only abide by the compliance mandates, but we will also implement security standards and practices that truly improve security within our appointed domains.</p>
<p>With the varied types and levels of threats, the exponential growth in the number of attempted attacks and the possibility that some threats are state sponsored, federal government security professionals who are responsible for the nation’s information must do everything possible to minimize the attack surface presented to our enemies. The days when a firewall and an antivirus product provided security for our resources are long gone.<span id="more-5509"></span></p>
<p>We must utilize a Defense-in-Depth strategy to minimize our vulnerabilities. Defense-in-Depth relies on a layered stack of defense technologies joined into a mesh that, properly designed and implemented, can provide a high level of fortification for our enterprises. These layers have typically been comprised of products such as firewalls, DMZs, intrusion prevention systems, encryption technologies, VPNs and antivirus products. Short of the goal of complete protection, endpoints have been a particular problem for security professionals. For years, protection for our endpoints has been based on blacklisting antivirus products. We all know that blacklist-based antivirus products have their shortcomings. Application whitelisting-based products not only overcome the shortcomings of antivirus products, but add functionality that most antivirus products do not or cannot perform.</p>
<p>“Lockdown” application whitelisting is a technology that has been around for many years and has been successfully deployed in narrowly focused controlled environments such as SCADA systems and fixed function devices. Advanced Threat Protection, which encompasses application whitelisting as well as memory protection and trusted change mechanisms, has matured to the place where it is being deployed and successfully maintained in large enterprises, including the Federal Government.</p>
<p>Many of the new threat vectors take advantage of vulnerabilities that other portions of the Defense-in-Depth stack cannot defend against. As security professionals, we have seen many breaches over the last 16 months that have one thing in common: a user on an endpoint within the organization or its ecosystem (like a defense contractor). People make mistakes, and we have to protect them (and our organization) as best we can.</p>
<p>Social engineering techniques make it easy to get a person to make a mistake and set off a malware attack; it happens every day. Once an attack has started, the perpetrator wants to get some form of payload (malicious code) loaded onto the user’s machine or to leverage it against other systems inside the network. IDS and antivirus providers do a decent job of stopping this threat as long as they have seen it in the past and have developed signatures or hash values for the known malware. What these providers cannot stop are zero-day threats (never-before-seen malware) and memory-based attacks. A memory-based attack happens when malware is loaded into the memory space of an already running program and executed from there. These memory attacks (e.g., DLL injection, reflective injection) are hard, and in some cases almost impossible, to detect. CoreTrace Bouncer has been able to detect and terminate many DLL-type attacks for some time. CoreTrace also has a patent-pending process that can detect and stop the reflective injection type of payload. (Please see my colleague Greg Valentine’s <a href="http://coretrace.com/endpoint-security/video-stopping-reflective-memory-injection-with-coretrace-bouncer" target="_blank"> video demonstrating the attack and how Bouncer stops it</a>.)</p>
<p>We security professionals must combine our tools and techniques into a successful formula in order to provide security for our enterprise and compliance with the regulations.</p>
<p>My Formula for Continuous Monitoring and Control.</p>
<p style="text-align: center;"><span style="text-decoration: underline;">(FW + DMZ + HIPS/NIPS + Crypto +VPN + AV + AC/AW) * SOC/NOC/Reporting</span><br />
Event Mitigation</p>
<p>The first part of the formula: <strong>(FW + DMZ + HIPS/NIPS + Crypto +VPN + AV + AC/AW)</strong> is the portion that is your Defense-in-Depth mesh woven together in part or in whole by your security team.<br />
The second part of the formula: <strong> * SOC/NOC/Reporting</strong> is the daily monitoring of events that occur within each and every security product within your domain; hopefully, correlated together into some manageable form via a SOC, NOC or reporting mechanism.</p>
<p><strong>STOP!!! </strong></p>
<p>For us to be compliant with the Continuous Monitoring regulations in FISMA we are done, right? Well yes, you can stop here and be compliant under the mandates, but have you accomplished real security in your relative domain or are you just filling out paperwork? If you stop here, you are doing yourself and this nation a disservice. The gist of the FISMA requirements is that agencies must do monthly reporting of inventory assets, as well as continuous monitoring and reporting of security controls. The key here is that the regulations mention security controls and do not mention security threats. This is where we must go above and beyond the letter of the law to truly perform our duties. So, please, by all means, do the paperwork, follow the regulations, but don’t stop there.</p>
<p><strong>GO…</strong></p>
<p>The final part of the formula: <strong>Event Mitigation</strong> is where the rubber meets the road, where you take action and move towards fixing the issues that have been uncovered. Without mitigation of the issues, you have not achieved real security. Vindicate yourself, your team and your organization. Grab the Grail…</p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/application-whitelisting/continuous-monitoring-holy-grail-to-fisma-compliance-or-not/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video: Stopping Reflective Memory Injection with CoreTrace Bouncer</title>
		<link>http://coretrace.com/endpoint-security/video-stopping-reflective-memory-injection-with-coretrace-bouncer?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=video-stopping-reflective-memory-injection-with-coretrace-bouncer</link>
		<comments>http://coretrace.com/endpoint-security/video-stopping-reflective-memory-injection-with-coretrace-bouncer#comments</comments>
		<pubDate>Sat, 03 Mar 2012 15:22:56 +0000</pubDate>
		<dc:creator>Greg Valentine</dc:creator>
				<category><![CDATA[Advanced Threat Protection]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[advanced threat protection]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[memory protection]]></category>

		<guid isPermaLink="false">http://www.coretrace.com/?p=5502</guid>
		<description><![CDATA[Today&#8217;s cyber attackers have added a new weapon into their arsenal: a sophisticated memory attack known as &#8220;Reflective Memory Injection&#8221;. Reflective Memory Injection goes beyond traditional memory exploits like skape/jt to easily compromise and own a victim computer. Most security &#8230; <a href="http://coretrace.com/endpoint-security/video-stopping-reflective-memory-injection-with-coretrace-bouncer">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Today&#8217;s cyber attackers have added a new weapon into their arsenal: a sophisticated memory attack known as &#8220;Reflective Memory Injection&#8221;. Reflective Memory Injection goes beyond traditional memory exploits like skape/jt to easily compromise and own a victim computer.</p>
<p>Most security professionals today know that CoreTrace Bouncer provides advanced threat protection based on its adaptive application whitelisting technology. But Bouncer goes well beyond simple whitelisting&#8211;including extensive memory protection capabilities.</p>
<p>At CoreTrace, we believe actions are always better than words. So I recorded a video that shows how an attacker would use Reflective Memory Injection to compromise a victim computer, then demonstrates how Bouncer automatically prevents the attack.</p>
<p>Take a look and feel free to let me know if you have any questions.</p>
<p><iframe src="http://www.youtube.com/embed/80NXiBqmsI8" frameborder="0" width="640" height="480"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/endpoint-security/video-stopping-reflective-memory-injection-with-coretrace-bouncer/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Earthquake Nobody Felt: McAfee Endorses Application Whitelisting</title>
		<link>http://coretrace.com/endpoint-security/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting</link>
		<comments>http://coretrace.com/endpoint-security/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting#comments</comments>
		<pubDate>Fri, 27 Jan 2012 17:03:15 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3461</guid>
		<description><![CDATA[Folks in California are so used to earthquakes that sometimes they barely notice when one happens. Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our &#8230; <a href="http://coretrace.com/endpoint-security/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Folks in California are so used to earthquakes that sometimes they barely notice when one happens. Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:</p>
<p><strong>BREAKING NEWS</strong>: <em>“Endpoint Security Earthquake Hits: McAfee Actively Endorses Application Whitelisting. Magnitude &amp; Ramifications Are Significant.”</em></p>
<p>This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, <strong>actively and unequivocally endorsed Application Whitelisting</strong>. Ironically, in news coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too.</p>
<p>First, let’s cover the major quake: McAfee’s active endorsement of application whitelisting—<em>for corporate desktops and laptops</em>.<span id="more-3461"></span> In a series of videos on the popular video sharing site, YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and the purported advantages of McAfee Application Control (most of which, such as trusted change and memory protection, are unique compared to other whitelisting solutions but not compared to CoreTrace). You can view the initial video <a href="http://www.youtube.com/watch?v=8Az9yg9KcVs&amp;feature=relmfu" target="_blank">here</a>. While you are at YouTube, make sure to check out <a href="http://www.youtube.com/CoreTraceCorporation" target="_blank">CoreTrace’s video channel</a> too.</p>
<p>While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: <em>“Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”</em></p>
<p>Second, let’s cover the story of the related tremors: the industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft. While Symantec’s own <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&amp;pvid=security_advisory&amp;suid=20120124_00" target="_blank">advisory</a> to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as part of his recommendations in a <a href="http://scitech.foxnews.mobi/quickPage.html?page=23952&amp;content=65142874&amp;pageNum=-1" target="_blank">FoxNews.com interview</a>, Anup Ghosh, founder and CEO of Virginia security firm Invincea, told FoxNews.com <em>“Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”</em></p>
<p>So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do? Stay tuned for future coverage of this developing story…</p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/endpoint-security/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>File Integrity Protection via Application Whitelisting</title>
		<link>http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=defeating-defacement-file-integrity-protection-via-application-whitelisting</link>
		<comments>http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting#comments</comments>
		<pubDate>Thu, 19 Jan 2012 16:47:24 +0000</pubDate>
		<dc:creator>Greg Valentine</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[file integrity protection]]></category>
		<category><![CDATA[FIPs]]></category>
		<category><![CDATA[server hardening]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3442</guid>
		<description><![CDATA[It is a PR disaster. A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world). Your phone won’t stop ringing, and your mailbox just melted &#8230; <a href="http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It is a PR disaster. A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world). Your phone won’t stop ringing, and your mailbox just melted down. So many questions running through your mind: ‘What just happened?’, ‘Who did this?’, ‘How did they do this?’, and most importantly ‘How can I prevent this from happening again???’. It certainly doesn’t help that this has the highest level of visibility within your organization. It’s going to be a very long day.</p>
<p>Sadly this scenario is now playing itself out more than ever. This is especially true with a loosely managed group of hacktivists that call themselves ‘Anonymous’. The list of companies affected by Anonymous is large enough to raise national media attention—which is not exactly where your company wants to have its name mentioned.<span id="more-3442"></span></p>
<p><strong>The Problem:</strong><br />
Despite significant improvements to website server security, major companies continue to be victimized by this type of vandalism. The motivation behind such attacks ranges from citizen protestors (“hacktivists”) to good old-fashioned revenge. Regardless of the motivation, you now have a very embarrassing problem on your hands.</p>
<p>Despite the best practice of ‘locking down’ your website data files to prevent changes to them, it does no good if someone is able to gain root-level access to the server: the attacker can simply open up the permissions on the data files with a single command. You need to be able to lock down these files at a lower level than standard operating system controls provide.</p>
<p><strong>A Solution:</strong><br />
What can be done to prevent these defacements? The fundamental problem boils down to the fact that unauthorized changes are being made to the website files. The affected files could be simple html, cgi, or php files, but even a simple change to a .htaccess file can ruin your day. Regardless of how someone gains access to these files (there are many, many techniques that can be used to gain access, such as SQL injection, JavaScript vulnerabilities, etc.), wouldn’t it be nice to know that they would not be able to modify or delete these files in any way? If you can tell your management team that the website is secure from defacement, everyone will rest a lot easier at night.</p>
<p>As readers of our blog know, CoreTrace Bouncer is an application whitelisting product. The main benefit of this technology is that only programs that are explicitly defined on the whitelist are allowed to execute. Any programs not on the whitelist are considered to be ‘unauthorized’ so Bouncer prevents these unauthorized programs from executing. Bouncer takes the firewall paradigm of ‘default deny’ for network ports and applies it to program execution within the operating system.</p>
<p>Not only does Bouncer enforce the whitelist, it must also protect the integrity of the whitelisted applications. How effective would a whitelisting product be if someone could simply delete an authorized application such as notepad.exe and replace it with a tainted program that has been renamed to notepad.exe? By default, Bouncer blocks (from the kernel) all modifications to program files that are on the whitelist. Bouncer administrators are able to define vectors of authorized change, which enables transparent changes to these files so that upgrades and patches can be applied without difficulty.</p>
<p>CoreTrace has extended this kernel-level ‘file integrity protection’ capability to any file you wish to protect. While the html files will never execute, you can rest much more easily knowing that any file you add to the list has this low-level extra measure of protection. This can be applied to any file you wish, such as c:\boot.ini or the hosts file.</p>
<p>By the way, here are some examples that clearly show what you <em>don&#8217;t</em> want to deal with:</p>

<a href='http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting/attachment/fip4' title='FIP4'><img width="150" height="150" src="http://coretrace.com/wp-content/uploads/2012/01/FIP4-150x150.png" class="attachment-thumbnail" alt="FIP4" title="FIP4" /></a>
<a href='http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting/attachment/fip3' title='FIP3'><img width="150" height="150" src="http://coretrace.com/wp-content/uploads/2012/01/FIP3-150x150.png" class="attachment-thumbnail" alt="FIP3" title="FIP3" /></a>
<a href='http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting/attachment/fip2' title='FIP2'><img width="150" height="150" src="http://coretrace.com/wp-content/uploads/2012/01/FIP2-150x150.png" class="attachment-thumbnail" alt="FIP2" title="FIP2" /></a>
<a href='http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting/attachment/fip1' title='FIP1'><img width="150" height="150" src="http://coretrace.com/wp-content/uploads/2012/01/FIP1-150x150.png" class="attachment-thumbnail" alt="FIP1" title="FIP1" /></a>

]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/featured/defeating-defacement-file-integrity-protection-via-application-whitelisting/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making “Shady RAT” Useful: Open Letter to McAfee &amp; the Australian DoD&#8230;</title>
		<link>http://coretrace.com/uncategorized/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod</link>
		<comments>http://coretrace.com/uncategorized/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod#comments</comments>
		<pubDate>Fri, 05 Aug 2011 13:42:16 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Shady RAT]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3427</guid>
		<description><![CDATA[Earlier this week, I wrote a post comparing the cybersecurity strategies of the United States and Australian Departments of Defense. In that post, I applauded the Australians for having a strategy that was &#8220;detailed, well-researched and supported, and focused on &#8230; <a href="http://coretrace.com/uncategorized/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I wrote a post comparing the <a href="http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/" target="_blank">cybersecurity strategies</a> of the United States and Australian Departments of Defense. In that post, I applauded the Australians for having a strategy that was <em>&#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221;</em> The strategy was based on the DoD&#8217;s Defence Signals Directorate&#8217;s (DSD) analysis of attacks&#8211;learning from what happened to suggest approaches that would have prevented the attacks/breaches. The strategy outlined 35 mitigations, with a strong recommendation to implement the top 4 strategies (#4 is application whitelisting, btw):</p>
<blockquote><p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <strong>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</strong>.&#8221;</p></blockquote>
<p>Also earlier this week, McAfee released a report that just about everyone in the security industry has likely now read, <a href="http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf" target="_blank">“Revealed: Operation Shady RAT”</a>. The report, written by Dmitri Alperovitch, VP Threat Research at McAfee, is an eye opening read covering targeted intrusions into over 70 global companies, governments and non-profit organizations over the last 5 years. The report covers the types of organizations hit the hardest (not shockingly, defense contractors led the list with 13 of the intrusions detected), the ramifications of the breaches, estimated times each were compromised (shortest being 1 month, an honor shared by 9 victims) and even outlines the generic attack approaches utilized:<span id="more-3427"></span></p>
<blockquote><p>The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command &amp; Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.</p></blockquote>
<p>(Side note: Not to be outdone, Symantec did their own analysis of the attacks, which adds even more details. You can find that analysis <a href="http://www.symantec.com/connect/blogs/truth-behind-shady-rat" target="_blank">here</a>.)</p>
<p>In short, the McAfee report does an excellent job of driving home Dmitri&#8217;s (and most security professionals&#8217;) key message:</p>
<blockquote><p>&#8220;I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that <strong>know they’ve been compromised</strong> and those that <strong>don’t yet know</strong>.&#8221;</p></blockquote>
<p>Which finally brings me to the objective of this post. <strong>This is an Open Letter to McAfee, Symantec and the Australian DoD. Let&#8217;s find a way of making the &#8220;Operation Shady RAT&#8221; project truly useful.</strong> Please combine the known attacks from &#8220;Operation Shady RAT&#8221; with the best practice mitigation methodology utilized by the DoD in creating their 35 mitigation recommendations. Truly analyze the security processes and procedures that were in place at each victim, perhaps categorized by their effectiveness in shortening or avoiding the breach (I have to believe that the 9 entities that had the shortest compromises were doing something different than the ones that remained compromised for years), and create a modified (if necessary) version of the DoD&#8217;s mitigation recommendations. That would be truly useful&#8230; beyond the BFO (blinding flash of the obvious) from the original report: That all entities with any valuable infrastructure or information fit &#8220;into two categories: those that <em>know they’ve been compromised</em> and those that <em>don’t yet know</em>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/uncategorized/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tale of Two DoDs: U.S. &amp; Australian security plans differ in usefulness&#8230;</title>
		<link>http://coretrace.com/uncategorized/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness</link>
		<comments>http://coretrace.com/uncategorized/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness#comments</comments>
		<pubDate>Wed, 03 Aug 2011 12:47:28 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3409</guid>
		<description><![CDATA[Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies. While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by &#8230; <a href="http://coretrace.com/uncategorized/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies. While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.</p>
<p>Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD&#8217;s <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a>. The main objective of his <a href="http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/">“DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &amp; companies???”</a> post was to openly challenge the US DoD to modify their procurement and evaluation processes to enable small and innovative companies to assist in cyber defense. However, Toney also made a few other key points. Most relevant to this post is that Toney highlighted that the document was <strong><em>extremely high level and highly prone to status quo thinking and actions</em></strong>, e.g.,</p>
<blockquote><p>&#8220;Unfortunately, a significant portion of the document is simply reiterating the government’s &#8216;business as usual&#8217; tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8216;no one ever got fired for buying from&#8217; large companies and contractors.&#8221;</p></blockquote>
<p>Which brings me to the Australian DoD. In contrast to the high-level US cyberstrategy document, the Australian DoD&#8217;s <a href="http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf">“Strategies to Mitigate Targeted Cyber Intrusions”</a> plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.<span id="more-3409"></span> There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four strategies. According to the DoD&#8217;s Defence Signals Directorate (DSD):</p>
<blockquote><p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <strong>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</strong>.&#8221;</p></blockquote>
<p>I strongly recommend reading the whole document, but here are the four key strategies:</p>
<blockquote>
<p><strong>1. Patch applications</strong>, e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.</p>
<p><strong>2. Patch operating system vulnerabilities.</strong> Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.</p>
<p><strong>3. Minimize the number of users with domain or local administrative privileges.</strong> Such users should use a separate unprivileged account for email and web browsing.</p>
<p><strong>4. Implement application whitelisting</strong> to help prevent malicious software and other unapproved programs from running.</p>
</blockquote>
<p>I sincerely hope the US DoD will take a page from their Australian counterparts. Learn, adapt, and survive. It is a far better strategy than simply staying pat.</p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/uncategorized/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Top Security Stories for July: New plans, breaches, platforms &amp; arrests&#8230;</title>
		<link>http://coretrace.com/endpoint-security/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests</link>
		<comments>http://coretrace.com/endpoint-security/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests#comments</comments>
		<pubDate>Thu, 28 Jul 2011 14:23:35 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity plan]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[Lulzsec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3386</guid>
		<description><![CDATA[In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first &#8230; <a href="http://coretrace.com/endpoint-security/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the same vein, the shift to virtualization has many businesses re-thinking their existing security approaches. Will virtualization mark the end of traditional host-based antivirus solutions as we know it? Here are some of the top endpoint security stories for July 2011.</p>
<h3>DoD’s cybersecurity plan creates more questions than answers</h3>
<p>In July, the Department of Defense released its new strategy for operating in cyberspace, and how it plans to protect our nation’s computer systems and networks from cyber attacks. The plan includes a number of initiatives such as treating cyberspace as a domain it defends (with land, air, sea and space), introducing new network defenses to detect and stop malicious code, coordinating with the private sector, and working with other countries. However, in the article, <a href="http://www.infoworld.com/d/the-industry-standard/critics-us-cybersecurity-plan-has-holes-few-new-items-118">“Critics: U.S. cyber security plan has holes, few new items,”</a> the document has many analysts like Rich Mogull of Securosis wondering if the DoD can pull it off.<span id="more-3386"></span></p>
<blockquote><p><em>“Some of these things have been written about for years. The real challenge is, are they going to actually execute this?”</em></p></blockquote>
<p>While Mogull is glad to see the government is finally getting serious about improving cyber defenses, he doesn’t see anything in the new plan that the DoD isn’t already working on. For example, the government has been talking about establishing partnerships with the private industry and international community for years now. Why hasn’t this already been done? But while critics may agree developing a strategy is a good first step, achieving the initiatives is paramount to securing our nation and critical infrastructure from more dangerous, harmful cyber attacks.</p>
<h3>Shift to virtualized environments shaking up security practices</h3>
<p>As more and more businesses move to virtualized computing environments, they’re quickly learning that the <a href="http://www.networkworld.com/news/2011/071911-virtual-user.html">shift to server virtualization is creating a number of new security challenges.</a> For companies that are beyond the halfway mark of operating a 100% virtualized environment, some of the top security concerns include access control, data encryption, monitoring virtual network traffic, and improving threat detection and rogue-device identification.</p>
<p>Along with a heightened security awareness, many organizations agree they need to re-evaluate their existing strategies and look at new security approaches that will adequately protect their virtualized environments without impacting the availability and performance of their systems. Either way you look at it, today’s infrastructures are changing fast. Organizations moving to virtualized environments need to adapt their security programs and policies to accommodate virtualization.</p>
<h3>Will virtualization mark the end of host-based antivirus software?</h3>
<p>In a related story, organizations are finding that traditional host-based anti-malware is not as effective as it was in the pre-virtualized era because the main problems they face are coming from Web-based malware. According to the article, <a href="http://www.infoworld.com/d/security/host-based-antivirus-software-losing-luster-811?page=0,0">“Is hosted-based antivirus software losing luster?”</a> companies are choosing not to run antivirus software in their virtualized environments because it’s no longer useful in detecting malware and can disrupt application performance, said Johnny Hernandez, VP of information security at PrimeLending.</p>
<blockquote><p><em>&#8220;Today, we don&#8217;t run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization.&#8221;</em></p></blockquote>
<p>More telling is the fact that IT folks like Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C., doubt that most desktop antivirus software can even stop malicious code that is being unintentionally passed from employees to contractors to partners and others over the Web.</p>
<h3>Hackers target intelligence contractors</h3>
<p>The recent cyber attacks against Lockheed Martin and <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">Booz Allen</a> have shown that hackers are actively trying to steal classified government data by way of the computer networks of U.S. defense contractors.</p>
<p>In the article, <a href="http://www.msnbc.msn.com/id/43848947/ns/technology_and_science-security/t/hackers-target-intelligence-agency-contractors/">“Hackers target intelligence agency contractors,”</a> cyber criminals sent emails with malicious software to employees of contractors that work for U.S. government agencies. The spear phishing attacks contained personal information designed to deceive the highly targeted victims into clicking on infected links within the corrupt email. Once the software was installed on a computer, it downloaded payloads that enabled criminals to control a victim’s computer, access sensitive data and communicate with hackers.</p>
<p>Because the attacks target specific government contractors, experts say they are likely distributed and carried out by foreign actors, who persistently target multiple individuals to penetrate the network. To counter such attacks, government agencies and contractors need to push security standards across all endpoints within their networks and beyond the walls of their own defenses. Otherwise, their sensitive and proprietary information is only as safe as their partners’ vulnerabilities.</p>
<h3>FBI arrests 14 alleged Anonymous members</h3>
<p>As part of an international effort to crack down on cybercrime, the FBI conducted more than a dozen raids across the U.S. in July that resulted in the <a href="http://www.nbr.co.nz/article/fbi-arrests-14-alleged-anonymous-members-aw-97393">arrests of 14 members of the notorious hacker group, Anonymous,</a> which has claimed responsibility for multiple high-profile online attacks including the Internal Affairs and PayPal websites.</p>
<p>This is the latest in a number of international arrests that have shaken up the cybercrime underworld. A handful of others have been arrested in the UK and the Netherlands for alleged related cyber attacks, including an individual connected to attacks carried out by the theoretically disbanded hacktivist organization, LulzSec.</p>
<p>The ongoing cybercrime investigations are part of a concerted effort by multiple international, federal and domestic law enforcement agencies who are working together to stop coordinated cyber attacks targeting major companies and organizations.</p>
<p>I appreciate your interest in reading our blog and encourage you to provide comments and your unique perspective on the biggest stories in the security industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://coretrace.com/endpoint-security/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
