South Korea Cyber Attacks: Incident Response or Proactive Monitoring?

Last week’s malware attacks against several South Korean banks and television networks have left security experts questioning how malware continues to penetrate these “well-protected” networks. The problem is, how do we define “well protected”? Incident response teams, such as those brought in after the recent attacks on the NYT and WSJ, are part of the solution, and no one is saying they don’t do good work, but tracing the source after the fact has become the only tool many enterprises fall back on. As this Network World article on the South Korea attacks accurately states, “companies need to constantly examine hardware and software audit logs to track information that has left the network to look for abnormalities”. Constant, proactive monitoring on the endpoint is what was lacking in each of these recent attacks.

A recent Threatpost article discussed the specific wiper malware used in the attack. Wiper malware is nothing new, but this variant is notable in that it wipes any trace of itself from the infected computer, leaving incident response teams almost no way to detect it after the fact. By the time incident response arrived, the entire network had been shut down; had a proactive monitoring tool been in place, the malware could have been detected while it was still active and potentially remediated. Once again, these attacks underline that analytics-based, continuous monitoring is a necessity for mitigating similar cyber threats, not to mention for avoiding the millions of dollars spent on incident response.

As with many of these large-scale attacks, the root cause is not yet known. In this particular case, experts speculate that an offline extraction attack was used. Offline attacks have become less common recently, as most major breaches now begin with tools like spear-phishing emails to break into networks. The criminal networks behind these attacks operate from an inside foothold with a covert plan that is rarely detected until the attack has finished. There is no silver bullet here, but the first step should always be detection, in real time, not after the fact. Why are these attacks still successful? With the most sophisticated technology available in the US, most malware can be detected in less than 15 seconds, yet we still rely on incident response teams to come in hours and days after the attack. The bottom line: we should invest in proactive endpoint protection, not retroactive scrambling.


Till next time,

John Prisco, President & CEO

APTs vs. AVTs? Cutting Through the Hype

Last month, security company Mandiant released a major report revealing that several organized groups in China are actively hacking into U.S. entities. The report drew widespread attention because it is the first time there has been direct evidence, attribution if you will, that Chinese actors are responsible for what will likely become a very heated cyber war at some point.

The attacks Mandiant documented fall under what is commonly known as “Advanced Persistent Threats,” or APTs, and these threats have been around for years. Yes, APTs have allowed other countries to steal U.S. intellectual property through cyber espionage, but the security community has been battling them for quite some time. Meanwhile, while our attention has been diverted toward APT1-style attacks, a more sophisticated and dangerous attack vector has emerged and will likely become more commonplace among cyber criminals: the Advanced Volatile Threat, or AVT.

Unlike an APT, which establishes a persistence mechanism so that it runs again every time the machine reboots, an AVT comes in, exfiltrates the data it is looking for and then immediately wipes its “hands” clean, leaving no trace behind once the computer is shut down. An AVT executes entirely within the volatile memory of a computer, which means that once the machine is powered off, the AVT is gone. It’s important to note that all malware executes in memory; what distinguishes persistent malware is that it also writes itself to the hard drive so that it survives a reboot. AVTs never take that step: they take what they need from memory and are gone before anyone even knows they were there.

These “in-memory” attacks have been carried out for years, but attackers are growing more sophisticated and looking for creative ways to beat current defenses. In-memory attacks are a great way to do that, because most signature- or behavior-based tools won’t detect them. Based on our own research at Triumfant and what we’re seeing with our customers, we believe that over time the use of AVTs will increase as the preferred attack vector among very intelligent and diligent cyber criminals. The trade-off for the attacker is that each time they want to run an AVT, they have to get creative and find a fresh exploit to re-enter the system. APTs, like the ones Mandiant identified, are already in the system and stay there, and oftentimes leave telltale fingerprints behind.
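
To make the AVT point concrete: a process whose code exists only in memory still leaves evidence while it is running, and that is the window real-time tooling has to hit. What follows is an added example, not code from the original post or from Triumfant, written for Linux because procfs makes the check easy to show (a Windows equivalent would inspect image-path validity and unbacked executable regions, which is not covered here). It flags processes whose main executable has been unlinked from disk or lives in an anonymous memfd or tmpfs, plus executable memory regions with no file behind them. The markers it looks for are an assumption chosen for the example, and the procfs-style tree built by demo() is constructed sample data, not a real host.

```python
import os
import re
import tempfile

# Markers that an executable image has no backing file on disk. These cover
# the common cases (unlink after exec, memfd_create, tmpfs drop); the list
# is an assumption for the example, not an exhaustive catalogue.
DELETED_SUFFIX = " (deleted)"
MEMFD_RE = re.compile(r"^/memfd:")
SHM_PREFIX = "/dev/shm/"


def not_on_disk(path):
    """True if a mapped path points at something that no longer exists as a regular file."""
    return (path.endswith(DELETED_SUFFIX)
            or MEMFD_RE.match(path) is not None
            or path.startswith(SHM_PREFIX))


def classify_process(exe_target, maps_lines):
    """Return the reasons a process looks memory-resident only; [] if nothing stood out.

    exe_target: what readlink("/proc/<pid>/exe") returned.
    maps_lines: the lines of /proc/<pid>/maps, e.g.
        7f1e4c000000-7f1e4c021000 r-xp 00000000 08:01 1234   /usr/lib/libc.so.6
    """
    reasons = []
    if not_on_disk(exe_target):
        reasons.append("main image not on disk: " + exe_target)
    for line in maps_lines:
        parts = line.split(None, 5)          # address perms offset dev inode [path]
        if len(parts) < 5:
            continue
        addr, perms = parts[0], parts[1]
        path = parts[5].strip() if len(parts) == 6 else ""
        if "x" not in perms:
            continue                         # only executable regions matter here
        if path == "":
            # Anonymous executable memory is normal for JIT runtimes, but it is
            # also where injected code lands. Report it and let the analyst decide.
            reasons.append("anonymous executable region " + addr)
        elif not_on_disk(path):
            reasons.append("executable region " + addr + " backed by " + path)
    return reasons


def scan_proc(root="/proc"):
    """Walk a procfs tree and return {pid: reasons} for every flagged process."""
    findings = {}
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(root, name)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "maps")) as fh:
                maps = fh.readlines()
        except OSError:
            # Kernel threads have no exe link, and other processes may have
            # exited or be unreadable without privilege; skip them.
            continue
        reasons = classify_process(exe, maps)
        if reasons:
            findings[int(name)] = reasons
    return findings


def demo():
    """Build a constructed procfs-like tree (sample data, not a real host) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        # pid: (exe link target, maps lines)
        "100": ("/usr/bin/sshd", [
            "55d0c0000000-55d0c0100000 r-xp 00000000 08:01 1001 /usr/bin/sshd",
            "7f0000000000-7f0000200000 r-xp 00000000 08:01 1002 /usr/lib/libc.so.6",
        ]),
        "200": ("/tmp/.x (deleted)", [
            "55d0d0000000-55d0d0100000 r-xp 00000000 08:01 0 /tmp/.x (deleted)",
            "7f1100000000-7f1100010000 rwxp 00000000 00:00 0",
        ]),
        "300": ("/memfd:payload (deleted)", [
            "7f2200000000-7f2200020000 r-xp 00000000 00:05 77 /memfd:payload (deleted)",
        ]),
    }
    for pid, (exe, maps) in samples.items():
        pid_dir = os.path.join(root, pid)
        os.mkdir(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))
        with open(os.path.join(pid_dir, "maps"), "w") as fh:
            fh.write("\n".join(maps) + "\n")
    os.mkdir(os.path.join(root, "self"))     # non-numeric entries are ignored
    return scan_proc(root)


if __name__ == "__main__":
    for pid, reasons in sorted(demo().items()):
        print(pid, reasons)
```

On a live host, scan_proc() needs to run as root to read every process's maps. The anonymous-executable-region check is deliberately noisy (any JIT runtime trips it), so tune it against a known-good baseline of the same machine population before treating a hit as a breach; the point is that the check has to run while the process is alive, because nothing here survives a reboot.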

Given the level of sophistication involved, AVTs are often executed by state-run actors (as opposed to clumsy hackers) specifically to make sure they remain under the radar and as close to undetectable as possible. Everything about the AVT shouts “real time”: you have to be able to catch it in the act, red-handed. If you don’t catch it in real time, you’ve already lost, unlike an APT, which may take weeks or months to carry out its mission and gives you that long to find it.

We’re well aware that the security community has raised its eyebrows at the term AVT, mainly because most pen testers and the like already know about in-memory attacks and there are some tools out there that address them. To be clear, we’re not saying AVTs are new. The problem is that, up until this point, the industry as a whole has not been very good at detecting attacks in memory. Since cyber criminals are always 10 steps ahead of us, we know that they are constantly looking for creative ways to defeat our best defenses. When APTs are no longer successful because our defenses have actually improved to detect them, we firmly believe AVTs will take the limelight and be the root cause of cyber espionage and other damaging threats in the future.

Simply put, you’ve been warned.

Till next time,

John Prisco, President & CEO

Why Security Technology Continues To Fail – And How We Can Stop The Cycle: Part 2

In our last post we addressed the fundamental failure of signature-based technologies, but an effective solution is within reach.

There is a slew of new technology emerging on the market that promises to solve the “signature problem,” but the truth is that some of it doesn’t fix the problem at all. The following are a few tips and observations to help you and your organization evaluate the available solutions and choose the ones that will best defend your enterprise.

1. Current signature-based security technologies are increasingly failing to stop malware. Evaluating what a technology is actually designed to stop is a key first step in determining whether it will work for your enterprise. Many modern signature-based technologies are geared primarily toward consumer nuisance attacks, not targeted malware. Targeted attacks are engineered by an adversary with a specific end goal in mind, and defenses built for the classic “throw malware at a machine and hope it sticks” attacks leave targeted attacks a wide-open door. For targeted malware there is often no signature to be had: if one must be created after the fact, it will likely arrive too late to confront the problem. Cyber criminals have specific targets. Now it’s our job as security pros to be just as specific.

2. Older vendors and technologies are being recast as solutions, but are no better at stopping the problem. Signature-based security tools look at millions of signatures, but a signature has to be written before the technology can recognize a threat, let alone determine how it is spreading and how to stop it. With cloud computing, older vendors are recasting solutions that neglect new platforms, and cloud-based signature repositories offer more of the same: an inelegant answer to the problem. Remember, all you need to miss is one piece of malware, and your system has been compromised. Many security companies don’t talk about this “one miss and done” reality because they worry that their product can’t effectively fight off every attack, and with good reason. Even with wonderful, sophisticated databases, criminals can come up with one exploit that bypasses them.

3. Technologies that detect specific types of behavior and system changes have the best chance of actually finding and eradicating next-generation threats. Behavior detection is up and coming, but focusing solely on behavior can leave a system exposed to anything that doesn’t exhibit the behaviors being watched. Products that look at the intelligence behind an attack do have the capability to find zero-day exploits; they raise a red flag you wouldn’t expect from detection systems that are purely anomaly-based. Combining behavior detection with anomaly-based detection and removal is a vital, necessary strategy.

4. Companies and government agencies can build a new strategy that not only warns about new threats but actually helps prevent them. Although complete prevention is unattainable, companies and government agencies need to focus on detecting AND removing the threat. Most products on the market focus on the detection side and omit removal, leaving systems open to exploitation. Taking measures on both the network and the endpoint fronts is crucial if you don’t want to leave your systems exposed. The network is the easy part. Endpoint removal is the challenge, and the key.

The sophistication of today’s malware calls for a fundamental shift in the way anti-malware technology detects and remediates new threats, and in the way people and processes respond. As long as technology and people continue to rely on what they know, such as signatures, they will continue to be defeated by what they don’t know, such as polymorphic malware. And as long as that trend continues, the tide of new breaches and infections will continue to rise.

It’s time for real change in security thinking, both at the technology level and at the process level. And if we don’t take action soon, 2013 is likely to be the worst year of malware yet.

Till the next post,

John Prisco, CEO

Why Security Technology Continues To Fail – And How We Can Stop The Cycle: Part 1


In 2012, as in previous years, commercial industry and government agencies spent record amounts on information security. Yet in 2012, as in previous years, the problem of breaches and malware infections grew more acute than in any year before.

Just look at the numbers. The most recent Verizon Data Breach Investigations Report indicates that breaches involving hacking and malware were both up considerably last year, with hacking involved in 81 percent of incidents and malware involved in 69 percent. According to the Ponemon Institute’s Cost of a Data Breach Report, malicious attacks on enterprise data rose last year, and the cost of a breach is at an all-time high ($222 per lost record). According to figures posted last month by Panda Labs, more than 6 million new malware samples were detected in the third quarter alone — and more than a third of machines across the globe are already infected.

So what does this tell us? Security technology is fundamentally failing. And we, as an industry, need to take action.

One of the chief reasons for this failure is our continued reliance on signature-based anti-malware technologies, such as traditional antivirus and intrusion prevention systems. Such systems block malware by blacklisting it, an approach that works only after the malware has been recognized and its “signature” recorded in the vendor’s database. Today’s sophisticated malware avoids this defense by constantly changing, morphing into new variants and “zero-day” exploits that have not yet been detected or recorded.

Over the past month, several news organizations have once again pointed out the flaws in signature-based technologies, but even these reports are largely missing some fundamental points. A recent piece in the New York Times, for example, discusses the failure of antivirus software to stop next-generation malware. But, antivirus software imperfections have been known for years, and the Times did very little to advance the discussion of actual solutions.

Dark Reading on Dec. 27 took a more current view of the problem, discussing the flaws in today’s “layered” antimalware defenses. This article points out the flaws in today’s signature-reliant enterprise security strategies, but again, it fails to deliver much depth on how to solve the problem.

The fact is that signature-based technologies such as AV and IPS – still the cornerstones of many enterprise security strategies – are actually getting *worse* at preventing malware infections. A study published last month by Imperva indicates that the initial rate of detection of new viruses by AV solutions was less than 5 percent. While AV vendors took issue with the methods of this study, the substance of the findings is clear: signature-based solutions are failing at record rates.

With compliance regulations drowning our enterprise security professionals, proactive threat management falls by the wayside, and new technology solutions continue to neglect the data right in front of our eyes. It is time to end the failed approach and address the real issues. How will you protect your corporate network?

In our next post we’ll discuss how we, as security practitioners, can implement technology that truly combats the constant cyber threat cycle.

Till next time,

John Prisco, CEO

Breach Counts: We Don’t Know What We Don’t Know (Foghorn Leghorn Edition)

I asked a question last week on Twitter that provoked some interesting discussion and even a slap on the hand.  I thought my question was relatively simple and sensible:

Is it reasonable to wonder whether, for the breaches we know about (where the adversary was caught, for lack of a better term), we might only be viewing a sample that represents the less well conceived and/or constructed attacks?

Seemed reasonable.  I asked the question because I use the various breach reports for statistics, and they of course report on breaches that are discovered. Think back to the hide and seek of your childhood.  In my experience, the worst hiders were very likely the first caught.  I even mentioned the old Monty Python “How to Hide” sketch.  So it seemed sensible to ask if the reports were skewed to the worst hiders of the attack population.  Or to quote that great security analyst and philosopher Foghorn Leghorn: “that breach is about as sharp as a bowling ball”.

I try very hard to stay away from fear, uncertainty and doubt (FUD), but my question pushed the FUD detector of Pete Lindstrom (@SpireSec), a security analyst and founder of Spire Security, past his tolerance point.  Pete’s contention was that raising the question without supporting evidence was a form of FUD, because I was raising a level of uncertainty and perhaps fear.  Point taken, but that does not stop my intellectual curiosity, because I still believe there is a bit of a Gordian knot at play here.  I raised the question because I really study the reports and use the presented statistics to support my points about Triumfant, so I am not spreading FUD.  Foghorn would likely say that I am “more mixed up than a feather in a whirlwind”.  But the more I look at the statistics, the more I see unanswered questions that lie beyond the available evidence.

Which takes me back to the point of my original question: it is impossible to gauge the problem we collectively face in IT security because we do not know what we do not know.  And what we do not know is the proportion between detected and undetected breaches.  I raised a similar question in a blog post about malware detection rates two years ago and noted that an undetected attack is still an attack, even if we can’t count it.

The breach counts in the collective reports actually rely on two things: detection and disclosure.  The Verizon Business report is based on the Verizon caseload and cooperation from law enforcement agencies from several countries.  How many breaches are detected that do not show up on the Verizon report or the others? How many breaches are not reported to the authorities?  There are regulatory mandates that require an organization to disclose breaches that involve the loss of certain types of data, but what happens when those regulatory lines are not crossed?  The Verizon Report is actually called the Data Breach Investigations Report.

I go back to what we don’t know.  How many breaches go undiscovered?  How many breaches are discovered and not disclosed?  Are the detected and disclosed breaches representative of the broader population or are they representative of the less well written and less well executed breaches? Are the breaches in the report 99% of the breaches? 50%? The tip of the proverbial iceberg?

These questions have ramifications, particularly when we put them in the context of what evidence we do have.  For example, if we discover that the discovered breaches are not exactly, as Foghorn would note, the sharpest knives in the drawer, what does it say about the ability of organizations to detect breaches when the average time from infiltration to detection is 173.5 days as reported by the Trustwave report?

I agree with Pete: we need evidence.  Unfortunately, a reasonable conclusion that can be drawn from the collective evidence of these studies is that most organizations are not equipped to detect breaches.  Which of course adds to the conundrum: the evidence points to the fact that we will struggle to gather the proper evidence.

I don’t think the collective industry will answer these questions, because they are the uncomfortable detritus of years of placing so much emphasis on prevention. The “2011: Year of the Breach” declarations have been an uncomfortable public realization for the industry and for organizations.  Even if we were better at detecting breaches, organizations will not self-disclose unless required to do so for a variety of valid reasons.

So, FUD accusations aside, I stand by my question.  Of course, Foghorn would likely say that I “Got a mouth like a cannon. Always shooting it off”.

2011 – The Year We Recognized We Were Getting Breached

I just read the Symantec 2011 Internet Security Threat Report from cover to cover, which is a great report with a lot of great information.  But I have the same problem with this report as I do with the ones from Verizon Business, IBM X-Force, Trustwave, and Mandiant (also all great reports with great information) and several of the writers and general industry pundits.  In their report, Symantec calls 2011 “The Year of the Breach” which is consistent with the other reports and other discussions in the broader market.

I am sorry, but I just hate that term.  Hate it.  The fact that the industry, in many cases begrudgingly, has had to publicly acknowledge that shields are being evaded and organizations are getting breached does not make 2011 a milestone for breaches.  Companies were getting breached in 2010 and prior, and will be breached in 2012 and beyond.  Breaches are not a 2011 thing, or some annual phase we entered, watched peak, and ultimately ebb away.

I will agree that 2011 is the year that the IT Security Industry came to terms with the fact that vendors that sold preventative software could no longer conveniently ignore that organizations were being breached.  Many of the statistics that have been a consistent theme of reports like the Verizon Business 2012 Data Breach Investigation Report seem to have suddenly found resonance.  Statistics such as the 173.5 days on average from breach to detection reported in the Trustwave 2012 Global Security Report became impossible to ignore.

Therefore, calling 2011 “The Year of the Breach” seems disingenuous to me.  In fairness, calling 2011

“The Year We Stated the Obvious” or

“The Year We Woke Up and Smelled the Coffee” or

“The Year We Got Our Heads Out of Our Collective… (filters engaging) the Sand” or

“The Year Vendors Realized They Could No Longer Sell Just Shields”

is clearly not as catchy.

For the record, this is not a criticism of the reports or the people that produce them.  These reports are hugely informative and I respect the efforts of those who produce them.  As I noted previously, the relentless presentation of the statistics in those reports was at least partially responsible for changing the predominant messaging in the market.  The hype could no longer shout down the reality presented by the numbers.  Notice I said messaging, because I think most pragmatic, right-thinking folks in IT security already knew about the breach situation.

Don’t get me wrong; I am happy that the market has decided to recognize that organizations are being breached.  I work for the company that I think offers the best and most innovative solution for detecting breaches at the point of infiltration.  And with one child about to leave for college, I am all about contributions to the Ivers Foundation.

Which leads me to another comment about these reports.  The reports – rightfully so – talk about detected breaches.  The reports indicate that a high percentage (>90%) of breaches are discovered by someone outside of the organization, indicating that organizations are not equipped to detect breaches.  One could make the case that the breaches that get detected do not represent the best and brightest because they were detected.  Without dissolving into hype or FUD, what percentage of breaches do we really detect? All? Half? 10%?  It is a question worth asking, and as organizations begin to put breach detection capability in place, the resulting statistics will be interesting.

By the way – anyone want to place bets that 2012 will be “The Year of the Targeted Attack”?

Detection is the Horse, Investigation is the Cart – Use in That Order

I received some interesting responses from my last week’s post (Incident Detection, Then Incident Response) so let me try to answer them all collectively.

No, my post was not a knock against incident response (IR) or forensics tools.  I believe we are getting things out of order.  It is about detection first.  Better analysis? Good. Better response? Good. But it all starts with breach detection.  In fact, if we had better breach detection, organizations would actually get more value out of their IR/forensics tools.

The inability of organizations to detect breaches is easily explained.  The picture below is my attempt to illustrate what I call the Breach Detection Gap.  This gap exists between the numerous layers of prevention solutions and IR/forensics tools, leaving organizations unable to detect breaches at the point of infiltration.

The IT security market has been fixated, technically and emotionally, on prevention. Hence the numerous “usual suspects” on the left side of the breach.  I think my position is clear (crystal) that a prevention-centric strategy is doomed to failure.  Tradecraft relentlessly and rapidly evolves to evade any gains in prevention, and targeted attacks and the Advanced Persistent Threat are engineered to evade the specific defenses meant to defend their target.

IR and Forensic tools provide deep insight and valuable analysis to the breach investigation process, but are only brought to bear after the breach is detected.  Unfortunately, this is where most organizations spend the meager budget slice that is set aside for post infiltration.

The Breach Detection Gap is the critical exposure between prevention tools and IR/forensics tools that leave organizations without the means necessary to detect breaches in real-time.  Obviously, without detection there can be no timely response.  Which is my point of last week’s post: re-packaging IR tools as the solution for breach detection problems is not the answer.  The answer must start with faster and more accurate detection.

Someone also asked why I don’t name names.  I try to write this blog to stimulate thought, and while I unashamedly say where Triumfant solves specific issues, I try very hard to keep this from being an ongoing advertisement.  I also have never believed that there is any value in directly speaking in a negative manner about any other vendor.  There are some good IR/forensics tools in the market that are very hot right now, and when products get hot, the market begins to act strangely around them.  My post was not a knock on those products, but on the efforts I see in the market to position those tools with professional services as the solution to the Breach Detection Gap.  Make no mistake, the organizations around these hot products and even the vendors behind these products see this as a chance to sell professional services projects to hunt down breaches.  I will leave it to you to figure out who those vendors are, but I think in most cases the answer will be easily discerned if organizations resist the hype.

What I did not say in last week’s post is that Triumfant is positioned to detect breaches in real time.  There are ample posts that address that directly as well as a new whitepaper on our site, so I won’t go into details here.   I will say that while heuristics, behavioral, and IPS/HIPS are also being directed to the problem, I think that Triumfant’s use of change detection and the analysis of change in the context of the host machine population is uniquely suited for the role of breach detection.  You get rapid detection (real-time), and within minutes we provide detailed information to help formulate an informed response, and we custom-build a remediation to stop the attack and repair the machine.  That is rapid detection and response.
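
As an added illustration of what “analysis of change in the context of the host machine population” can look like in practice, here is a small Python sketch. It is not Triumfant’s code and makes no claim about how its product works. It assumes each host reports a flat snapshot of attribute/value pairs (file hashes, service start types, autorun entries); the attribute names and the population built by build_population() are constructed for the example. The idea it demonstrates is that a change shared by every host (a patch) is common and uninteresting, while a change that only one host shows (a new autorun, a disabled security service) is the one that deserves a look, and the same diff logic that finds it also tells you exactly what to put back.

```python
from collections import Counter


def diff_snapshot(before, after):
    """Changes on one host between two snapshots: {attr: (old, new)}.

    A value of None on either side means the attribute was absent.
    """
    changes = {}
    for attr in before.keys() | after.keys():
        old, new = before.get(attr), after.get(attr)
        if old != new:
            changes[attr] = (old, new)
    return changes


def prevalence(population):
    """Count how many hosts currently carry each (attr, value) pair."""
    counts = Counter()
    for snapshot in population.values():
        counts.update(snapshot.items())
    return counts


def rate_changes(host, before, population, rare_fraction=0.1):
    """Return the changes on `host` whose new state is rare across the population.

    population: {hostname: current snapshot}; must include `host`.
    Each result is (attr, old, new, hosts_sharing_new_state), rarest first.
    A change every host shows (a patch) is common and dropped; a change only
    this host shows (a new autorun, a disabled service) is kept.
    """
    counts = prevalence(population)
    total = len(population)
    rated = []
    for attr, (old, new) in diff_snapshot(before, population[host]).items():
        if new is None:
            # Attribute removed: count hosts that also lack it now.
            sharing = sum(1 for snap in population.values() if attr not in snap)
        else:
            sharing = counts[(attr, new)]
        if sharing / total <= rare_fraction:
            rated.append((attr, old, new, sharing))
    rated.sort(key=lambda item: (item[3], item[0]))
    return rated


def build_population():
    """Constructed sample (not real telemetry): 20 workstations after a patch cycle.

    Every host received the same kernel32.dll update; ws-07 additionally
    gained an autorun pointing at a user-writable path and had the Defender
    service set to disabled. Returns (shared baseline, current population).
    """
    kernel32 = "file:C:\\Windows\\System32\\kernel32.dll"
    defender = "service:WinDefend:start"
    before = {
        kernel32: "sha256:1111",
        defender: "auto",
        "autorun:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
            "C:\\Program Files\\OneDrive\\OneDrive.exe",
    }
    population = {}
    for i in range(20):
        snapshot = dict(before)
        snapshot[kernel32] = "sha256:2222"  # patched everywhere
        population[f"ws-{i:02d}"] = snapshot
    ws07 = population["ws-07"]
    ws07["autorun:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"] = \
        "C:\\Users\\Public\\upd.exe"
    ws07[defender] = "disabled"
    return before, population


if __name__ == "__main__":
    baseline, hosts = build_population()
    for finding in rate_changes("ws-07", baseline, hosts):
        print(finding)
```

The rare_fraction threshold is the knob: at 0.1 a change on two of twenty hosts still surfaces, which is what you want when an intruder moves laterally, while a fleet-wide patch never does. The (old, new) pair in each finding is also the remediation recipe, since reverting the attribute to its old value is exactly the repair step.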

And while Triumfant provides a wealth of IR/forensics data, we fully endorse the use of IR/forensics tools to provide the full range of post-breach investigative work.

But it all starts with detection.

Incident Detection, Then Incident Response

There seems to be an interesting and, I believe unfortunate, trend emerging in IT security:  Incident Response (IR) and Forensics tools are being wrapped in professional services and being sold as the solution to the breach detection problem. While I am happy that there is growing understanding that there is a breach detection problem, the reaction to that recognition is disappointing and misses the mark.

I think the point is obvious and is right there in the name “Incident Response”.  Response is not detection.  It is a step after detection – 1. Detect the problem. 2. Analyze the problem. 3. Fix the problem.  You could group #2 and #3 as respond, but they still follow detect.

You see, I thought detection was the issue.  While coming up with faster and more efficient ways to respond is laudable, I did not think what we needed was a better response to breaches that go undetected for an average of 173.5 days (Trustwave Report).  Just to make sure I was not missing something, I reviewed all of the excellent breach investigations and reports (Verizon Business, Trustwave, IBM X-Force, and Mandiant).  While some note the time from detection to containment, it is certainly not the focus.  The consistent message I take from my reading is that organizations are getting breached and are not prepared to detect those breaches.

Unfortunately, there are several organizations making hay with selling professional services engagements under the umbrella of incident response.  The IT security market has a long history of seeing success and extrapolating that success into a rush to copy that success.  This is one of those cases.  Then marketing kicks in and the opportunity for the market to take constructive steps forward is squelched by the vendors rushing toward the next pot of gold, and organizations being swept into the hype.  Then these same reports will come out next year and there will be collective head scratching as to why the numbers have not improved.

The winner is the adversary, who is quite fine with 173.5 days of undetected access to organizational networks.

A simple analogy is firefighting.  Firefighters diligently and continuously train to better respond to a fire when called.  There are constant technological breakthroughs in equipment that also help them respond to a fire when called.  All of that training and equipment is put into use when they are called (the fire is detected).  Firefighters are not responsible for detection, they are all about the response. And while I am not a firefighter, my guess is that firefighters would tell you that the sooner the fire is detected, the better their response.  I would also guess that rapid detection is a key component to reducing loss.  Having a better, more expensive fire investigator will not reduce loss.

The first step to solving the breach detection problem is deploying tools that rapidly detect breaches at the point of infiltration.  Studies prove that prevention tools cannot provide that detection, and IR/Forensic tools are not built for detection.  Detection must be addressed first.  Then you can deploy all of these marvelous response offerings.

Another explanation is that organizations have twisted themselves into a really unfortunate Gordian knot. Maybe they are just beginning to understand the problem, but have reconciled themselves to taking action if and when they are breached.  This is not a good strategy, because statistics say it is likely they already have been breached, but simply don’t know it yet because they lack the tools to detect breaches.  There is no more “if”, and the “when” has likely already happened.  That is not FUD, that is what the statistics say.  Once a breach is detected (the statistics say that 92% of those breaches will be detected by a third party and not the breached organization), they will spend enormous amounts of money to have someone come in and do lots of expensive analysis and make recommendations that they will likely ignore.  The organization of course must deal with the financial, regulatory, and reputational effects of the 173.5 days the adversary had access to their confidential data and intellectual property.

To paraphrase a quote from Churchill I have used before, people frequently stumble over the truth; unfortunately, they often pick themselves up and carry on as if nothing happened.  I fear this is one of those collective moments when organizations have stumbled onto the truth and will not be the better for it.

In 10 Days, the Mac Safe Haven Becomes a Botnet Spewing, APT Vulnerable OS

In rapid succession, the IT security world, not to mention the perceived cocoon of safety for Mac users, was rocked by two announcements.  On April 4, Russian antivirus company Dr. Web announced that they had discovered a Mac Botnet, called Flashback, and that the bot had infected 600,000 machines.  About ten days later, Kaspersky announced the discovery of a backdoor trojan called Backdoor.OSX.SabPub.  This attack leverages an exploit that uses malformed Word documents to deliver malware that opens a backdoor that can be used for advanced, persistent attacks.  Holy APT Batman!  Perceived safety to botnet to advanced persistent threat in 10 days!

Oh the shame.  The Mac went from safe haven to botnet-spewing, APT-exploitable platform tied to three-year-old vulnerabilities before our very eyes.  As I tweeted, the heads of the Mac fanboys and the APT crew were simultaneously exploding.  Mac users were sent to various sites to download software to check their machines for Flashback like common Windows XP users.  I could not help but wonder if some enterprising bad guys had set up malware delivery disguised as Flashback checkers; wouldn’t that have been ironic.

I am really just having some fun here.  I take no joy in the Mac becoming a target, although it is good for business.  I am also not on some war against “smug” Mac owners because I have made the jump myself.

For me, the folklore/mythology of the Mac world as a safe haven from malicious attack reminds me of a scene from the classic movie and personal favorite, Butch Cassidy and the Sundance Kid.  In this scene, Butch and Sundance have fled to Bolivia and have taken a legitimate job guarding the payroll for a mining company.  At the beginning of the scene they are riding with the old, hardened mine boss (played perfectly by the great character actor Strother Martin) and begin to argue where the inevitable ambush will occur.  The mine boss responds disdainfully: “Morons. I’ve got morons on my team. Nobody is going to rob us going down the mountain. We have got no money going down the mountain. When we have got the money, on the way back, then you can sweat.”

Mac users, I hope you have enjoyed the ride down the mountain. The recent Mac malware news just means that the downward portion is over, and now that there is a critical mass of Macs plugged into the networks and systems where the money lies, it is time for Mac users to sweat.

We could engage in what I am sure will be an animated conversation about the superiority of the Mac OS and the inherent vulnerabilities of Windows, but I contend this was all about opportunity.  Sure Windows machines were likely the road of least resistance, but malware writers have proven to be a resilient and industrious bunch and repeatedly rise to find a way around every barrier put in their path.  So now that the opportunity has arrived – what the adversary wants is on or accessible via the Mac – the Mac OS barriers will also be breached.

I should point out that Mac users are not finished with their journey into the seedy underbelly of IT security. Not surprisingly, the sales of Mac AV software have gone way up. Wait until the Mac people connect the dots that the same crew that discovered the malware also sells them AV software. Of course, that AV software will at least partially return their cocoon of safety, until they find out that motivated adversaries will drive around their new shiny AV software like a traffic cone on the interstate.

I hope they enjoyed the ride down the mountain.

Digitally Signed Malware Proves Again That Attacks Get Through Your Shields

So what, Triumfant guy, exactly gets through my shields? You tell me I will be breached and you give me statistics, but I have AV, whitelisting, deep packet inspection, and every other acronym and buzzword in place. Oh yeah, and I have “the cloud” (pause for tympani emphasis) providing me prevalence information and other cloud-based stuff.

Well, digitally signed malware gets past your protections.  Not according to me, but according to several sources – Symantec, Kaspersky, AlienVault and BitDefender – cited in a March 15, 2012 PC World article “Digitally Signed Malware Is Increasingly Prevalent, Researchers Say”.

It is the blackhat version of “these are not the droids you are looking for”, using the certificates to get the malicious code waved through. Some of the first evidence of this technique was found in 2010 in the analysis of Stuxnet. The PC World article provides evidence that the technique is showing up with increasing frequency. The article tells in good detail how it works and what protections it can evade, including whitelisting.

This technique is illustrative of the ongoing battle between good and evil in IT security.  Operating system advances in Windows 7 and other OS versions were thought to advance the security of systems, and the adversary then takes the very techniques used to make the systems more secure and subverts them to find new ways to deliver malicious code and evade protections.  I have no interest in impugning the efficacy of prevention software and I have never said to turn off protection software.  What I have said consistently is that attacks will get through your shields.  Here is yet another example of how, and demonstrates that the adversary will always find a way to get through.  No FUD here – I would point out that every vendor cited in this story is a protection software vendor.

This story also illustrates that there are no silver bullets in protection. Prospects often cite the use of whitelisting tools as their raison d’être for why they do not need something like Triumfant, but here is a clear example of how such tools are being evaded. If you need more, there is a video from Shmoocon that shows multiple techniques for evading several whitelisting tools. Yet another silver bullet falls short. I am not singling out whitelisting – it is just the current “It” tool of IT security.

Lastly, it is illustrative of how the foundations of trust have become less…well…trustworthy.  I have seen the validation process of a certificate authority up close, and let’s just say I am not shocked to know that malware writers can obtain certificates with false identities. With the RSA breach and other certificate authorities being hacked, the foundation of trust was already showing cracks.  Now we see examples of how trust can be subverted using this technique.

So if this technique essentially waves malware through your shields, how are you going to detect the infiltration?  That is where Triumfant fills the gap, detecting the zero day attacks and targeted attacks, including the advanced persistent threat, that infiltrate your endpoint machines and servers.

I once had a product manager from another company disdainfully tell me “when you find something that gets past my shields, you call me”.  I am looking for his number as soon as I finish this post.
