Post on 03-Oct-2020
eGuide: Designing a Continuous Response Architecture
Cracking the Endpoint: Insider Tips for Endpoint Security
eBook
Table of Contents
Introduction
Your Endpoints Are Vulnerable
How Vulnerable is Your Endpoint Software?
Social Engineering
Zero-Day Initiative
The Cyber Kill Chain
Inside the Head of an Attacker
Insider Tips for Endpoint Security
The Endpoint in Focus
Stopping Attacks at Delivery
How Bit9 Can Help
Summary
Introduction

Despite decades of attacks, many organizations continue to struggle with the fundamentals of endpoint security. IT organizations, large and small, continue to wrestle with basic endpoint challenges such as understanding what applications are running in their environment, who has administrative privileges, and what versions of software are installed on endpoints.

In today's dynamic security landscape, each new day brings new and different threats targeting your organization. Cyber criminals today are more sophisticated than in days past and are launching higher-profile, more coordinated attacks against specific organizations of interest. Over the past 18 months, these attacks have reached new heights as breaches across the retail, financial, entertainment, and healthcare sectors have caught the eye of the media and, for the first time, the general public. While media attention has focused on large-scale attacks, it's worth noting that the vast majority of attacks continue to be focused on small and medium businesses.

As the threat landscape has evolved, corporate servers and endpoints, and the employees operating them, have become the primary target of attack.

This eBook will outline the strategies and tactics cyber criminals use to attack corporate endpoints and servers and provide you with strategies and solutions your organization can use to arm your endpoints against these attacks.

"71 percent of attacks target user devices and this percentage continues to grow each year."
— Verizon 2013 Data Breach Investigations Report
Your Endpoints Are Vulnerable

While the motivation behind individual attacks may vary, the objective is always the same: to steal your organization's most valuable data.

In the past, the impact of cybercrime was limited to the individual level, with limited strategic scope or impact. However, with the rise of organized cybercrime and state-sponsored actors, attacks today have organizational, even national-security-level, impacts.

Since 2009, servers and end-user endpoints have risen to become the preferred point of entry for today's cyber criminals to gain a foothold in your corporate network. As a defender, it is useful to understand this, as it can help shed light on gaps you may have in your current security program and where you need to implement extra protection.

As the crown jewels of corporate data, servers have always been the number one asset cyber criminals want to breach. However, as organizations move to adopt cloud and other web-powered services, end-user devices are growing in favor: they can often serve as a backdoor into an organization's servers, and they are more likely to be operated by individuals susceptible to social engineering attacks.
Figure 1: Breaches by compromised asset category (Server, User Devices, Person, Network, Kiosk), 2009 to 2013; vertical axis 0 to 800 breaches. Source: Verizon 2014 Data Breach Investigations Report
How Vulnerable is Your Endpoint Software?

Cyber criminals often leverage vulnerabilities in software already running on a system to gain access and establish persistence on a machine.

Figure 2 lists the top 15 programs from Secunia's 2014 Vulnerability Review, Top-50 Software Portfolio. It shows the type of program (Microsoft® or third party), the 2013 market share, and the number of vulnerabilities affecting the software programs in 2012 and 2013.

For example, Adobe Reader, with an 85.6 percent market share, had:
+ Five Secunia Advisories (an approximation of the number of security events in a given period)
+ 67 Common Vulnerabilities and Exposures (CVEs: entries in the public dictionary of known information security vulnerabilities and exposures)
+ 67 in the Secunia Vulnerability Count (VULNS: the number of vulnerabilities covered by the Secunia Advisories)

We all remember when Adobe announced in October 2013 that it had been compromised. Eventually 38 million accounts were found to be affected.

According to the same report, 1,208 vulnerabilities were discovered in 27 products from seven desktop vendors in 2013, including the most used operating system, Microsoft Windows® 7. This is a 45 percent increase over the five-year trend and a four percent increase from 2012 to 2013. In addition, 68 percent of the 2013 vulnerabilities were rated as Highly Critical, while 7 percent were rated as Extremely Critical.

Figure 2: The Top Software Portfolio
Source: 2014 Secunia Vulnerability Review
Type: MS = Microsoft, TP = third party. Share = 2013 market share. Advisories = Secunia Advisories, Vulns = Secunia vulnerability count.

Rank  Type  Product                                 Share   Advisories  CVEs  Vulns
1     MS    Microsoft XML Core Services (MSXML)     99.9%   1           2     2
2     MS    Microsoft Windows Media Player          99.4%   1           1     1
3     MS    Microsoft Internet Explorer             99.1%   14          123   126
4     MS    Microsoft .NET Framework                99.1%   6           18    18
5     TP    Adobe Flash Player                      97.5%   12          56    56
6     MS    Microsoft Visual C++ Redistributable    95.4%   0           0     0
7     TP    Adobe Reader                            85.6%   5           67    67
8     MS    Microsoft Silverlight                   84.3%   3           9     9
9     MS    Microsoft PowerShell                    82.1%   0           0     0
10    TP    Oracle Java JRE                         82.1%   7           181   181
11    MS    Microsoft Windows Defender              77.1%   1           1     1
12    MS    Microsoft Word                          74.9%   4           17    17
13    MS    Microsoft Excel                         73.8%   3           6     6
14    MS    Microsoft PowerPoint                    71.7%   1           1     1
15    MS    Windows DVD Maker                       70.8%   0           0     0
Social Engineering

More often than not, cyber criminals target people rather than technology, because people are far easier to manipulate. Why break through a wall if you can convince someone to open the door?

Cyber criminals understand this, so they are increasingly using social engineering and phishing attacks to obtain stolen credentials and open a doorway into corporate networks. According to the Verizon Data Breach Investigations Report for 2013, stolen credentials are used in four out of five breaches.

The reality in today's world is that cyber criminals have learned that the weakest link in the security chain is the end user, because users are often naive and susceptible to social engineering tactics. Whether it is a mobile device or a traditional endpoint such as a workstation or laptop, cyber criminals are leveraging the end user as a primary vector to gain access, initially to a single system and ultimately to the larger corporate infrastructure.

For example, the passwords of nearly 6.5 million LinkedIn accounts were stolen by Russian cyber criminals in 2012. Owners of the affected accounts were no longer able to access them, and LinkedIn encouraged its users to change their passwords after the incident. More significant than access to a LinkedIn account is that many users reuse the same password for other online accounts, including their employee log-on. Stealing credentials from one account can therefore provide cyber criminals with access to corporate networks as well.
Zero-Day Initiative

The Zero Day Initiative (ZDI) is but one example of a website that chronicles software flaws that researchers have discovered and for which vendor advisories are still upcoming.

Figure 3 displays a portion of the Upcoming Advisories report from the Zero Day Initiative website, which shows that Microsoft and Adobe have upcoming vulnerability advisories. Not shown in this snapshot are other vendors including HP, Motorola, Lexmark, Apple, and SolarWinds, to mention a few. Cyber criminals will often look for vulnerabilities in network management software or other applications that are used by network engineers or IT professionals who have a high level of privilege. This helps the cyber criminal more quickly gain access to the high-value data they seek to steal. The Reported column is the date the flaw was reported to the vendor, and Deadline is the date ZDI will publish details whether or not a fix has shipped; in every row shown the gap is 120 days.

ZDI ID        Affected Vendor(s)  Severity   Reported                 Deadline
ZDI-CAN-2626  Microsoft           CVSS: 6.9  2014-11-06 (1 day ago)   2015-03-06
ZDI-CAN-2610  Adobe               CVSS: 6.8  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2608  Microsoft           CVSS: 5.1  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2607  Microsoft           CVSS: 2.6  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2605  Adobe               CVSS: 5.1  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2602  Adobe               CVSS: 6.8  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2601  Adobe               CVSS: 6.8  2014-11-04 (3 days ago)  2015-03-04
Figure 3: Zero Day Initiative: Upcoming Advisories
The Cyber Kill Chain

When cyber criminals seek to infiltrate an organization, they follow a sophisticated, well-defined process that enables them to leverage their skills effectively, quickly identify their targeted assets, and avoid detection.

To help security practitioners better understand and defend against this process, Lockheed Martin researchers Eric Hutchins, Mike Cloppert, and Rohan Amin developed a model known as the Cyber Kill Chain. Widely recognized as a foundational model for information security, the Cyber Kill Chain is an invaluable tool for helping security professionals understand the process and techniques cyber criminals use to plan and conduct an attack.

While the specifics and flow will vary from one attack to the next, the Cyber Kill Chain provides a model for understanding the techniques cyber criminals will use to break into your environment. Note that the Lockheed Martin paper describes seven phases, including a separate Installation phase and a final Actions on Objectives phase; this eBook folds installation into Exploitation and names the final phase Exfiltration.

Figure 4: The Cyber Kill Chain1. Phases in order: Reconnaissance, Weaponization, Delivery, Exploitation, C&C (command and control), Exfiltration.
1 http://digital-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain
Phases of the Cyber Kill Chain

Reconnaissance

Smart military planners never act without knowledge of the enemy's defenses and tactics. This is just as true in the domain of cyber warfare, as cyber criminals today spend extensive resources to understand the tactics and environment of their targets.

The first step of reconnaissance is to identify appropriate targets that, if compromised, would meet the attacker's objectives. For example, an attacker seeking to infiltrate a hospital's medical records system may target the system administrator as a likely way to gain access.

After they've selected a target, cyber criminals then attempt to gather as much intelligence as possible to inform the next stages of their attack. This can include gleaning information from public websites, social networking, media reports, and other sources. The attackers seek to learn as much as possible about their target before launching any form of attack.

Weaponization

After attackers have identified and researched an appropriate target, they then develop a weapon custom-tailored to that target. They analyze the information systems used by the target and select an exploit that affects an operating system or application known to be used by the intended victim. This may include the use of a zero-day exploit, if both required by the technical sophistication of the target and justified by the target's value to the attacker.

Attackers are reluctant to use zero-day vulnerabilities against all but the most valuable targets. Each time they launch a zero-day exploit, they run the risk of the attack being detected and made known to the security community. After this occurs, the zero-day exploit loses its effectiveness as a weapon.

When an exploit is selected, it must be embedded in a delivery mechanism appropriate to the exploit and target. For example, the attacker may embed code exploiting a vulnerability in Adobe Reader in a PDF file, while a Java exploit may be coded into a website that uses Java technology.

Delivery

After carefully selecting a target and weapon, a cyber criminal must then deliver the weapon to the intended target. Common delivery mechanisms include the following:
+ Sending a carefully designed spear-phishing message that tricks the target into clicking a link
+ Placing an infected file on a USB drive and getting it into the target's hands as a gift or leave-behind
+ Storing the infected file on a website known to be frequented by the target
+ Sharing an infected file with the target through a cloud-based file-sharing mechanism
+ SQL injection attacks, where attackers send malformed data to databases and back-end systems via websites and online forms to gain access or retrieve data

Unlike the phishing messages some attackers send to large numbers of individuals, seeking to find a couple of unwitting victims, the spear-phishing messages used by advanced threats are carefully designed to look like legitimate email sent directly to the intended victim. They make use of information that the attacker gathered during the reconnaissance phase to increase the likelihood that the target will act on the message.
Exploitation

After malware is delivered to a target system, the malware engages the selected exploit mechanism to gain control of the system. The exploit initially runs with the privileges of the application it compromised; combined with privilege escalation, this gives the weapon the ability to manipulate the target system with administrative privileges. That level of access enables the weapon to configure system settings, install additional malware, and perform other actions normally limited to system administrators.

Command and Control

After a system is compromised, cyber criminals typically attempt to establish outbound connections to command-and-control servers. These command links provide attackers with a way to communicate with the software on their victim systems without establishing a direct inbound connection.

The connections made to command-and-control servers often use standard HTTPS connections to emulate normal web browsing activity. Because the connections are encrypted, their content is indistinguishable from any other HTTPS connection unless TLS is inspected; what remains visible is metadata such as the destination, the timing and size of the connections, and the certificate presented. This approach allows cyber criminals to limit the likelihood of their detection by intrusion detection systems monitoring traffic on the victim organization's network.

In addition to bypassing intrusion detection systems, the command-and-control connection is also designed to evade firewall controls on the victim network. While most network firewalls are set to block unsolicited inbound connections from the Internet, they often allow unrestricted or minimally restricted access to Internet sites when a system on the internal network initiates the connection. The attacker may then use this command-and-control connection to deliver instructions to the compromised system.

Exfiltration

The ultimate goal of the attack, exfiltration, is the stealing and removal of corporate or consumer data from your network. Having established persistence, the cyber criminal can and will remain present inside your corporate network for weeks, months, or years at a time to slowly exfiltrate organizational data. Today, it takes organizations on average more than 200 days to detect an attack, providing attackers with more than enough time to identify, steal, and exfiltrate large amounts of critical data.
Inside the Head of an Attacker

To help you understand how each of these phases is executed, we will describe a fictional attack so you can see the Cyber Kill Chain in action.

Step 1: Reconnaissance

Joe is a hacker looking to infiltrate Company X. He uses LinkedIn to identify employees who work there, primarily focusing on the company's engineers. He starts to stalk some engineers on LinkedIn, Twitter, Facebook, and their blogs. He sees that several of the engineers announce on Foursquare when they go to the Starbucks location next to their company headquarters for lunch. Joe goes to this Starbucks location and watches the engineers work on their laptops. He starts to sniff traffic using tools like Firesheep and sees some of the basic information that the engineers are sending across the untrusted network.

Soon, Joe is grabbing data off the open network. He now has a few email addresses and knows what web sites the engineers are visiting, including techstuffs.com. With more reconnaissance work on LinkedIn, Google Groups, Facebook, and Maltego, Joe knows who knows whom and begins to build an idea of how these engineers operate and what goes on in their lives.

Joe then calls the organization's help desk and gets information about the standard builds on the company's endpoints. He goes to online support forums to see if any of these engineers have ever posted anything.

Step 2: Weaponization and Delivery

Once Joe has enough information, he is ready to take the next step: a spear-phishing attack. This takes the form of a personalized email from engineer #1 (one of the engineers he tracked online at Starbucks) to engineer #2 (Joe obtained this email address during reconnaissance). The email is very personal and very casual. It says, "Hey man, here is a catalog I found for tech stuff and it happens to have a discount code in it, check it out."

Using social media, industry events, and information on the company website, Joe will work hard to embellish the "lure" in this spear-phishing tactic to build a message that appears familiar and relevant to the target. In some extremely sophisticated attacks, Joe may even attend corporate or industry events in which the target participates.

Callout from the figure: Captured during reconnaissance: email address (engineer@gmail.com), friend's email (Engineer2@gmail.com), interests (www.techstuff.com). The sender address is spoofed, of course, and the recipient is most certainly clicking the link.
With a tailored subject line and message, the "lure" will contain a malformed document, perhaps a spreadsheet, or it will prompt the recipient to visit a dummy website or run a program.

If the engineer does not take the initial lure, Joe will continue to try him at different times with tweaked subject lines, messages, and payload vehicles.

Step 3: Exploitation

When engineer #2 clicks on the spear-phishing email link, the attachment is not an ordinary PDF but a malicious PDF with embedded code that secretly drops an unknown malicious payload onto engineer #2's machine. Opening this PDF kicks off a chain reaction which provides Joe with a foothold into the corporate environment and achieves his necessary first step, persistence. This chain reaction can include the dropping of additional payloads, automated lateral movement to other network machines, and ultimately an attempt to connect outside the network, on a different communication channel, back to Joe to kick off step 4, command and control.

Step 4: Command and Control

Having infected engineer #2's machine and successfully established both persistence on the system and outbound connectivity, Joe is able to step into the driver's seat. With outbound connectivity and remote control over engineer #2's system, Joe can now initiate a plethora of further malicious activities to advance his goals.

He could begin recording engineer #2's activity and conversations by copying emails and keystrokes, or even by accessing his computer's camera and microphone. He could attempt to move laterally and establish additional infections on corporate servers or on another high-value user's machine, such as an executive's, to gain access to log-in credentials or files of particular interest or value.

Step 5: Exfiltration

Once Joe has located targeted data, he will begin leveraging his C&C connections to exfiltrate data. This could be done in a single push, but is more commonly done over a period of weeks or months to avoid detection.

Having established persistence within a network, Joe will often bounce between step 4 and step 5 as new information of value is discovered or as new infections are made. The key point to understand is that the advancement of an attack to step 5, the exfiltration of data, does not constitute the end of an attack. In fact, it can often be just the beginning, as attackers continue to leverage their foothold to steal new information or compromise additional systems, both inside and outside of your organization.
Insider Tips for Endpoint Security

In order to detect and stop cyber-attacks, you must have "empathy" with the cyber criminal, get into the head of the attacker, and figure out how he or she thinks. As in a combat situation, it is useful to think like your adversary and have a model, such as the Cyber Kill Chain, to align your defense to reflect the realities of the war you are fighting.

Bear in mind that you have the home-field advantage and can acquire various tools to detect and deny attacks by disrupting or degrading the attack and deceiving the cyber criminal. Your objective is to respond to attacks by actively engaging with the cyber criminal. In this way, you can reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

The Reconnaissance Phase

The reconnaissance phase is an important part of this model for the cybercriminal, but unfortunately you, as the victim, do not have a view into it. If a cybercriminal is using Shodan, Google, or sites like LinkedIn to get information about you, you do not necessarily know it. However, you can use one little trick to get a clue that somebody is doing reconnaissance on you.

For example, Frank, a security professional, knows that cybercriminals search technical forums looking for instances where administrators are careless when asking questions, perhaps posting sensitive data such as a router configuration. Frank put together a fake configuration for a Cisco router. It contained an access password and an IP address, and he posted it within a question to one of the forums. The IP address in the fake router config actually pointed to a honeypot that Frank's team created. When someone came into the honeypot, logging in with the user name and password from the fake router config, it signaled Frank that someone was actively performing reconnaissance on the company's network.

There are opportunities to detect this kind of behavior if you execute security strategies like this. In addition, you can set up tar pits and make sure that you are alerted when people do Google-style reconnaissance on you.
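Frank's canary trick, as an added example that is not code from the eBook or from Bit9: a short Python script that derives a unique, unguessable username and password for each place the fake configuration is posted, renders the bait config with the honeypot as its management address, and then scans honeypot login attempts for those credentials. The IOS snippet, the honeypot log format, the seed, the forum names and all addresses and log lines are constructed for the example.

```python
"""Canary credentials for detecting reconnaissance.

Added example, not code from the eBook or from Bit9. Each planting
location gets its own credential pair, so a hit on the honeypot also
tells you which post the attacker read. Everything below (seed, forum
names, addresses, log format) is constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Canary:
    username: str
    password: str
    planted_at: str  # where the fake configuration was posted


def make_canary(seed: str, planted_at: str) -> Canary:
    """Derive a unique credential pair per planting location from a private seed.

    Keep the seed secret: a guessable one would let an attacker tell a
    canary from a real leak.
    """
    digest = hashlib.sha256(f"{seed}|{planted_at}".encode()).hexdigest()
    return Canary(username=f"netops{digest[:4]}", password=digest[8:20], planted_at=planted_at)


def fake_cisco_config(canary: Canary, mgmt_ip: str) -> str:
    """Render the bait: a plausible IOS snippet whose address is the honeypot, not a real device."""
    return "\n".join([
        "hostname core-rtr-01",
        f"username {canary.username} privilege 15 secret {canary.password}",
        "interface GigabitEthernet0/0",
        f" ip address {mgmt_ip} 255.255.255.0",
        "line vty 0 4",
        " login local",
        " transport input ssh",
    ])


# Constructed honeypot log format: one line per SSH login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) honeypot sshd: login attempt user=(?P<user>\S+) pass=(?P<pw>\S+) from=(?P<src>\S+)$"
)


class CanaryMonitor:
    def __init__(self, canaries: Iterable[Canary]):
        self._by_cred: Dict[Tuple[str, str], Canary] = {(c.username, c.password): c for c in canaries}
        self._by_user: Dict[str, Canary] = {c.username: c for c in self._by_cred.values()}

    def check_line(self, line: str) -> Optional[dict]:
        """Alert if the attempt used a canary credential pair or just a canary username.

        The username exists nowhere but the planted post, so a wrong password
        with the right username still proves someone read that post.
        """
        m = LOG_RE.match(line)
        if not m:
            return None
        key = (m["user"], m["pw"])
        canary = self._by_cred.get(key) or self._by_user.get(m["user"])
        if canary is None:
            return None
        return {
            "timestamp": m["ts"],
            "source_ip": m["src"],
            "planted_at": canary.planted_at,
            "exact_credentials": key in self._by_cred,
        }

    def scan(self, lines: Iterable[str]) -> List[dict]:
        return [a for a in (self.check_line(line) for line in lines) if a is not None]


SEED = "replace-with-a-private-random-seed"  # constructed; keep the real one secret
CANARIES = [
    make_canary(SEED, "forum.example/networking/thread-4821"),
    make_canary(SEED, "pastebin.example/raw/Q3x"),
]

# Constructed honeypot log: a commodity brute-force attempt, then two canary hits.
SAMPLE_LOG = [
    "2014-11-06T09:12:01Z honeypot sshd: login attempt user=root pass=123456 from=198.51.100.23",
    f"2014-11-06T09:40:17Z honeypot sshd: login attempt user={CANARIES[0].username} pass={CANARIES[0].password} from=203.0.113.7",
    f"2014-11-06T11:02:44Z honeypot sshd: login attempt user={CANARIES[1].username} pass=cisco123 from=203.0.113.9",
]


def demo() -> List[dict]:
    return CanaryMonitor(CANARIES).scan(SAMPLE_LOG)


if __name__ == "__main__":
    print(fake_cisco_config(CANARIES[0], "192.0.2.10"))
    for alert in demo():
        print(alert)
```

Because each posting location gets its own credential pair, a hit tells you not just that someone is doing reconnaissance but which post they found, and the commodity root/123456 noise that every Internet-facing honeypot sees is ignored. Never reuse a real password or a real device address in the bait, and keep the seed private.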
The Weaponization Phase

Obviously, as an intended victim, you do not have any direct visibility into this phase. However, it is important that you understand what is happening, as it can provide intelligence you can use to prevent future attacks.

Even the most sophisticated cybercriminals have a tendency to reuse certain toolkits and techniques. If you have an understanding of these, you can leverage this intelligence to detect an attack at the next phase, which is delivery.

Insider Tip: Leverage intelligence-sharing communities, such as ISACs, to stay up to date on the latest cyber war weapons.

Reconnaissance
Adversary Activity: Research; Identification and Selection of Targets; Website Crawling, Googling, et cetera
Potential Intelligence for Defender: IP Addresses; Identifying Agent Strings or Referrals; Unique Browser/Crawler Behavior; Areas of Focus

Weaponization
Adversary Activity: Creating a Deliverable Payload; Scripting Actions; Crafting Phish Bait; Setting Up a Waterhole
Potential Intelligence for Defender: Trojan Toolkits; Obfuscation Techniques
The Delivery Phase

The Delivery Phase is the first time an attack comes into your realm of control. This is the point where a spear-phishing email is delivered or someone receives a link over Twitter, instant messaging, or Skype. The attack can also be a waterhole attack, where delivery is multi-staged. For example, the cybercriminal may pose as someone the victim knows and ask a question to entice conversation via several emails back and forth. Eventually, the cybercriminal sends an email with a link or attachment, the attack payload. It is important that you are aware of these kinds of social engineering tactics.

The Exploitation Phase

Many times, traditional endpoint defenses are incapable of preventing exploitation by advanced attacks. However, there are actions your organization can take to reduce your attack surface, such as rapidly installing updates and patches and deploying application control solutions that only allow trusted software to execute. Regardless of your current capabilities, you can get a decent amount of intelligence from this phase. If you have real-time visibility into your endpoints, you will know what vulnerabilities and exploit techniques the cyber criminal used. You can also identify techniques or specific malware signatures that the cyber criminal may reuse on other devices inside your organization.

The exploitation phase is where endpoint security comes into play, because it involves dropping files, making a registry change, stealing a cookie, or any activity that establishes a persistence mechanism or a potential means to access your system.

If you can consistently stop a targeted attack at this phase, you can reduce the risk of a data breach. Network defenses, such as sandboxes, can provide a first line of defense. These technologies can give the cyber criminal the impression that he achieved a successful installation, but ultimately you must secure the endpoint, as it is the primary target of an attack.

This is a very good example of using deception to trick the cyber criminal and let him think he actually reached the C&C phase. Unfortunately, in most cases sandboxing will not stop an application from executing in your environment, but it can help you identify malicious activity faster. Ideally, your organization should deploy an endpoint solution that integrates with your network security defenses to coordinate the identification and blocking of malicious software.

Delivery
Adversary Activity: Transmission of Weapon to Target Environment; Sending an Attachment via Email; Sending a Link via Twitter, IM, Email; Attacking a Webserver; Might Be Multi-Stage
Potential Intelligence for Defender: IP Addresses; Hostnames; Email Senders; Identifying Browser Information; Handles on Twitter, IM, etc.; Payload Characteristics; Filenames; Targeted Individuals; and more

Exploitation
Adversary Activity: Weapon Will Exploit a Vulnerability or Flaw; Tricking a User; Installation of RAT or Backdoor; Change to System Configuration
Potential Intelligence for Defender: Vulnerability Details; Exploit Techniques; Social Engineering Techniques; Details of Malware; Changes to System Configuration
Command and Control Phase

This phase is your last chance to stop an attack before the attacker reaches your data. Using available tools, you can detect when something beacons out and block it, or detect when something beacons out and quarantine the host. Either way, you break the kill chain. While IP blacklisting and IP anomaly detection systems can help, cyber criminals have developed ever more sophisticated techniques to evade these types of traditional network alerting systems.
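Both the kill chain description of command and control above and this defensive phase make the same point: an HTTPS beacon hides its content, but it still has to connect out on a schedule. The following added example (not code from the eBook or from Bit9) shows one way to find such beacons in outbound proxy logs: group connections by source and destination, compute the coefficient of variation of the gaps between them, and flag destinations contacted many times at near-constant intervals. The log format and every host, address, timestamp and byte count are constructed for the example.

```python
"""Beacon detection over outbound proxy logs.

Added example, not code from the eBook or from Bit9. Timing is what an
encrypted C&C channel cannot hide: a timer-driven beacon produces gaps
with a very low coefficient of variation (CV), while human browsing is
bursty. All hosts, addresses and timestamps below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed proxy log format: "<ISO-8601 UTC> <src_ip> <dst_host> <bytes_out>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")


def parse(lines) -> Dict[Tuple[str, str], List[Tuple[float, int]]]:
    """Group (epoch seconds, bytes_out) per (src, dst); unparsable lines are skipped."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        flows[(m["src"], m["dst"])].append((ts, int(m["bytes"])))
    return flows


def beacon_score(times: List[float]) -> Optional[dict]:
    """Regularity of a connection series: CV of the gaps between connections.

    CV near 0 means the gaps are almost identical (a timer); CV around 1 or
    higher means bursty, human-like traffic. Needs at least two gaps.
    """
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return {"count": len(times), "mean_gap_s": mean, "cv": statistics.pstdev(gaps) / mean}


def find_beacons(lines, min_connections: int = 6, max_cv: float = 0.15) -> List[dict]:
    """Flag (src, dst) pairs seen at least min_connections times at regular intervals."""
    findings = []
    for (src, dst), events in parse(lines).items():
        score = beacon_score([t for t, _ in events])
        if score is None or score["count"] < min_connections or score["cv"] > max_cv:
            continue
        sizes = [b for _, b in events]
        # Identical request sizes are a second hint of an automated check-in.
        findings.append({"src": src, "dst": dst, **score, "size_spread": max(sizes) - min(sizes)})
    return sorted(findings, key=lambda f: f["cv"])


# Constructed log: 10.0.0.5 beacons every ~5 minutes (a few seconds of jitter)
# to update-check.example.net while browsing normally elsewhere; 10.0.0.7 makes
# a few unrelated requests.
SAMPLE_LOG = [
    "2014-11-06T09:00:00Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:01:10Z 10.0.0.5 www.example.com 18322",
    "2014-11-06T09:01:12Z 10.0.0.5 www.example.com 2210",
    "2014-11-06T09:01:13Z 10.0.0.5 www.example.com 77015",
    "2014-11-06T09:05:02Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:09:58Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:14:40Z 10.0.0.5 www.example.com 4100",
    "2014-11-06T09:15:01Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:19:59Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:22:05Z 10.0.0.5 www.example.com 9120",
    "2014-11-06T09:22:07Z 10.0.0.5 www.example.com 640",
    "2014-11-06T09:25:03Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:30:00Z 10.0.0.5 update-check.example.net 512",
    "2014-11-06T09:03:30Z 10.0.0.7 cdn.example.org 30011",
    "2014-11-06T09:03:31Z 10.0.0.7 cdn.example.org 120400",
    "2014-11-06T09:03:33Z 10.0.0.7 cdn.example.org 8800",
]


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, mean gap "
              f"{f['mean_gap_s']:.0f}s, cv {f['cv']:.3f}, size spread {f['size_spread']} bytes")
```

On the constructed log only the update-check.example.net series is flagged (seven connections, mean gap 300 s, CV about 0.01); the browsing to www.example.com has six connections but a CV above 1, and the cdn.example.org traffic has too few. Thresholds matter: an attacker who adds large random jitter or sleeps for hours pushes the CV up, so in practice you widen max_cv, look at longer windows, add the destination's age and reputation, and run the same check on DNS queries. Conversely, legitimate update checkers and monitoring agents beacon too, so a hit is a lead for the endpoint team, not a verdict.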
Exfiltration

This is the final phase of the Cyber Kill Chain. The cyber criminal now has a foothold on an endpoint or a server and he owns that machine. He is exfiltrating data out of your organization. At this point, you have been breached and the Cyber Kill Chain ends. Now, the question you ask yourself is not "Will there be damage?" but rather "How great will the damage be?"

From this point, the cybercriminal can go many different ways. For example, he might:
+ Focus on privilege escalation and getting information off the machines he has compromised
+ Start scanning or trying to enumerate the network from the inside
+ Use this opportunity to study the network to launch a more complex attack
+ Already have stolen credentials and attempt to use them

Exfiltration
Adversary Activity: Achieve Original Objectives; Privilege Escalation; Internal Reconnaissance; Lateral Movement; Data Collection; Data Exfiltration
Potential Intelligence for Defender: Adversary's Information Targets; Additional Tools Used
The Endpoint in Focus

There are several ways you can prevent exploitation. First, minimize your attack surface by keeping software up to date and implementing solutions that only allow trusted software to execute. In the past, when Microsoft released security updates and patches, most IT teams installed them on a handful of workstations or non-essential servers and waited for two weeks before installing the update across the entire fleet. Today, that is not the case. When security updates drop, you must get them in place within 24 hours for servers and 48 hours for desktops.

Today, Microsoft does extremely good regression testing, and we do not see security updates that have a major operational impact. However, if you are six months behind in updates, that may not be the case, another reason why we recommend that you stay on top of updates and patches. It is worth investing time to achieve the level of operational excellence you need to get updates and patches installed quickly.

When Microsoft makes its Patch Tuesday announcements, always refer to its Exploitability Index. This helps you prioritize security bulletin deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited.2 If you see something that is potentially exploitable, even if it has not been seen in the wild,3 you can assume it will be exploited quickly.

To prevent the installation of malware, there are several approaches that vendors incorporate into their security solutions:
+ Signature-based Blacklisting
+ Application Containers
+ Trust-based Application Control

Figure 5: Example of an Exploitability Assessment
Bulletin: MS14-xxx
Vulnerability Title: Use After Free Vulnerability
CVE ID: CVE-2014-XXXX
Exploitability Assessment for Latest Software Release: 2 - Exploitation Less Likely
Exploitability Assessment for Older Software Release: 1 - Exploitation More Likely
Denial of Service Exploitability Assessment: Temporary
Key Notes: (blank)

2 http://technet.microsoft.com/en-us/security/cc998259.aspx
3 http://searchsecurity.techtarget.com/definition/in-the-wild
Signature-based Blacklisting, or traditional anti-virus software, stops malware installation based on a default-allow approach. This means the software has a list of known bad conditions and if an attack matches a bad condition, the anti-virus software will not allow it to run.
Today, the blacklist approach is rarely effective and only of real use against nuisance malware. Advanced cyber criminals will use various packing techniques to get past most antivirus software and go undetected. While there is no reason not to filter against known bad, you cannot count on it as your only approach; it should be integrated with signature-less approaches to advanced threat prevention, such as application whitelisting.
Application Containers are an increasingly popular approach, and leading endpoint providers offer integrations to take advantage of network-based sandbox technologies. While containers can be useful, most of these solutions do not natively protect your organization's endpoints from advanced attacks. While a few select vendors have attempted to bring containers, or micro-virtualization, to the endpoint, these solutions are often Windows-only and even then protect only a select list of applications. With these limitations they cannot stop all zero-day attacks or attacks targeting vulnerabilities in unprotected applications.
Last, and most importantly, there are trust-based approaches that stop the installation of malware based on a default-deny approach. For any application or condition to run, it has to be approved by name, by publisher, by reputation, or via other mechanisms. Proven to be effective against advanced attacks, trust-based solutions are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
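The difference between the default-allow and default-deny models is easiest to see side by side. The following is an added example, not code from the eBook or from Bit9: it applies a hash blacklist and a trust-based allow policy (approval by name, by publisher, or by reputation) to the same set of files. The "executables" are constructed byte strings standing in for files on disk, the publisher field stands in for a verified code-signing identity, and every hash, file name and publisher string is made up for the demonstration. The repacked dropper keeps the behaviour of the known one but carries a different packer stub, so its hash is new: the blacklist lets it run, the default-deny policy does not.

```python
"""Default-allow blacklisting beside default-deny application control.

Added example (not from the eBook or Bit9). All sample files, hashes and
publisher names are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Executable:
    name: str
    data: bytes
    publisher: Optional[str] = None  # verified signer identity, None if unsigned (constructed)

    @property
    def digest(self) -> str:
        return sha256(self.data)


# Constructed sample files. The repacked dropper behaves like the known one but has a new hash.
KNOWN_DROPPER = Executable("dropper.exe", b"MZ-constructed-dropper-v1")
REPACKED_DROPPER = Executable("invoice.exe", b"MZ-constructed-dropper-v1-new-packer-stub")
VENDOR_APP = Executable("editor.exe", b"MZ-constructed-vendor-editor", publisher="Example Vendor Inc.")
IT_TOOL = Executable("inventory.exe", b"MZ-constructed-inventory-tool")  # unsigned, approved by IT

# --- Signature-based blacklisting: default-allow, only known-bad hashes are stopped ---------
BLACKLIST = {KNOWN_DROPPER.digest}


def blacklist_policy(exe: Executable) -> str:
    return "deny" if exe.digest in BLACKLIST else "allow"


# --- Trust-based application control: default-deny, something must vouch for the file -------
APPROVED_HASHES = {IT_TOOL.digest}            # approved by name (hash) by IT
TRUSTED_PUBLISHERS = {"Example Vendor Inc."}  # approved by publisher
REPUTATION: Dict[str, str] = {}               # stand-in for a cloud reputation lookup


def trust_policy(exe: Executable) -> str:
    if exe.digest in APPROVED_HASHES:
        return "allow"
    if exe.publisher is not None and exe.publisher in TRUSTED_PUBLISHERS:
        return "allow"
    if REPUTATION.get(exe.digest) == "trusted":
        return "allow"
    return "deny"  # the default: nothing vouched for it


def compare(executables: List[Executable]) -> Dict[str, Tuple[str, str]]:
    """Map file name -> (blacklist decision, trust-based decision)."""
    return {e.name: (blacklist_policy(e), trust_policy(e)) for e in executables}


if __name__ == "__main__":
    for name, (bl, tr) in compare([KNOWN_DROPPER, REPACKED_DROPPER, VENDOR_APP, IT_TOOL]).items():
        print(f"{name:14s} blacklist={bl:5s} trust-based={tr}")
```

In a real deployment the publisher check is backed by signature verification against a trusted certificate chain and the reputation lookup by an external service; the shape of the decision, allow only what is vouched for and deny the rest, is the same.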
[Figure: New Malware per year, 2006 to 2014 (count, 0 to 140,000,000). Inset: Antivirus Detection Rates, 1st Percentile - Least Detected Malware (Advanced Attacks): % AV vendors detecting (0% to 100%) against days to detection (0 to 300).]
Stopping Attacks at Delivery
A very effective technology to stop attacks at delivery is network detonation. Detonation software, such as FireEye or Palo Alto Networks WildFire, sees executable code coming over the network, determines whether it is malware (based on what it does versus matching against a signature), and if bad, detonates it. Network detonation software is incredibly useful and moderately effective at protecting activity for devices inside a corporate network. However, network detonation solutions will not protect a device when an employee is working offline – an increasingly common scenario with mobile employees. In addition, many solutions monitor the network passively and are not in line. In these instances, there can be a lag between execution and detonation. This lag can provide an opportunity for an attacker to deploy a secondary payload that can go undetected. To help address this issue, leading endpoint security solutions offer integrations with network detonation services to extend these capabilities beyond the network by sending files from off-network endpoints for analysis.
Even if an employee is working online, bad conditions do not always present initially on the network. If a file comes in over an encrypted tunnel, like SSL, and you do not have an SSL man in the middle, you might not see it. If that file comes in some type of container, like a ZIP, RAR, or 7Z archive for example, the network detonation software cannot examine inside that container and will let a bad condition get into the network. Lastly, a USB stick with a Trojan virus is also going to be first seen at the endpoint.
How Bit9 Can Help
The Bit9 Security Platform provides real-time visibility, detection, response, and proactive, customizable signature-less prevention from advanced persistent threats. At the heart of the Bit9 Security Platform is a unique policy-driven approach to application control. It combines real-time visibility and a file discovery agent with IT-driven controls, aided by trust ratings from the Bit9 Threat Intelligence Cloud, to help organizations simplify and automate the set-up and administration of a secure whitelisting platform. This results in a customizable application control solution that combines the highest level of advanced threat protection with minimal end-user impact and administrative overhead.
With Bit9, you get three forms of protection:
+ Default-Deny: allows only software you trust to run and treats everything else as suspicious
+ Detonate-and-Deny: Bit9 automatically sends files from endpoints to network detonation services to be detonated and evaluated for suspicious behavior
+ Detect-and-Deny: Leverages advanced threat indicators to identify patterns of compromise and enables a security administrator to identify and ban malicious files where appropriate with little to no end-user impact
To learn more about the Bit9 Security Platform, please visit www.bit9.com/solutions/security-platform
Summary
Today, cyber criminals are more sophisticated, using complex attack strategies and social engineering tactics to get into corporate networks. The reality in today's world is that cyber criminals target your endpoints and end users to gain access to your company's most critical and valuable data. Many times, your employees are not diligent about data protection, are naïve about hacker strategies, or too trusting in the Internet of Everything world. It is getting more difficult to keep up with cyber criminals' exploits, particularly in large distributed environments where you have thousands of global users.
To ensure the protection of your endpoints, your organization must execute several strategies:
+ Incorporate the Cyber Kill Chain into your strategy. This model will help you identify and determine how far an attack has progressed and where / how the damage occurs.
+ To take advantage of the information you can gather via the Cyber Kill Chain, acquire the tools you need to detect and deny attacks by disrupting or degrading the attack and deceiving and engaging with the cyber criminal. This can help reduce the time it takes to detect and respond to an attack from days or weeks to seconds.
+ Be sure to quickly install updates and patches to reduce your attack surface.
+ To prevent the installation of malware, install an application control solution that only allows trusted software to execute.
Today, there are three types of data protection software:
+ Anti-virus software is a blacklisting approach that is rarely effective and only stops nuisance malware. Cyber criminals can use various packing techniques to get past most antivirus software and go undetected. While valuable at stopping nuisance malware, organizations should look to leverage antivirus solutions that are integrated with next-generation endpoint protection platforms.
+ While application containers can be useful, most of these solutions cannot protect your organization's endpoints from zero-day attacks, attacks targeting unpatched vulnerabilities, non-Windows machines, or actors in lateral movement. Many also do not provide real-time visibility into endpoint activity.
+ Trust-based approaches that stop the installation of malware based on a default-deny approach are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
+ Some organizations cannot implement default-deny, especially in cases where IT doesn't have full control over the software on a given endpoint and must allow end users to install software on-demand. In those cases, multistage detect-and-deny and detonate-and-deny are the best strategies to bridge this gap.
Lastly, it is important that you integrate your entire security stack so that your network devices and endpoint security solutions pass information back and forth. Intelligence is useful but can have a short life. The sooner you know that a security breach has happened, the sooner you can stop it.
ABOUT BIT9 + CARBON BLACK
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable.
More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.
© 2015 Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.
266 Second Avenue, Waltham, MA 02451 USA  P 617.393.7400  F 617.393.7499  www.bit9.com
20150318