Application Whitelisting and Active Analysis
Nick Levay, Chief Security Officer, Bit9
About Me
• Chief Security Officer @ Bit9
• Former Director of Technical Operations and Information Security @ Center for American Progress
• Former Director of Global Systems and Tools @ NASDAQ:IAWK
• Practicing professionally since 1997
• Certified Information Systems Security Professional
• Educational background in Communications
• Areas of focus:
– Information Warfare
– Cyber Counterintelligence
– Security Operations
– Development Operations
– Social Media / Social Network Analysis
• NJ TN Silicon Valley Asia * DC MA
* Frequent movement between aforementioned locations
the assumption of breach
the inevitability of compromise
“In 2020, enterprises will be in a state of continuous compromise.”
-- Gartner
more like 2010…
Rethink Your Security Strategy
security is not a solution, it is a process
prevention is no longer enough: invest in detection and response
consider your technologies: move from reactive to proactive
“The attacker has the advantage.”
The attacker does not have the advantage, unless we cede it to them.
Enterprise Network as a Battlespace
Situational awareness enables real-time, accurate decisions in tactical situations.
Most enterprises have no internal or endpoint situational awareness.
prepare the battlefield
win the battle
Prepare for breach. Avoid forensics & expensive consultants.
Defense-in-depth / Layered Controls
• Network security controls – Firewalls, DPI, IDS/IPS, DLP, Email/Web Scanning, Detonation
• Service security controls – Authentication, permissions, naming lookup, lots of logging
• Endpoint security controls – Anti-virus, application control, endpoint threat detection and response
If you are depending on one control to stop an attack,
you are doing it wrong.
The Attacker’s Process & Enterprise Capabilities
• The often misunderstood meaning of “empathy”
• The “Cyber Kill Chain”™ model
– Developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin
– Useful for …
• Breaking down stages of an attacker’s process
• Formulating strategy for deploying security controls
• Facilitating iterative intelligence gathering
• Effective intelligence use
Reconnaissance Weaponization Delivery Exploitation Installation C2 AoI
DETECT – DENY – DISRUPT – DEGRADE – DECEIVE
Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO
The Endpoint in the Kill Chain
Preventing Exploitation
• Patching matters! (Most basic way to minimize threat surface)
• Enforce ASLR/DEP (Microsoft EMET)
• Inter-process memory controls
• Unfortunately, there’s little you can do at this stage
Preventing Installation
• Dropping of binaries, touching other processes, et cetera
• Blacklist approaches – Default-Allow
• Sandbox approaches – Default-Allow + “Deny-over-there”
• Trust based approaches – Default-Deny (Application Whitelisting)
• Hybrid approaches – Detonate-and-Deny, Detect-and-Deny
The Endpoint in Focus – Prevention
Default-Allow Blacklisting – Blocking known bad
• Traditional AV, based on signatures
• Ineffective for anything other than nuisance threats
• Local blacklists are still tactically useful
Opportunistic vs “Advanced” Attacks
[Chart: Hosts Compromised (log scale, 10 to 100k) against Time (Week 1 to Week 7), with two curves. Opportunistic attacks: goal is to maximize slope. “Advanced” attacks: goal is to minimize slope. A “threshold of detection” line is drawn across the chart.]
The Endpoint in Focus – Prevention
Default-Deny Whitelisting – Trust Based – Known Good
• Most effective protection
• Easy on servers and fixed function systems
• Can be challenging on dynamic endpoints
• Good application governance is key to successful implementation
• Still not a silver bullet
The Endpoint in Focus – Prevention
Sandboxes
• Mitigation of application compromise, not system protection
• Application specific sandboxes (e.g. Java, Chrome)
• Virtualization based EPP solutions
• Covers only a limited portion of the threat surface
• Can’t prevent/detect lateral movement
Challenges stopping attacks at Delivery
• Network detonation solutions often not in-line
• “Known Bad” point comes after delivery, becomes detection only
• Network assets often are not the first time a bad file is seen:
– Encrypted (No SSL MITM inspection)
– In a container (Password protected zip/rar)
– Removable media (USB stick, DVD/CDs, et cetera)
Actionable intelligence passing
[Diagram: network detonation and endpoint/server control exchanging files, alerts and intelligence]
• Incoming files on network → “Detonate” files for analysis
• Endpoint and server files → automatic analysis of all suspicious files; on-demand analysis of suspicious files
• Submit files automatically / submit files on-demand
• Transfer alerts; prioritize network alerts
• Correlate endpoint/server and network data
• Investigate scope of the threat; remediate endpoints and servers
• Threat Intelligence
Leveraging Indicators to Facilitate Detection
• IP Addresses
• Hostnames
• File Hashes
• Et cetera
Threat Intelligence
Leveraging Intelligence to Determine Trust
Software Reputation Service (SRS)
• Reputation levels for files
• Thresholds can drive approvals
• Firefox == 10, Keylogger == 0
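The default-deny trust model and the reputation threshold from the last two slides, worked through as an added example (not Bit9's code or its SRS API): the hash values, the 0..10 scores other than the slide's Firefox == 10 and Keylogger == 0, the threshold of 8 and the execution attempts are all constructed.

```python
from dataclasses import dataclass, field

# Constructed reputation scores on the slide's scale (Firefox == 10,
# Keylogger == 0). A file absent from the table has no reputation yet.
REPUTATION = {
    "sha256:1111": 10,  # firefox.exe
    "sha256:2222": 0,   # keylogger.exe
    "sha256:3333": 6,   # putty.exe: known, but not widely enough
}

@dataclass
class Policy:
    """Default-deny: a file runs only if an administrator approved its hash
    or its reputation meets the threshold (the threshold drives approval)."""
    approved_hashes: set = field(default_factory=set)
    approval_threshold: int = 8          # constructed threshold
    auto_approved: set = field(default_factory=set)

    def decide(self, sha256: str) -> tuple[str, str]:
        """Return (verdict, reason) for one execution attempt."""
        if sha256 in self.approved_hashes or sha256 in self.auto_approved:
            return "ALLOW", "approved hash"
        score = REPUTATION.get(sha256)
        if score is None:
            return "DENY", "unknown file: no reputation and not approved"
        if score >= self.approval_threshold:
            self.auto_approved.add(sha256)   # remember the approval
            return "ALLOW", f"reputation {score} >= {self.approval_threshold}"
        return "DENY", f"reputation {score} < {self.approval_threshold}"

# Constructed execution attempts: (host, path, sha256).
EVENTS = [
    ("ws01", r"C:\Program Files\Mozilla Firefox\firefox.exe", "sha256:1111"),
    ("ws01", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "sha256:2222"),
    ("ws02", r"C:\Tools\putty.exe", "sha256:3333"),
    ("ws02", r"C:\Users\bob\Downloads\invoice.exe", "sha256:9999"),
    ("srv01", r"C:\App\inhouse_agent.exe", "sha256:4444"),
]

def evaluate(policy: Policy, events) -> list[tuple[str, str, str, str]]:
    """Apply the policy to each attempt; the denied events are what the
    application-governance process reviews for explicit approval."""
    return [(host, path, *policy.decide(sha)) for host, path, sha in events]

def run_demo() -> list[tuple[str, str, str, str]]:
    # The in-house agent has no public reputation, so governance approves it
    # explicitly; everything else is decided by the reputation threshold.
    return evaluate(Policy(approved_hashes={"sha256:4444"}), EVENTS)
```

The unknown download and the low-reputation tool are denied by default rather than by a signature, which is the "known good" inversion the slide describes.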
Complete Forensic Record of Endpoint Activity
All file modifications
All file executions
All registry modifications
All network connections
Copy of every executed binary
All the information you need to respond
[Diagram: a time axis running from “seconds to minutes” to “weeks to years”; telemetry is recorded across the whole range, while detection focus is marked at discrete points along it]
Establishing a Continuous Security Process
Visibility – Know what’s running on every computer right now
• Attacks happen on the endpoint
• How can you protect your assets if you don’t know what’s running on them?
• Traditional security tools provide no visibility
• Visibility needs to be live, not poll or scan-based
Prevent – Stop threats with proactive, customizable prevention
• Reducing your attack surface
• Symantec saw 240 million unique threats in 2009 – we’ve crossed the billion mark cumulatively
• Apply trust-based policies to allow only known good software to run
Detect – Detect threats in real-time without signatures
• See and record everything
• You can’t always know what’s “bad” ahead of time
• Apply advanced indicators to detect unknown threats in real-time
Respond – See the full evolution of a threat; contain and control
• Traditional incident response is expensive and time consuming
• With historical recording, you can identify scope and impact in minutes, not weeks
• Use that information to contain, remediate and further reduce attack surface
Endpoint and Server Telemetry/Control
• Monitor & Record:
– File executions
– File modifications
– Registry modifications
– Network connections
• Retain:
– Telemetry from periods when system is offline
– Copies of all executed binaries
• Control:
– File executions
– Inter-process memory access
– Registry modifications
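How the recorded telemetry above supports the "scope and impact in minutes" claim and the iterative intelligence step from the kill-chain slide, as an added example that is not part of the deck or of any Bit9 product: a single sweep of constructed file, DNS and network-connection records against the indicator kinds the slides list (hashes, hostnames, IP addresses), followed by a pivot that proposes new hash indicators. All records, indicators and host names are constructed.

```python
# Constructed telemetry records: (timestamp, host, event_type, value).
# Timestamps are ISO-8601 strings, so lexical order is time order.
TELEMETRY = [
    ("2014-03-03T09:12:05", "ws01", "file_exec", "sha256:2222"),
    ("2014-03-03T09:12:07", "ws01", "net_conn", "198.51.100.23:443"),
    ("2014-03-03T09:12:08", "ws01", "dns", "update.example-cdn.net"),
    ("2014-03-03T10:01:44", "ws02", "file_exec", "sha256:1111"),
    ("2014-03-04T02:30:00", "ws02", "file_exec", "sha256:2222"),
    ("2014-03-04T02:30:02", "ws02", "net_conn", "198.51.100.23:443"),
    ("2014-03-04T02:31:10", "ws03", "net_conn", "198.51.100.23:8443"),
    ("2014-03-04T02:31:12", "ws03", "file_write", "sha256:7777"),
    ("2014-03-05T11:00:00", "srv01", "file_exec", "sha256:1111"),
]

# Constructed indicators of the kinds the slides list.
IOCS = {
    "hash": {"sha256:2222"},
    "ip": {"198.51.100.23"},
    "hostname": {"update.example-cdn.net"},
}

def match_ioc(event_type, value, iocs):
    """Return the indicator kind an event matches, or None."""
    if event_type in ("file_exec", "file_write") and value in iocs["hash"]:
        return "hash"
    if event_type == "net_conn" and value.rsplit(":", 1)[0] in iocs["ip"]:
        return "ip"
    if event_type == "dns" and value in iocs["hostname"]:
        return "hostname"
    return None

def scope_threat(telemetry, iocs):
    """Sweep the recorded history once and return, per affected host,
    the time of the first matching event and every indicator hit."""
    scope = {}
    for ts, host, etype, value in sorted(telemetry):
        kind = match_ioc(etype, value, iocs)
        if kind is None:
            continue
        entry = scope.setdefault(host, {"first_seen": ts, "hits": []})
        entry["hits"].append((ts, etype, value, kind))
    return scope

def pivot_new_hashes(telemetry, scope, iocs):
    """Binaries executed or written on affected hosts after their first hit
    and not yet in the indicator set: candidates for the next IOC round."""
    return {value for ts, host, etype, value in telemetry
            if host in scope and etype in ("file_exec", "file_write")
            and ts >= scope[host]["first_seen"] and value not in iocs["hash"]}
```

Because the history is already recorded, the third host is found through its network connection alone, and the binary it wrote afterwards becomes the next indicator to search for; the retained copy of that binary is what the analyst would detonate next.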
Conclusions
• Compromise is inevitable; you must plan for response
• Proactive defense starts with visibility
• You’ve got to collect telemetry from EVERYTHING
• You can leverage the home-field advantage against adversaries
• Defense tactics are changing – Shift from Default-Allow to Default-Deny
• Not all assets are protected the same way
• Your endpoints and network must work together
• There are no silver bullets
• THERE ARE TWO THINGS YOU NEED TO DO:
– Decrease your threat surface
– Increase your response capabilities
All questions welcome
Share experiences
Keep it short & leave room for others
Discussion
Thank You!