Transcript of The Role of Application Control in a Zero-Day Reality
Today’s Speakers
Paul Zimski, VP of Solution Strategy, Lumension
Richard StiennonChief Research AnalystIT-Harvest
Today’s Agenda
Evolution of Game Changing Threats
Securing Endpoints from Zero-Day Attacks
Q&A
Game Changers: Targeting, Custom Trojans and Zero-Day Malware
Threat hierarchy is a time line!
• Information Warfare
• CyberCrime
• Hacktivism
• Vandalism
• Experimentation
Custom Trojans, tools of the trade
Michael Haephrati shows us how.
China knows Trojans
• In the UK, the Home Office has warned about a spate of attacks in recent months involving e-mail Trojans. "We have never seen anything like this in terms of the industrial scale of this series of attacks," said Roger Cumming, director of NISCC
Shawn Carpenter uncovers Titan Rain
• From Z-machine mechanic to IDS analyst
• Fort Dix attack
• Sandia
GhostNet
• 1,200 computers including ministry and NATO machines
• Looking for attribution
• Attacks on the office of the Dalai Lama
• A special purpose botnet
Joint Strike Fighter
Operation Aurora
• Social networks used as vectors to target Google employees
• Zero-day vulnerability in IE
Result:
• Loss of customer data
• Loss of source code
Cyber Sabotage: Stuxnet
[Diagram: Stuxnet places a rootkit DLL between the Siemens Step 7 software and the Programmable Logic Controller. The original s7otbxdx.dll is renamed s7otbxsx.dll and wrapped by the malicious s7otbxdx.dll, which adds new data blocks to the PLC while hiding them from Step 7.]
Other advanced features of Stuxnet
• Stolen digital certificates!
• Multiple zero-day vulnerabilities
• Command and control for morphing
What do control systems control?
What to do?
• Allow only that which is good. Deny all else.
• Vet and test all new apps.
• Use intelligence to determine reputation of applications.
• Monitor behavior.
• Stay sane.
Securing Endpoints from Zero-Day Attacks
A Perfect Storm At The Endpoint
• Increasing sophistication and attack targeting
• Rising third-party application risk and zero-day vulnerabilities
• Ineffectiveness of antivirus as a stand-alone defense
Attack Types, Targets and End Goals

Network-based
  Target: listening services (web servers, databases, remote desktop/RDP, file sharing, remote registry)
  How: the attack originates from the network (Internet, LAN, WAN) and actively attacks a listening service on the endpoint.
  End goal: install payload, elevate privilege, establish a beachhead

Client-side
  Target: client applications (browsers, email, documents, movies, Flash)
  How: the end user is working with a client application and opens code that was downloaded from the network.
  End goal: install payload, elevate privilege, retrieve data, establish a beachhead

Physical access
  Target: local machine hardware (drives, USB devices, NICs)
  How: the attacker has physical access to the target machine and can mount drives, attach hardware or insert disks.
  End goal: install payload, elevate privilege, establish a beachhead
Fundamental Breakdown in Change Control
• Malware infections are symptoms of change control failure
Change control cycle: Test & Approve Change → Implement Change → Monitor & Lockdown Change
Build a Solid Foundation
Patch & Configuration Management
Application Control
Enable OS Memory Protection
AntiVirus
Malware is Malware – Payloads are Payloads
Rootkits | Remote Access Trojans | Bots | Keyloggers | Sniffers | Adware | Spyware | Crimeware | Worms | Viruses | Logic Bombs
In the eyes of Application Control these are all the same
Preventing Malware
1) Eliminate your Vulnerabilities
• Most attacks rely on known vulnerabilities
• Patching the vulnerability eliminates the attack vector
• Patching endpoints remains a first and best line of defense!
Stopping a Malware Payload
2) Stop the Payload
• Antivirus will provide some protection against known payloads, and remains a good layer for known malware detection and removal
• However, as attack sophistication and targeting increase, antivirus becomes less effective as a primary defense
• Application control is a much better defense to stop unknown payloads from installing
AV Vendors Recognize the Limitation
“You can’t just rely on antivirus software – and we’re an antivirus company… Antivirus, firewalls and intrusion detection are a start. But ‘white listing’ offers a stronger defense… McAfee believes that’s where the future is going.” George Kurtz, Worldwide Chief Technology Officer, McAfee
“Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.”
Rowan Trollope, Senior Vice President, Symantec
What is Application Whitelisting?
[Diagram: applications grouped by whether they are known and whether they are trusted]
• Known, trusted (Authorized): operating systems, business software
• Known, untrusted (known malware): viruses, worms, Trojans
• Unknown, untrusted (Unauthorized): games, iTunes, shareware, unlicensed software
• Unknown, untrusted (unknown malware): viruses, worms, Trojans, keyloggers, spyware
Only the authorized group is allowed to run; everything else, known or unknown, is denied.
Flexible Trust
• Trusted Publisher: authorizes applications based on the vendor that “published” them, identified through the digital signing certificate.
• Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding the results to the whitelist.
• Trusted Path: authorizes applications to run based on their location.
• Local Authorization: allows end users to locally authorize applications that have not been otherwise trusted by the whitelist or any other trust rule.
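The following is an added example, not code from Lumension or from the webinar. It puts the “allow only that which is good, deny all else” rule and the four flexible trust rules above into a small default-deny policy evaluator. All file paths, hashes, certificate serials, publisher names and the updater process name are constructed placeholders. Two caveats a practitioner would want are built in: a trusted publisher rule is only as good as its revocation check (Stuxnet ran with stolen certificates), and a trusted path is only as good as the ACL on that directory.

```python
"""Default-deny application control with the four flexible trust rules.

Added illustration for this transcript, not Lumension code. Rules are checked
from hardest to easiest to forge: exact hash, publisher signature (with a
revocation check), trusted updater provenance, trusted path, then an end-user
local authorization. Anything matching no rule is denied.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Executable:
    path: str
    sha256: str                          # digest of the file on disk
    publisher: Optional[str] = None      # Authenticode signer; None when unsigned
    cert_serial: Optional[str] = None    # signing certificate serial, for revocation lookup
    written_by: Optional[str] = None     # process that placed the file on disk


@dataclass
class Policy:
    known_good_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    revoked_cert_serials: Set[str] = field(default_factory=set)
    trusted_updaters: Set[str] = field(default_factory=set)
    trusted_paths: Tuple[str, ...] = ()              # directories end users cannot write to
    local_authorizations: Dict[str, str] = field(default_factory=dict)  # normalized path -> sha256


def _norm(path: str) -> str:
    """Windows paths are case-insensitive and accept either separator."""
    return path.replace("/", "\\").lower()


def _under(path: str, directory: str) -> bool:
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def evaluate(exe: Executable, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason) for one execution attempt."""
    if exe.sha256 in policy.known_good_hashes:
        return "ALLOW", "hash is on the whitelist"
    if exe.publisher is not None and exe.publisher in policy.trusted_publishers:
        # Trusted Publisher: a valid signature is only evidence if the
        # certificate is not revoked (Stuxnet's drivers carried stolen signatures).
        if exe.cert_serial in policy.revoked_cert_serials:
            return "DENY", "trusted publisher, but the signing certificate is revoked"
        return "ALLOW", f"trusted publisher: {exe.publisher}"
    if exe.written_by is not None and exe.written_by in policy.trusted_updaters:
        # Trusted Updater: files dropped by an approved deployment tool are allowed
        # and their hashes learned, so later runs match the hash rule above.
        policy.known_good_hashes.add(exe.sha256)
        return "ALLOW", f"trusted updater: {exe.written_by}"
    for directory in policy.trusted_paths:
        if _under(exe.path, directory):
            # Trusted Path: only as strong as the directory ACL. A user-writable
            # trusted path is an allow-everything rule.
            return "ALLOW", f"trusted path: {directory}"
    if policy.local_authorizations.get(_norm(exe.path)) == exe.sha256:
        return "ALLOW", "locally authorized by the end user for this exact hash"
    return "DENY", "no trust rule matched (default deny)"


def demo_policy() -> Policy:
    """Constructed policy; hashes, serials and names are placeholders."""
    return Policy(
        known_good_hashes={"aa" * 32},
        trusted_publishers={"Microsoft Corporation", "Example Hardware Vendor"},
        revoked_cert_serials={"0badc0de"},
        trusted_updaters={"sccm_agent.exe"},
        trusted_paths=(r"C:\Program Files",),
        local_authorizations={r"c:\users\alice\downloads\tool.exe": "cc" * 32},
    )


def demo() -> Dict[str, str]:
    """Run constructed execution attempts through the policy; returns name -> verdict."""
    policy = demo_policy()
    attempts = {
        "signed office app": Executable(r"C:\Program Files\Office\winword.exe", "11" * 32,
                                        publisher="Microsoft Corporation", cert_serial="1001"),
        "driver with stolen cert": Executable(r"C:\Windows\System32\drivers\vendor.sys", "22" * 32,
                                              publisher="Example Hardware Vendor", cert_serial="0badc0de"),
        "game in downloads": Executable(r"C:\Users\alice\Downloads\game.exe", "dd" * 32),
        "unsigned tool in program files": Executable(r"C:\Program Files\Tools\tool.exe", "ee" * 32),
        "user-approved tool": Executable(r"C:\Users\alice\Downloads\tool.exe", "cc" * 32),
        "patch dropped by updater": Executable(r"C:\Windows\Temp\kb.exe", "ff" * 32, written_by="sccm_agent.exe"),
    }
    return {name: evaluate(exe, policy)[0] for name, exe in attempts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5} {name}")
```

Note the ordering: an exact hash match is checked first because it cannot be forged without changing the file, and local authorization last because it is the weakest rule. The “unsigned tool in program files” case is allowed purely by location, which is the trade-off the Trusted Path rule makes; whether that is acceptable depends on who can write to that directory.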
Protecting Against Buffer Overflows
3) Police OS Memory
• Microsoft has built effective capabilities into the OS itself to blunt buffer overflow attacks
• Data Execution Prevention (DEP) marks data pages such as the stack and heap as non-executable, so injected shellcode cannot run from them
• Address Space Layout Randomization (ASLR) randomizes the base addresses of the executable, its libraries, the stack and the heap, so an exploit cannot rely on fixed addresses
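DEP and ASLR only protect a process whose executable opts into them, and ASLR additionally needs the binary to keep its relocation table, so an application control rollout should check the applications it whitelists. The following is an added example, not code from the webinar or from Lumension: it reads the opt-in flags straight from a PE file's COFF and optional headers. The two sample images are constructed header fragments, not real executables; on a real file call `pe_mitigations(open(path, "rb").read())`.

```python
"""Read DEP (NX) and ASLR opt-in flags from a Windows PE image's headers.

Added illustration, not from the webinar. Only the COFF and optional headers
are parsed, so a header fragment is enough; the test images built below are
constructed headers, not loadable executables.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100         # DEP
PE32, PE32PLUS = 0x10B, 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Return which OS memory protections this image opts into."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (at offset 18)
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dep = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    # DYNAMIC_BASE is meaningless without a relocation table: the loader cannot
    # rebase an image whose relocations were stripped, so ASLR is silently lost.
    aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not relocs_stripped
    high_entropy = aslr and magic == PE32PLUS and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return {"dep": dep, "aslr": aslr, "high_entropy_aslr": high_entropy,
            "relocs_stripped": relocs_stripped}


def build_header(magic: int, characteristics: int, dll_chars: int) -> bytes:
    """Constructed minimal PE header for testing; not a loadable image."""
    opt_size = 240 if magic == PE32PLUS else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header follows the DOS header
    machine = 0x8664 if magic == PE32PLUS else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Modern 64-bit build: DEP, ASLR and high-entropy ASLR all requested (constructed)
HARDENED = build_header(
    PE32PLUS, 0x0022,
    IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
# Legacy 32-bit build: asks for ASLR but shipped with relocations stripped and no NX flag (constructed)
LEGACY = build_header(PE32, 0x0102 | IMAGE_FILE_RELOCS_STRIPPED, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, pe_mitigations(img))
```

The flags only say what the binary requests. The effective protection also depends on the system-wide DEP policy and on whether every DLL the process loads was built the same way, since one non-ASLR module gives an exploit a fixed address to return into.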
A Complete Defense
• AntiVirus
• Patch Management
• Application Control
• Memory Protection
Intelligent Whitelisting
Q&A
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828