The Role of Application Control in a Zero-Day Reality

Description

With end users often downloading unwanted and unknown applications, more than 1.6 million new malware signatures appearing every month and a rising tide of zero-day attacks, there is more risk to your systems and information than ever before. Find out:

• How to defend against zero-day threats, without waiting for the latest anti-virus signatures

• Why application control / whitelisting should be a central component of your security program

• How application control has evolved to enforce effective security in dynamic environments

Transcript of The Role of Application Control in a Zero-Day Reality

Page 1: The Role of Application Control in a Zero-Day Reality

Page 2: The Role of Application Control in a Zero-Day Reality

Today’s Speakers

Paul Zimski, VP of Solution Strategy, Lumension

Richard Stiennon, Chief Research Analyst, IT-Harvest

Page 3: The Role of Application Control in a Zero-Day Reality

Today’s Agenda

Evolution of Game Changing Threats

Securing Endpoints from Zero-Day Attacks

Q&A

Page 4: The Role of Application Control in a Zero-Day Reality

Game Changers: Targeting, Custom Trojans and Zero-Day

Malware

Page 5: The Role of Application Control in a Zero-Day Reality

Threat hierarchy is a time line!

• Information Warfare

• CyberCrime

• Hacktivism

• Vandalism

• Experimentation

Page 6: The Role of Application Control in a Zero-Day Reality

Custom Trojans, tools of the trade

Michael Haephrati shows us how.

Page 7: The Role of Application Control in a Zero-Day Reality

China knows Trojans

• In the UK, the Home Office has warned about a spate of attacks in recent months involving e-mail Trojans. "We have never seen anything like this in terms of the industrial scale of this series of attacks," said Roger Cumming, director of NISCC

Page 8: The Role of Application Control in a Zero-Day Reality

Shawn Carpenter uncovers Titan Rain

• From Z-machine mechanic to IDS analyst

• Fort Dix attack

• Sandia

Page 9: The Role of Application Control in a Zero-Day Reality

Ghost Net

• 1,200 computers including ministry and NATO machines

• Looking for attribution

• Attacks on the office of the Dalai Lama

• A special purpose botnet

Page 10: The Role of Application Control in a Zero-Day Reality

Joint Strike Fighter

Page 11: The Role of Application Control in a Zero-Day Reality

Project Aurora

• Social networks used as vectors to target Google employees

• Zero-day vulnerability in IE

Result

• Loss of customer data

• Loss of source code

Page 12: The Role of Application Control in a Zero-Day Reality

Cyber Sabotage: Stuxnet

[Diagram] Stuxnet’s rootkit DLL replaces the Step 7 software’s communications library s7otbxdx.dll; the original DLL is renamed s7otbxsx.dll and the rootkit passes calls through to it. Via the hooked library, new data blocks are added to the Programmable Logic Controller.

Page 13: The Role of Application Control in a Zero-Day Reality

Other advanced features of Stuxnet

• Stolen digital certificates!

• Multiple zero-day vulnerabilities

• Command and control for morphing

Page 14: The Role of Application Control in a Zero-Day Reality

What do control systems control?

Page 15: The Role of Application Control in a Zero-Day Reality

What to do?

• Allow only that which is good. Deny all else.

• Vet and test all new apps.

• Use intelligence to determine reputation of applications.

• Monitor behavior.

• Stay sane.

Page 16: The Role of Application Control in a Zero-Day Reality

Blog: www.threatchaos.com

email: [email protected]

Twitter: twitter.com/cyberwar

Page 17: The Role of Application Control in a Zero-Day Reality

Securing Endpoints from Zero-Day Attacks

Page 18: The Role of Application Control in a Zero-Day Reality

A Perfect Storm At The Endpoint

• Increasing sophistication and attack targeting

• Rising third-party application risk and zero-day vulnerabilities

• Ineffectiveness of antivirus as a stand-alone defense

Page 19: The Role of Application Control in a Zero-Day Reality

Attack Types, Targets and End Goals

Network-based

• Attack originates from the network (Internet, LAN, WAN) and actively attacks a listening service on the endpoint.

• Target: listening services (web servers, databases, RDP / remote desktop, file sharing, registry)

• End goal: install payload, elevate privilege, establish beach-head

Client-side

• End user is working with a “client application” and opens code that was downloaded from the network.

• Target: client applications (browsers, email, documents, movies, Flash)

• End goal: install payload, elevate privilege, retrieve data, establish beach-head

Physical access

• Attacker has physical access to the target machine and can mount drives, attach hardware, insert disks.

• Target: local machine hardware (drives, USB devices, NICs)

• End goal: install payload, elevate privilege, establish beach-head

Page 20: The Role of Application Control in a Zero-Day Reality

Fundamental Breakdown in Change Control

• Malware infections are symptoms of change control failure

[Diagram: change-control cycle] Test & Approve Change → Implement Change → Monitor & Lockdown Change

Page 21: The Role of Application Control in a Zero-Day Reality

Build a Solid Foundation


Patch & Configuration Management

Application Control

Enable OS Memory Protection

AntiVirus

Page 22: The Role of Application Control in a Zero-Day Reality


Page 23: The Role of Application Control in a Zero-Day Reality

Malware is Malware – Payloads are Payloads

Rootkits | Remote Access Trojans | Bots | Keyloggers | Sniffers | Adware | Spyware | Crimeware | Worms | Viruses | Logic Bombs

In the eyes of Application Control these are all the same

Page 24: The Role of Application Control in a Zero-Day Reality


Preventing Malware

1) Eliminate your Vulnerabilities

• Most attacks rely on known vulnerabilities

• Patching the vulnerability eliminates the attack vector

• Patching endpoints remains a first and best line of defense!


Page 25: The Role of Application Control in a Zero-Day Reality

Stopping a Malware Payload

2) Stop the Payload

• Antivirus provides some protection against known payloads, and remains a good layer for known-malware detection and removal

• However, as attack sophistication and targeting increase, antivirus becomes less effective as a primary defense

• Application control is a much better defense to stop unknown payloads from installing

Page 26: The Role of Application Control in a Zero-Day Reality

AV Vendors Recognize the Limitation

“You can’t just rely on antivirus software – and we’re an antivirus company… Antivirus, firewalls and intrusion detection are a start. But “white listing” offers a stronger defense… McAfee believes that’s where the future is going.” George Kurtz, Worldwide Chief Technology Officer, McAfee

“Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.”

Rowan Trollope, Senior Vice President, Symantec

Page 27: The Role of Application Control in a Zero-Day Reality

What is Application Whitelisting?

[Diagram: the universe of software, split into Applications vs. Malware and Trusted vs. Un-Trusted]

• Authorized (trusted): operating systems, business software

• Unauthorized (un-trusted, but not malware): games, iTunes, shareware, unlicensed software

• Known malware: viruses, worms, Trojans

• Unknown malware: viruses, worms, Trojans, keyloggers, spyware

Only the authorized set is allowed to run; unauthorized software and malware, known or unknown, are all denied the same way.

Page 28: The Role of Application Control in a Zero-Day Reality

Flexible Trust

• Trusted Publisher: authorizes applications based on the vendor that “published” them, through the digital signing certificate.

• Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, automatically adding the resulting files to the whitelist.

• Trusted Path: authorizes applications to run based on their location.

• Local Authorization: allows end users to locally authorize applications which have not been otherwise trusted by the whitelist or any other trust rules.
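The following is an added illustration of the default-deny model from Page 15 (“Allow only that which is good. Deny all else.”) combined with the four trust rules above; it is not Lumension’s engine or any product’s code. It assumes the agent has already verified the file’s signature and knows the publisher name, certificate serial and parent process; the policy contents, paths and serial numbers are constructed for the example. Two caveats a practitioner would want are built in: a Trusted Publisher rule still has to check for stolen or revoked certificates (Stuxnet’s drivers were signed with stolen ones), and a Trusted Path rule is only safe for directories standard users cannot write to.

```python
"""Default-deny application control policy evaluator (added illustration, not a product's engine)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional, Tuple


@dataclass
class Executable:
    """What an endpoint agent would know about a file about to execute (assumed fields)."""
    path: str
    content: bytes                         # file bytes; identity is its SHA-256
    signer: Optional[str] = None           # publisher name from an already-verified signature
    cert_serial: Optional[str] = None      # serial of the signing certificate
    parent_process: Optional[str] = None   # image that wrote or launched this file
    user_approved: bool = False            # user accepted a local-authorization prompt

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    whitelist_hashes: set = field(default_factory=set)    # known-good file hashes
    trusted_publishers: set = field(default_factory=set)  # Trusted Publisher rule
    revoked_serials: set = field(default_factory=set)     # stolen / compromised certificates
    trusted_updaters: set = field(default_factory=set)    # Trusted Updater rule (patch agents)
    trusted_paths: tuple = ()                             # Trusted Path rule
    user_writable_paths: tuple = ()                       # locations the path rule must never honour
    allow_local_authorization: bool = False               # Local Authorization rule
    audit: list = field(default_factory=list)             # every decision, for later review


def _under(path: str, roots) -> bool:
    """True if path lies beneath any of roots (case-insensitive, Windows path semantics)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(PureWindowsPath(r)).lower().rstrip("\\") + "\\") for r in roots)


def decide(policy: Policy, exe: Executable) -> Tuple[bool, str]:
    """Return (allowed, reason). Nothing a rule vouches for is denied: allow the good, deny all else."""
    allowed, reason = _evaluate(policy, exe)
    policy.audit.append((exe.path, exe.sha256[:12], allowed, reason))
    return allowed, reason


def _evaluate(policy: Policy, exe: Executable) -> Tuple[bool, str]:
    if exe.sha256 in policy.whitelist_hashes:
        return True, "hash is on the whitelist"
    if exe.signer is not None and exe.signer in policy.trusted_publishers:
        if exe.cert_serial in policy.revoked_serials:
            return False, f"signed as {exe.signer} but certificate {exe.cert_serial} is revoked"
        return True, f"trusted publisher {exe.signer}"
    updaters = {u.lower() for u in policy.trusted_updaters}
    if exe.parent_process and exe.parent_process.lower() in updaters:
        policy.whitelist_hashes.add(exe.sha256)   # learn the new file so later runs pass by hash
        return True, f"delivered by trusted updater {exe.parent_process}"
    if _under(exe.path, policy.trusted_paths):
        if _under(exe.path, policy.user_writable_paths):
            return False, "trusted path is user-writable, so the path rule is not honoured"
        return True, "trusted path"
    if policy.allow_local_authorization and exe.user_approved:
        return True, "locally authorized by the user (audited)"
    return False, "no trust rule matched: default deny"


def sample_policy() -> Policy:
    """Constructed sample policy; publisher names, paths and serials are hypothetical."""
    return Policy(
        whitelist_hashes={hashlib.sha256(b"acme erp build 42").hexdigest()},
        trusted_publishers={"Contoso Ltd", "Fabrikam Drivers Inc"},
        revoked_serials={"0x3b6c"},  # pretend this certificate was stolen, as Stuxnet's were
        trusted_updaters={r"C:\Program Files\PatchAgent\agent.exe"},
        trusted_paths=(r"C:\Program Files", r"C:\Windows"),
        user_writable_paths=(r"C:\Windows\Temp", r"C:\Users"),
        allow_local_authorization=False,
    )


if __name__ == "__main__":
    p = sample_policy()
    for exe in (
        Executable(r"C:\Users\bob\Downloads\erp.exe", b"acme erp build 42"),
        Executable(r"C:\Users\bob\Downloads\driver.sys", b"v2", signer="Fabrikam Drivers Inc", cert_serial="0x3b6c"),
        Executable(r"C:\Windows\Temp\s7otbxdx.dll", b"rootkit"),
        Executable(r"C:\Users\bob\AppData\Local\Temp\dropper.exe", b"dropper"),
    ):
        print(decide(p, exe), exe.path)
```

Rule order matters: the hash whitelist is checked first because it is the strongest identity, and the user-writable check sits inside the Trusted Path rule so that a directory like C:\Windows\Temp, which is under C:\Windows but writable by everyone, never becomes a back door. The audit list is what you would feed into monitoring (“Monitor behavior” on Page 15), since every deny is either an attack or a change-control gap.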

Page 29: The Role of Application Control in a Zero-Day Reality

Protecting Against Buffer Overflows

3) Police OS Memory

• Microsoft has built effective capabilities into the OS itself to stop buffer overflow exploits

• Data Execution Prevention (DEP) marks memory that should only hold data (stack, heap) as non-executable, so shellcode injected through an overflowed buffer cannot run

• Address Space Layout Randomization (ASLR) randomizes where the stack, heap and loaded modules are placed, so an exploit cannot predict the addresses it needs to redirect execution

• Caveat: both are opt-in per binary (the NX_COMPAT and DYNAMIC_BASE flags in the PE header) unless forced system-wide, so check that the applications you deploy were built with them
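Whether DEP and ASLR actually protect a given application depends on flags in that application’s PE header, which the slide does not show. The following is an added example, not code from the presentation or from Lumension, that reads those flags directly from the COFF and optional headers (DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+). The build_pe helper constructs a minimal header purely so the parser can be exercised offline; it is not a loadable image. On a real system you would point check_file at binaries under C:\Program Files, or compare against dumpbin /headers.

```python
"""Report which OS memory protections a Windows binary opts in to (added illustration)."""
import struct

# Flag values from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc section, image cannot be moved
DLL_HIGH_ENTROPY_VA = 0x0020          # DllCharacteristics: 64-bit high-entropy ASLR
DLL_DYNAMIC_BASE = 0x0040             # DllCharacteristics: ASLR opt-in
DLL_NX_COMPAT = 0x0100                # DllCharacteristics: DEP opt-in
DLL_GUARD_CF = 0x4000                 # DllCharacteristics: Control Flow Guard


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the memory protections the image opts in to."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew: offset of "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff_chars = struct.unpack_from("<H", data, pe_off + 22)[0]  # COFF header Characteristics
    opt = pe_off + 24                                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                             # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]     # DllCharacteristics (same offset for PE32/PE32+)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    wants_aslr = bool(dll_chars & DLL_DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & DLL_NX_COMPAT),
        # The ASLR flag alone is not enough: without relocations the loader cannot move the image.
        "aslr": wants_aslr and not relocs_stripped,
        "aslr_flag_but_no_relocs": wants_aslr and relocs_stripped,
        "high_entropy_aslr": magic == 0x20B and bool(dll_chars & DLL_HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & DLL_GUARD_CF),
    }


def build_pe(dll_chars: int, coff_chars: int = 0x0022, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for exercising the parser offline; not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header right after DOS header
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Read a binary from disk and report its mitigations; headers live in the first few KB."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read(65536))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_file(p))
    print("hardened:", pe_mitigations(build_pe(DLL_NX_COMPAT | DLL_DYNAMIC_BASE | DLL_HIGH_ENTROPY_VA)))
    print("legacy:  ", pe_mitigations(build_pe(0)))
```

The aslr_flag_but_no_relocs case is the one that catches people out: a linker can set DYNAMIC_BASE on an executable whose .reloc section was stripped, and the result loads at its preferred base every time. Sweeping an estate with this check, or its equivalent in your patch and configuration management tooling, is how “Enable OS Memory Protection” on Page 21 becomes something you can verify rather than assume.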

Page 30: The Role of Application Control in a Zero-Day Reality

A Complete Defense

[Diagram: four layers combined into one defense] AntiVirus | Patch Management | Application Control | Memory Protection

Intelligent Whitelisting

Page 31: The Role of Application Control in a Zero-Day Reality

Q&A

Page 32: The Role of Application Control in a Zero-Day Reality

Global Headquarters

8660 East Hartford Drive, Suite 300

Scottsdale, AZ 85255

1.888.725.7828

[email protected]