Friday, August 17, 2012

Containing User-Activated Security Threats


The single largest security threat at this time is the network breach. Employees are direct targets of adversaries whose objective is to penetrate networks, gain access, and then exploit that access to do further damage. The most successful attack is spear-phishing employees with e-mail containing links to malicious sites. The adversary tricks an employee into becoming an accomplice to a network breach every time that employee clicks on a link that looks innocent but hides an attack. Every employee is therefore a potential point of weakness in security.

A well-designed attack has a high chance of success. Every employee is a potential contributor to a security breach, from the intern to the chief executive. The adversaries also know that internal network security protecting the many incoming transactions is, for all practical purposes, non-existent. After gaining access to a single machine, an attacker can move laterally to seek out the keys to the entire network. This is a problem that demands a sophisticated technology solution to aid the internal security team in identifying and then isolating the adversary while protecting the network.

At present, infections are usually detected weeks, and sometimes longer, after the fact. Any prevention of damage comes only after the adversary has had ample time both to access the network and to steal sensitive data. While one attack is being cleaned up, the adversaries are already launching another penetration.

Most existing counter-measures rely on reactive technologies. They require a list of known bad malware or websites in order to detect or block malware. These technologies no longer work against today's adversaries, who morph their signatures and take down and replace websites in an instant. Malware authors produced seven million brand-new variants in the first quarter of 2012 (https://portal.mcafee.com/downloads/). Malware authors are also using polymorphic techniques in which malware mutates instantly to evade detection. The reactive defense perimeter has been shrinking, while vendor-provided anti-virus protection detects less than 19% of new incursions.

The existing anti-malware paradigm must now change. It must evolve from protecting assets that are statically placed behind layered defenses to protecting those assets wherever they may be. The employee has now become the primary target. Every one of an employee's multiple mobile computing devices must be guarded. According to US-CERT figures for the first quarter of FY2012, phishing and malicious websites now account for 58% of direct attacks against employees, who granted access by clicking.

One traditional form of protection is to build a better network firewall. Firewalls are designed to stop inbound threats to services that should not be available to an outsider. Unfortunately, firewalls are ineffective here because they block only inbound attacks, whereas browser malware is initiated by outbound requests that pass through the firewall after a user clicks to admit them. The attacker therefore doesn't need to try to penetrate the network. The employee pulls it in from the inside!

While application whitelisting is effective at preventing standalone malware, more than half of attacks exploit known applications, including the browser, document readers, and document editors. Increasingly, Microsoft Office documents are the most widely used and most vulnerable of these. Such applications present a rich environment for attackers to exploit vulnerabilities. They also provide fertile ground for adversaries to dupe users into clicking on links and opening social applications such as Facebook and LinkedIn. As malware exploits those applications, the cyber adversary gains a foothold in the enterprise. The malware then has access to that machine, to the data on that machine, and to all network devices to which that machine is connected.

For example, two of the most widely reported recent attacks, on RSA and on the Iranian nuclear site, were initiated through penetration of employees' computers. In each case an infected transaction was inadvertently admitted. This enabled further attacks to proceed even though extraordinary security protection was already in place.

SUMMARY
Over the past few years it was believed that a breach that had been admitted into a desktop couldn't be stopped. After-the-fact detection was the only available means of prevention. Reactive, list-based rejection approaches could not stop direct threats. Intruders had to be detected first, but the question remained how to identify an intruder.

A new approach takes the most highly targeted unprotected applications in a network (such as the Web browser, PDF reader, Office suite, .zip files, and e-mail) and places them into a separate virtualized computer. Every time one of these applications is opened, or an attachment arrives from outside the network, a completely separate Virtual Machine environment is created. By creating such an environment, all malware, whether zero-day or already known, is tagged and prevented from using the host as a pathway for a breach. It remains completely isolated on its own VM.
When an infection is detected inside such a controlled environment, the user is alerted so that the tainted transaction can be discarded and the environment rebuilt to a clean state. Forensic details are then captured and fed as intelligence into the security infrastructure's surveillance.
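To make the per-transaction isolation described above concrete, here is a small Python model of the policy (an added illustration, not code from this post or from any vendor's product). It assumes a constructed list of isolated application classes, a constructed set of in-VM behaviours that count as infection indicators, and a `Host` whose files stand in for the protected machine; every name here is hypothetical.

```python
"""Model of per-transaction isolation for high-risk applications.

Constructed example: each open of a targeted application, or of content
arriving from outside the network, is dispatched into a fresh disposable
environment. An infection inside that environment never touches host
state; the tainted environment is discarded, a forensic record is captured
for the security team, and the user is alerted.
"""
from __future__ import annotations

import hashlib
import itertools
from dataclasses import dataclass, field

# Application classes the post names as the most targeted (constructed list);
# anything else runs directly on the host.
ISOLATED_APPS = {"browser", "pdf_reader", "office", "zip", "email"}

# Constructed in-VM behaviours that mark an environment as tainted.
INFECTION_INDICATORS = (b"drop:", b"persist:", b"beacon:")


@dataclass
class Transaction:
    app: str             # application class the user is opening
    content: bytes       # page / document / attachment body (constructed)
    from_outside: bool   # did the content arrive from outside the network?


@dataclass
class DisposableVM:
    vm_id: int
    events: list[str] = field(default_factory=list)
    files: dict[str, bytes] = field(default_factory=dict)
    infected: bool = False


@dataclass
class Host:
    files: dict[str, bytes]
    alerts: list[str] = field(default_factory=list)
    forensics: list[dict] = field(default_factory=list)


_vm_ids = itertools.count(1)


def needs_isolation(tx: Transaction) -> bool:
    """Targeted applications and any externally sourced content get their own VM."""
    return tx.app in ISOLATED_APPS or tx.from_outside


def run_in_vm(tx: Transaction) -> DisposableVM:
    """Simulate executing the content inside a brand-new VM.

    The VM never receives a Host reference, so any file writes or
    persistence attempts land in the VM's own state only.
    """
    vm = DisposableVM(vm_id=next(_vm_ids))
    for line in tx.content.splitlines():
        vm.events.append(line.decode(errors="replace"))
        if line.startswith(INFECTION_INDICATORS):
            vm.infected = True
            vm.files["/tmp/payload"] = line  # confined to the VM
    return vm


def open_transaction(host: Host, tx: Transaction) -> dict:
    """Dispatch one open request; returns a summary of what happened."""
    if not needs_isolation(tx):
        host.files[tx.app] = tx.content
        return {"isolated": False, "infected": False}

    vm = run_in_vm(tx)
    if vm.infected:
        # Capture forensics before the environment is thrown away.
        record = {
            "vm_id": vm.vm_id,
            "app": tx.app,
            "sha256": hashlib.sha256(tx.content).hexdigest(),
            "events": list(vm.events),
        }
        host.forensics.append(record)
        host.alerts.append(f"VM {vm.vm_id}: tainted {tx.app} transaction discarded")
        # The VM object simply goes out of scope: nothing from it is merged
        # back into the host, which is the "rebuild to a clean state" step.
        return {"isolated": True, "infected": True, "vm_id": vm.vm_id}

    # Clean result: only now is the content released to the host.
    host.files[f"{tx.app}-{vm.vm_id}"] = tx.content
    return {"isolated": True, "infected": False, "vm_id": vm.vm_id}


if __name__ == "__main__":
    h = Host(files={"payroll.xlsx": b"sensitive"})
    print(open_transaction(h, Transaction("pdf_reader", b"render page\ndrop:evil.exe", True)))
    print(h.alerts, h.files)
```

The point the model makes is structural: the host's own files are never passed into `run_in_vm`, so a tainted environment cannot reach them, and the forensic record is the only thing that survives the discard.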

Achieving this anti-phishing protection will require a massive conversion of millions of existing DoD desktop and mobile devices to operate through Virtual Device Interfaces (VDI).

For comments please e-mail paul@strassmann.com