Defense in Depth – There is No Perfect Shield

Everyone wants the perfect shield for their endpoint population.  All malware should be detected and blocked before it has a chance to do anything bad to any given machine.  Nothing less is acceptable.

Not going to happen.  Sorry.  Truly I am.  See “Why Bad Things Happen to Good Endpoints” and “It is Raining and You Will Get Wet”.

Defense is always playing catch up.  Always has been, always will be.  Today’s stellar defense is one offensive innovation from being compromised.  It is the nature of the game and examples abound.

[Image: A failed defense in depth strategy]

My family spent spring break in London and Paris and saw all manner of personal armor that was quite effective – until the crossbow was perfected.  In the 19th century, the best and brightest were trained as military engineers because the construction of earth works was critical to defending fortified positions against cannon fire – until the airplane arrived and munitions could be delivered from directly above a position.

The gap does not always come from leaps of technology or sophistication.  When the U.S. forces entered Iraq it was the improvised explosive device (IED) – crude, homemade weapons – that forced the need to retrofit our advanced vehicles with additional armor.  Statistics abound showing how major threats (Conficker) were based on simple vulnerabilities that had been identified six months or more before their use.

Today we in IT security chase the same elusive goal and ignore the obvious: there will always be gaps and stuff will always get through.   It is time that government agencies and businesses come to terms with the inevitable and think about technologies that can help them detect what does make it through their defenses instead of continuously chasing the promise of the perfect shield.

The adversary is tirelessly creating new attacks that evade existing defenses.  Sometimes those attacks evade detection for weeks and even months.  And when they are detected, there is lag between when the attack is analyzed, a protection built, and the protection deployed.  During that gap organizations are at risk.  And given that so many of the detection tools still rely on previous knowledge of an attack to see the attack, organizations are often left unaware that they were breached, much less empowered to fight back.

Stuff will get through.  Any vendor or expert that tells you otherwise is not being honest.  There is nothing wrong with seeking protection from attacks, but you are putting your organization at risk if you do not have something in place when the inevitable happens.  It also makes sense that a new approach is needed, because if the attack got through it follows that the normal protection techniques have been evaded.

Change detection has long been viewed as the right approach for detecting attacks that make it to a machine.  The logic is simple – unless the attack can enter the machine, start itself and perform its malicious activity without changing the machine, change detection is an effective triggering mechanism for analysis and ultimately identifying the attack.

Triumfant can not only detect and analyze these attacks, it will correlate changes so you can see the full extent – primary and secondary artifacts – of the attack and will even build a remediation that is contextual to that attack on that specific machine.  It can take what it learns and recognize subsequent attacks, or if the attack morphs it will still see it based on the changes.
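As an added illustration (not Triumfant’s code), here is a minimal file-level version of the baseline-and-diff logic the two paragraphs above describe: snapshot the endpoint, diff a later snapshot against the baseline after a constructed intrusion, and derive a remediation from exactly the changes observed.  All paths and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Hash every regular file under root: the machine's state at this moment."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_states(baseline, current):
    """Classify every difference between two snapshots (the detection trigger)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def plan_remediation(changes):
    """Synthesize a remediation from the change set: undo exactly what changed."""
    plan = [("delete", p) for p in changes["added"]]
    plan += [("restore_from_baseline", p) for p in changes["modified"]]
    plan += [("restore_from_baseline", p) for p in changes["removed"]]
    return plan


def demo():
    """Constructed scenario: baseline an endpoint, simulate an intrusion, diff, plan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed 'clean' endpoint contents (hypothetical paths).
        clean = {
            "autostart/run.cfg": "run=updater\n",
            "logs/security.log": "boot ok\n",
            "bin/updater": "legit",
        }
        for rel, text in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = snapshot(root)

        # Simulated intrusion (constructed): a dropped file is the primary
        # artifact; the autostart edit and deleted log are secondary artifacts.
        (root / "tmp").mkdir()
        (root / "tmp/dropped.bin").write_text("payload")
        (root / "autostart/run.cfg").write_text("run=updater\nrun=/tmp/dropped.bin\n")
        (root / "logs/security.log").unlink()

        changes = diff_states(baseline, snapshot(root))
        return {"changes": changes, "plan": plan_remediation(changes)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["changes"].items():
        print(kind, paths)
    for action in result["plan"]:
        print(action)
```

No signature of the dropped file is needed: the detection fires because the machine changed, and the plan is specific to the changes on that machine.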

One of the most downloaded blog entries was called “Antivirus Detection Rates – It Is Clear You Need a Plan B”.  The more I think about the title, the more I realize I was wrong: having a tool in place that will detect what passes through your shields is a Plan A item and must be part of any defense in depth strategy.  Stuff will get through, and you need some form of detection capability when all of the shields fail.

Security fails of 2009 – Adobe Takes the Exploit Crown from Microsoft

This is the fourth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

For years, Microsoft sat comfortably atop its throne as the world’s number one source for exploits.  Malware writers around the globe fattened themselves at the Microsoft trough, turning these exploits into a vast array of attacks, including the media darling of 2009, Conficker.  For years, Microsoft sat uncontested on this Mount Olympus, issuing Patch Tuesday thunderbolts to the masses and continuing to churn out code with new exploits to replace those gaps just closed with the newest patch.

In 2009 a new contender eagerly stepped into the ring, and countered with products that were equally ubiquitous and, most importantly, full of exploits.  As we entered 2009, the list of attacks that leverage exploits in Adobe products continued to steadily rise.  Eventually stories began to break claiming that Adobe had passed Microsoft as the new top dog in regards to providing exploits to the malware community.

The problem eventually prompted Adobe to announce in May that they were initiating their own Patch Tuesday process.  Even after this announcement, Adobe continued to get heat about their questionable patching policies that allowed users to download insecure versions of the product with the assumption that they would then apply patches in a timely manner.

I can’t imagine that this newfound notoriety was viewed with enthusiasm by the folks at Adobe.  On a positive side, you could only knock Microsoft off its perch if you were very widely deployed.  But I somewhat doubt the Adobe exec team were having “We’re Number 1” balloons distributed.

Microsoft on the other hand was likely very ready to give up their crown.  Seizing the opportunity, Microsoft began to note that many of the browser based exploits were not an IE problem but could instead be attributed to third party utilities and other tools.  Of course Microsoft was able to create the exploit used by Conficker, so they did not retire from the game.

So the ascension of Adobe to the leading supplier of exploits is one of my security fails for 2009.  And Lord knows the world needs more regular patches to deploy because we all know how well the patching process performs.  It is also instructive to see that the bad guys are always looking for the road of least resistance and will happily use someone other than Microsoft as their supplier of exploits.

Security Fails of 2009 – Conficker Becomes a Media Darling

This is the third in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009.

Conficker made the jump from malware attack to media darling in 2009, finding its way onto the front page and 60 Minutes.  For those of us who work in the general anonymity of IT security, Conficker (aka Downup, Downandup, Conflicker, and Kido) was one of those things that took on a life of its own and rose quickly into the public consciousness.    

To be accurate, Conficker actually surfaced in November of 2008, but its effect really peaked in 2009.  The Conficker Working Group estimates that 9 million to 15 million PCs are infected with the worm.  Costs have been placed at a wide range of numbers with some estimates reaching $9B.  The worm was noteworthy for its use of sophisticated techniques to avoid detection and its ability to morph via commands from a well designed command and control process.  It has been through three iterations, each making it harder to detect and defeat.  It spread rapidly – in May it was reported to be spreading to 50,000 new machines a day – and is widely believed to be the largest worm infection since Slammer in 2003.

What became almost humorous was the effect it had even when it did not do anything.  When the command and control elements of Conficker would stir, there was rampant speculation as to what it would do.  Conficker appeared to be readying for something big on April 1 and the speculation became somewhat comical as predictions ranged from minor attacks to global Armageddon.  Eventually people began to see Conficker in every shadow, with the paranoia coming to a crescendo when Conficker was suspected as the cause when Big Ben stopped just before midnight on March 31.  I wrote then that such blame “makes sense – build a worm, get it distributed to millions of computers worldwide, have it confound the best and brightest of IT security, and then instruct it to stop Big Ben.”

The real lessons of Conficker are many.  First, the worm took advantage of an exploit that Microsoft patched in October of 2008 and many noted that the infection vector was not exceptional, just opportunistic.  The fact that it spread so rapidly and continues to spread illustrates the issues we have in patch management and maintaining the security readiness of endpoint machines.  In spite of all research and recommendations, business and government agencies still take far too long to close well known, dangerous gaps in their security.  Second, the sophistication of the worm, the command and control structure and its evolving nature all are illustrative of the growing sophistication of malicious activity.  Conficker is an attack with the careful engineering of a commercially available application.  Third, the traditional endpoint protections have long been left behind by the growing sophistication of the current attacks.  It took far too long to come up with a viable detection process for Conficker, and even longer to come up with a fix.  Most have to re-image and start over at enormous costs when one considers 9M computers.

Finally, Conficker brought IT security issues to the masses.  Lots of people that never considered the security readiness of their PC began to ask some serious questions.  The size and scope of the infection woke people up to the enormous potential of a mass attack.  And the sophistication was instructive to the public as to how malicious attacks have evolved from the days of the Anna Kournikova virus.   

Conficker is a noteworthy fail because it all started by leveraging a known exploit that savvy malware writers saw as an easy path to a significant infection that will cost the world billions of dollars.  Best of all, Conficker is still out there on a very large number of machines.  Even in its most benign state, the fact remains that someone controls a huge botnet that has the potential to be used for harm.

Triumfant – First Line of Defense or Last Line of Defense (or Both)

I was reading Byron Acohido’s latest post in The Last Watchdog about the new SMB2 zero day vulnerability and it provoked a lot of thinking around how Triumfant is characterized as endpoint protection. Specifically, we get asked if we consider Triumfant a first line of defense or a last line of defense.  Reading Acohido’s post made me realize the answer is “yes”.

In the case of the SMB2 zero day vulnerability there is no patch and no malware has been detected that exploits the vulnerability as of yesterday (9/9/09).  Traditional defenses for the endpoint will have no knowledge of the eventual attacks that will undoubtedly come and will therefore be ineffective in shielding endpoints from the malware.  In this case the traditional defenses offer no defense, so Triumfant is the first line of defense for the endpoint machine.  Because Triumfant uses granular change detection to detect attacks and therefore does not require prior knowledge of the attack, it is uniquely able to protect the machine.  Acohido predicts that the eventual exploit could be a “Conficker-type worm attack” and when it eventually comes, Triumfant will see it and protect the affected machines.

In short, if the incoming attack is specifically designed to evade detection by traditional endpoint defenses or is a zero day (or very early in its lifecycle), then it is as if the traditional defenses are not even there.  So Triumfant becomes the de facto first line of defense.  Add to the list rootkits, the work of maliciously intended insiders and corruption of the software supply chain and you get a lot of vectors where Triumfant is the endpoint protection that first engages the enemy.  I always add the caveat that we do not position Triumfant as a shield – it detects the malware when it gets to the machine.

In the case of known attacks that the other tools simply miss or the variants that just slip past the signatures or those attacks that get through because the defensive software is improperly configured or deployed, then Triumfant is the last line of defense.   Everything that falls through the nets – and there is a lot of evidence (read here, here and here) that there is plenty that does – and makes it to the endpoint will be detected and remediated by Triumfant.   We have never positioned Triumfant as a replacement for the existing nets, but we do believe that the holes in those nets are plentiful enough that we provide an excellent complement to traditional defenses.

So there you are – Triumfant is both a first and last line of defense.  It simply depends on the context of the attack.  Either way, Triumfant is filling critical and frequent gaps in endpoint protection.  What makes the story even better is that Triumfant remediates what it detects by synthesizing a remediation and restoring the machine to its pre-attack condition in minutes without human intervention. 

Whether it is acting as the tip of the spear or backstop, Triumfant does what no other endpoint protection product can.  So when I answer “yes” to the first line or last line of defense question I am not being glib or sarcastic, just accurate.

The Korean DoS Attacks, Securing the Software Supply Chain and More

I will take potpourri for $200 Alex…

  • Triumfant CEO John Prisco is quoted in the July 10 post of Byron Acohido’s The Last Watchdog blog regarding the Korean DoS attacks.  These attacks have taken an interesting turn as the botnets created by attackers are now literally turning on the infected machines, deleting files and ultimately corrupting the system until it will not boot.  I have read a lot about this attack from many respected members of the IT security community.  Some have assessed the attacks as unsophisticated and poorly executed while others like Acohido and Brian Krebs of Security Fix (which was targeted in the actual attack) are speculating on whether it is a practice run – a war game – for more targeted attacks down the road.  Either way, it is one of the most interesting story lines since we were all gripped with Conficker fever in the early spring.  I suspect there will be more intrigue to come.  If it was a war game, it will be interesting to see how the good guys grade themselves.
  • I posted a blog entry in June about Securing the Software Supply Chain and how Triumfant can help manage that important part of any organization’s security strategy.  The white paper on the subject is now available on the Triumfant web site for your reading pleasure.  Since many defensive products do their monitoring as malicious software is inbound to the machine, attacks embedded in what appears to be legitimate software may evade protection.  Because Triumfant looks for changes on endpoint machines, it will detect the event where the embedded malware “wakes up” and begins its malicious activity.
  • I recently was away at the beach for a week with my family.  I mention that because I did not tweet or blog about the fact that I was gone, as there have been reports that people have been robbed after letting the world know through social media outlets that they would be away from their home for extended periods.  Which brings me to two points.  First, never underestimate the speed with which the bad guys will find and exploit new paths – in this case social media – to do their criminal work.  Second, security, whether it is IT security or physical security, requires an element of good old prudent thinking to succeed no matter how much technology is deployed.  Human factor engineering (or stopping stupid as I call it) has been and will always be the biggest failure point in security.
  • Isn’t it time for someone in the Obama Administration to tell us why we do not have a cyber czar yet? I mean really.  I agree with our CEO John Prisco completely and join him in wondering why they would first make the announcement without a person in the spot much less go six weeks after the announcement without a nomination.  The claims of IT Security being a priority are starting to sound very hollow.

The Worldwide Malware Counter, Gumblar, and Conficker

As we near the holiday weekend allow me to do some quick hits on some topics of interest:

  • Reaction to the Worldwide Malware Counter, launched by CEO John Prisco in his Tuesday blog post, has been exciting to say the least.  The activity to our web site has significantly spiked as people are coming to have a look.  We have gotten some interesting emails and comments, which is the most gratifying result as we had hoped to start an open debate.  I have also received some suggestions on how to enhance the counter, so stay tuned. 
  • The Gumblar attack, which loads Google searches with malicious links, has spread to over 3,000 servers and is characterized by another only-in-IT-security term: a drive by download.  When such an attack comes out, we always get asked if we would have seen it.  Our technical people assure me we would see the malware when it hit either an endpoint machine or server.  Furthermore, when Triumfant synthesizes the situational remediation for the attack it would find all of the backdoors that Gumblar creates to survive.  This is why the fact that we see all of the changes in the machine is so critical – we can remediate all of the primary and secondary aspects of an attack and bring it to a halt.  I read one AV company’s blog about Gumblar and they noted that their AV software detects “some of the malicious code and malware” and likened the process of stopping Gumblar to “wac a mole”.  I am sorry, but if I am a customer I would want to know if terms like “some” and “wac a mole” are good enough when it comes to protecting my data and my public perception.  This is why we created the counter: to point out that signature based tools are no longer a sustainable protection.
  • I see that my old friend Conficker is still at large and infecting 50,000 computers a day.  This attack is 6+ months old and out in the open and still infecting 50,000 computers a day! Maybe we should start a Conficker counter.  I think we should have called it the Cher worm – it never goes away. Anna Kournikova got a virus named after her, why not Cher?

That is all for now. Time to start thinking about the BBQ plans for the long weekend.

Conficker Infects Hospital Diagnostic Equipment

News stories, like this one by Stephanie Condon in CNET News, hit over the weekend about Conficker infections of hospital devices used in diagnostics, some in trauma centers and intensive care units.  Given my time in the security industry and my predisposition not to be a conspiracy theorist or general worrier, I am used to accepting news of cyber crime without much visceral reaction.  But this strikes me a bit close to home.

I recently had an MRI for a shoulder issue and now I find myself thinking that the devices used to guide my doctor toward decisions about if I will be having surgery and exactly what will be done may have been infected by Conficker.  I carried the MRI images in digital form from the hospital where the MRIs were performed to my doctor’s office, and now I wonder if I was an unwilling pawn in a sneakernet based process of spreading something quite malicious.

Conficker has certainly changed the conversation about cyber crime and brings a certain mental edge to that conversation.  For example, it has raised the awareness that malicious activity can go well beyond IT processes and affect the infrastructure of our daily lives – power grids, hospital equipment and the like.  Kind of like the Y2K scare that had reasonable and sane people stockpiling freeze dried foods in their basement. While Conficker waits for instructions, its apparent lack of activity causes an uneasy silence that plays on the psyche while we process the latest revelations of infection and extrapolate the potential consequences of these revelations. 

I don’t know if Conficker was written to get into the minds of the general public, but it sure seems to be doing so.  It has sure gotten into mine.