Vulnerabilities / Threats
7/9/2013
07:12 AM
Dark Reading
Dark Reading
Quick Hits
50%
50%

Below The Application: The High Risk Of Low-Level Threats

In-memory attacks and rootkits may hit your systems below the OS. Here are some tips to help your defense

Excerpted from "Below the Application: The High Risk of Low-Level Threats," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]

In all of the publicity around application attacks, cloud security and virtualization, many experts in the security field have let lower-level, more direct system attacks fall by the wayside. While there may be a reason to relax a little, given the huge leaps forward in network and computer system security, there are many good reasons to continue to pay special attention to these types of attacks.

While we have secured the perimeter, hardened our operating systems and trued up our weakest points, low-level threats have evolved -- and become more and more sinister.

Even more disturbing is that we don't have a full understanding of these threats, not to mention that fact there is more funding and resources behind them than ever.

Delving into the details of what defines traditional low-level attacks, we find ourselves looking at the attack surface and its evolution during the last few decades. The one thing that hasn't changed is the exploitation life cycle that these attacks utilize.

Attack surfaces range from physical ports to virtual ports and from browsers to operating systems. Effectively, Anything that can process or be processed is going to effectively expand the attack surface of a given system. And with the expansion of USB 2.0, FireWire and other high-speed data transfer technologies, local attack surfaces are more vulnerable than ever.

"Hacking hasn't changed," says Daniel Clemens, owner of Packetninjas. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

He's right. The trend of focusing on the application has desensitized us to the more traditional threats that are still evolving.

"I think the downside we face is a false sense of security because many have been trained to abstract only to the 'web application level,'" he adds. "In the end, configuration, implementation and design flaws exist from the human endpoint to the structures pushed onto the stack in the CPU."

Applications also make it much easier for the notorious eighth layer--the users--to fall victim to drive-by downloads and spear phishing attacks that ultimately lead to low-level compromises.

For the purposes of differentiation, we have broken down attack types into categories: Advanced volatile threats (AVTs), memory attacks, advanced persistent threats (APTs), firmware attacks, and rootkits.

Originally coined by anti-malware vendor Triumfant, the term "advanced volatile threat" (AVT) refers to attacks made on a computer's volatile memory, such as RAM, which are dynamic and are never stored in long-term memory. Triumfant, whose highly-granular endpoint change management technology is able to detect such attacks, states that AVTs are becoming an increasingly popular attack vector, and Triumfant CEO John Prisco warns that AVTs may one day replace APTs as the most common form of obfuscated online attack.

AVTs are a new spin on (and almost the opposite in some ways of ) the traditional APT. Rather than write data to disk to maintain access and expand capabilities, an AVT will simply stay in memory and per form its malicious actions in that location entirely. By avoiding writes to disk, the AVT makes itself even harder to detect and a lot harder to perform forensic analysis on.

By staying in memory, the AVT will disappear on reboot or when it's overwritten, effectively leaving no trace at all. This presents challenges on both ends. Attackers don't get the persistence, so they would be required to re-exploit the system should they need access after the memory flush. At the same time, the lack of persistence makes it especially challenging to know you've even been attacked.

In most cases, the primary overall goal of the AVT will mirror that of the APT. AVTs, however, are considered more advanced due to the fact that they operate exclusively from RAM.

To read about other low-level attacks -- including memory attacks, APTs, firmware attacks, and rootkits -- and what you can do about them, download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.