Below The Application: The High Risk Of Low-Level Threats
In-memory attacks and rootkits may hit your systems below the OS. Here are some tips to help your defense
Excerpted from "Below the Application: The High Risk of Low-Level Threats," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]
In all of the publicity around application attacks, cloud security and virtualization, many experts in the security field have let lower-level, more direct system attacks fall by the wayside. While there may be a reason to relax a little, given the huge leaps forward in network and computer system security, there are many good reasons to continue to pay special attention to these types of attacks.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- State of Cloud 2011: Time for Process Maturation
- Research: Federal Government Cloud Computing Survey
- Closing the Book on Windows Server 2003: Planning for Windows Server 2012 Opens New Possibilities
- Smarter Process: Five Ways to Make Your Day-to-Day Operations Better, Faster and More Measurable
While we have secured the perimeter, hardened our operating systems and trued up our weakest points, low-level threats have evolved -- and become more and more sinister.
Even more disturbing is that we don't have a full understanding of these threats, not to mention that fact there is more funding and resources behind them than ever.
Delving into the details of what defines traditional low-level attacks, we find ourselves looking at the attack surface and its evolution during the last few decades. The one thing that hasn't changed is the exploitation life cycle that these attacks utilize.
Attack surfaces range from physical ports to virtual ports and from browsers to operating systems. Effectively, Anything that can process or be processed is going to effectively expand the attack surface of a given system. And with the expansion of USB 2.0, FireWire and other high-speed data transfer technologies, local attack surfaces are more vulnerable than ever.
"Hacking hasn't changed," says Daniel Clemens, owner of Packetninjas. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."
He's right. The trend of focusing on the application has desensitized us to the more traditional threats that are still evolving.
"I think the downside we face is a false sense of security because many have been trained to abstract only to the 'web application level,'" he adds. "In the end, configuration, implementation and design flaws exist from the human endpoint to the structures pushed onto the stack in the CPU."
Applications also make it much easier for the notorious eighth layer--the users--to fall victim to drive-by downloads and spear phishing attacks that ultimately lead to low-level compromises.
For the purposes of differentiation, we have broken down attack types into categories: Advanced volatile threats (AVTs), memory attacks, advanced persistent threats (APTs), firmware attacks, and rootkits.
Originally coined by anti-malware vendor Triumfant, the term "advanced volatile threat" (AVT) refers to attacks made on a computer's volatile memory, such as RAM, which are dynamic and are never stored in long-term memory. Triumfant, whose highly-granular endpoint change management technology is able to detect such attacks, states that AVTs are becoming an increasingly popular attack vector, and Triumfant CEO John Prisco warns that AVTs may one day replace APTs as the most common form of obfuscated online attack.
AVTs are a new spin on (and almost the opposite in some ways of ) the traditional APT. Rather than write data to disk to maintain access and expand capabilities, an AVT will simply stay in memory and per form its malicious actions in that location entirely. By avoiding writes to disk, the AVT makes itself even harder to detect and a lot harder to perform forensic analysis on.
By staying in memory, the AVT will disappear on reboot or when it's overwritten, effectively leaving no trace at all. This presents challenges on both ends. Attackers don't get the persistence, so they would be required to re-exploit the system should they need access after the memory flush. At the same time, the lack of persistence makes it especially challenging to know you've even been attacked.
In most cases, the primary overall goal of the AVT will mirror that of the APT. AVTs, however, are considered more advanced due to the fact that they operate exclusively from RAM.
To read about other low-level attacks -- including memory attacks, APTs, firmware attacks, and rootkits -- and what you can do about them, download the free report.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.