Advanced Attacks Call For New Defenses

This is the third and final installment in an occasional series on security's new reality.

A senior security executive at Adobe earlier this year rocked the research community by urging security researchers to channel their expertise into building the next sandbox or other attack-mitigation method.

Few researchers were thrilled with the idea of shifting their focus from bug hunting to building a better mousetrap -- some argued that Adobe was, in effect, asking for free research -- but Brad Arkin, senior director of security for Adobe products and services, wasn't asking them to change job descriptions. His main point was that the industry needs to make it more expensive and cost-prohibitive for the bad guys to hack, like sandboxing and Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) technologies do.

With a growing acceptance that there's really no way to stop a determined attacker from infiltrating your network and it's all about containing the attacker before he steals your intellectual property or does any other damage, has the time come to create the next "sandbox" or other defensive method?

Microsoft is doing its part in encouraging research into next-generation mitigation methods: Its Blue Hat Prize contest will offer more than $250,000 in cash and prizes for contestants who come up with new ways to mitigate exploits that go after memory-safety flaws such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand-prize, second-, and third-place winners will be announced at the upcoming Black Hat USA 2012 conference in Las Vegas, and will retain ownership of the intellectual property. They will be required to grant Microsoft a license to the technology.

And according to Arkin, Adobe is already investing in mitigation methods like sandboxing, rather than just rooting out and fixing bugs.

Tim Rains, director of Microsoft Trustworthy Computing, says Microsoft is hopeful that the Blue Hat Prize will yield that "next groundbreaking" defense and mitigation technology. The Blue Hat Prize is also a way to give researchers incentive to build these new defenses, he says.

"We are fortunate to have a group of researchers across the industry who continue to help us by identifying vulnerabilities and reporting them in coordinated vulnerability disclosure," Rains says. "At the same time, I do think that there's a realization that vulnerabilities are always going to exist in software, and that mitigations make it really expensive to exploit those vulnerabilities."

[ It's time for defenders to add intelligence gathering, counterintel, and even offense to the game, security experts say. See Security Teams Need Better Intel, More Offense. ]

But not everyone agrees that a new technology is the answer. "I'm not sure we need [new] technologies, per se," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "I think we need to find a better way of applying existing technologies."

Wang says there's just not enough time for an enterprise to analyze all content and traffic coming in and to isolate the bad stuff. "Communication has to happen in real time. So there needs to be innovation to make sure the analysis we do more accurately and more quickly delivers the performance we need," Wang says.

Even as new vendors and products emerge touting features for spotting and ultimately containing any damage an attacker can do once he gets inside, no one is saying to ditch your firewall or your antivirus software. But most experts agree that in addition to the old defense-in-depth mantra, there may be other ways to mitigate the attack that haven't been explored.

The reality is that many of today's security products -- even those that are touting anti-advanced persistent threat (APT) attacks -- still rely on signature and blacklist technology, notes HD Moore, chief security officer at Rapid7 and creator of Metasploit. And new products that monitor the attacker's actions may not be the answer, either, he says. "It's like standing outside [and watching] while someone breaks into your house. I'm not sure if that helps," Moore says.

Whether Microsoft's Blue Hat Prize will set the stage for a new emphasis on building new defense-mitigation methods remains to be seen.

Meanwhile, mitigation methods such as sandboxes, DEP, and ASLR have indeed raised the bar for attackers. "They have made a big difference," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group.

But like any security defense, ultimately they can be beaten. "The problem is the [attackers are] just going to move somewhere else -- that's what has happened for the last two decades," Friedrichs says. "They moved from the network surface to the client side. Ultimately, the user is the weakest link, which is why social engineering and spear-phishing are still very successful."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.