Attacks/Breaches

4/30/2012 06:56 PM

Advanced Attacks Call For New Defenses

With conventional wisdom now that 'advanced attacks happen,' has the time come to create the next-generation sandbox or other containment method?

This is the third and final installment in an occasional series on security's new reality.

A senior security executive at Adobe earlier this year rocked the research community by urging security researchers to channel their expertise into building the next sandbox or other attack-mitigation method.

Few researchers were thrilled with the idea of shifting their focus from bug hunting to building a better mousetrap -- some argued that Adobe was, in effect, asking for free research -- but Brad Arkin, senior director of security for Adobe products and services, wasn't asking them to change job descriptions. His main point was that the industry needs to make it more expensive and cost-prohibitive for the bad guys to hack, like sandboxing and Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) technologies do.

With a growing acceptance that there's really no way to stop a determined attacker from infiltrating your network and it's all about containing the attacker before he steals your intellectual property or does any other damage, has the time come to create the next "sandbox" or other defensive method?

Read the other articles in this series on security's new reality:

>> Part 1: Security's New Reality: Assume The Worst
>> Part 2: Damage Mitigation As The New Defense
>> Part 3: Advanced Attacks Call For New Defenses

Microsoft is doing its part in encouraging research into next-generation mitigation methods: Its Blue Hat Prize contest will offer more than $250,000 in cash and prizes for contestants who come up with new ways to mitigate exploits that go after memory-safety flaws such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand-prize, second-, and third-place winners will be announced at the upcoming Black Hat USA 2012 conference in Las Vegas, and will retain ownership of the intellectual property. They will be required to grant Microsoft a license to the technology.

And according to Arkin, Adobe is already investing in mitigation methods like sandboxing, rather than just rooting out and fixing bugs.

Tim Rains, director of Microsoft Trustworthy Computing, says Microsoft is hopeful that the Blue Hat Prize will yield that "next groundbreaking" defense and mitigation technology. The Blue Hat Prize is also a way to give researchers incentive to build these new defenses, he says.

"We are fortunate to have a group of researchers across the industry who continue to help us by identifying vulnerabilities and reporting them in coordinated vulnerability disclosure," Rains says. "At the same time, I do think that there's a realization that vulnerabilities are always going to exist in software, and that mitigations make it really expensive to exploit those vulnerabilities."

[ It's time for defenders to add intelligence gathering, counterintel, and even offense to the game, security experts say. See Security Teams Need Better Intel, More Offense. ]

But not everyone agrees that a new technology is the answer. "I'm not sure we need [new] technologies, per se," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "I think we need to find a better way of applying existing technologies."

Wang says there's just not enough time for an enterprise to analyze all content and traffic coming in and to isolate the bad stuff. "Communication has to happen in real time. So there needs to be innovation to make sure the analysis we do more accurately and more quickly delivers the performance we need," Wang says.

Even as new vendors and products emerge touting features for spotting and ultimately containing any damage an attacker can do once he gets inside, no one is saying to ditch your firewall or your antivirus software. But most experts agree that in addition to the old defense-in-depth mantra, there may be other ways to mitigate the attack that haven't been explored.

The reality is that many of today's security products -- even those that are touting anti-advanced persistent threat (APT) attacks -- still rely on signature and blacklist technology, notes HD Moore, chief security officer at Rapid7 and creator of Metasploit. And new products that monitor the attacker's actions may not be the answer, either, he says. "It's like standing outside [and watching] while someone breaks into your house. I'm not sure if that helps," Moore says.

Whether Microsoft's Blue Hat Prize will set the stage for a new emphasis on building new defense-mitigation methods remains to be seen.

Meanwhile, mitigation methods such as sandboxes, DEP, and ASLR have indeed raised the bar for attackers. "They have made a big difference," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group.

But like any security defense, ultimately they can be beaten. "The problem is the [attackers are] just going to move somewhere else -- that's what has happened for the last two decades," Friedrichs says. "They moved from the network surface to the client side. Ultimately, the user is the weakest link, which is why social engineering and spear-phishing are still very successful."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
sweerek,
User Rank: Apprentice
5/1/2012 | 7:03:52 PM
re: Advanced Attacks Call For New Defenses
Even better than no root is no persistence. Boot the machine from ROM (think LiveCD) and then reboot occasionally to ensure a pristine machine. Also, don't 'not allow' but rather not even provide the code/kernel to do those things. In other words, don't lock down, gut instead. These and other approaches are old hat to AFRL and form the Three Tenets of CyberSecurity -- see http://spi.dod.mil/tenets.htm. Wrt clients, the solution is Secure End Nodes, see http://en.wikipedia.org/wiki/S....
sweerek,
User Rank: Apprentice
5/1/2012 | 6:58:24 PM
re: Advanced Attacks Call For New Defenses
The best yet weak solution will be some new software or patch. You cannot have a true sandbox on the same hardware. Instead, why not use many-many core processors to each run their own environment (OS, apps, etc.) and contain it there. AFRL created something like this about a decade ago, called the Cyber Sensing Station -- http://spi.dod.mil/docs/CSS_DS.... It was built for many remote users to have full root / hardware access to servers, yet not exfiltrate data. Wrt this article and jumping ahead a decade, each environ could run on its own hardware (not VM) yet be bounded inward & outward by hardware. Just a thought.....
macker490,
User Rank: Ninja
5/1/2012 | 1:10:07 PM
re: Advanced Attacks Call For New Defenses
you got it!! production machines need to be locked down and then certified using a Software Inventory Audit. If they pass the audit they get a production certificate (x.509) which remains valid until the machine requires maintenance. As soon as maintenance starts its x.509 certificate is REVOKED. After the maintenance it will be re-certified and a new certificate created.

MSFT AppLocker is a very important concept in this. In AppLocker YOU specify what OS and apps you will allow; anything else is ejected.

remember: the common element in hacking is un-authorized programming, used to compromise the operation of the victim.
macker490,
User Rank: Ninja
5/1/2012 | 1:04:23 PM
re: Advanced Attacks Call For New Defenses
System Intake: where you have web-browsers and e/mail programs taking in data pages all day every day -- and Hackers busy building kits to manufacture polymorphic virus attacks, well yes: you do need to proceed with the idea that you are going to take in some bad code

and that bad code will attempt to direct one of your applications to do something it should never have been allowed to do: update your system

and so: the "sandbox" -- essentially Problem State à la System/360, c. 1965

way to go, margie [belated applause]

the appearance of executable documents -- i.e. documents containing Java, Visual Basic etc creates a new and worse problem: what occurs if an executable document is moved from its intake area into another directory on the system and is picked up by a user or process that has sensitive privileges?

creating executable documents was a bad idea to begin with but now that we have them we will have to determine what to do when such a document is moved from its intake area

this will turn out to be an ugly problem
CiscoJones,
User Rank: Apprentice
5/1/2012 | 12:36:51 PM
re: Advanced Attacks Call For New Defenses
Just a quick thought. We need two new operating systems. One for Dev and Q&A and the other for Prod. The Prod server has two modes: maintenance and on-line. When in on-line mode, nothing can be changed and least privilege is strictly enforced with no admin privileges. Any admin changes will be done when the server is put into maintenance mode which will force all Internet applications (web, ftp, ssh, email, etc...) to shut down. The Prod server will not allow connections to originate from it to the outside world so browsing, ftp/tftp, file share, etc... clients will not work. The only way for an admin to move files on or off the server will be through the security hardened console mode. Logs will be configured in maintenance mode to send to a SIEM in an encrypted tunnel. This should fix the server issue. Protecting the clients is going to be tougher.
Bprince,
User Rank: Ninja
5/1/2012 | 2:31:03 AM
re: Advanced Attacks Call For New Defenses
I think there is room for both Arkin and Wang's points of view. Both are correct in a sense...
Brian Prince, InformationWeek/Dark Reading Comment Moderator