
Attacks/Breaches

4/30/2012 06:56 PM

Advanced Attacks Call For New Defenses

With conventional wisdom now that 'advanced attacks happen,' has the time come to create the next-generation sandbox or other containment method?

This is the third and final installment in an occasional series on security's new reality.

A senior security executive at Adobe earlier this year rocked the research community by urging security researchers to channel their expertise into building the next sandbox or other attack-mitigation method.

Few researchers were thrilled with the idea of shifting their focus from bug hunting to building a better mousetrap -- some argued that Adobe was, in effect, asking for free research -- but Brad Arkin, senior director of security for Adobe products and services, wasn't asking them to change job descriptions. His main point was that the industry needs to make it more expensive and cost-prohibitive for the bad guys to hack, like sandboxing and Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) technologies do.

With a growing acceptance that there's really no way to stop a determined attacker from infiltrating your network, and that the job is to contain the attacker before he steals your intellectual property or does any other damage, has the time come to create the next "sandbox" or other defensive method?

Read the other articles in this series on security's new reality:

>> Part 1: Security's New Reality: Assume The Worst
>> Part 2: Damage Mitigation As The New Defense
>> Part 3: Advanced Attacks Call For New Defenses

Microsoft is doing its part in encouraging research into next-generation mitigation methods: Its Blue Hat Prize contest will offer more than $250,000 in cash and prizes for contestants who come up with new ways to mitigate exploits of memory-safety flaws that rely on techniques such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand-prize, second-, and third-place winners will be announced at the upcoming Black Hat USA 2012 conference in Las Vegas, and will retain ownership of the intellectual property. They will be required to grant Microsoft a license to the technology.

And according to Arkin, Adobe is already investing in mitigation methods like sandboxing, rather than just rooting out and fixing bugs.

Tim Rains, director of Microsoft Trustworthy Computing, says Microsoft is hopeful that the Blue Hat Prize will yield that "next groundbreaking" defense and mitigation technology. The Blue Hat Prize is also a way to give researchers incentive to build these new defenses, he says.

"We are fortunate to have a group of researchers across the industry who continue to help us by identifying vulnerabilities and reporting them in coordinated vulnerability disclosure," Rains says. "At the same time, I do think that there's a realization that vulnerabilities are always going to exist in software, and that mitigations make it really expensive to exploit those vulnerabilities."


But not everyone agrees that a new technology is the answer. "I'm not sure we need [new] technologies, per se," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "I think we need to find a better way of applying existing technologies."

Wang says there's just not enough time for an enterprise to analyze all content and traffic coming in and to isolate the bad stuff. "Communication has to happen in real time. So there needs to be innovation to make sure the analysis we do more accurately and more quickly delivers the performance we need," Wang says.

Even as new vendors and products emerge touting features for spotting and ultimately containing any damage an attacker can do once he gets inside, no one is saying to ditch your firewall or your antivirus software. But most experts agree that in addition to the old defense-in-depth mantra, there may be other ways to mitigate the attack that haven't been explored.

The reality is that many of today's security products -- even those touted as defenses against advanced persistent threat (APT) attacks -- still rely on signature and blacklist technology, notes HD Moore, chief security officer at Rapid7 and creator of Metasploit. And new products that monitor the attacker's actions may not be the answer, either, he says. "It's like standing outside [and watching] while someone breaks into your house. I'm not sure if that helps," Moore says.

Whether Microsoft's Blue Hat Prize will set the stage for a new emphasis on building new defense-mitigation methods remains to be seen.

Meanwhile, mitigation methods such as sandboxes, DEP, and ASLR have indeed raised the bar for attackers. "They have made a big difference," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group.

But like any security defense, ultimately they can be beaten. "The problem is the [attackers are] just going to move somewhere else -- that's what has happened for the last two decades," Friedrichs says. "They moved from the network surface to the client side. Ultimately, the user is the weakest link, which is why social engineering and spear-phishing are still very successful."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
sweerek (User Rank: Apprentice)
5/1/2012 | 7:03:52 PM
re: Advanced Attacks Call For New Defenses
Even better than no root is no persistence. Boot the machine from ROM (think LiveCD) and then reboot occasionally to ensure a pristine machine. Also, don't 'not allow' but rather not even provide the code/kernel to do those things. In other words, don't lockdown, gut instead. These and other approaches are old hat to AFRL and form the Three Tenets of CyberSecurity -- see http://spi.dod.mil/tenets.htm. Wrt clients, the solution is Secure End Nodes, see http://en.wikipedia.org/wiki/S....
sweerek (User Rank: Apprentice)
5/1/2012 | 6:58:24 PM
re: Advanced Attacks Call For New Defenses
The best yet weak solution will be some new software or patch. You cannot have a true sandbox on the same hardware. Instead, why not use many-many core processors to each run their own environment (OS, apps, etc.) and contain it there. AFRL created something like this about a decade ago, called the Cyber Sensing Station -- http://spi.dod.mil/docs/CSS_DS.... It was built for many remote users to have full root / hardware access to servers, yet not exfiltrate data. Wrt this article and jumping ahead a decade, each environ could run on its own hardware (not VM) yet be bounded inward & outward by hardware. Just a thought.....
macker490 (User Rank: Ninja)
5/1/2012 | 1:10:07 PM
re: Advanced Attacks Call For New Defenses
You got it!! Production machines need to be locked down and then certified using a Software Inventory Audit. If they pass the audit they get a production certificate (x.509) which remains valid until the machine requires maintenance. As soon as maintenance starts its x.509 certificate is REVOKED. After the maintenance it will be re-certified and a new certificate created.

MSFT AppLocker is a very important concept in this. In AppLocker YOU specify what OS and apps you will allow; anything else is ejected.

Remember: the common element in hacking is unauthorized programming, used to compromise the operation of the victim.
macker490 (User Rank: Ninja)
5/1/2012 | 1:04:23 PM
re: Advanced Attacks Call For New Defenses
System Intake: where you have web browsers and e-mail programs taking in data pages all day every day -- and hackers busy building kits to manufacture polymorphic virus attacks, well yes: you do need to proceed with the idea that you are going to take in some bad code

and that bad code will attempt to direct one of your applications to do something it should never have been allowed to do: update your system

and so: the "sandbox" -- essentially Problem State à la System/360, c.1965

way to go, margie [belated applause]

the appearance of executable documents -- i.e. documents containing Java, Visual Basic etc creates a new and worse problem: what occurs if an executable document is moved from its intake area into another directory on the system and is picked up by a user or process that has sensitive privileges?

creating executable documents was a bad idea to begin with but now that we have them we will have to determine what to do when such a document is moved from its intake area

this will turn out to be an ugly problem
CiscoJones (User Rank: Apprentice)
5/1/2012 | 12:36:51 PM
re: Advanced Attacks Call For New Defenses
Just a quick thought. We need two new operating systems. One for Dev and Q&A and the other for Prod. The Prod server has two modes: maintenance and on-line. When in on-line mode, nothing can be changed and least privilege is strictly enforced with no admin privileges. Any admin changes will be done when the server is put into maintenance mode, which will force all Internet applications (web, ftp, ssh, email, etc...) to shut down. The Prod server will not allow connections to originate from it to the outside world, so browsing, ftp/tftp, file share, etc... clients will not work. The only way for an admin to move files on or off the server will be through the security-hardened console mode. Logs will be configured in maintenance mode to send to a SIEM in an encrypted tunnel. This should fix the server issue. Protecting the clients is going to be tougher.
Bprince (User Rank: Ninja)
5/1/2012 | 2:31:03 AM
re: Advanced Attacks Call For New Defenses
I think there is room for both Arkin and Wang's points of view. Both are correct in a sense...
Brian Prince, InformationWeek/Dark Reading Comment Moderator