Dark Reading is part of the Informa Tech Division of Informa PLC
Advanced Attacks Call For New Defenses

With conventional wisdom now that 'advanced attacks happen,' has the time come to create the next-generation sandbox or other containment method?

This is the third and final installment in an occasional series on security's new reality.

A senior security executive at Adobe earlier this year rocked the research community by urging security researchers to channel their expertise into building the next sandbox or other attack-mitigation method.

Few researchers were thrilled with the idea of shifting their focus from bug hunting to building a better mousetrap -- some argued that Adobe was, in effect, asking for free research -- but Brad Arkin, senior director of security for Adobe products and services, wasn't asking them to change job descriptions. His main point was that the industry needs to make exploitation more expensive for attackers, the way sandboxing and memory-corruption mitigations such as Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) do.

With growing acceptance that a determined attacker cannot be kept out of your network, and that the job is instead to contain him before he steals your intellectual property or does other damage, has the time come to create the next "sandbox" or other defensive method?

Read the other articles in this series on security's new reality:

>> Part 1: Security's New Reality: Assume The Worst
>> Part 2: Damage Mitigation As The New Defense
>> Part 3: Advanced Attacks Call For New Defenses

Microsoft is doing its part in encouraging research into next-generation mitigation methods: Its Blue Hat Prize contest will offer more than $250,000 in cash and prizes for contestants who come up with new ways to mitigate exploitation techniques that target memory-safety flaws, such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand-prize, second-, and third-place winners will be announced at the upcoming Black Hat USA 2012 conference in Las Vegas, and will retain ownership of the intellectual property. They will be required to grant Microsoft a license to the technology.

And according to Arkin, Adobe is already investing in mitigation methods like sandboxing, rather than just rooting out and fixing bugs.

Tim Rains, director of Microsoft Trustworthy Computing, says Microsoft is hopeful that the Blue Hat Prize will yield that "next groundbreaking" defense and mitigation technology. The Blue Hat Prize is also a way to give researchers incentive to build these new defenses, he says.

"We are fortunate to have a group of researchers across the industry who continue to help us by identifying vulnerabilities and reporting them in coordinated vulnerability disclosure," Rains says. "At the same time, I do think that there's a realization that vulnerabilities are always going to exist in software, and that mitigations make it really expensive to exploit those vulnerabilities."

[ It's time for defenders to add intelligence gathering, counterintel, and even offense to the game, security experts say. See Security Teams Need Better Intel, More Offense. ]

But not everyone agrees that a new technology is the answer. "I'm not sure we need [new] technologies, per se," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "I think we need to find a better way of applying existing technologies."

Wang says there's just not enough time for an enterprise to analyze all content and traffic coming in and to isolate the bad stuff. "Communication has to happen in real time. So there needs to be innovation to make sure the analysis we do more accurately and more quickly delivers the performance we need," Wang says.

Even as new vendors and products emerge touting features for spotting an attacker and containing the damage he can do once inside, no one is saying to ditch your firewall or your antivirus software. But most experts agree that, beyond the old defense-in-depth mantra, there may be ways to mitigate attacks that haven't yet been explored.

The reality is that many of today's security products -- even those that are touting anti-advanced persistent threat (APT) attacks -- still rely on signature and blacklist technology, notes HD Moore, chief security officer at Rapid7 and creator of Metasploit. And new products that monitor the attacker's actions may not be the answer, either, he says. "It's like standing outside [and watching] while someone breaks into your house. I'm not sure if that helps," Moore says.

Whether Microsoft's Blue Hat Prize will set the stage for a new emphasis on building defense and mitigation methods remains to be seen.

Meanwhile, mitigation methods such as sandboxes, DEP, and ASLR have indeed raised the bar for attackers. "They have made a big difference," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group.
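The bar that DEP and ASLR raise only applies to binaries that were actually built to use them, which is something a defender can check before deployment. The following is an added example, not code from the article, Microsoft or Adobe: it audits an ELF64 binary's headers for the Linux equivalents of the mitigations discussed here, a non-executable stack (NX, the DEP counterpart), position independence (ET_DYN, which is what lets the loader randomize the executable's own base under ASLR), RELRO, and a stack-canary import. The function names are this example's own, and the two sample images it audits by default are constructed inline so it runs offline; they are not real compiler output.

```python
"""Audit an ELF64 binary for the exploit mitigations discussed above.

Added example (not from the article, Microsoft or Adobe). It reads only the
ELF program headers and dynamic section, so it runs offline on any file and,
by default, on two images constructed inline.
"""
import struct
import sys

# Constants from the ELF64 specification / elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E550, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn: d_tag, d_val


def _program_headers(data):
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    return e_type, [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
                    for i in range(e_phnum)]


def _dynamic_entries(data, phdrs):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, if any."""
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off, end = p[2], p[2] + p[5]       # p_offset, p_offset + p_filesz
            while off + DYN.size <= end:
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    return
                yield tag, val
                off += DYN.size


def audit_elf(data):
    """Return which mitigations the binary was built with.

    nx:     PT_GNU_STACK present without PF_X (the DEP/NX equivalent). A
            missing PT_GNU_STACK is treated as an executable stack, which is
            what the Linux loader does.
    pie:    e_type == ET_DYN, so the loader can randomize the executable's
            own base (ASLR already applies to stack, heap and libraries).
    relro:  'full' needs both a PT_GNU_RELRO segment and BIND_NOW, so the
            GOT is read-only before any attacker-controlled code runs.
    canary: heuristic, the dynamic string table names __stack_chk_fail.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    e_type, phdrs = _program_headers(data)
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    dyn = dict(_dynamic_entries(data, phdrs))
    bind_now = bool(DT_BIND_NOW in dyn
                    or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    return {
        "nx": bool(stack) and not (stack[0][1] & PF_X),
        "pie": e_type == ET_DYN,
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "canary": b"__stack_chk_fail\0" in data,
    }


def build_sample_elf(*, pie, nx, relro, bind_now, canary):
    """Constructed sample input for this example: a minimal ELF64 image with
    the requested header flags. It is not loadable code."""
    types = [PT_LOAD, PT_DYNAMIC, PT_GNU_STACK] + ([PT_GNU_RELRO] if relro else [])
    ph_off = EHDR.size
    dyn_off = ph_off + PHDR.size * len(types)
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in
                        ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)])
    strtab = b"\0__libc_start_main\0" + (b"__stack_chk_fail\0" if canary else b"")
    image = bytearray(EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                                ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                                ph_off, 0, 0, EHDR.size, PHDR.size, len(types), 0, 0, 0))
    for t in types:
        if t == PT_LOAD:
            flags, off, size = PF_R | PF_X, 0, dyn_off + len(dyn_blob) + len(strtab)
        elif t == PT_DYNAMIC:
            flags, off, size = PF_R | PF_W, dyn_off, len(dyn_blob)
        elif t == PT_GNU_STACK:
            flags, off, size = PF_R | PF_W | (0 if nx else PF_X), 0, 0
        else:  # PT_GNU_RELRO covers the dynamic segment
            flags, off, size = PF_R, dyn_off, len(dyn_blob)
        image += PHDR.pack(t, flags, off, off, off, size, size, 0x1000 if t == PT_LOAD else 8)
    return bytes(image + dyn_blob + strtab)


def report(name, data):
    r = audit_elf(data)

    def yes(b):
        return "yes" if b else "NO"

    return (f"{name}: NX={yes(r['nx'])} PIE={yes(r['pie'])} "
            f"RELRO={r['relro']} canary={yes(r['canary'])}")


if __name__ == "__main__":
    if len(sys.argv) > 1:      # audit real binaries: python audit_elf.py /bin/ls
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(report(path, f.read()))
    else:                      # demo on the constructed samples
        print(report("hardened", build_sample_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True)))
        print(report("legacy", build_sample_elf(pie=False, nx=False, relro=False, bind_now=False, canary=False)))
```

Run it against /bin/ls or your own build output to see what the toolchain actually emitted. Two caveats: the canary check is a string heuristic (one guarded function is enough to trigger it), and a PIE binary only gets a randomized base if the kernel has ASLR enabled (randomize_va_space on Linux). The headers record what the compiler and linker asked for, not what the system enforces at run time.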

But like any security defense, ultimately they can be beaten. "The problem is the [attackers are] just going to move somewhere else -- that's what has happened for the last two decades," Friedrichs says. "They moved from the network surface to the client side. Ultimately, the user is the weakest link, which is why social engineering and spear-phishing are still very successful."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
5/1/2012 | 2:31:03 AM
re: Advanced Attacks Call For New Defenses
I think there is room for both Arkin and Wang's points of view. Both are correct in a sense...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
5/1/2012 | 12:36:51 PM
re: Advanced Attacks Call For New Defenses
Just a quick thought. We need two new operating systems. One for Dev and Q&A and the other for Prod. The Prod server has two modes: maintenance and on-line. When in on-line mode, nothing can be changed and least privilege is strictly enforced with no admin privileges. Any admin changes will be done when the server is put into maintenance mode, which will force all Internet applications (web, ftp, ssh, email, etc...) to shut down. The Prod server will not allow connections to originate from it to the outside world, so browsing, ftp/tftp, file share, etc... clients will not work. The only way for an admin to move files on or off the server will be through the security-hardened console mode. Logs will be configured in maintenance mode to send to a SIEM in an encrypted tunnel. This should fix the server issue. Protecting the clients is going to be tougher.
User Rank: Ninja
5/1/2012 | 1:04:23 PM
re: Advanced Attacks Call For New Defenses
System Intake: where you have web-browsers and e/mail programs taking in data pages all day every day -- and Hackers busy building kits to manufacture polymorphic virus attacks, well yes: you do need to proceed with the idea that you are going to take in some bad code

and that bad code will attempt to direct one of your applications to do something it should never have been allowed to do: update your system

and so: the "sandbox" -- essentially Problem State a la System/360, c. 1965

way to go, margie [belated applause]

the appearance of executable documents -- i.e. documents containing Java, Visual Basic etc creates a new and worse problem: what occurs if an executable document is moved from its intake area into another directory on the system and is picked up by a user or process that has sensitive privileges?

creating executable documents was a bad idea to begin with but now that we have them we will have to determine what to do when such a document is moved from its intake area

this will turn out to be an ugly problem
User Rank: Ninja
5/1/2012 | 1:10:07 PM
re: Advanced Attacks Call For New Defenses
you got it!! production machines need to be locked down and then certified using a Software Inventory Audit. If they pass the audit they get a production certificate (X.509) which remains valid until the machine requires maintenance. As soon as maintenance starts its X.509 certificate is REVOKED. After the maintenance it will be re-certified and a new certificate created.

MSFT AppLocker is a very important concept in this. In AppLocker YOU specify what OS and apps you will allow; anything else is ejected.

remember: the common element in hacking is un-authorized programming, used to compromise the operation of the victim.
User Rank: Apprentice
5/1/2012 | 6:58:24 PM
re: Advanced Attacks Call For New Defenses
The best yet weak solution will be some new software or patch. You cannot have a true sandbox on the same hardware. Instead, why not use many-many core processors to each run their own environment (OS, apps, etc.) and contain it there. AFRL created something like this about a decade ago, called the Cyber Sensing Station -- http://spi.dod.mil/docs/CSS_DS.... It was built for many remote users to have full root / hardware access to servers, yet not exfiltrate data. Wrt this article and jumping ahead a decade, each environ could run on its own hardware (not VM) yet be bounded inward & outward by hardware. Just a thought.....
User Rank: Apprentice
5/1/2012 | 7:03:52 PM
re: Advanced Attacks Call For New Defenses
Even better than no root is no persistence. Boot the machine from ROM (think LiveCD) and then reboot occasionally to ensure a pristine machine. Also, don't 'not allow' but rather not even provide the code/kernel to do those things. In other words, don't lock down, gut instead. These and other approaches are old hat to AFRL and form the Three Tenets of CyberSecurity -- see http://spi.dod.mil/tenets.htm. Wrt clients, the solution is Secure End Nodes, see http://en.wikipedia.org/wiki/S....