The big lesson from 12 months of security product vulnerabilities: there’s no foundation of trust in any piece of software. They all represent a potential new attack vector.

Dave Aitel & Alex McGeorge, CEO & Head of Threat Intelligence, Immunity Inc.

March 2, 2016

5 Min Read

There is a deep and amusing irony when products that are supposed to make you more secure are themselves subject to serious vulnerabilities. This isn’t particularly surprising considering that writing complex and secure software continues to be something humanity struggles with. Avastium’s ill-conceived and poorly executed browser is a good example, as Tavis Ormandy recently pointed out. Another recent example courtesy of Tavis was the trivial remote command execution and read-all-your-passwords feature from a Trend Micro browser plugin.

The popular opinion is that anti-virus is broken, and while this is true, it isn’t the entire story. In addition to AV not catching all threats, it is also creating them. Anti-virus attempts to safely parse countless file types in a non memory-safe language. This is one of the challenges that has bedeviled developers since someone’s initial fever dream told them it would be a good idea. It is the idea that AV companies have run with since the 1990s and we in our foolishness have bought into and made a regulatory necessity like when we all bought JNCO jeans. 

The thing many are now realizing is that “defense in depth” is a double edged pantaloon, since it also expands the attack surface. With anti-virus vendors struggling to stay relevant, they’re forced to differentiate themselves by getting into areas they should stay away from. Why would Trend Micro or Avast want to meddle with a browser? Writing a browser is exceptionally difficult to do securely. Your AV company shouldn’t be making software security decisions based on quarterly revenue projections, but it is. Someone at those companies probably said it was a bad idea, but they got overruled.

Another hard truth: your AV solution is a rootkit belonging to the country where development occurred. Contrary to recent events, having your enterprise compromised by the Russians is not part of anyone’s strategic plan. Good rootkits follow the “nobody but us” rule of backdoors but AV tends to be a different kind of rootkit where most continuing development tries to violate that rule.

But AV isn’t the only problem. Any security tool, the ubiquitous Wireshark for example, has been prone to vulnerabilities. These will be harder to identify and mitigate because teams inherently trust these tools as the foundation of how they do their jobs. These vulnerabilities are a common blind spot in defense in depth strategy that need to be accounted for. 

So what is the solution?

The overall lesson from the last 12 months of security product vulnerabilities is that whenever a new piece of software or device enters your network you must ask “what are the consequences of someone using this against me?” Once you’ve listed those consequences the next step is to eliminate, mitigate, monitor and contain as many of them as possible.

To start with, focus on the security tools you actually need. Instead of heaping mountains of security related software onto end user PCs, engineer a solution where a user can click on anything (because they will) and the impact will be something you can live with. From a security perspective, Windows users should have three pieces of software installed: some type of (domestic) AV that only does AV, Microsoft’s EMET and a monitoring daemon that will export logs and watches for new unrecognized binaries/DLLs. 

Focus on segmentation/compartmentalization too. Deploying Qubes OS enterprise wide would be an engineering Mt. Everest, but their compartmentalization through virtualization idea is the way of the future. One of Qubes OS’s basic theses is that every desktop application gets its own dedicated VM through Xen. In such an environment, effective exploits need to function in a very limited time window and include a hypervisor escape. 

Put more emphasis on faster incident response rather than prevention, but remember, monitoring tools can have flaws too. Our brothers and sisters on the defense side of the security spectrum have shifted their liturgy to embrace the idea that being compromised is no longer an “if” but a “when.” And those of us on the side of darkness have been insufferably chortling ever since, as though this is a declaration of defeat. Moving away from the antiquated signature-based model to one focused on meta analysis to detect suspicious behavior is a better overall strategy. We’ve seen this work in our own consulting practice at Immunity. A well engineered and analyzed monitoring infrastructure is a formidable opponent.

The battle doesn’t end when the first host is compromised and defenders have some distinct advantages they can capitalize on. Minimizing the attack surface on hosts and networks and making those attacks more costly is a big step. Effective monitoring can only come from deep knowledge of the environment and its patterns, which attackers won’t typically have.

Remember that there is no foundation of trust on any piece of software; think of each of them as a potential vector. Plan your incident response around this idea, maximize your advantages as a defender and become a hard target.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

About the Author(s)

Dave Aitel & Alex McGeorge

CEO & Head of Threat Intelligence, Immunity Inc.

Dave is CEO of Immunity Inc., an offensive security firm that serves many Fortune 500s, major financials and federal agencies. The company provides penetration tests and develops pen-test tools like Canvas, Silica, Innuendo and Swarm. Immunity is a past contractor with DARPA's Cyber Fast Track program.

Prior to founding Immunity in 2002, Dave served as a "computer scientist" at the NSA, and later as a security consultant with @stake. He is also the founder of INFILTRATE CON, a "pure offense" security conference, and co-author of "The Shellcoder's Handbook" and "Beginning Python."

Alex McGeorge serves as head of threat intelligence at Immunity Inc. His personal skill set ranges from penetration testing to threat modeling, software security and social engineering attacks. Alex leads many of the company's penetration testing engagements for multinational banks and Fortune 500s. He's discovered security flaws in a number of critical systems, including high-speed trading applications.

Prior to joining Immunity, Alex served as a cybersecurity contractor for the US Department of Transportation and as a senior network security engineer at Robbins Gioia.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights