Trusteer Apex: Advanced Malware Protection

Technical White Paper

Table of Contents

Executive Summary
Trusteer Apex: Next Generation Advanced Malware Protection
    Stateful Application Control: Validating the Application State
    Stopping Zero-Day Application Exploits
    Stopping Data Exfiltration
Protecting Enterprise Credentials from Compromise and Theft
    Anti-Keylogging
    Phishing Protection
    Enterprise Credentials Reuse Prevention in Public/Consumer Websites
Transparent With No Impact on End User Experience or Productivity
Simplified Management with Minimal IT Overhead
    Automated Application State Whitelist Management
    Ad-Hoc Security Content Updates
    Web-Based Management Application
Flexible Deployment Options
    Enterprise Controlled Deployment for Managed Devices
    On-Demand Deployment for Unmanaged Devices
Conclusion
Appendix A: The RSA Breach: Anatomy of a Targeted Attack
Appendix B: The Challenge of Stopping APTs, Targeted Attacks and Advanced Malware
    Application Vulnerabilities Persist
    Unmanaged Endpoints Enter the Enterprise
    Blacklisting Technologies Can't Keep Up with New Malware Strains
    Application Control and Whitelisting is Difficult to Deploy and Manage

Executive Summary

Information is the new currency of the 21st century. From trade information and financial data to new product designs and government secrets, it's being relentlessly pursued by cybercriminals and nation states. To enable information-stealing attacks, cybercriminals focus on a serious weakness in the enterprise defenses: unpatched or zero-day endpoint application vulnerabilities. Attackers use weaponized documents and malicious web content to exploit vulnerabilities in widely-deployed Internet-facing applications like the browsers, Acrobat Reader, Adobe Flash, Java and Microsoft Office products. By exploiting application vulnerabilities, cybercriminals can infect employee endpoints with malware and establish a foothold in the enterprise network [1].

To address the inability of blacklisting solutions (like Anti-Virus) to address zero-day attacks, a new approach has emerged: Application Control that doesn't rely on detecting specific threats. Instead it restricts file execution by either allowing only good application files to execute, or by sandboxing untrusted applications in runtime [2]. However, managing the full list of all trusted files has proven very difficult. Restricting application execution to a sandbox can cause usability problems and impact end user productivity. As a result, the deployment of Application Control is often limited to a small subset of static endpoints [2], exposing unprotected endpoints to the risk of compromise.

Trusteer Apex introduces a new approach: Stateful Application Control. This approach delivers the stopping power of application control with no management overhead and no impact to the end user experience. By analyzing what the application is doing (a sensitive operation) and why it is doing it (application state), Trusteer Apex can automatically and accurately determine if an application action is legitimate or malicious. This transparent, automated protection enables customers to rapidly deploy Trusteer Apex, at scale, to protect all enterprise endpoints.

This document discusses Stateful Application Control, the technology at the core of Trusteer Apex: how it is automatically sustained by Trusteer and the deployment options available for managed and unmanaged devices.

[1] See Appendix A: the story of the 2011 RSA Breach.
[2] See Appendix B: The Challenge of Stopping APTs, Targeted Attacks and Advanced Malware for an overview of trends, risk factors and technology gaps that impact enterprise ability to address these emerging threats.

Trusteer Apex: Next Generation Advanced Malware Protection

Stateful Application Control: Validating the Application State

Trusteer Apex introduces Stateful Application Control, its next-generation malware protection approach for stopping advanced malware. By analyzing what the application is doing (operation) and why it is doing it (the context can be analyzed from the application state), Trusteer Apex can automatically and accurately determine if an application action is legitimate or malicious. Trusteer's Stateful Application Control enables automated enterprise malware protection that maximizes security while simplifying deployment and minimizing management overhead.

Trusteer Apex monitors the state of the application (the memory state and other kernel level processes) at the time the application performs a sensitive operation, like writing a file to the file system, or opening an external communication channel. It then validates the application state against approved legitimate application states.

Trusteer created a map of legitimate application states, based on research performed on tens of millions of protected endpoints. Trusteer's research group has analyzed these endpoints' platforms and targeted applications, and concluded that when an application executes a legitimate sensitive operation (like writing a file to the file system) its state is consistent. By examining the Application State at the time a sensitive operation is executed, it is possible to understand the context in which the application is operating and determine if the sensitive operation is legitimate or not.

Stopping Zero-Day Application Exploits

Cybercriminals target vulnerabilities in widely-deployed, Internet-facing applications that process external content such as web pages and documents. Such applications include:

- Browsers that render HTML pages and execute JavaScript code
- Adobe Acrobat Reader that renders PDF files which often embed executable code
- Adobe Flash that runs ActionScript code
- Java virtual machine that executes Java applets
- Microsoft Office applications like Excel, Word and PowerPoint that run macros

In order to infect the endpoint with malware, an attacker will create weaponized content (a malicious PDF, Web page etc.) that contains an exploit: a piece of embedded code that takes advantage of a vulnerability in order to cause unintended application behavior. The weaponized content can be delivered to the user by attaching it to a spear-phishing email (a specially crafted email designed to target the user), including a link to a site that contains the exploit in an email or Instant Messenger (IM) or even by placing it as an advertisement on a trusted site.

When the user requests to view the content, the targeted application processes the weaponized content and the embedded exploit uses the vulnerability to alter the application's behavior and download a malicious file (dropper or malware) to the file system. Distinguishing between a legitimate application file download (for example, as a result of a user-initiated "save-as") and a file download caused by a malicious exploitation process is extremely difficult.

Trusteer Apex protects targeted applications from exploitation by validating the application state at the time the file is downloaded and executed. A legitimate application state is created by known authorized application operations.

Figure 1: Allow application operations with a legitimate application state

Trusteer Apex executes at the kernel level and is triggered to analyze the application memory state when sensitive operations take place. If the application registers a file to the file system under a legitimate state the file will be allowed to execute. However, if the file is registered as a result of an exploit, creating an unknown application state, the operation will be considered out-of-context. In this case the downloaded file will not be allowed to execute on the endpoint.

Because Trusteer Apex uses Stateful Application Control, it doesn't matter if the exploit code is new or if it exploits a known or unknown, zero-day vulnerability. Nor does it matter how the exploit is delivered: through a drive-by download or a weaponized document. As soon as the exploit tries to execute, Trusteer Apex will identify the unknown application state, preventing a downloaded dropper or malware from executing.

Figure 2: Stop application actions with unknown state

Unlike whitelisting solutions which list all trusted files, Trusteer Apex uses legitimate application states of Internet-facing exploited applications. Because these applications have very few legitimate states in which they are allowed to perform sensitive operations, and these states are fairly static (do not change often, not even when the application is patched or upgraded to a new version), managing the Application State updates is a task that is owned by Trusteer. Trusteer manages the updates for all of its customers. When a new legitimate state is created, Trusteer automatically adds the new application state and sends the update to all protected endpoints.

Stopping Data Exfiltration

By stopping application exploits, Trusteer Apex prevents the majority of malware infections. But infections can also occur through means other than application exploits. Once advanced information-stealing malware establishes a foothold on the end user machine, it attempts to communicate with a command and control center (C&C) to register and receive further instructions from its operator. While it is possible for the malware to open a direct communication channel to connect to the Internet, this type of communication channel is highly visible and easily detected by endpoint security controls (personal firewalls, proxies, etc.).

To evade detection by endpoint security controls, advanced malware will try to hide the communication in other legitimate communication channels, making it look as if it is coming from an application process that is allowed to generate network traffic (for example, a browser process). The malware will compromise the legitimate process and use it as a container for the malicious code. To do that, the malware will start a new legitimate process like an Internet Explorer browser process on the system. At launch, the malware suspends the process, injects code into the process, replacing the legitimate code with malicious code, and then resumes the process. The malware uses this compromised process to hide its communication channel and register with the C&C server. To the operating system this still looks like an Internet Explorer process is opening a legitimate communication channel. You can even see this compromised Internet Explorer process in the Windows Task Manager and it appears normal. However, if you look at the employee's desktop you will see that there is no user interface for this browser process.

Trusteer Apex prevents malware from opening direct external communication channels, and from compromising other processes to hide its external communications. To do this, Trusteer Apex applies a set of rules to determine that an executable is suspicious. These rules take into account various file heuristics, including, but not limited to, the file's author, location in the file system, age, entropy level and more. Trusteer Apex monitors sensitive operations at the kernel level. If it detects that a suspicious file is attempting to execute a sensitive operation, like opening a direct communication channel, or attempting to compromise another process, it will block these operations.

In rare cases, Trusteer Apex may determine that an unknown legitimate file is suspicious and prevent it from using external communication channels. This can happen, for example, when an organization develops custom applications which need to communicate with external sources. To eliminate false-positives, administrators can apply exception handling for such applications, enabling them to execute on the endpoint and open communication channels. This unusual situation is typically discovered and addressed during product evaluation.

Figure 3: Blocking a suspicious executable that creates an unapproved data exfiltration state
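The rule-based check described above (author, location, age and entropy, applied when a file attempts a sensitive operation, with administrator exceptions for custom applications) can be sketched as follows. This is an added example, not Trusteer code: the white paper does not publish its rules, so every threshold, name, operation label and sample file here is an assumption.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed policy values for illustration only; not taken from the white paper.
TRUSTED_SIGNERS = {"Example Software Ltd"}           # constructed publisher name
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
MAX_NORMAL_ENTROPY = 7.2       # bits per byte; packed or encrypted code sits near 8.0
MIN_TRUSTED_AGE_DAYS = 7.0
RULES_TO_FLAG = 3              # how many rules must fire before a file is suspicious
SENSITIVE_OPERATIONS = {"open_external_connection", "inject_into_process"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


@dataclass
class FileFacts:
    path: str
    signer: Optional[str]      # verified publisher, None when unsigned
    age_days: float            # time since the file first appeared on the endpoint
    content: bytes


def fired_rules(f: FileFacts) -> List[str]:
    """Return the names of the heuristics that consider this file unusual."""
    rules = []
    if f.signer not in TRUSTED_SIGNERS:
        rules.append("author")
    if f.path.lower().replace("/", "\\").startswith(USER_WRITABLE_PREFIXES):
        rules.append("location")
    if f.age_days < MIN_TRUSTED_AGE_DAYS:
        rules.append("age")
    if shannon_entropy(f.content) > MAX_NORMAL_ENTROPY:
        rules.append("entropy")
    return rules


def decide(f: FileFacts, operation: str,
           exception_hashes: FrozenSet[str] = frozenset()) -> str:
    """Allow or block one operation requested by the executable described by f."""
    if operation not in SENSITIVE_OPERATIONS:
        return "allow"
    # Exceptions are keyed on the SHA-256 of the content rather than the path,
    # so an approved path cannot be reused by a different binary.
    if hashlib.sha256(f.content).hexdigest() in exception_hashes:
        return "allow"
    return "block" if len(fired_rules(f)) >= RULES_TO_FLAG else "allow"


# Constructed sample files.
DROPPED = FileFacts(r"C:\Users\alice\AppData\Local\Temp\upd.exe", None, 0.1,
                    bytes(range(256)) * 16)          # uniform bytes, entropy 8.0
INSTALLED = FileFacts(r"C:\Program Files\Example\app.exe", "Example Software Ltd",
                      400.0, b"MZ" + b"\x00" * 4000 + b"plain text section " * 50)
IN_HOUSE = FileFacts(r"C:\ProgramData\Acme\sync.exe", None, 2.0,
                     b"MZ" + b"\x00" * 2000 + b"internal sync tool " * 40)

if __name__ == "__main__":
    for sample in (DROPPED, INSTALLED, IN_HOUSE):
        print(sample.path, fired_rules(sample),
              decide(sample, "open_external_connection"))
```

The in-house sample trips three rules without being malicious, which is the false-positive case the paper describes; passing its content hash in `exception_hashes` allows it.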

Protecting Enterprise Credentials from Compromise and Theft

Cybercriminals are using phishing schemes and malware to steal credentials that would enable them to access enterprise systems and networks. Trusteer Apex includes specific measures to protect enterprise credentials:

Anti-Keylogging

Keylogging malware captures the user keystrokes when the user enters his/her credentials to log into corporate web applications like SSL VPN, Outlook Web Access, CRM and more. If compromised, such credentials can allow cybercriminals to access enterprise networks and data without being detected. To prevent keylogging malware from capturing user credentials, Trusteer Apex encrypts the user keystrokes at the keyboard driver and decrypts them as they are fed into the application input field. This makes the captured keystrokes unreadable and unusable.

Phishing Protection

Cybercriminals use spear-phishing emails to manipulate users to surrender credentials and other sensitive information on fraudulent websites (a.k.a. phishing sites). Such an email is designed to look as if it was sent by a trusted source, and typically requests the user to log into a fake corporate web application in order to verify his/her information or approve a request. The webpage will appear legitimate as well, but in fact, it is not. Cybercriminals will collect the credentials entered by the user and use them to access enterprise applications and networks.

Trusteer Apex stops phishing attacks by validating that users are entering enterprise credentials only to pre-approved enterprise web applications. Trusteer validates that the webpage URL is in fact a corporate web application. If the URL is not pre-approved, Trusteer Apex will not allow the user to submit his/her credentials.

Enterprise Credentials Reuse Prevention in Public/Consumer Websites

Many people like to reuse passwords because it makes their life easier with fewer passwords to remember. However, password reuse across public and enterprise websites represents a significant risk to enterprises. In recent years cybercriminals have hacked into many public websites extracting the complete user database, including user credentials. They have then used these stolen credentials to log into other websites and applications. Stolen credentials were used, for example, to log into Best Buy accounts that keep a credit card on file and steal hundreds of dollars in gift cards. If enterprise passwords are exposed by such hacks, they can provide cybercriminals access to enterprise applications and networks.

To prevent users from reusing enterprise passwords [3] on public (non-enterprise) websites, Trusteer Apex validates that enterprise passwords are used only for logging into approved enterprise application login pages. If the user attempts to submit the same credentials to other sites, Trusteer Apex will alert IT security or block the access.

Figure 4: Protecting enterprise credentials

Transparent With No Impact on End User Experience or Productivity

Trusteer Apex is designed to transparently prevent application exploitation and data exfiltration. It is extensively tested in over millions of endpoints to ensure compatibility with business applications and enterprise security software products. Trusteer Apex protections are conclusive and deterministic, so the user isn't prompted to make decisions (such as allowing/denying access to specific resources) that could create security exposure.

[3] Trusteer uses a one-way hash of enterprise passwords which is kept on the endpoint to verify that the password is in fact an enterprise password. This enables protection while preventing password exposure.
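The phishing and password-reuse checks described above both reduce to one decision at submit time: is this the enterprise password, and is the destination a pre-approved login page? The following added example (not Trusteer code) shows that decision with a one-way verifier stored on the endpoint. The choice of salted PBKDF2, the iteration count, the exact-origin matching and all sample URLs and passwords are assumptions; the paper only states that a one-way hash is used.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

PBKDF2_ITERATIONS = 100_000                  # assumed work factor
DEFAULT_PORTS = {"https": 443, "http": 80}
Origin = Tuple[str, str, int]


def make_verifier(password: str, salt: bytes) -> bytes:
    """One-way verifier kept on the endpoint in place of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def is_enterprise_password(candidate: str, salt: bytes, verifier: bytes) -> bool:
    """Constant-time comparison of the candidate's hash with the stored verifier."""
    return hmac.compare_digest(make_verifier(candidate, salt), verifier)


def origin_of(url: str) -> Optional[Origin]:
    """Normalise a URL to (scheme, host, port); None when it cannot be trusted."""
    parts = urlsplit(url)
    try:
        port = parts.port                    # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or scheme not in DEFAULT_PORTS:
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def approved_origins(login_urls: Iterable[str]) -> Set[Origin]:
    return {o for o in map(origin_of, login_urls) if o is not None}


def check_submission(url: str, password: str, salt: bytes, verifier: bytes,
                     approved: Set[Origin], on_violation: str = "block") -> str:
    """Return "allow", or the configured violation action ("block" or "alert")."""
    # Exact origin match: a look-alike host such as vpn.example.com.evil.test,
    # a userinfo trick, or a downgrade to http does not count as approved.
    if origin_of(url) in approved:
        return "allow"
    if is_enterprise_password(password, salt, verifier):
        return on_violation
    return "allow"                           # some other password on some other site


# Constructed sample data.
SAMPLE_SALT = b"constructed-salt-01"
SAMPLE_VERIFIER = make_verifier("Corp-Passw0rd!", SAMPLE_SALT)
APPROVED = approved_origins(["https://vpn.example.com/login"])

if __name__ == "__main__":
    for target in ("https://vpn.example.com/login?next=/",
                   "https://vpn.example.com.evil.test/login",
                   "https://vpn.example.com@evil.test/login",
                   "http://vpn.example.com/login"):
        print(target, check_submission(target, "Corp-Passw0rd!", SAMPLE_SALT,
                                       SAMPLE_VERIFIER, APPROVED))
```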

Simplified Management with Minimal IT Overhead

Trusteer Apex Stateful Application Control is designed to maximize security while minimizing IT overhead. It includes several features to enable this:

Automated Solution

Trusteer Apex Stateful Application Control Engine is easy to manage and maintain because it is based on legitimate application states which are few in number and stable. Trusteer's Stateful Application Control is focused on exploited applications, and maintains a list of legitimate states only for those applications. This makes the list shorter and easier to manage. In addition, research performed on a network of over 30 million protected endpoints has confirmed that these applications rarely change, even when an application is patched or upgraded. When a new legitimate state is detected, Trusteer has an automated process that adds it to the solution. Trusteer manages the Application State updates for all customers, eliminating the need to have specialized IT professionals supporting the creation of custom application states.

Ad-Hoc Security Content Updates

Trusteer provides automated security content updates based on threat research. Security content updates are special configuration instructions to the Trusteer Apex Stateful Application Control Engine that include new legitimate application states (for example, when a protected application has a new legitimate way to execute a file in the file system). Content updates are completely transparent and do not cause end-user disruption. The update process requires minimal IT involvement, allowing IT staff to focus on supporting business needs.

Web-Based Management Application

Trusteer Management Application (TMA) is a secured, web-based reporting and configuration console for Trusteer Apex customers. The TMA allows configuration of multiple security policies that define protection layer settings for enterprise endpoints and applications. IT security staff use the TMA to manage all Trusteer Apex clients and gain insight into the threat landscape. The TMA enables organizations to monitor and manage actionable alerts on malware and phishing attacks as well as monitor endpoint security health. The TMA provides customizable out-of-the-box reports and trend analysis views.

Flexible Deployment Options

Enterprise Controlled Deployment for Managed Devices

Trusteer Apex clients can be deployed on PC, Mac and Remote/Virtual Desktops (e.g. Citrix) using software delivery tools (e.g. Microsoft SMS/SCCM, HP CM). Code updates can be controlled by IT security.

[Diagram: enterprise pre-deployment with software distribution tools]

On-Demand Deployment for Unmanaged Devices

The on-demand deployment option is offered to enforce Trusteer Apex clients on unmanaged devices (BYOC, roaming managed devices and home computers) accessing enterprise resources. When the user accesses a protected web site (such as SSL VPN web page), a code snippet placed on the page during deployment detects the presence of Trusteer Apex on the user's endpoint. If Trusteer Apex isn't present, a splash message offers the user a link to download the Trusteer Apex agent. Following a quick deployment process, the user can proceed to login to the enterprise resource in a secure fashion.

[Diagram: BYOC endpoint, Apex detection snippet, customer web app/gateway (SSL VPN page, cloud app, corporate portal, internal apps)]

Conclusion

Exploitation of endpoint application vulnerabilities will continue to be the main vector for introducing advanced, information-stealing malware into enterprise environments. Compromising employees' endpoints is the biggest enabler of APTs and targeted attacks. The steady increase in attack sophistication enables cybercriminals to exploit zero-day vulnerabilities and bypass blacklisting controls. The stealthy nature of the attacks results in successful infiltration into the organization and on-going information exfiltration without the hacked organization knowing the attack is taking place.

By stopping exploitation of zero-day and unpatched vulnerabilities, Trusteer Apex prevents endpoint compromise and reduces the risk of APTs and targeted attacks. Stateful Application Control updates and management are Trusteer's way of eliminating the need for the customer to detect, analyze and approve changes to the solution. This addresses the primary inhibitor to application control deployment. Beyond automated management, organizations can easily deploy Trusteer Apex on both managed and unmanaged endpoints (BYOC, remote access) used for accessing enterprise networks and resources.

About Trusteer

Boston-based Trusteer, an IBM company, is the leading provider of endpoint cybercrime prevention solutions that protect organizations against financial fraud and data breaches. Hundreds of organizations and millions of end users rely on Trusteer to protect their managed and unmanaged endpoints from online threats and advanced information-stealing malware. For more information please visit:

Appendix A: The RSA Breach: Anatomy of a Targeted Attack

In 2011, a human resources department employee at RSA received an email titled "2011 Recruitment Plan". Attached to the email was an Excel spreadsheet with a Flash object embedded in it. When the employee opened the spreadsheet, the Flash object exploited an Adobe Flash zero-day vulnerability (CVE ) and installed a commercial Remote Access Trojan (RAT) called Poison Ivy on the endpoint. The attackers then harvested credentials and obtained privileged access to the targeted system: an internal database that included the seeds to RSA's two-factor authentication system SecurID, used for strong authentication by many organizations. The stolen information was later used to create the one-time-passwords to gain access and attack defense contractor Lockheed-Martin.

The RSA attack, and virtually all highly publicized attacks that followed, demonstrate the primary vector for compromising employee endpoints: exploitation of application vulnerabilities. Today, the majority of malware infections are a direct result of known and zero-day vulnerability exploits. Cybercriminals continuously develop new exploits that take advantage of application vulnerabilities to introduce malware and compromise endpoints. Once compromised, cybercriminals gain full control over the endpoint, which enables them to get further access to enterprise data and network resources. Because application exploits are not visible to the endpoint user, it is a very popular method to infect endpoint machines with malware and gain a foothold in the network.

Cybercriminals can also use other methods that do not require an application exploit to introduce malware to enterprise endpoints. They can manipulate the user to directly install malware on the endpoint by downloading an executable file from the Internet. It is very difficult to prevent the user from installing untrusted files without restricting all file installations. Solutions which have attempted to do that are hard to manage and maintain in a dynamic environment, and they have significant IT overhead. However, in order to gain control over the endpoint and exfiltrate data, the malware must first open a communication channel with a remote attacker or a command and control server (C&C).

The battle against advanced targeted attacks should, therefore, focus on preventing zero-day exploits and data exfiltration.

Appendix B: The Challenge of Stopping APTs, Targeted Attacks and Advanced Malware

Application Vulnerabilities Persist

Despite the growing awareness of the need to develop secure applications, we continuously discover new application vulnerabilities. Attackers are quickly exploiting these unpatched vulnerabilities. There are several challenges that complicate enterprise patch management and as a result, endpoint application patching is always behind. The big investment in education programs trying to teach users how to avoid clicking on untrusted links, or opening malicious attachments, has failed to prevent such incidents.

Unmanaged Endpoints Enter the Enterprise

The increase in unmanaged endpoint devices driven by BYOC and remote access initiatives has created additional challenges. Because IT can't control software installation on unmanaged endpoints, enforce configuration policies or ensure that the latest patches are deployed, these endpoints pose a significant risk to the enterprise.

Blacklisting Technologies Can't Keep Up with New Malware Strains

Endpoint controls based on blacklisting technologies that focus on detecting malicious files and behaviors are by design a step behind the latest threats. Network controls that try to detect the threat en route to the endpoint, by testing its execution in a virtual sandbox, look for known malicious behaviors and fail to prevent zero-day attacks. And cybercriminals continue to develop sophisticated evasion techniques that allow malware to bypass security controls and evade detection.

Application Control and Whitelisting is Difficult to Deploy and Manage

Since blacklisting controls fall short, a new approach has emerged: Application Control, a.k.a. Application Whitelisting, does not rely on detecting known signatures or behaviors. Instead, these solutions restrict file execution by either allowing only good application files to execute, or by sandboxing untrusted applications in runtime. The Application Control approach is considered a strong proactive security measure. However, existing Application Control solutions have been operationally challenging. Managing the full list of all known good or trusted files has proven very difficult. Application sandboxing limits end user productivity because data has to eventually leave the sandbox. This requires IT security to define multiple exception policies which are error-prone and could lead to security exposure. As a result, Application Control is being applied to only a subset of endpoints that are relatively static. The deployment requirements have prevented deployment within dynamic, Internet-facing environments, exposing vulnerable endpoints to the risk of potential compromise.

A better approach is clearly needed. A next-gen malware protection solution must combine effective security, zero management and simplified deployment that enables organizations to protect both managed and unmanaged devices.


More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Meeting FFIEC Guidance and Cutting Costs with Automated Fraud Prevention. White Paper

Meeting FFIEC Guidance and Cutting Costs with Automated Fraud Prevention. White Paper Meeting FFIEC Guidance and Cutting Costs with Automated Fraud Prevention White Paper Table of Contents Executive Summary 3 Key Requirements for Effective and Sustainable Online Banking Fraud Prevention

More information

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION MOST OF THE IMPORTANT DATA LOSS VECTORS DEPEND ON COPYING files in order to compromise

More information

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES By James Christiansen, VP, Information Risk Management Executive Summary Security breaches in the retail sector are becoming more

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth Modern Cyber Threats how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure Axel Wirth Healthcare Solutions Architect Distinguished Systems Engineer AAMI 2013 Conference

More information

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions The evolution of virtual endpoint security Comparing vsentry with traditional endpoint virtualization security solutions Executive Summary First generation endpoint virtualization based security solutions

More information

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise

More information

Protect Your Business and Customers from Online Fraud

Protect Your Business and Customers from Online Fraud DATASHEET Protect Your Business and Customers from Online Fraud What s Inside 2 WebSafe 5 F5 Global Services 5 More Information Online services allow your company to have a global presence and to conveniently

More information

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey

More information

Advanced Persistent Threats

Advanced Persistent Threats White Paper INTRODUCTION Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of (APTs) have increased. APTs, which

More information

Unified Security, ATP and more

Unified Security, ATP and more SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users

More information

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

RSA Security Anatomy of an Attack Lessons learned

RSA Security Anatomy of an Attack Lessons learned RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark Villinski @markvillinski

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark Villinski @markvillinski TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY Mark Villinski @markvillinski Why do we have to educate employees about cybersecurity? 2014 Corporate Threats Survey 94% of business s suffered one

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS Adaptive Authentication in Juniper SSL VPN Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing

More information

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011 10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection September 2011 10 Potential Risks Facing Your IT Department: Multi-layered Security & Network Protection 2 It s

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense Enterprise Cybersecurity: Building an Effective Defense Chris Williams Oct 29, 2015 14 Leidos 0224 1135 About the Presenter Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has

More information

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs? A Special Primer on APTs DETECTING THE ENEMY INSIDE THE NETWORK How Tough Is It to Deal with APTs? What are APTs or targeted attacks? Human weaknesses include the susceptibility of employees to social

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Cisco Advanced Malware Protection

Cisco Advanced Malware Protection Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line

More information

Breaking the Cyber Attack Lifecycle

Breaking the Cyber Attack Lifecycle Breaking the Cyber Attack Lifecycle Palo Alto Networks: Reinventing Enterprise Operations and Defense March 2015 Palo Alto Networks 4301 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com

More information

The Next Generation IPS

The Next Generation IPS The Next Generation IPS Comprehensive Defense Against Advanced Persistent Threats Contents Introduction.............................................. 1 What Are Advanced Persistent Threats?.............................

More information

Why The Security You Bought Yesterday, Won t Save You Today

Why The Security You Bought Yesterday, Won t Save You Today 9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About

More information

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly Securing Internet Facing Applications Ten years ago protecting the corporate network meant deploying traditional firewalls and intrusion detection solutions at the perimeter of the trusted network in order

More information

2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security

2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security 2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security For 10 years, Microsoft has been studying and analyzing the threat landscape of exploits, vulnerabilities, and malware.

More information

Securing Virtual Desktop Infrastructures with Strong Authentication

Securing Virtual Desktop Infrastructures with Strong Authentication Securing Virtual Desktop Infrastructures with Strong Authentication whitepaper Contents VDI Access Security Loopholes... 2 Secure Access to Virtual Desktop Infrastructures... 3 Assessing Strong Authentication

More information

Advanced Persistent. From FUD to Facts. A Websense Brief By Patrick Murray, Senior Director of Product Management

Advanced Persistent. From FUD to Facts. A Websense Brief By Patrick Murray, Senior Director of Product Management A Websense Brief By Patrick Murray, Senior Director of Product Management Advanced Persistent Threats: From FUD to Facts With Websense, you can stay a step ahead of the threats. From our roots in web filtering,

More information

Spear Phishing Attacks Why They are Successful and How to Stop Them

Spear Phishing Attacks Why They are Successful and How to Stop Them White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals White Paper Contents Executive Summary 3 Introduction: The Rise of Spear

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Invincea Advanced Endpoint Protection

Invincea Advanced Endpoint Protection SOLUTION OVERVIEW Invincea Advanced Endpoint Protection A next-generation endpoint security solution to defend against advanced threats combining breach prevention, detection, and response The battle to

More information

Understanding the Advanced Threat Landscape an MSPs Guide. IT Security: Enabled

Understanding the Advanced Threat Landscape an MSPs Guide. IT Security: Enabled Understanding the Advanced Threat Landscape an MSPs Guide IT Security: Enabled 1.0 Cutting through the APT hype to help your clients prevent, detect and mitigate advanced threats Sophisticated cyber-espionage

More information

Comprehensive Advanced Threat Defense

Comprehensive Advanced Threat Defense 1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,

More information

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor Why Device Fingerprinting Provides Better Network Security than IP Blocking How to transform the economics of hacking in your favor Why Device Fingerprinting Provides Better Network Security than IP Blocking

More information

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows Products Details ESET Endpoint Security 6 protects company devices against most current threats. It proactively looks for suspicious activity

More information

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme avecto.com Contents Introduction to the scheme 2 Boundary firewalls and internet gateways 3 Secure configuration

More information

Trusteer Rapport. User Guide. Version 3.5.1307 April 2014

Trusteer Rapport. User Guide. Version 3.5.1307 April 2014 Trusteer Rapport User Guide Version 3.5.1307 April 2014 Contents About this Guide 1 Need More Information about Trusteer Rapport? 1 Sending us Feedback 1 1. What is Trusteer Rapport? 3 Antivirus: A False

More information

Selecting the right cybercrime-prevention solution

Selecting the right cybercrime-prevention solution IBM Software Thought Leadership White Paper Selecting the right cybercrime-prevention solution Key considerations and best practices for achieving effective, sustainable cybercrime prevention Contents

More information

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,

More information

Advanced Persistent Threats

Advanced Persistent Threats Advanced Persistent Threats George R Magee~ FCNSA, FCNSP, Fortinet Larry Cushing~ CEO, Unified Technologies Visit us at Booth #11 1 May 27, 2014 2 Threat landscape An Internet Minute 7 7 Fortinet Confidential

More information

PROTECTION FOR SERVERS, WORKSTATIONS AND TERMINALS ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

PROTECTION FOR SERVERS, WORKSTATIONS AND TERMINALS ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY PROTECTION FOR SERVERS, WORKSTATIONS AND TERMINALS ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY FACT: WORKSTATIONS AND SERVERS ARE STILL AT RISK CONVENTIONAL TOOLS NO LONGER MEASURE

More information

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation By Marc Ostryniec, vice president, CSID The increase in volume, severity, publicity and fallout of recent data breaches

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

WHITE PAPER. Understanding How File Size Affects Malware Detection

WHITE PAPER. Understanding How File Size Affects Malware Detection WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through

More information

Security Evaluation CLX.Sentinel

Security Evaluation CLX.Sentinel Security Evaluation CLX.Sentinel October 15th, 2009 Walter Sprenger walter.sprenger@csnc.ch Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41

More information

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR 場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR Minimum Requirements of Security Management and Compliance

More information

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

FSOEP Web Banking & Fraud: Corporate Treasury Attacks FSOEP Web Banking & Fraud: Corporate Treasury Attacks Your Presenters Who Are We? Tim Wainwright Managing Director Chris Salerno Senior Consultant Led 200+ penetration tests Mobile security specialist

More information

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery

More information

Advanced Endpoint Protection Overview

Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking

More information

Keystroke Encryption Technology Explained

Keystroke Encryption Technology Explained Keystroke Encryption Technology Explained Updated February 9, 2008 information@bluegemsecurity.com (800) 650-3670 www.bluegemsecurity.com Executive Summary BlueGem Security is introducing keystroke encryption

More information

DATA SHEET. What Darktrace Finds

DATA SHEET. What Darktrace Finds DATA SHEET What Darktrace Finds Darktrace finds anomalies that bypass other security tools, due to the uniqueness of the Enterprise Immune System, capable of detecting threats without reliance on rules,

More information

Buyers Guide to Web Protection

Buyers Guide to Web Protection Buyers Guide to Web Protection The web is the number one source for malware distribution today. While many organizations have replaced first-generation URL filters with secure web gateways, even these

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

The Cloud App Visibility Blindspot

The Cloud App Visibility Blindspot The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before

More information

Agenda. 3 2012, Palo Alto Networks. Confidential and Proprietary.

Agenda. 3 2012, Palo Alto Networks. Confidential and Proprietary. Agenda Evolution of the cyber threat How the cyber threat develops Why traditional systems are failing Need move to application controls Need for automation 3 2012, Palo Alto Networks. Confidential and

More information

Under the Hood of the IBM Threat Protection System

Under the Hood of the IBM Threat Protection System Under the Hood of the System The Nuts and Bolts of the Dynamic Attack Chain 1 Balazs Csendes IBM Security Intelligence Leader, CEE balazs.csendes@cz.ibm.com 1 You are an... IT Security Manager at a retailer

More information

Practical Threat Intelligence. with Bromium LAVA

Practical Threat Intelligence. with Bromium LAVA Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful

More information

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent

More information

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director sfrei@secunia.com

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director sfrei@secunia.com The Fundamental Failures of End-Point Security Stefan Frei Research Analyst Director sfrei@secunia.com Agenda The Changing Threat Environment Malware Tools & Services Why Cybercriminals Need No 0-Days

More information

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida 33351 www.legalclub.

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida 33351 www.legalclub. Keylogging Identity The Defense System TM Whitepaper Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida 33351 www.legalclub.com Summary Keyloggers are a serious security threat that

More information

Endpoint Security: Moving Beyond AV

Endpoint Security: Moving Beyond AV Endpoint Security: Moving Beyond AV An Ogren Group Special Report July 2009 Introduction Application whitelisting is emerging as the security technology that gives IT a true defense-in-depth capability,

More information

Content Security: Protect Your Network with Five Must-Haves

Content Security: Protect Your Network with Five Must-Haves White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as

More information

How Do Threat Actors Move Deeper Into Your Network?

How Do Threat Actors Move Deeper Into Your Network? SECURITY IN CONTEXT LATERAL MOVEMENT: How Do Threat Actors Move Deeper Into Your Network? LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is

More information

Online Cash Manager Security Guide

Online Cash Manager Security Guide Online Cash Manager Security Guide You re the One who can protect your business from the threat of a Corporate Account Takeover. 102 South Clinton Street Iowa City, IA 52240 1-800-247-4418 Version 1.0

More information

Secure Your Mobile Workplace

Secure Your Mobile Workplace Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in

More information

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security. Applying the 80/20 approach for Operational Excellence How to combat new age threats, optimize investments and increase security Vinod Vasudevan Agenda Current Threat Landscape The 80/20 Approach Achieving

More information

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

THREAT VISIBILITY & VULNERABILITY ASSESSMENT THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings

More information

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats WWW.COMODO.COM

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats WWW.COMODO.COM WHITE PAPER Endpoint Security and Advanced Persistent Threats The Invisible Threat They re out there waiting. Sitting at their computers hoping for you to make a mistake. And you will. Because no one is

More information

Unknown threats in Sweden. Study publication August 27, 2014

Unknown threats in Sweden. Study publication August 27, 2014 Unknown threats in Sweden Study publication August 27, 2014 Executive summary To many international organisations today, cyber attacks are no longer a matter of if but when. Recent cyber breaches at large

More information

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013 Security Architecture: From Start to Sustainment Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013 Security Architecture Topics Introduction Reverse Engineering the Threat Operational

More information

Intelligent Security Design, Development and Acquisition

Intelligent Security Design, Development and Acquisition PAGE 1 Intelligent Security Design, Development and Acquisition Presented by Kashif Dhatwani Security Practice Director BIAS Corporation Agenda PAGE 2 Introduction Security Challenges Securing the New

More information

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities

More information