TECHNICAL WHITE PAPER

Cyber Advanced Warning System

The Current Approach to Cybersecurity Is Not Working

In the face of a growing attack surface and mounting global losses from cybercrime and cyberespionage incidents, companies wishing to remain operational in a digital world spend increasing amounts on security products as they seek answers to three key questions:

Question 1: How Do I Block an Attack?

Perimeter and endpoint security products are typically the first line of defense against the threat actor. Devices such as firewalls, next generation firewalls (NGFW), intrusion prevention systems (IPS), unified threat management (UTM) systems, secure web gateways (SWG), and endpoint protection products (EPP), including antivirus and host IPS, are deployed in most organizations. However, it has become clear that the objective of blocking 100 percent of attacks is unrealistic. Despite security vendors increasing the effectiveness of such products, they cannot keep up with the threat actor. The security vendor has to provide cover for hundreds of thousands of potential ways into a network, while the threat actor only has to find one. Ultimately, it is not the 98 percent you catch that matters; it is the 2 percent you miss.

Question 2: How Do I Know if I Have Been Compromised?

Assuming that perimeter and endpoint defenses can never be 100 percent effective, it is inevitable that a breach will occur. A huge market exists for products that aid in the detection and remediation of breaches, including breach detection systems (BDS), threat intelligence (TI) solutions, and security incident and event management (SIEM) systems. The language of all such products is the indicator of compromise (IOC). IOCs are individual pieces of data that point toward a threat actor (for attribution) or attack vector, and provide the means to further analyze a breach. Unfortunately, they all assume a reactive stance; by the time such IOCs become available, a breach has taken place, and significant losses may already have been incurred.
Question 3: What Happened Following the Compromise?

Once a breach has been discovered, incident response and remediation take over. TI and SIEM solutions help here too, especially those that provide the means to associate and correlate incidents, and to process workflow. For those companies with in-house expertise, malware analysis tools will also offer valuable insights into the behavior of the malware delivered by the threat actor, providing pointers to those systems affected by the breach and to the actions and intent of the malware. This last point is critical. Traditional threat feeds, TI solutions, and malware analysis tools require significant investment in skilled in-house resources to create a security operations center (SOC) capable of analyzing and understanding the huge amount of data generated by such products.

A New Approach to Cybersecurity

Clearly, a new approach to cybersecurity and risk management is required. While the preceding questions are undoubtedly important, and the products supporting them are necessary for a robust security strategy, there is a fourth question that is even more critical.

Question 4: How Do I Avoid the Compromise?

Predicting compromise is possible with the right data, and NSS Labs Cyber Advanced Warning System (CAWS) provides a unique data-driven approach that addresses the three critical components of every breach:

Component 1: The Capabilities of the Adversary

What exploits does the threat actor have in his toolkit? Malware is useless without the means to deliver it to a user's system. Unless the attacker can persuade the user to open an infected file or run an infected program (this is referred to as a socially engineered malware (SEM) attack), he will need to use an exploit to deliver and install the malware. This exploit is triggered when the user visits a web page (URL) that determines whether the user is running vulnerable applications and then serves up the exploit best suited to the target environment, without the user ever being aware. Thus, every exploit requires an attack vector: a vulnerable program residing on the user's computer. Whereas there are hundreds of thousands of pieces of malware, there are far fewer weaponized exploits that can be used to deliver them. And of those weaponized exploits, even fewer make it into the exploit kits used by the threat actors. This is represented in Figure 1, which lists these security issues on the left side of the hourglass, and the tools that address them on the right side.

Component 2: Security Product Failure

In order for an exploit to succeed, it requires unfettered access to the user's computer. Companies spend millions of dollars every year on security products to prevent this from happening. Unfortunately, as NSS' own testing and research shows, no product or group of products can ever provide 100 percent protection.
As noted earlier in this paper, it is not the 98 percent of exploits that are detected that is important, but the 2 percent that are missed. These 2 percent are the exploits in the center of the hourglass in Figure 1, and the number is small enough that it can be dealt with effectively, provided that advanced warning can be obtained.

Figure 1: Security Issues and the Tools That Address Them (hourglass; each security issue on the left is paired with the tool that addresses it on the right)

10^5 known vulnerabilities: Vulnerability assessment / scanner
10^3 known weaponized exploits: Penetration testing tools
10^2 weaponized exploits in active use: Cyber Advanced Warning System
10^1 weaponized exploits in active use and bypassing your security products: Cyber Advanced Warning System
10^8 malware samples: Antivirus & threat intelligence
10^10 URLs on the Internet: Reputation systems & threat intelligence

Component 3: A Vulnerable Target

As noted earlier, each exploit is effective against a single or limited number of applications and application versions. In fact, exploits are limited even further by the fact that some will fail to run when the target application is combined with a specific browser or operating system. It is vital that the exact target vector is determined for each attack launched by the threat actors. From that, the question becomes: "Am I running that specific version of that application with that specific version of operating system?" If not, then you are not vulnerable, despite the failure of your security products. With this knowledge, you can approach your security vendor for an update to your security product to neutralize the threat, and/or you can patch or modify your attack surface to eliminate the vulnerable application(s). With Cyber Advanced Warning System, you are relieved of the responsibility of marrying all of the possible threats in the wild with all of the possible vulnerabilities in applications and operating systems in your environment and arriving at a manageable list of preventative measures.
The Insurance Analogy

Think of this in terms of household insurance. Blanket coverage is of no use if you have a significant number of high-value jewelry, art, and electrical items. For these, the insurance company will expect you to provide an exhaustive list of all the items you want covered over a certain value. The burden is on you to ensure this list is complete; woe betide you if you forget that one critical item that subsequently gets stolen. This is similar to the situation you are in regarding traditional solutions to security problems; the huge volume of data from threat feeds, threat intelligence solutions, vulnerability assessment tools, and so on leaves the burden on you to filter, normalize, and match those to determine the precise areas of risk.

Now imagine if, instead of providing that huge list to your insurance company, your insurance company came to you each day with a threat alert along the lines of: "There is a burglar operating in your neighborhood; he has tools available to neutralize the Acme alarm system, and he is specifically interested in diamond necklaces. Do you have a diamond necklace?" The burden is no longer on you to come up with that exhaustive list. You now have precise information at your fingertips to assess the risk. Do you have an Acme alarm system? Do you have a diamond necklace? If the answer to either of these questions is no, then you are not at risk. If the answer is yes, you now have time to strengthen your door and window locks, update or change your alarm system, or secure your diamonds in a safe. This is called situational awareness, and it is critical to an effective security posture.

In the same way, Cyber Advanced Warning System provides situational awareness based on NSS' deep DNA in security product testing:

- Cyber Advanced Warning System monitors the activities of the threat actors and determines which exploits are being served by which malicious campaigns.
- Cyber Advanced Warning System tests the exploits against all of the leading security products to determine which ones will block the exploit, and which will miss.
- Cyber Advanced Warning System tests those exploits against a huge range of target systems to determine precisely all possible attack victims.

By correlating these test results with details of the security products deployed in your environment, Cyber Advanced Warning System will raise an alert whenever it sees an exploit that is being used in a current malicious campaign and that is capable of bypassing all of your security products. It will also expose the precise attack vector, allowing you to determine whether you are running that combination of application version and operating system in your environment.
Note that Cyber Advanced Warning System will only raise an alert if a current exploit is capable of bypassing all of your security products. Should one of your users fall prey to the attack, no evidence of it would appear in any of your logs. Your security products will not detect the attack, and they don't know what they don't know. Nor will the attack appear in your SIEM or threat intelligence product if evidence is missing from the device logs. You are flying blind.

Risk avoidance requires that we think differently. The focus must shift from the malware to its delivery mechanism: the exploit. Cyber Advanced Warning System focuses on the exploit to provide situational awareness.

How Does Cyber Advanced Warning System Do It?

At the heart of Cyber Advanced Warning System is patented technology called BaitNET. BaitNET is a huge cloud-based, instrumented sandbox environment, a unique live test harness used for security effectiveness testing on all leading endpoint and network security products. Originally designed in response to the need to test a new breed of security products against an increasingly sophisticated adversary, BaitNET has been at the core of NSS' live testing initiative since
Live BaitNET test results are now available in real time, not only to NSS test engineers, but also to enterprise security professionals. The BaitNET process is divided into two parts: capture and replay. Cyber Advanced Warning System adds a third component: correlation.

Capture

Threat Sources

Input to BaitNET comprises lists of hundreds of thousands of suspicious URLs per day gathered from:

- Open-source and commercial threat feeds
- NSS customer-generated threat data
- NSS-generated threat data

These lists are correlated, deduplicated, normalized, and then pre-filtered by the BaitNET Threat Collector to increase the likelihood of URLs yielding exploits rather than malware. Accurate pre-filtering is vital, since Cyber Advanced Warning System relies on finding and testing exploits as the delivery mechanism for malware, rather than the malware itself. The web sites serving malware as part of an organized campaign can disappear as quickly as they appear, making it imperative that those links are tested in a timely manner.

Malware is an interesting byproduct of the BaitNET process and is retained purely as an IOC, and also for subsequent malware analysis or for use in testing EPP products outside BaitNET. Those URLs that yield only malware (and thus would require the user to knowingly download and run or open an infected file) are also retained as a separate threat feed for specific malware testing projects. The effect is to identify only those URLs that would cause infection of a user's machine with no interaction, or even awareness, on the part of the user.

URL Validation

The BaitNET Threat Collector passes the optimized list of suspicious URLs to the BaitNET Controller, which allocates resources, assigns URLs to virtual victim machines, and spins up those resources to visit the URL. Each virtual victim will have a unique combination of operating system (including service pack/patch level), browser, and end-user application. Each victim will also be running only one version of any given application; this is what enables BaitNET to identify with such accuracy the exact version(s) of application(s) and operating system(s) that is/are vulnerable to any given exploit. The Controller dispatches victim machines to their assigned URLs via thousands of proxies and virtual private network (VPN) connections; this ensures geographical variation in victim location and forces reinfection from the same URL. The basic operation of BaitNET is to mimic exactly the operation of a typical user when clicking on a URL within a browser, and then to analyze the results.
Three outcomes are possible:

1. Nothing happens. In this case, the URL is actually good, or the malicious content is no longer being served. The URL is discarded, and the virtual resources are recycled by the Controller.
2. Malware is detected. In this case, the URL is retained for possible further use as a malware feed, and the virtual resources are recycled by the Controller.
3. An exploit is detected. In this case, patented technology inserted into each browser process in the victim machine will permit full analysis of the exploit and its activities.

Exploit

If the exploit succeeds in taking advantage of a vulnerability in an application running on the victim machine, this typically results in a drop of malware to the target workstation. BaitNET monitors the download of the malware and its execution; records the network traffic (pcap); creates a copy of the malware; generates hashes of the dropped files; and catalogs all changes to the operating system made by the malware (including the download of additional malicious code). In addition, the Capture process will record any and all outbound communications from the newly compromised workstation. This outbound traffic will include any command and control (C&C) communications, often identifying the true threat actor, as well as any data being exfiltrated from the infected system.

BaitNET utilizes sophisticated techniques to counter detection by the exploit served or by the malware delivered by the exploit, including:

1. Anti-endpoint profiling: BaitNET takes steps to ensure that the attacker is unable to detect that the victim machine is not a genuine user prior to delivering the exploit. This includes, but is not limited to, user activity emulation, and the use of variable language packs and keyboard layouts.
2. Anti-VM detection: Unlike many on-premises, sandbox-based security products running on limited hardware, BaitNET does not have to emulate multiple operating systems and applications in a single victim image; this is an approach that makes the image more open to detection and thus avoidance. Instead, BaitNET creates realistic end-user images running genuine OS, browser, and application combinations. It also employs sophisticated, patented techniques that prevent the exploit or malware from detecting the host VM.
3. Anti-one-click URL: More sophisticated attackers are using a technique that restricts any given URL to a single access before rendering it unusable; these are called one-click URLs. Patented technology within BaitNET renders the one-click aspect redundant, allowing VMs to visit each URL multiple times in order to test the exploit against multiple applications.
4. Anti-IP address profiling: Attackers typically will monitor IP addresses accessing their URLs to determine if they are being accessed by malware researchers; if such activity is detected, the researcher's IP addresses will be placed on a blacklist and no longer served with exploits or malware. BaitNET employs multiple VPNs and proxies located around the world with constantly rotating IP addresses for each, in order to avoid detection. BaitNET VMs also can appear as though they are emanating from the networks of NSS enterprise clients; this serves a dual purpose, since not only does it make detection by threat actors more difficult, but it also ensures that specific targeted attacks against those clients can be observed. It should be noted that this is an option only; BaitNET does not require any hardware or software on client premises.
Critically, even if the malware fails to drop, or the dropped malware fails to execute, BaitNET still has knowledge of the original exploit served up by the malicious URL, and a copy of the exploit itself (shellcode and/or binary) is stored when available. It is this emphasis on the exploit rather than the malware that makes BaitNET unique, and so valuable; by ensuring focus earlier in the kill chain, it allows security personnel to be much more proactive.

All data collected as part of the Capture process is stored in the Cyber Advanced Warning System data warehouse: LiveIQ. This is made available via the Cyber Advanced Warning System web-based user interface (UI) as well as the application programming interface (API), to facilitate automated data retrieval and integration with other third-party threat intelligence and remediation systems.

Replay

Within a minute of the original compromise, the malicious session is packaged and passed to the BaitNET Replay Controller for replay across the test harness. During the Replay process, systems matching the configuration of the host that was infected during the Capture process are prepared for testing of the malicious code. Copies of the vulnerable workstation used during the Capture process are configured as replay hosts with the latest versions of all endpoint protection products being tested. Vulnerable replay hosts with no endpoint protection are also configured in victim networks behind in-line security products such as intrusion prevention systems and next generation firewalls. All replay hosts visit an internal URL that has been created by BaitNET as a perfect copy of the malicious URL that was validated during the Capture process, thus triggering the original exploit. The Replay process utilizes a custom proxy, allowing BaitNET to perform continual testing against the malicious URL without access to the original, live website.

The proxy uses the original source code of the malicious website as recorded by the Capture process, emulating exactly the remote server, the source code of the website, and the delivery of the exploit (and malware, if appropriate). This feature is critical for consistent testing against multiple products over time, due to the short lifespan of most malware campaigns and the use of transient IP addresses for delivery and C&C servers. Processes on the replay hosts monitor whether the exploit is successful, providing an accurate indication of whether or not the exploit was blocked by the security product. Tests are repeated at regular intervals against failed security products until protection is put in place, providing accurate and unique time to protection metrics for all products under test. The results (pass or fail) of tests against individual security products are stored in the LiveIQ data warehouse and made available via the API.

All data collected as part of the Capture process, including malware samples, network traffic captures (PCAPs), and even the original exploit itself, are retained in the LiveIQ databases and can be reused by the Replay process at any time. All tested products can be retested to confirm that patches and updates supplied by the vendors are working as designed, and new victim machine configurations can be tested against these exploits to confirm the vulnerability of new target applications or platforms.
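The time to protection metric described above follows directly from the replay schedule: a product that fails is replayed at regular intervals until it blocks, and the metric is the gap between the first replay and the first block. The following Python is an added example (not NSS Labs code, and not the LiveIQ API) that computes that metric from a constructed set of replay verdicts and derives the retest set for the next interval; the record schema, product names, exploit id and the six-hour interval are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ReplayResult:
    """One replay of one exploit against one security product (constructed schema)."""
    exploit_id: str
    product: str
    tested_at: datetime
    blocked: bool  # True: the product stopped the exploit on this replay


def _runs_by_exploit_and_product(
    results: List[ReplayResult],
) -> Dict[Tuple[str, str], List[ReplayResult]]:
    """Group replays by (exploit, product), oldest first."""
    grouped: Dict[Tuple[str, str], List[ReplayResult]] = {}
    for r in sorted(results, key=lambda x: x.tested_at):
        grouped.setdefault((r.exploit_id, r.product), []).append(r)
    return grouped


def time_to_protection(results: List[ReplayResult]) -> Dict[str, Dict[str, Optional[float]]]:
    """Seconds from the first replay to the first block, per exploit and product.

    0.0 means the product blocked the exploit on the very first replay; None means
    every replay so far has failed, so the product is still unprotected.
    """
    metrics: Dict[str, Dict[str, Optional[float]]] = {}
    for (exploit_id, product), runs in _runs_by_exploit_and_product(results).items():
        first_seen = runs[0].tested_at
        protected_at = next((r.tested_at for r in runs if r.blocked), None)
        ttp = None if protected_at is None else (protected_at - first_seen).total_seconds()
        metrics.setdefault(exploit_id, {})[product] = ttp
    return metrics


def products_to_retest(results: List[ReplayResult], exploit_id: str) -> List[str]:
    """Products whose most recent replay of exploit_id still failed: the scheduler
    replays these again at the next interval."""
    latest: Dict[str, ReplayResult] = {}
    for r in sorted(results, key=lambda x: x.tested_at):
        if r.exploit_id == exploit_id:
            latest[r.product] = r
    return sorted(product for product, r in latest.items() if not r.blocked)


# Constructed sample: one exploit replayed against three products at a (constructed)
# six-hour interval. Product names and the exploit id are placeholders.
T0 = datetime(2015, 3, 1, 0, 0)
SAMPLE_RESULTS = [
    ReplayResult("EXP-0001", "ngfw-a", T0, True),                       # blocked at first replay
    ReplayResult("EXP-0001", "ips-b", T0, False),
    ReplayResult("EXP-0001", "ips-b", T0 + timedelta(hours=6), False),
    ReplayResult("EXP-0001", "ips-b", T0 + timedelta(hours=12), True),  # vendor update landed
    ReplayResult("EXP-0001", "epp-c", T0, False),
    ReplayResult("EXP-0001", "epp-c", T0 + timedelta(hours=6), False),
    ReplayResult("EXP-0001", "epp-c", T0 + timedelta(hours=12), False),  # still failing
]

if __name__ == "__main__":
    for exploit, per_product in time_to_protection(SAMPLE_RESULTS).items():
        for product, seconds in per_product.items():
            state = "unprotected" if seconds is None else f"protected after {seconds / 3600:.0f} h"
            print(f"{exploit} {product}: {state}")
    print("retest next interval:", products_to_retest(SAMPLE_RESULTS, "EXP-0001"))
```

Run as-is it reports ngfw-a protected after 0 h, ips-b after 12 h, epp-c unprotected, and epp-c as the only product due for retest. Keeping None rather than a large sentinel for unprotected products matters when the figures are later averaged: an open-ended failure should show up as missing protection, not as a long but finite time to protection.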
Correlation

It is not necessary for Cyber Advanced Warning System to model the exact security stack in any given environment in order to be effective; indeed, attempting to replicate a complex security stack would be counterproductive. Consider the example of an organization that has deployed an NGFW, an IPS, and an endpoint protection product. In any case where an exploit is blocked by the NGFW, that exploit would not be tested against the IPS or the EPP product, and thus two potential failures would go unidentified. In the Replay process, every device is tested individually, which means that in the above example, Cyber Advanced Warning System would know with 100 percent certainty whether or not this particular exploit bypasses the NGFW, the IPS, and the EPP.

Within the Cyber Advanced Warning System UI, it is possible to define multiple profiles that group the security products deployed in any given location. Whenever a new exploit is detected by BaitNET and replayed against the security products, those results are extracted and correlated in real time to determine not only the failures of the individual products, but also whether the combination of products results in a failure. For example, NSS' own testing and research has demonstrated clearly that multiple network security products will frequently miss the same exploit or group of exploits. By layering in endpoint security, however, the overall security effectiveness of the stack is improved, since endpoint products often block exploits missed by network products, and vice versa. Cyber Advanced Warning System might indicate that today the NGFW missed 20 exploits, the IPS missed 15, and the EPP missed 10; however, because the three products are complementary in terms of coverage, the count of Relevant Threats (i.e., those threats that bypass all security products in the stack) is zero.

In this case, despite individual product failures that should still be addressed with the security vendors, the organization is not actually at risk. Only when one or more exploits bypass all security products deployed in a given location does the organization need to begin planning for a breach. Cyber Advanced Warning System then provides precise details of the target applications, browsers, and operating systems that are vulnerable, as well as the exploit code, malware samples, network traffic, and outbound communications observed during the exploit.

Note that if an alert is raised by Cyber Advanced Warning System, it is because an exploit is capable of bypassing all security products in an organization. If that exploit were to strike, by definition, it would not appear in any of the logs of any of those security products, nor would it be accessible via the SIEM.
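The correlation step above combines two independent pieces of data: the per-product replay verdicts (each product tested on its own) and a profile listing which products are deployed at a location. An exploit is a Relevant Threat for a profile only when every product in that profile missed it; the alert is then narrowed further by checking the exploit's attack vector (application version plus operating system, as discussed under Component 3) against the endpoint inventory. The Python below is an added example written for this paper, not NSS Labs code or the CAWS API; the verdicts, profiles, attack vectors, inventory and version strings are all constructed placeholders. It also generalises the text's single three-product example to any number of profiles and to endpoints with several installed applications.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Replay verdicts, one entry per exploit: product name -> True if that product blocked
# the exploit when tested on its own. Constructed sample; ids and names are placeholders.
VERDICTS: Dict[str, Dict[str, bool]] = {
    "E1": {"ngfw": False, "ips": True,  "epp": True},
    "E2": {"ngfw": False, "ips": False, "epp": True},
    "E3": {"ngfw": True,  "ips": False, "epp": True},
    "E4": {"ngfw": False, "ips": False, "epp": False},
    "E5": {"ngfw": True,  "ips": True,  "epp": False},
}

# Profiles group the products deployed at a location (constructed).
PROFILE_HQ = ["ngfw", "ips", "epp"]
PROFILE_BRANCH = ["ngfw", "ips"]  # a site with no endpoint protection


@dataclass(frozen=True)
class AttackVector:
    """The exact target combination an exploit needs (constructed schema)."""
    application: str
    app_version: str
    os: str


@dataclass
class Endpoint:
    hostname: str
    os: str
    installed: Dict[str, str] = field(default_factory=dict)  # application -> version


# Constructed attack vectors and inventory; version strings are placeholders.
VECTORS = {
    "E2": AttackVector("Java", "7u0-constructed", "Windows 7"),
    "E4": AttackVector("Adobe Air", "3.0-constructed", "Windows 7"),
}
ENDPOINTS = [
    Endpoint("ws01", "Windows 7", {"Adobe Air": "3.0-constructed", "Java": "6u0-constructed"}),
    Endpoint("ws02", "Windows 7", {"Java": "7u0-constructed"}),
    Endpoint("ws03", "Windows 8", {"Adobe Air": "3.0-constructed"}),  # right app, wrong OS
]


def per_product_misses(verdicts: Dict[str, Dict[str, bool]], products: Iterable[str]) -> Dict[str, int]:
    """How many exploits each product missed, counted independently per product."""
    products = list(products)
    misses = Counter({p: 0 for p in products})
    for results in verdicts.values():
        for p in products:
            if not results.get(p, False):  # no verdict counts as a miss (nothing shows a block)
                misses[p] += 1
    return dict(misses)


def relevant_threats(verdicts: Dict[str, Dict[str, bool]], profile: List[str]) -> List[str]:
    """Exploits that bypass every product in the profile."""
    return sorted(e for e, results in verdicts.items()
                  if all(not results.get(p, False) for p in profile))


def exposed_endpoints(vector: AttackVector, endpoints: List[Endpoint]) -> List[str]:
    """Hosts running exactly the application version and OS the exploit targets."""
    return [e.hostname for e in endpoints
            if e.os == vector.os and e.installed.get(vector.application) == vector.app_version]


def alerts(verdicts, profile, vectors, endpoints) -> Dict[str, Optional[List[str]]]:
    """Relevant threats for a profile, each mapped to the endpoints it can actually hit.
    None means the target vector is not yet known, so exposure cannot be ruled out."""
    return {e: (exposed_endpoints(vectors[e], endpoints) if e in vectors else None)
            for e in relevant_threats(verdicts, profile)}


if __name__ == "__main__":
    print("misses per product (HQ):", per_product_misses(VERDICTS, PROFILE_HQ))
    print("alerts for HQ:", alerts(VERDICTS, PROFILE_HQ, VECTORS, ENDPOINTS))
    print("alerts for branch:", alerts(VERDICTS, PROFILE_BRANCH, VECTORS, ENDPOINTS))
```

With the constructed data the HQ profile shows three misses for the NGFW, three for the IPS and two for the EPP, yet only E4 is a Relevant Threat there, and only ws01 runs the version and OS it needs; the branch profile without endpoint protection also surfaces E2. A product with no verdict is treated as a miss rather than a block, so a gap in the replay data errs toward raising an alert instead of silently hiding one.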
Cyber Advanced Warning System Use Cases

IT Governance, Risk Management, and Compliance

Typical governance is about compliance and control processes, but maturity can be shown in these processes by having a record of review and adjustment to your environment and security products. Now you can present your overall/historical risk posture based upon the real-world efficacy of your security infrastructure.

Situational Awareness

Situational awareness lies at the heart of attack anticipation. Cyber Advanced Warning System focuses on the capabilities of the adversary, providing unique insight into the exploits being used by threat actors in current campaigns. In addition, it provides a highly accurate profile of the applications being targeted by those exploits, and the detection and protection failures of all major security products. By monitoring changes in threat actor targets and the ways in which those exploits map to failures in deployed security products, the enterprise security professional can prioritize security policy changes, patch cycles, and security product updates.

For example, learning that threat actors are targeting Adobe Air in current campaigns can provide valuable information, even if you know that Adobe Air is not deployed on your endpoints. Indicators may exist within such an attack that point to a targeted attack against your organization. Just because you know that Adobe Air is not used in your organization does not mean the threat actor does. Today, the exploit is Adobe Air; tomorrow it could be Java, or another application that you do have deployed. Gaining advanced warning of an impending attack allows you time to prepare.

Continuous Monitoring

Every day, cybercriminals alter their attacks, find new vulnerabilities to target, and seek out new information on your network. Security vendors are aware of this, and try to protect against a large range of attacks. Unfortunately, the security vendor has to identify and plug every hole, whereas the threat actor needs only to find one. As the cybercriminal continues to test, modify, and redeploy exploits that are known to bypass security technologies, it is imperative that security organizations have the capability to monitor these new attack vectors continuously. Time to awareness is critical; we know that the average time for an exploit to move from unknown (zero-day), to known-unknown, to CVE, to patch is 565 days. Understanding the real threat exploits that are capable of bypassing your complete security stack is vital in taking appropriate action to mitigate that threat.

Time to Protection is a key metric that is simply not available without continuous testing of security products. Cyber Advanced Warning System tests devices continuously until protection is added for an exploit. Over time, the results of this testing provide organizations with the tools to make critical decisions; information can be provided on whether to patch an application, or whether to wait for a security vendor to add a signature for a particular exploit targeting that application.
Security Threat Response and Resolution

"What do I do next?" The most frequently asked question, and often the first one to be asked, can have a complicated answer. If you are using technologies that supply threat resolution data, you are already on the right path. Cyber Advanced Warning System addresses threats earlier in the kill chain, focusing on the exploit as the delivery mechanism for malware rather than on the malware itself. This data augments your other security processes and procedures, feeding IOCs and malware samples to your existing threat intelligence products, and providing gap mitigation to the patch (update) processes within your security stack.

Security Stack Validation

Historical trending is critical in understanding whether you are using the correct tools. If you are consistently missing exploits against a specific application within your environment, yet the product you are using is considered best in breed, then you are using the wrong product, or you have not configured it correctly. Understanding the deficiencies in your security products, or deficiencies in their configuration, allows you to adjust your attack surface or security policy to minimize threats. For example, IPS, NGFW, UTM, and other network-based security products use protocol decoders and application- or vulnerability-specific signatures in order to provide protection. If you don't know exactly what your attack surface looks like, how can you configure network security products effectively? Cyber Advanced Warning System provides accurate information on the applications and operating systems being targeted by threat actors at any given point in time. This information can be used to determine which signatures and protocol decoders must be enabled in order to provide protection against current campaigns, regardless of the composition of the attack surface being protected.
Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX USA

NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e-mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ("us" or "we"). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. "You" or "your" means the person who accesses this report and any entity on whose behalf he/she has obtained this report.

1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it.
2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.
Types of cyber-attacks. And how to prevent them
Types of cyber-attacks And how to prevent them Introduction Today s cybercriminals employ several complex techniques to avoid detection as they sneak quietly into corporate networks to steal intellectual
Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT
Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT TESTED PRODUCTS: AVG Internet Security Network Edition v8.0 Kaspersky Total Space Security v6.0 McAfee Total Protection for Endpoint Sophos
When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher
TrendLabs When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher Advanced persistent threats (APTs) refer to a category
Practical Threat Intelligence. with Bromium LAVA
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
End-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
REVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
Unknown threats in Sweden. Study publication August 27, 2014
Unknown threats in Sweden Study publication August 27, 2014 Executive summary To many international organisations today, cyber attacks are no longer a matter of if but when. Recent cyber breaches at large
SPEAR PHISHING UNDERSTANDING THE THREAT
SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business
The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud
The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery
Cisco Advanced Malware Protection
Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line
IBM Advanced Threat Protection Solution
IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain
WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform
WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9
Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions
Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions CORE Security +1 617.399-6980 [email protected] www.coresecurity.com blog.coresecurity.com Preempting
Cisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
Anti-exploit tools: The next wave of enterprise security
Anti-exploit tools: The next wave of enterprise security Intro From malware and ransomware to increasingly common state-sponsored attacks, organizations across industries are struggling to stay ahead of
CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
SPEAR PHISHING AN ENTRY POINT FOR APTS
SPEAR PHISHING AN ENTRY POINT FOR APTS threattracksecurity.com 2015 ThreatTrack, Inc. All rights reserved worldwide. INTRODUCTION A number of industry and vendor studies support the fact that spear phishing
What Do You Mean My Cloud Data Isn t Secure?
Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
Cisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION
THE NEXT (FRONT) TIER IN SECURITY When conventional security falls short, breach detection systems and other tier 2 technologies can bolster your network s defenses. By John Pirc THREAT HAS moved beyond
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
NASCIO 2015 State IT Recognition Awards
NASCIO 2015 State IT Recognition Awards Title: State of Georgia Private Security Cloud Implementation Category: Cybersecurity Contact: Mr. Calvin Rhodes CIO, State of Georgia Executive Director, GTA [email protected]
KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE
KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE Global threat intelligence for local implementation www.kaspersky.com 2 A CLOUD-BASED THREAT LABORATORY
Achieve Deeper Network Security
Achieve Deeper Network Security Dell Next-Generation Firewalls Abstract Next-generation firewalls (NGFWs) have taken the world by storm, revolutionizing network security as we once knew it. Yet in order
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
SIEM is only as good as the data it consumes
SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to
Uncover security risks on your enterprise network
Uncover security risks on your enterprise network Sign up for Check Point s on-site Security Checkup. About this presentation: The key message of this presentation is that organizations should sign up
Understanding & Improving Hypervisor Security
The Essentials Series: Security Concerns & Solutions Understanding & Improving Hypervisor Security sponsored by by Greg Shields Understanding & Improving Hypervisor Security...1 What Is the Hypervisor?...1
Cisco Advanced Malware Protection Sandboxing Capabilities
White Paper Cisco Advanced Malware Protection Sandboxing Capabilities What You Will Learn How sandboxing is a key part of network security when it operates as an integrated component of a complete solution.
Fighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
SANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
IBM Security. 2013 IBM Corporation. 2013 IBM Corporation
IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure
THREAT VISIBILITY & VULNERABILITY ASSESSMENT
THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings
Concierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
Carbon Black and Palo Alto Networks
Carbon Black and Palo Alto Networks Bring Together Next-Generation Endpoint and Network Security Solutions Endpoints and Servers in the Crosshairs of According to a 2013 study, 70 percent of businesses
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
Internet Advertising: Is Your Browser Putting You at Risk?
ANALYST BRIEF Is Your Browser Putting You at Risk? PART 2: CLICK FRAUD Authors Francisco Artes, Stefan Frei, Ken Baylor, Jayendra Pathak, Bob Walder Overview The US online advertising market in 2011 was
Requirements When Considering a Next- Generation Firewall
White Paper Requirements When Considering a Next- Generation Firewall What You Will Learn The checklist provided in this document details six must-have capabilities to look for when evaluating a nextgeneration
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
Getting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
You ll learn about our roadmap across the Symantec email and gateway security offerings.
#SymVisionEmea In this session you will hear how Symantec continues to focus our comprehensive security expertise, global intelligence and portfolio on giving organizations proactive, targeted attack protection
Things To Do After You ve Been Hacked
Problem: You ve been hacked! Now what? Solution: Proactive, automated incident response from inside the network Things To Do After You ve Been Hacked Tube web share It only takes one click to compromise
Vulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
43% Figure 1: Targeted Attack Campaign Diagram
TrendLabs Data exfiltration is the final stage of a targeted attack campaign where threat actors steal valuable corporate information while remaining undetected. 1 43% of most serious threats to the company
SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper
SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4
Defending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
Technical Testing. Network Testing DATA SHEET
DATA SHEET Technical Testing Network Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance your security posture, reduce
TEST METHODOLOGY. Distributed Denial-of-Service (DDoS) Prevention. v2.0
TEST METHODOLOGY Distributed Denial-of-Service (DDoS) Prevention v2.0 Table of Contents 1 Introduction... 4 1.1 The Need for Distributed Denial-of-Service Prevention... 4 1.2 About This Test Methodology
Analyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS
NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS Security Value Map (SVM) Author Thomas Skybakmoen Tested Products Barracuda F800b Check Point 13500 Cisco ASA 5525-X Cisco ASA 5585-X SSP60 Cisco FirePOWER
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 [email protected]
HP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise
HP ENTERPRISE SECURITY Protecting the Instant-On Enterprise HP SECURITY INTELLIGENCE AND RISK MANAGEMENT PLATFORM Advanced Protection Against Advanced Threats 360 Security Monitoring to Detect Incidents
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
Spear Phishing Attacks Why They are Successful and How to Stop Them
White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals White Paper Contents Executive Summary 3 Introduction: The Rise of Spear
Mobile App Containers: Product Or Feature?
ANALYST BRIEF Mobile App Containers: Product Or Feature? APPLE AND SAMSUNG HAVE TAKEN BIG STEPS WITH CONTAINERIZATION Author Andrew Braunberg Overview Secure workspaces, or containers, used for isolating
WEB APPLICATION FIREWALL COMPARATIVE ANALYSIS
WEB APPLICATION FIREWALL COMPARATIVE ANALYSIS Security Value Map (SVM) Author Thomas Skybakmoen Tested Products Barracuda Networks Web Application Firewall 960 Citrix NetScaler AppFirewall MPX 11520 Fortinet
Perspectives on Cybersecurity in Healthcare June 2015
SPONSORED BY Perspectives on Cybersecurity in Healthcare June 2015 Workgroup for Electronic Data Interchange 1984 Isaac Newton Square, Suite 304, Reston, VA. 20190 T: 202-618-8792/F: 202-684-7794 Copyright
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon
Top five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
Content Security: Protect Your Network with Five Must-Haves
White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as
Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth
Modern Cyber Threats how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure Axel Wirth Healthcare Solutions Architect Distinguished Systems Engineer AAMI 2013 Conference
Security Intelligence Services. www.kaspersky.com
Kaspersky Security Intelligence Services. Threat Intelligence Services www.kaspersky.com THREAT INTELLIGENCE SERVICES Tracking, analyzing, interpreting and mitigating constantly evolving IT security threats
CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Cyber Security Assessments of Industrial Control Systems Good Practice
PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management
PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management INTRODUCTION Traditional perimeter defense solutions fail against sophisticated adversaries who target their
APPLICATION PROGRAMMING INTERFACE
DATA SHEET Advanced Threat Protection INTRODUCTION Customers can use Seculert s Application Programming Interface (API) to integrate their existing security devices and applications with Seculert. With
Beyond the Hype: Advanced Persistent Threats
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
Breaking the Cyber Attack Lifecycle
Breaking the Cyber Attack Lifecycle Palo Alto Networks: Reinventing Enterprise Operations and Defense March 2015 Palo Alto Networks 4301 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com
you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services
MSSP you us are a Managed Security Service Provider looking to offer Advanced Malware Protection Services Lastline is the only company with 10+ years of academic research focused on detecting advanced
Combating a new generation of cybercriminal with in-depth security monitoring
Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.
Attack Intelligence: Why It Matters
Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 [email protected] www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,
The webinar will begin shortly
The webinar will begin shortly An Introduction to Security Intelligence Presented by IBM Security Chris Ross Senior Security Specialist, IBM Security Agenda The Security Landscape An Introduction to Security
AppGuard. Defeats Malware
AppGuard Defeats Malware and phishing attacks, drive-by-downloads, zero-day attacks, watering hole attacks, weaponized documents, ransomware, and other undetectable advanced threats by preventing exploits
SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal
WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise
Achieve Deeper Network Security and Application Control
Achieve Deeper Network Security and Application Control Dell Next-Generation Firewalls Abstract Next-generation firewalls (NGFWs) have emerged to revolutionize network security as we once knew it. Yet
White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible
White Paper Time for Integrated vs. Bolted-on IT Security Cyphort Platform Architecture: Modular, Open and Flexible Overview This paper discusses prevalent market approaches to designing and architecting
