Trends in Zero-Day Kernel Exploits and Protection, 2015
Overview of Key Protection Technologies and Their Limitations in Dealing With Zero-Day Kernel Attacks
Executive Summary

Legacy security solutions rely on outdated detection-based technologies, which can only stop known attacks and ultimately fail to detect true zero-day attacks. Zero-day kernel exploits are a threat whether they are delivered over an Internet connection, a network share or USB removable media. In the first half of 2015, 26 Windows kernel vulnerabilities were reported. Customers worried about the most advanced attacks, which use OS kernel exploits or physical ingress via infected USB removable media, must consider a containment solution like Bromium.

Zero-Day Kernel Threats

Despite all of the industry hype touting new and improved detection methods to protect against zero-day attacks and advanced persistent threats (APTs), enterprises continue to be compromised via the endpoint, resulting in the costly (and in some cases irreparable) theft of sensitive data. This happens because legacy security solutions rely on outdated detection-based technologies (signatures, heuristics and behavior analytics), which can only stop attacks that have been seen before and ultimately fail to detect true zero-day attacks. Below is a brief overview of key protection technologies and their limitations in dealing with zero-day kernel attacks.
Legacy network and endpoint defenses have limitations dealing with zero-day kernel attacks.

Network Protection

Intrusion prevention system (IPS) (IBM, McAfee Network Security Platform, Cisco, et al.)
  What it does: Defends networks against known attacks that have signatures by detecting and blocking them in the network.
  Limitations in blocking or detecting zero-day exploits:
  - Can't block without a signature
  - Needs to be implemented at every ingress/egress access point
  - Success depends on a high degree of detection accuracy
  - Costly, complex and noisy, especially for geographically distributed networks

Network sandboxing (Damballa, FireEye, McAfee, et al.)
  What it does: Detects infiltrations from targeted attacks, after the attack is already in the network.
  Limitations in blocking or detecting zero-day exploits:
  - Does not stop or remediate threats to endpoints
  - Costly and noisy
  - Requires expert-level security personnel constantly monitoring all network events

Web content filtering (Websense, McAfee, BlueCoat, et al.)
  What it does: Blocks access to known malicious websites to protect against Web exploits and Trojan attacks.
  Limitations in blocking or detecting zero-day exploits:
  - Only blocks known malicious IP addresses
  - Needs to be implemented at every ingress/egress access point
  - Protection is diminished for mobile users and partners accessing the retail network
Endpoint Protection

Antivirus and other detection-based solutions (Symantec, McAfee, Kaspersky, Trend Micro, Sophos, et al.)
  What it does: Detects known threats on endpoints.
  Limitations in blocking or detecting zero-day exploits:
  - Cannot keep up with the rapid influx of new threats and variants
  - Can't block without a signature

Behavioral blocking systems (HIPS) (Palo Alto Networks Traps, Symantec, McAfee, etc.)
  What it does: Intercepts many zero-day attacks in real time by detecting behaviors common to malware.
  Limitations in blocking or detecting zero-day exploits:
  - Has a chance to catch a zero-day attack, but can still miss many advanced threats
  - High operations overhead to configure and maintain

Hardware-enhanced detection (McAfee Deep Defender)
  What it does: Loads as a boot driver and looks for rootkit behaviors.
  Limitations in blocking or detecting zero-day exploits:
  - Only detects/blocks some kernel-mode rootkits
  - Does not block user-mode rootkits

Application whitelisting (Bit9, McAfee Application Control)
  What it does: Controls which applications are allowed to install and run by permitting only programs on an approved list (the whitelist) to execute. Can be an effective way to block malicious programs on locked-down terminals.
  Limitations in blocking or detecting zero-day exploits:
  - Blocks users from downloading and using new tools and programs without IT involvement
  - Successful on servers, which don't change often, but largely unusable on end-user systems

Software sandboxing (Invincea (Dell Protected Workspace), Sandboxie, Trustware)
  What it does: Creates a sandbox environment within the Windows OS in which untrusted applications execute. Restricts the memory and file-system resources available to the untrusted application by intercepting system calls that could lead to access to sensitive areas of the system being protected.
  Limitations in blocking or detecting zero-day exploits:
  - The sandbox depends on the kernel beneath it: advanced malware that exploits a kernel-mode vulnerability bypasses the sandbox's interception entirely
  - Once it has escaped, user-mode malware can elevate its privileges, disable or bypass other forms of endpoint protection, and compromise the endpoint, including stealing data

Hardware-enabled isolation via micro-VM (Bromium)
  What it does: Isolates every user task in a hardware-based micro-VM.
  Limitations in blocking or detecting zero-day exploits:
  - No known limitations in defeating zero-day kernel exploits; isolation is enforced by the hypervisor and CPU virtualization features rather than by the Windows kernel being attacked
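The "Software sandboxing" row above describes a sandbox that restricts an untrusted process by intercepting its system calls. The following is an added example, not code from Bromium or from any of the products named in the table: it uses Linux seccomp-bpf as a stand-in for the Windows syscall-interception products, because that mechanism is available on any Linux box and shows the same shape. The filter denies every open()/openat() the sandboxed process attempts and lets other syscalls through. The file path and the choice of which syscalls to deny are assumptions made for the demonstration. Note where the filter is enforced: inside the kernel. A kernel-mode vulnerability sits beneath it and is not contained by it, which is exactly the limitation the table records for this class of product.

```c
/* Added example (not Bromium's code): a minimal syscall-interception sandbox
 * built on Linux seccomp-bpf, standing in for the Windows products above.
 * Build and run on Linux:  cc -Wall -o sandbox sandbox.c && ./sandbox        */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 kernel headers */
#endif

/* The filter must check the ABI before looking at syscall numbers: numbers
 * differ per architecture, and an x86_64 process can otherwise issue x32-ABI
 * calls whose numbers would slip past a filter written for the native ABI.  */
#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this target"
#endif

/* Return code that makes the denied syscall fail with EPERM instead of killing */
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install a filter that fails open()/openat() with EPERM and allows everything
 * else. Returns 0 on success, -1 with errno set otherwise. The filter cannot be
 * removed by the process afterwards and is inherited by any child it spawns. */
int install_sandbox(void)
{
    struct sock_filter filter[] = {
        /* A = seccomp_data.arch; kill the process if it is not our ABI        */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* A = seccomp_data.nr; deny the file-open syscalls                     */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
#ifdef __NR_open   /* legacy open(2); absent on aarch64, still used by old libcs */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
#endif
        /* everything else passes through to the kernel unchanged              */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Required for an unprivileged process to install a filter; it also stops
     * the filter being used to make a setuid binary misbehave after exec.     */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Try to read a file the way compromised content-handling code would.
 * Returns 0 on success, or the errno the kernel handed back.                 */
int try_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    const char *path = "/dev/null";   /* assumed to exist; any readable file works */
    printf("before sandbox: open(%s) -> errno %d\n", path, try_open(path));
    if (install_sandbox() != 0) {
        perror("install_sandbox");
        return 1;
    }
    printf("inside sandbox: open(%s) -> errno %d (EPERM is %d)\n",
           path, try_open(path), EPERM);
    return 0;
}
```

The first open succeeds; after install_sandbox() the same call fails with EPERM, because the kernel consults the filter on every syscall entry. The same property is the weakness: the filter is data that the kernel evaluates, so code that gains kernel-mode execution through a kernel vulnerability is never subject to it, and a real sandbox (Windows or Linux) also has to reduce the process's reachable kernel attack surface, not only its file and memory access.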
Bromium vSentry focuses on protection, and is able to defeat both known and unknown attacks using micro-virtualization combined with hardware-enforced, task-level isolation. As a result, untrusted content associated with each user task (whether it is infected with malware or not) is contained in its own secure micro-VM. If a micro-VM is penetrated by any advanced attack, it remains completely isolated: the threat is unable to attack the desktop, persist any malware, steal any data or penetrate the enterprise network. When malware strikes, the entire attack is automatically recorded and delivered to Bromium's LAVA (Live Attack Visualization and Analysis) console. LAVA provides a depth and breadth of information that arms security operations centers with critical threat intelligence and a stronger defense-in-depth strategy.

For more information
To learn more about Bromium's game-changing security architecture, please visit www.bromium.com.

ABOUT BROMIUM
Bromium has transformed endpoint security with its revolutionary isolation technology to defeat cyber attacks. Unlike antivirus or other detection-based defenses, which can't stop modern attacks, Bromium uses micro-virtualization to keep users secure while delivering significant cost savings by reducing and even eliminating false alerts, urgent patching and remediation, transforming the traditional security life cycle.

Bromium, Inc., 20813 Stevens Creek Blvd, Cupertino, CA 95014 | info@bromium.com | +1.408.213.5668
Bromium UK Ltd., Lockton House, 2nd Floor, Clarendon Road, Cambridge CB2 8FH | +44.1223.314914
For more information go to www.bromium.com or contact sales@bromium.com
Copyright 2015 Bromium, Inc. All rights reserved. WP.Kernel-Exploit-Trends.US-EN.1510