Author: Anup Ghosh


Moving “Left of Boom” – Combining User Protection and Threat Analytics

Detection | Prevention | Intelligence

For people paying attention to how the security market is evolving, we are witnessing some fairly dramatic shifts in technology and market. For far too long, enterprise network security meant three primary activities: patch management to close known vulnerabilities, firewalls/web proxies/VPNs to keep the bad guys out and the enterprise users in line, and updating signatures on end points to determine if users’ machines were infected with a known threat. What’s satisfying about these approaches is they can be incorporated into a process and compliance regime, put on daily and monthly checklists, and put on employees’ individual management-based objectives (MBOs). What’s fundamentally unsatisfying about these approaches is they don’t stop most of the attacks you see against enterprises today.

While patching the OS has become automated and highly efficient, patching enterprise apps such as Java, browsers and Adobe has become extremely challenging for backwards-compatibility reasons. Most enterprises simply can’t or won’t upgrade their browsers, Java, and Adobe software because older enterprise apps and workflows break with patched and upgraded versions of this software. Unfortunately, these are the very same vulnerabilities exploited in the vast majority of all attacks.

Protecting the network by using a perimeter security model is rapidly becoming obsolete with a mobile workforce, distributed offices, and BYOD. In other words, as the perimeter has collapsed onto the user, enforcing security at corporate network perimeters has become increasingly challenging. Finally, signature-based approaches to detecting threats leave security teams days and sometimes months behind the adversary’s moves.

The folks that recognize the failings of the historic approaches to enterprise security mentioned above are beginning to adopt a threat-based model for defending their network and users. A threat-based approach recognizes that not all vulnerabilities can be closed, nor are all of them material. Threat-based security focuses on the intersection between the threats your organization faces and its vulnerabilities exposed to that threat.

User Protection

The most significant security gap in terms of intersecting threat and vulnerability today is the user. The user is that fickle wetware on the business end of the keyboard that is prone to clicking on links and opening attachments sent from entities they don’t know. In security, we often focus our efforts on securing things like “the network” while ignoring our largest attack surface – the user – at our own peril. As a result, a single misguided click can compromise not only the user’s machine, but also the entire network. Ask an enterprise security professional what the biggest risk is to the enterprise, and he or she will often say: “Stupid Users!”

In reality, all of us are susceptible to a good spear-phish – one that is compelling to our job, interests, and desires. Falling for a spear-phish doesn’t make us stupid, just simply human. The conclusion we draw from this is that we need User Protection solutions that will protect the user from his or her own actions.

Ask the same security professional what they do about the “Stupid User” problem, and they say “Education through posters and training…” while sighing at the ineffectiveness of these approaches. Bringing awareness of the threats users face makes good sense. Depending on users to make the right decision every time they open an email is folly. We know that strategy doesn’t work.

Integrating Threat Based Security with User Protection

We know that vulnerability-based defenses by themselves are ineffective, and that a threat-based model for defense leads to efficient and intelligent allocation of limited resources. We know that users are the largest and most attacked surface in the enterprise today, and that training, while important, doesn’t go far enough. To address these shortcomings, Invincea announced today that it is combining its User Protection solution, Invincea FreeSpace™, with Threat Analytics from Invincea Management Service (IMS) to give the security team the tools it needs to understand the adversary’s moves while protecting users from their own actions.

Invincea FreeSpace™ is designed to ensure that when your users click on the wrong link, browse to a compromised site, or open a poisoned document they are protected from these threats. Invincea FreeSpace™ allows users to interact with untrusted content from the web or email by implementing an invisible container around your web browser and document editors, so that if a user does mistakenly click on a malicious link or open a poisoned document, he or she is protected from its harmful effects. Further, Invincea FreeSpace™ collects the forensics from each virtual infection and sends them to IMS for further analysis. The threat forensics, including the captured malware, its artifacts and network behavior, are then compared to threat intelligence databases to understand what is known about the threat – all in moments, not days, weeks or months. With this ever-growing partnership in the threat intelligence community, we are now able to convert our biggest liability (as far as enterprise security goes) – our users – into assets that reveal the adversary and his methods in real time.

Left of Boom

The enterprise security teams that have freed themselves from the antiquated security regimes mentioned earlier are creating processes that adapt to the threat and adopting proactive defense technologies – ones that do not require foreknowledge of the threat.

The stated goal for many enterprise security teams today is to reduce the time of unchecked network compromise from weeks and months to days and minutes. Many are now incorporating Mean Time To Intrusion Detection (MTT-ID) and Mean Time To Incident Resolution (MTT-IR) as metrics and goals for the security team. The general trend here is what the military (and intelligence community) calls going left of boom, in terms of timeline. In military parlance, boom is when the bomb (typically an IED) detonates. Combat medicine is focused on keeping soldiers alive right of boom. Military intelligence — no jokes please — focuses on getting left of boom. Much like an ounce of prevention is worth a pound of cure, getting left of boom means preventing irreparable damage and not making headlines for the wrong reasons.

As an industry, we need to shift our focus from right of boom and triaging damaged systems to left of boom with a threat-driven approach to countering the enemy’s moves before they cause damage. Turning our biggest weakness – users – into an asset to glean intelligence about the adversary in real time puts us on the path to left of boom.

Try Invincea today to relinquish antiquated technologies and obsolete processes and push the adversary back on his heels.

Detection is the New Prevention

Prequel to “Detection is the New Prevention…”

The blog below was originally penned in March of 2012…nearly 2 years later and the security industry is not only still consumed with the wrong way of thinking, it is doubling down on the failed idea of “Detection is the New Prevention” – the thoughts here are being shared again as they support the blog post we released just 10 days ago on the topic…

How many more breaches must we discover days, weeks, months or years too late? How many more millions of credit cards and identities stolen? How many more billions in lost intellectual property before we realize that rapidly discovering a breach isn’t security – it is crime scene investigation?


Rethinking Security: Moving from Post Facto Breach Analysis to Detection | Prevention | Pre-Breach Forensics

Thoughts from March 2012…

It’s more important than ever for a mentality shift in the security industry. We’ve allowed ourselves to fall victim to a lost decade in innovation and have become mired in what Invincea calls the security insanity cycle.  With each new disclosure of massive pwnage across corporate, government and even security industry networks, we collectively become more and more cynical about our potential for getting a leg up on our adversaries. With a shortage of innovative solutions to stop the breach, we’ve evolved – or devolved – our focus away from roles as sentries of the network and toward those of crime scene analysts. We’ve been taught by repeated assertion from those that benefit from remediation and network forensic professional services that the breach cannot be stopped… and that detection is the new prevention. We can’t blame our fellow security professionals for their cynicism. The truth is that the prevention security industry has utterly failed us; failed our governments, corporations, and citizens. Because reactive list-based approaches can no longer stop the threat, the logical conclusion drawn and promulgated is… at best you can only attempt to detect the intruder in your network. In other words, the white flag has been raised, the network has been ceded, and instead of keeping the intruder off your network – you must lower the drawbridge, close your eyes, count to ten, and then try and figure out where they are hiding.

The InfoSec “Humpty Dumpty” Syndrome

The dawn of the Advanced Persistent Threat (or at least the use of the moniker) has fueled our cynicism and brought about a defeatist mentality within our community – a sort of Humpty Dumpty syndrome, where we are the “King’s Men” and our networks the fabled egg. The calculus has gone something like this – if our users are the targets and we cannot train away natural human psychology; and our preventative technologies are dependent upon knowing the threat signature a priori to thwart attack; and our adversaries are using custom attacks, zero-days, and polymorphic techniques to make signatures obsolete, then prevention is not only a failed strategy, but must be abandoned. Instead, focus your efforts and investments on training, people, and technologies to discover the intruder after the breach happens. Some have even blogged that the average intruder isn’t so smart, that it takes them six days to begin to mine the network for data. So in other words, with a six-day window, you can hope to find them in your network before they cause damage. We should all be so fortunate to get the C team breaching our network! While their intentions are well-meaning and their cynicism well-founded, what the post-breach security industry isn’t telling you is that the dollars you spend on post-breach forensics (detection of the intruder on your network and remediation) are the most expensive dollars you can spend. Once you have discovered the threat is on your network, you are now in a very human-intensive operation to find and eradicate the threat, while ascertaining what intellectual property and corporate secrets may have already leaked. Once the secrets have leaked, or the email archive has been published, there is no bringing it back. Whether your window is six days or six minutes, the resulting cost to the business is staggering in terms of clean-up activities, and also in terms of damage to the business and long-term competitive threats.

The Rise of the Crime Scene Analyst

This mindset has given rise to a new set of technologies focused on deep-dive forensic analysis – i.e., full packet capture, deep packet inspection, log analysis, and indicators of compromise on endpoints. While these technologies are critical to the core of our defense-in-depth strategies, and help us meet requirements for continuous monitoring, the value they deliver is post-facto identification of a breach. To be clear, everyone should have a post-facto breach strategy. Planning for failure of your defenses is a necessary activity for risk mitigation – one you hopefully never have to use. However, ceding the network to the adversary by failing to invest in modern prevention techniques plays into the adversary’s hands. Finding the adversary is a cat-and-mouse game of finding the latest backdoor or unusual protocol they are using to leak your data.

If we are willing to accept the assertion that we will never be able to keep our adversaries out of our networks, then a wholesale shift to forensic analysis is warranted. However, if we accept this assertion, we have done something that runs counter to our core fabric as Americans – we’ve admitted defeat. If we accept this defeatist mentality, we’re conceding our networks to our adversaries and may as well pack up and ship all of our industries overseas. Conceding the network is tantamount to giving up our economic future as our future innovations and jobs depend on the ability to keep our adversaries from stealing our intellectual property.

We aren’t trying to vilify a focus on forensics. Forensic information is a critical piece of network security, as it provides the necessary answers to understanding the threats we face. This deep-dive information gives insight into “the who” — as much as it can be determined — what, when, where and how related to the motives and activities of our adversaries. However, an overemphasis on forensic investigation distracts us from our core mission – keeping the adversaries out of the network in the first place. Ask yourself — is our mission to be security guards who prevent the crime from occurring or eyewitnesses describing the actions of the perpetrators after the fact? Do you want to prevent the crime or report on what was taken and how?

Breaking Free from the Security Insanity Cycle

To break free from this security insanity cycle we must become serious about innovation in prevention. We know the adversary targets the user – the human layer of the network. Depending on users to make the correct decision every time on every email and URL is an untenable security protocol. Instead, we need to give users the tools they need to be online without the fear that they will infect the network by focusing on detection, prevention, and pre-breach forensics.

So what can we do to protect the network from the user and the user from himself? As a highly respected security and risk analyst recently put it, “let’s focus on containing the contaminant.” By segregating the untrusted content users come in contact with from the operating systems that run the untrusted content, we can protect the network while users interact with online content. The implementation is straightforward – any time a user interacts with content from the Internet, be it in a browser, an email attachment, or an application that renders content from the Internet, virtualize the application and the content the user interacts with in a non-persistent virtual environment. If the content is malicious it infects a disposable environment, not the desktop. If the user makes a poor decision, the consequences of that decision are instantly reversed with no damage to the system or loss of data. By moving away from signature-based detection to a focus on behavioral and heuristics-based detection, we can stop zero-days in their tracks. In fact, the distinction between zero-days and known attacks goes away, making the term zero-day quaint. By putting our adversaries in a virtual fishbowl every time a user clicks on a malicious link or attachment, we can capture forensic detail related to the intent of the adversary – making pre-breach analysis possible and lessening the need for expensive post-breach response.

The new prevention reality is more than imaginable – it’s here now. Today your adversaries are collecting intel on you while you try and find them. Tomorrow you could be collecting intel on your adversaries as they show their exploits in virtual fishbowls with each user interaction. Today, your users are your liabilities as they infect your network by doing what users do – clicking on links and opening attachments. Tomorrow, your users could be your security deputies – providing you with pre-breach forensic details on every exploit that you can use to block the adversary at the network perimeter. You now have the power to look your adversaries in the face and let them know you mean business about fighting back. You have the power to prevent the breach, not just report on the crime.

The question is – will you?


Detection is the New Prevention

“Detection is the New Prevention…”

How the Psychology of Security Teams and Incentives Rewards Network Compromise…

And What to Do About It!

In security circles today, it is very popular to say “Detection is the New Prevention”. What they really mean is “I’ve given up on prevention as an effective means of stopping attacks, and now will rely on my security team’s ninja skills to find the adversary on my network.”

You can hardly blame them. The anti-virus tech they are running on endpoints has been so ineffective for so long that they dismiss anti-virus as a preventative solution out of hand.

Firewalls and Web proxies, the other main staple of a basic security architecture, limit access but do little to stop targeted attacks. This is true for Web proxies that scrub web requests – they need a list that needs constant updating on what’s bad or good. With most Web-based attacks originating from compromised legitimate websites, this approach is losing its battle with cybercrime and more advanced actors. And sadly, this too is true for Next Generation Firewalls (NGFWs) whose primary attribute is the ability to programmatically control who gets access to which sites and apps.

Traditional network intrusion detection technology (IDS/IPS) is predicated on knowing the threat ahead of time (with a signature or pattern of some sort) in order to detect it. In other words, targeted and current attacks evade these defenses.

In the space of Advanced Threat Protection technologies, you have RSA Netwitness, BlueCoat/Solera/Norman, Damballa, and FireEye, among others, on the network perimeter looking for either bad content flowing through the perimeter or for network command and control to known bad servers. These technologies are great for telling you about the breach you have – not so much about preventing them from being successful in the first place. The polite terminology for accepting compromise is Patient Zero (or Patient Zero to Patient N).

On the endpoint, the class of “endpoint visibility” type technologies, including Crowdstrike, CarbonBlack, HB Gary, among others, provide indicators of whether your endpoints are compromised, but in retrospect only – once the indicators are known by someone somewhere. Don’t get me wrong – there is value in knowing your network is compromised, and more specifically, which endpoints are compromised. However, the point is these technologies are useful for post-compromise analysis. Useful information, but certainly not preventative if you are in the role of preventing compromise.

In other words, it is little surprise that the vendors above and the security professionals they influence would be proselytizing that “Detection is the New Prevention” because these techniques at best are designed to tell you about your compromised network, not actually prevent the breach.

Saying Detection is the New Prevention is simply a way of saying “Crap, we don’t know how to stop these threats, so the best we can do is tell you when we get compromised, then hope to get on top of it and hope the adversary is not very competent.”

So what’s wrong with this “Detection is the New Prevention” mentality? First, the reality is what 451 Research’s Wendy Nather said:

 “I think the idea of switching from a prevention strategy to a detection one is a false dichotomy,” and continued to say, “First of all, because prevention tends to be more automated and therefore cheaper than detection. Second, because detection is just as imperfect as prevention. People may complain that antivirus misses a lot of malware, but so do intrusion detection systems. Firewalls and SIEMs are only as good as the experts who configure them, no matter which ‘generation’ they purport to be.”

In other words, if you think your preventative anti-virus solution sucks, what gives you confidence that your new detection strategy is any better? And trust me – I’m not saying anti-virus is the solution. I’m only pointing out that your other detection approaches will not detect much better, and that human review and analysis is inefficient.

Apply the Target Breach to the “Detection is the New Prevention” Strategy…

Detection in most of these “New Prevention” approaches requires indicators of compromise (IOCs) to find threats. That means by the time you have the indicators (a pattern on a list) and find them on your network, well, you’ve been compromised. At best you’ll find the intrusion on your network after the compromise has occurred, but before a breach of sensitive data. At worst you’ll have a Target-magnitude incident. I’m willing to bet Target has Advanced Threat Protection technology in place from one of the ATP vendors listed above, and a competent security and incident response team. From that perspective, the security team at Target succeeded — they detected the threat (the “New Prevention,” recall). How happy do you think the Target CEO, CIO, and Board are at their success in the New Prevention?

Even with a security ninja team on the job 24×7, in the “New Prevention” strategy, you are in a foot race against the adversary who has the advantage of choosing the attack at the time of his choosing (surprise) and in the place of his choosing (lots of targets). If your security ninja team can win this foot race (at network speeds) between the adversary on the network (since the “New Prevention” strategy has already conceded the network to the adversary) and the data to be protected against breach – then more power to you. You guys rock.

However, how scalable is this strategy? How do you find an A team that is constantly on the go 24×7, weekends and holidays in all the nooks and crannies of enterprise networks?

Unfortunately, humans don’t scale with this problem space.

Oddly enough, there is still a driving need among security professionals to find the bad guys on the network. In other words, there are intrinsic and often extrinsic rewards to actually finding the adversary on the network. The psychology is similar to hunting game and coming home with a trophy. When that happens, the security team is rewarded with kudos and more tangible things, such as a larger budget to grow a larger team. They are hailed as heroes for finding the bad guys. Almost every major security incident results in larger security budgets and often promotions and board-level visibility for CISOs.

So, we really have two opposing objectives: (1) the need for security teams to find adversaries on the network to be rewarded professionally (big game hunting), which in turn means the need to concede the network to the adversary, and (2) the need to protect against breach of IP and sensitive data that comes with network compromise from a motivated adversary. Point 1 speaks to the popularity of “Detection is the New Prevention” for security teams. If we wholesale adopt this approach (the “New Prevention”), then we are assured we will have compromised networks and big game hunting for security teams. On the other hand, we are also assured of data breaches and loss of sensitive data.

This leads us to the inescapable conclusion: until we change the incentives/rewards, Detection WILL Be the New Prevention AND network and data breaches will be the norm.

My solution: adopt architectures that compartmentalize breaches into small zones on networks and on endpoints. Invincea is an example – the compromise is limited by a virtual container that segregates the application being compromised from sensitive data. Security teams get the best of both worlds. You get the data forensics from the compromise (though the virtual container and the malware it is containing are non-persistent) while stopping breach of data. Best of both worlds!

The DFIR (Data Forensics Incident Response) teams get to study the adversary in the virtual container (think of watching sharks in a shark tank) without risking key enterprise IP and assets. We should develop a system that rewards security teams every time they not only stop the adversary this way, but also prevent the breach of data. Finally, the fact they can now share this data with a larger community makes them good security community citizens.

So be a good corporate and community citizen: adopt innovative architectures that actually stop the breach. You still get the trophy plus you get to prevent data breach!

Credit Card Theft in Retail


What the Target Breach Reveals About the Security of Retail Transactions…

As we sit in the warm afterglow of holiday shopping and prepare for the post-Christmas shopping sale binge, many of us are beginning to question whether our online and in-store purchase transactions are safe from compromise – or at least we should.

The breach of 40 million customers’ credit and debit card data from Target’s systems between Nov 27 and Dec 15, 2013, initially disclosed by Brian Krebs, highlights the risk of retail transactions in an all-networked era. Two factors taken together make the Target breach an important wake-up call for the industry: (1) the credit card numbers were compromised from in-store transactions and (2) the sheer scale of the credit card heist. Despite the wake-up call, none of this should come as a major surprise, as the details and the scope of this breach are on par with other major breaches over the past 9-10 years – TJX, BJs, Hannaford Brothers, Heartland Payments, 7-Eleven, Card Systems, etc., etc.

In this blog, we take a look at how this is possible in a generic sense without casting aspersions on Target, then follow with a discussion on how to secure retail networks from the threats retailers face. We have no knowledge of Target’s architecture or systems; only knowledge of generic retail systems architecture, industry standard security, and recent exploits against retail systems. From this, we can point to how it might be possible, even likely, to compromise large numbers of customer credit and debit card numbers, even with PCI compliant encryption of card numbers.

In other words, we see an industry-wide issue that unless addressed will quickly undermine consumer confidence in the ability for retailers and card issuers to protect their cards from compromise and fraud.

There appears to be little unique to the Target breach, other than the fact Target was… targeted. In other words, one can expect similar types of breaches to occur at other retail stores, large and small. In fact, this has been ongoing, as we’ll discuss here. The scale of the Target breach and the brand name, however, have captured the media and public interest and warrant public dialog on getting the industry to adapt its security to match the threats it faces.

The Mirage of In-Person Transaction Security

Even the most security aware people have felt relatively secure in doing in-person transactions versus online transactions. With an online transaction, you have many points of vulnerability starting with your own machine. If your machine is already compromised, it’s easy work for a cyber miscreant to grab your online credentials or simply re-direct online transactions to their own accounts. The network service provider provides another opportunity for compromise. Doing an online transaction from a coffee shop with a rogue wireless access point provides another opportunity for an attacker. Finally, the online merchant server provides the richest vantage to grab transactions or bulk data from transactions in databases. In other words, these risks together with general distrust of the Internet have long been rationales for the security conscious consumer to avoid online transactions.

In contrast, the familiarity of conducting in-person credit card transactions for decades on decades in commerce has created a sense of security. It turns out to be a false sense of security today. What has changed is that the inter-networking of point of sale (PoS) systems now provides opportunities for organized cyber crime gangs to steal card data from brick-and-mortar retail stores for customer-present transactions. The figure below shows a typical architecture for a retail PoS system.


With the exception of card readers, the key point here is that the devices and networking protocols are all standard IP based, much like you would find in any enterprise. The PoS registers are often Windows XP or even older machines that run a PoS register program. In other words, these are standard older Windows machines that run a PoS program. They come pre-installed with browsers, email clients, etc. It is up to company policy and IT administration to restrict employees from using the browser for Internet browsing, though in some cases this may be encouraged for social marketing programs. The card readers themselves read the magnetic stripe off your credit/debit card and send the card track information to the PoS terminals to send upstream for authorization. Adrian Sanabria provides a good description of the card data readable by card reader devices here, including the difference between the two types of security codes for “present” and “not present” transactions.

Stealing customer credit card data from brick-and-mortar retail stores is as easy as compromising standard enterprise networks with older Windows operating systems — old hat to run-of-the-mill cyber crime gangs.

The PCI-mandated encryption of customer credit card data applies to persistent storage of credit card data after a transaction has been authorized. It also calls for the encryption of card data running over public networks. However, the opportunity still exists to grab card data anywhere from the card reader/PoS terminal to the PoS server — all of which reside on the retail enterprise network. Merely sitting on the local area network with a promiscuous network listener may be sufficient to grab payment data in transit. The breach of TJX networks in 2007 was made possible by sitting on the retailer’s wireless network, resulting in the loss of 45 million customer credit card numbers.

Compliance is a double-edged sword in that it often mandates a minimum standard of protection, but also provides disincentives to go above and beyond these standards. The opportunity created by this gap in PCI is to capture card data from the moment it is swiped at the card reader to the PoS terminal, to regional PoS branch servers, to corporate administration servers for PoS transactions. Obviously, the higher up the hierarchy in the network diagram above you go, the greater the opportunity for capturing more records at once. Compromising a single PoS terminal yields only the credit card numbers processed by that terminal. Capturing the branch PoS server captures all the transactions at that branch; capturing a regional or corporate PoS server captures a far greater number and provides significant scale for minimal additional work.

What is not shown in the network diagram above are the corporate enterprise machines that likely sit on these same networks. In other words, the finance, accounting, marketing, sales, logistics, and corporate personnel machines may share the same network as the PoS network shown above unless explicitly firewalled or air-gapped. Spear-phishing, Web-based drive-by download, watering hole and poisoned SEO attacks, which form the standard toolbox of cyber crime elements, can provide a point of presence on these enterprise networks, and in turn create a jumping-off point to PoS networks. As anyone who knows enterprise network security will tell you, once you are inside, you typically have the run of the network. Likewise, any of the retail systems that are directly connected to the Internet have ample opportunity to get infected directly by web browsing.
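The “unless explicitly firewalled” condition above is something a defender can verify rather than assume. The following is an added example (not from the original post) that checks flow records against a stated segmentation policy and reports every flow that reaches a PoS segment from outside it without an explicit allow rule. The address plan, the zone names, the transaction port 8443 and the flow-log format are all constructed assumptions; substitute your own plan and your firewall or NetFlow export.

```python
"""Check PoS network isolation against a flow log.

Added example, not from the original post.  ZONES, ALLOW, the port 8443
transaction channel and the flow-log format are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed address plan: zone name -> subnet.
ZONES = {
    "pos-terminals": ipaddress.ip_network("10.10.1.0/24"),
    "pos-servers": ipaddress.ip_network("10.10.2.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
}
POS_ZONES = {"pos-terminals", "pos-servers"}

# Explicit cross-zone allow rules: (src zone, dst zone, dport or None for any).
ALLOW = {
    ("pos-terminals", "pos-servers", 8443),  # assumed PoS transaction channel
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow_log(text: str) -> list[Flow]:
    """Parse 'src dst dport proto' lines; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def violates_policy(flow: Flow) -> bool:
    """True when a flow crosses into or out of a PoS zone without an allow rule."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d or not ({s, d} & POS_ZONES):
        return False  # intra-zone traffic, or traffic that never touches PoS
    return not any(
        (s, d) == (rs, rd) and rp in (None, flow.dport) for rs, rd, rp in ALLOW
    )


def find_violations(log_text: str) -> list[Flow]:
    return [f for f in parse_flow_log(log_text) if violates_policy(f)]


# Constructed flow records (not real traffic).
SAMPLE_FLOW_LOG = """\
# src          dst            dport  proto
10.10.1.15     10.10.2.5      8443   tcp   # terminal -> branch PoS server: allowed
10.10.1.15     10.10.1.16     445    tcp   # terminal -> terminal: intra-zone, not judged
10.20.3.40     10.10.2.5      445    tcp   # corporate workstation -> PoS server SMB: violation
10.10.2.5      203.0.113.9    80     tcp   # PoS server -> Internet: violation
10.20.3.40     10.20.3.41     3389   tcp   # corporate intra-zone: not judged
10.20.3.40     198.51.100.7   443    tcp   # corporate -> Internet: outside this check's scope
10.20.5.2      10.10.1.15     22     tcp   # corporate -> PoS terminal SSH: violation
"""

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOW_LOG):
        print(f"VIOLATION {zone_of(f.src)} -> {zone_of(f.dst)}: "
              f"{f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Intra-zone flows are deliberately left out of scope so the report stays focused on the boundary the post is concerned with; lateral movement inside the PoS segment is a separate check.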

Exploiting Retail Networks for Profit

We named this blog RetailWhyNot? partly as a play on those “Retail Me Not” ads, but also because the opportunity for cyber crime on retail networks is fairly significant and compelling. As Willie Sutton is reputed to have said when asked “why rob banks?”: “because that’s where the money is”. Given the gaping holes in PCI mandates, magnetic stripe card reader security, and standard enterprise networks, and the large volumes of credit card data flowing over these networks, it makes sense that cyber crime gangs would target retail chains, not just the one with a bull’s-eye as a logo.

The potential fallout from large-scale credit card theft can be devastating to the retail industry and, by extension, to the nation’s economy.

Recent history bears this out. Last year, two Romanian men pled guilty to stealing data on more than 146,000 customer accounts at over 150 Subway restaurant franchises, racking up over $10 million in losses for Subway. The men compromised the Subway PoS systems and installed malware sniffers to capture PoS transaction data.

More troubling is that cyber crime gangs have begun to build infrastructure to automate this at scale. As Ars Technica reported in early December 2013, a botnet of compromised PoS machines is actively capturing customer credit card data using a fairly sophisticated program called Stardust, a second generation of Dexter.

Researchers from IntelCrawler were able to identify the command and control servers the botnet communicates with, in order to identify infected PoS systems and indicators of compromise. What makes these programs sophisticated is that they can read the card Track 1 or Track 2 data out of the PoS software’s memory (encryption would not help here) or by sniffing the network. All that is required is a point of presence on the device. Arbor Networks also disclosed in early December a campaign against retail networks using Dexter and its recent variants Stardust, Millenium and Revelation. A good summary of this recent campaign is provided by Mimoso here. The most important takeaway from these recent campaigns is that cyber crime has commercialized sophisticated malware while providing back-end infrastructure for large-scale compromise, command and control of PoS systems. The key to these campaigns is to compromise the PoS device, which is usually accomplished by the standard techniques used against enterprise networks, including spear-phishing and web-based drive-by attacks.

Addressing the Threats to Retail Networks

In many ways, addressing the threat to retail networks from organized cyber crime is no different from securing Global 1000 corporate networks from targeted attacks. Here is what they have in common:

  • A motivated adversary
  • Data worth stealing
  • Standard IP based devices and networks
  • Older, unpatched systems

Standard enterprise security approaches dating back to the 1990s, including anti-virus, IDS/IPS, and software patching, have failed to protect enterprise networks from targeted attacks. List-based approaches from anti-virus, IDS/IPS, and firewalls have failed to keep pace with the adversary. Likewise, patching has proved infeasible for many systems for backward compatibility reasons. These realities are no different in the retail space. The opportunities to compromise retail networks are numerous:

  • Internet connected older PoS systems
  • Magnetic stripe card readers
  • Connected enterprise networks
  • PoS servers that aggregate PoS transactions
  • Back-end databases

Understanding what hasn’t worked is the first step to changing to an approach that will. Long term, the answer to these challenges isn’t more patches to a crumbling foundation of security. Rather, sound architecture is essential to security. Separation of concerns applies to architecture at all levels: network and devices. Retail PoS system networks should be separated from corporate network systems so compromise of one doesn’t provide an opportunity for compromise of the other.

In enterprise networks, the user is the weak link in security. Users fall prey to spear phishing and also get compromised simply by surfing the Net. At a device level, the programs used to browse the Net and open emails should be virtually separated from the underlying system using Windows container-based approaches. In other words, secure systems architecture involves separating untrusted content from mission-critical systems and data. Protecting the devices from compromise is the most robust defense against the types of threats retail networks are experiencing now. As long as these devices are connected to the Net, either directly or indirectly, they will be susceptible to compromise. Good security architecture combined with modern approaches for segregating untrusted content from systems is the most reliable way to protect systems from the threats retailers now face.

The implications of not securing these networks are fairly significant at a gross national level. Repeated public compromise of major retail chains is likely to undermine consumer confidence in the ability of retailers to protect them from financial crime. In turn this will discourage shopping, both online and in person in brick-and-mortar establishments. Even a small decline in confidence can have significant downstream effects on the economy. The national retail chains need to lead by example and modernize their security architectures to reflect the current targeted threats they face, in order to boost their customers’ confidence to shop safely again. The payment card issuers need to address the gaps in enterprise security in the PCI regulations while looking at adopting chip-and-PIN cards. Until then, the safest course of action for consumers is to pay by cash.



Invincea’s Expanding Global Community

A Note from Anup Ghosh – Founder and CEO of Invincea

Today, Invincea announced that we raised US $16M in equity financing from venture investors led by Aeris Capital and Dell Ventures with participation from existing investors Grotech Ventures, Harbert Ventures, and New Atlantic Ventures. In addition, we announced the acquisition of Sandboxie from an earlier transaction in 2013.

What this means for Invincea in a word is expansion.

The funding provides significant growth capital to expand our product offerings into mobile and other platforms beyond Windows. The addition of Aeris and Dell as new investors is strategic to Invincea’s expansion in global markets. Aeris Capital, based in Zurich, Switzerland, brings a strong heritage of enterprise focus in Global 1000 companies. Dell’s investment in Invincea shows its level of commitment to making Invincea successful as a key partner in bringing state-of-the-art security technology to its devices. Today Invincea software ships globally on all Dell end user client devices to commercial accounts. The OEM relationship with Dell has created the largest global footprint of any Advanced Threat Protection solution for the endpoint. This relationship will continue to expand with Dell’s investment and shows Dell’s commitment to innovation in technology and entrepreneurship.

Invincea and Sandboxie – Consolidating the Two Leading Brands in Windows Containment

In a market note from earlier in 2013 that preceded Dell’s announcement of the OEM agreement with Invincea, Gartner analyst Neil MacDonald predicted that 20% of enterprises around the globe will implement some form of Windows Containment mechanism by 2015, up from less than 1% in 2013. Today with Dell shipping over 20M devices per year with Invincea’s solution on board, it is easy to see how that prediction may be conservative.

The two pioneering brands in Windows Containment technology are Invincea and Sandboxie. Not coincidentally, they are also the leading brands by market share [footprint & sales] in Windows Containment globally. Invincea’s acquisition of Sandboxie consolidates these two market leading brands and provides a tremendous opportunity for advancement in endpoint security.

Sandboxie has been an early pioneer in Windows Containment, with a global deployment of hundreds of thousands of users and over 1,000 firms trusting it to secure their endpoints. Adding Sandboxie to Invincea’s portfolio was a strategic move to expand our business globally, to address the small and individual market, and to provide a pathway for Sandboxie fans to an enterprise-ready solution – Invincea FreeSpace™. Sandboxie fans have no need to be concerned by its new ownership. You’ve been running under the Invincea umbrella for some time now, and we have been working with Sandboxie founder Ronen Tzur to ensure a smooth transition to new ownership. We will grow Sandboxie’s user base and continue to support and enhance the Sandboxie solution.

The Sandboxie acquisition makes great sense for Invincea and for Sandboxie users. First, Sandboxie is a great product that individuals can download for free and get immediate protection on their own machines – it has been and will remain this way. Second, with Invincea FreeSpace™, the global Sandboxie “prosumer” community now has an easy upgrade pathway from a consumer-oriented, containment-only solution to an enterprise-grade advanced threat protection solution. In addition to containment, Invincea FreeSpace™ provides key capabilities that enterprises seek, including real-time detection & prevention, malware forensics & threat intelligence, and enterprise management. To further underscore the commitment Invincea is making to the underserved Small and Medium-sized Enterprise space, Invincea recently released Invincea FreeSpace™ for Small Business – this solution provides a natural and easy upgrade path for Sandboxie users in small and medium-sized enterprises, with cloud-hosted management. In other words, the combination of the Sandboxie user community and Invincea FreeSpace™ for the enterprise provides virtually every type of entity with access to Advanced Threat Protection technology for the endpoint. The combination creates a significant and rapidly growing market footprint.

To Invincea and Sandboxie users, you have my gratitude for your loyalty and support. We are growing this market rapidly. For those considering either solution, we stand ready to serve!




Securing Your Legacy Windows XP Footprint Post April 2014

April 2014 will mark the official end of the line for Windows XP (WinXP) support, though not for its life. Microsoft has declared it will no longer support Windows XP past April 8, 2014, a dozen years after it first released WinXP. WinXP is a great operating system, really the first from Microsoft that became stable for business use, which is why many organizations continue to stick with it even at 12 years old – beyond the lifetime of most operating systems. For obvious economic reasons, Microsoft wants everyone to move off of XP to a more current version of Windows, say Windows 8 (or 8.1 or whatever flavor is current). Today many enterprises are hard at work migrating from WinXP to Windows 7 (Win7) and in the process buying new hardware, which makes hardware vendors and users happy.

To security professionals, the end of support for WinXP from Microsoft means that any vulnerabilities discovered or disclosed after April 2014 will become effectively infinite 0-days, with no patch to be released. Since malware writers and cyber adversaries are well aware of this, you can be sure there will be a slew of new vulnerabilities being exploited against WinXP after April, with no patch available to stop them. As a glimpse into what the future holds for WinXP, on November 27th FireEye disclosed a 0day being exploited in the wild against a WinXP kernel vulnerability, using an Adobe Reader exploit as the vehicle of choice for getting remote access via spear-phishing. A 0day that Invincea has proven to protect against, by the way.

If simply upgrading to Win7 or Win8 were feasible for everyone before the looming April 2014 deadline, then the legacy WinXP footprint would not be an issue. For the enterprise space, particularly the large enterprise segment, upgrading to Win7 or Win8 is not feasible everywhere in the short term. Budget constraints for new hardware and software purchases make a phased approach to Win7/8 over several years the reality of the situation. This means a significant residual WinXP footprint will remain in many enterprises. Outside of budget issues, migrating to Windows 7/8 often requires extensive testing and upgrading of enterprise apps to work with Win7/8 to ensure business operations continue post migration. It is a massive undertaking for many large organizations and one that has been ongoing at significant cost. The residual WinXP footprint means that these machines will continue to accumulate vulnerabilities, some of which will be exploited, and for which Microsoft will provide no further patch support.

The legacy WinXP footprint will be the beachhead for gaining a perch on your enterprise network in 2014 and beyond. The only viable option to protect your network from being compromised via vulnerable WinXP machines is to do something different from what has been done on WinXP for the last 12 years. We know patching hasn’t been particularly effective and now will no longer be an option for WinXP. We know anti-virus does not stop current threats and targeted attacks. We know that as users are spear-phished and click on links, the websites hosting malware can deploy specific exploits for WinXP, or exploits that may be patched on Win7 but not on WinXP.

Covering an Infinite Zero-day Attack Surface

At Invincea, we prefer talking about solutions rather than just describing the problems you have. If you are one of these enterprises stuck between a rock and a hard place with a legacy WinXP footprint to manage, your choices are: (a) throw up your hands in exasperation about the hand you’ve been dealt, (b) pray against all odds your anti-virus solution running on the WinXP machines will suddenly start working, or (c) deploy a solution that protects against exploits of unpatched software.

Since we are talking solutions here, the new class of advanced threat protection solutions for end points that Gartner Research calls “Windows containment” mechanisms is a viable solution to the unpatched software problem that WinXP now presents. Invincea FreeSpace™ has been addressing this same problem in the enterprise space with Java. In many enterprises, similar to the looming WinXP issue, Java cannot be patched to current versions because of lack of backward compatibility with enterprise-class apps written on older versions such as Java5 and Java6. As a result, security teams have had to face the perilous challenge of continuing to fight against Java exploits because they are stuck on older versions of Java. Invincea FreeSpace™ has given these enterprises the ability to continue to run legacy Java for enterprise apps without exposing the machines to the vulnerabilities of legacy Java.

The Java use case maps directly to WinXP. In the case of WinXP vulnerabilities, the attack surface for adversaries will be the user applications that run on WinXP (including Java ones). The usual means for gaining access to the host will be employed, including spear-phishing, Web-based drive-by downloads, poisoned SEO, and watering hole attacks. Once the user is lured into clicking on a link or opening a poisoned attachment, the malware will run, then exploit unpatched vulnerabilities in WinXP to elevate privileges to superuser. Following privilege escalation, the adversary will scan other targets on the local network and use exposed network ports to get onto other machines, including Win7 machines.

As our most recent e-KIA blog shows, Invincea protects against the vulnerable WinXP attack surface by running vulnerable applications including the browser, plug-ins & browser extensions, Adobe, and Office suite in virtual containers. Invincea FreeSpace™ provides a unique solution to the legacy WinXP problem, by shielding the vulnerable attack surface from adversarial code.

If you are like many enterprise organizations, you have limited time to address this problem. Invincea FreeSpace™ runs on WinXP machines that have as little as 512MB of memory. Try Invincea FreeSpace™ out today.


Changing the Game in EndPoint Security

Editor’s note: this blog is part of a new series of thought leadership pieces by Invincea Founder and CEO, Anup Ghosh

Disruption: Death and Rebirth of End Point Security

Disruption in technology segments is inevitable in some respects, but hard to predict. Mostly we can see disruption in a sector once it has already come to pass. One can point to key technology disruption moments: when the world discovered the World Wide Web, when Bill Gates sent out one of his famous memoranda about embracing the Internet, when Apple released the iPod, then the iPhone. And of course, who foresaw the death of print media to be replaced by 140-character “tweets”? Most of us recognize disruption only after it has happened, not before, nor even during.

One space that has been ripe for disruption is endpoint security. Nearly every security professional today scoffs at the standard anti-virus clients that run on every machine in the enterprise. In fact, the failure of endpoint security over the last ten years gave rise to a new order of network security products including Netwitness, FireEye, and Palo Alto Networks, among others. The premise behind most of these network security products is that because endpoint security is fundamentally broken, you should assume your network will get compromised, and therefore look for the adversary already on your network! The same can be said for incident response companies like Mandiant and a new generation of “active forensics” products whose job it is to produce as much data as possible about what’s running on the network and turn security into a big data problem in the cloud. In other words, the security technology industry signaled the death of endpoint security in preventing compromise.

In death, there is re-birth, or what the market calls the opportunity for disruption. Invincea foresaw the opportunity for disruption on the endpoint in 2009 when we took a DARPA-funded prototype for virtualizing the browser and prepared to bring it to market. What we learned from those “early” days of developing a new product for the endpoint was that disruption is hard.

First, educating the market about the need for a new approach to endpoint security was hard work – though it no longer is. Second, no one had the courage to throw out the safety blanket of their existing endpoint security suite, even though they knew it wasn’t solving their problem. Finally, we learned performance on the endpoint is everything — if it isn’t lightweight and seamless, then don’t bother. Users won’t adopt a solution that disrupts their workflow or creates even slight performance degradation, even for the trade-off of better security. Creating the most secure product in the world means nothing if it never gets deployed.

The market rewards those that listen to the market and adapt accordingly. We adapted and went to market with a lightweight product (~50MB in memory total, 100MB on disk) that will run on legacy 32-bit Windows XP Pentium machines with 512MB of memory (yes, they still exist!) as easily as on current 64-bit Windows 7 machines with 6GB of memory. We did this without sacrificing our core security strengths – protecting the enterprise from targeted, unknown, and opportunistic attacks against users without requiring signature updates. We addressed a core need in market to be able to run unpatched software (IE7, Java6, Adobe8 – yes, these still exist!) for enterprise applications, while closing the attack surface they present without requiring prior knowledge of the threat (i.e., signatures). In other words, we solved real enterprise problems in security.

Market Success

The market rewards innovation for those who figure out how to solve real problems. In June 2013, Dell announced a strategic OEM agreement with Invincea that ships Invincea technology (re-branded as Dell Data Protection | Protected Workspace) on every commercial device it ships. Dell no longer ships a standard anti-virus solution on these machines. With Invincea technology packaged together with TPM-based authentication and strong file encryption, the Dell machines can rightfully boast their “Most Secure” line moniker in market. The agreement ships Invincea pre-loaded on over 60 million machines over the next three years. Nearly 10,000 firms now run Invincea in production and this number is growing rapidly. This is truly market disruption in the endpoint space. Invincea now has the largest footprint in market in the Advanced Threat Protection endpoint space.

Today, we are pleased to report impressive results from our third quarter, including 200% quarter-over-quarter and year-over-year growth. Leading brands from the Energy, High Tech, Financial Services, Healthcare, Retail, Defense Industrial, Federal, and State sectors are now putting Invincea in production to protect their networks from targeted attacks. These enterprises took the step of protecting themselves from targeted attacks with Invincea and no longer depend on users to make the right decision every time they click on a link. In the process, we stopped 0day exploits in the wild, watering hole attacks, shockingly massive dragnet drive-bys, and multi-stage chained exploits designed to gain a beachhead on the network and escalate privilege.


For so long, security has been imposing limits on users for the “good” of enterprise security. We think security got it wrong – rather than being friction on the flywheel of business production, security needs to be grease – in other words, good security is a technology enabler for businesses where online is the way business is done.

Invincea’s vision is to create “Security without limits”. What this means is to provide a safe environment to free users to do their jobs online while protecting them from the threats they will face while online. In every other industry, when we put our employees in harm’s way, we provide them proper equipment to mitigate risk (think hazmat suits, helmets, or Kevlar jackets), while just as importantly enabling them to do their job effectively. We believe the security industry needs to adopt the same approach. This is exactly what Invincea does: we provide a safe place from which users can interact with online content, whether it is browsing the Web or clicking on links and attachments in email.

Invincea defeats unknown and targeted malware, freeing users to be productive online, while exposing the adversaries businesses face. In other words, Invincea represents Freedom and Security for users.

Invincea FreeSpace™

With this backdrop, we are pleased to announce the re-branding of Invincea’s flagship product to Invincea FreeSpace™. We think FreeSpace™ as a brand better represents the value Invincea brings to the user. FreeSpace™ allows users to go online without fear of being compromised. With Invincea FreeSpace™, users can now click on links in email knowing they will be secure. Users will open PDF and MS Office attachments knowing that even if they are malicious, the threat is contained.

For security teams, FreeSpace™ aligns your function with business needs. FreeSpace™ not only frees your users to go online, but also provides intelligence on adversaries when they are targeting your users. Even better, you no longer have to count on users to make the right decision every time they get an email, whether to click on that link or open that attachment. They do anyway. Now when they do, you will have the assurance that the network won’t get compromised. Further, if the link or attachment is poisoned/weaponized, you will receive detailed forensics of the virtual infection. These forensics, in combination with Invincea Management Server’s in-product integrations with Threat Intel services, reveal the methods, motives, and sometimes identity of your adversaries. In other words, instead of speculating about the generic threat landscape from the news, you will actually learn about the threats your organization faces.


Be a Change Agent

Every revolution needs change agents. This one on the endpoint is no different. Disruption on the endpoint is already here. The firms we named in our press release are part of the vanguard of change agents across multiple industry segments bringing fundamental change to endpoint security. The nearly 10,000 firms now running Invincea are freeing their users to go online without limits, securing them against the threats they face while online, while exposing their adversaries.

Join the vanguard of change agents in this journey to re-make security for end points.





Drawing Lessons from the Adobe Breach

Following Brian Krebs’ blog published October 3rd on the Adobe source code and customer data breach, a number of news outlets have picked up on the story and are trying to grapple with the consequences of the breach.

What is known about the breach is what Adobe has disclosed - source code for Adobe Acrobat, ColdFusion, and other Adobe products were illegally accessed (and stolen) by an unknown outside party. In addition, Adobe acknowledges that nearly 3 million customer records including credit card data were also stolen during the data breach. However, Adobe believes there is little risk to customers with regard to the credit card data since they believe it was stored encrypted per PCI regulations. In addition to the credit card information, Adobe customer user names and passwords for Adobe accounts were also stolen. As a result, they are resetting customer account passwords and recommending that customers change their passwords if they re-use them elsewhere.

Several news organizations have reached out for commentary on the impact of these breaches and what can be done to address these attacks. Instead of providing “sound bites” to these organizations, I thought I’d provide my thoughts here on what lessons we can draw from the Adobe breach.

Media Interest

My first reaction to the media interest around this was, “Why?” This breach is another day in the life of the enterprise, corporate and Government alike. Just this week, we wrote about why the Operation DeputyDog campaign (named by FireEye) against Japanese and Taiwanese firms is able to evade detection (in two blogs - here and here). There is little doubt that the companies that were breached in DeputyDog (and its successor campaigns) suffered losses through network compromise, though they didn’t warrant much media attention. The short answer to the question appears to be that while losing intellectual property can create long-term damage to the enterprise and the region’s economy, losing customer data is the “third rail” of corporate data breaches. In this case, losing approximately 3 million customer records reaches the bar of intense media interest. Adobe has stated unequivocally that these credit card numbers were encrypted per PCI and that little risk is present to customers’ credit.

The second main interest of the story arc is the theft of Adobe source code. Based on evidence written about by Brian Krebs and acknowledged by Adobe, the source code for several Adobe products including Reader and ColdFusion was stolen. Most companies consider the source code of their software key intellectual property – the loss of which (into a capable competitor’s hands) can undermine years of invested research and development while jump-starting a competitor in market. However, the subtext in security circles is a different concern. Given the source code for Adobe products, a capable adversary can do source code analysis to find as yet undiscovered, undisclosed, and unpatched vulnerabilities, i.e., the dreaded zero-day.

However, under Brad Arkin’s leadership, Adobe has been a leader in adopting secure software development lifecycle processes. In other words, analyzing software for vulnerabilities has been a core competency of Adobe for some years now. Mr Arkin used to run the Adobe Secure Software Engineering Team (ASSET), whose mission it was to implement secure software design processes. My guess is that if the source code fell into the hands of someone outside of Adobe, they would have as difficult a time as, if not a more difficult time than, Adobe’s best at finding vulnerabilities in the software.

To a certain extent, Adobe may welcome the unpaid outside scrutiny of the code. If exploitable bugs are found, no doubt they will be weaponized and Adobe will learn of them. However, exploitable bugs are nothing new to Adobe or Adobe customers. From a reputational point of view there probably is not much more to lose here. This whole concept of outsiders or crowds analyzing software for vulnerabilities is now becoming a business practice commercialized by companies like Bugcrowd and Synack. In other words, it is not all downside here, particularly if it results in more secure software. Of course that isn’t great news for Adobe customers. Roughly 99% of enterprises run one Adobe product or another on their network. If more exploits are developed for Adobe software, they are likely to experience the pain firsthand.

Customer Quandary

So what are Adobe customers to do? Wait and see if more exploits are developed? Then wait for patches to be released? Does this sound familiar? It’s the old penetrate-and-patch cycle we have been living for the better part of 20 years. We know this doesn’t work well. Operation DeputyDog highlights the vulnerability exposure from zero-days in Internet Explorer. Enterprises are still waiting for a patch from Microsoft for IE, while DeputyDog and its successor campaigns are exploiting the vulnerability. The right approach to this problem is not to expect software perfection from your software vendor in the first place. With virtual container/segregation technology you can continue to run Adobe Reader and Internet Explorer, even with known and unknown (zero-day) vulnerabilities, while not inheriting that attack surface. The video we show on our DeputyDog blog demonstrates not only how these attacks work, but also how even unpatched vulnerable software run in a virtual container can protect the desktop and network from exploitation.

On Useful Disclosure

If there is one thing I’d like to see come from the Adobe reporting, it is *how* they were breached. While many companies will often acknowledge they are breached (particularly when discovered by a third party), most will not go into the details of how the breach actually happened. Disclosure of breach is one thing; disseminating the methods of the breach is far more helpful to the community of security practitioners and other companies that face similar threats.

We all can learn from corporate breaches how to protect ourselves.

The Krebs article mentions it is *possible* that Adobe may have been breached by browsing to a vulnerable version of their own ColdFusion web app. Note that it appears likely at least two different networks were breached: one with customer account data, and another with access to the source code repository. While we do not know how Adobe is internally architected, it would be surprising if these two networks were not segregated. Chances are both networks were breached.

As the breach of the Tax Revenue Division of the Commonwealth of South Carolina showed, many of these breaches start with a simple spear-phish. In the case of South Carolina, the state actually released the Mandiant after-action report, which showed that a user who sat on a customer data network clicked on a spear-phish. That initial compromise was used to gain access to a database of approximately 3.6 million South Carolina citizens’ Social Security numbers and some number of credit card records as well. The Mandiant report provided a detailed breakdown of how the adversary gained access via a spear-phish as an entry point, ultimately to the point where the data was breached and exfiltrated. The disclosure by South Carolina and the work by Mandiant set a great example for useful disclosure from which everyone could benefit.

Spear-phishing and NCSAM

Is it possible that Adobe employees got compromised by a spear-phish, an infected ColdFusion server, a weaponized PDF resume, or a variation of the Operation DeputyDog watering hole that exploited the browser? Absolutely. Adobe said they were breached by “sophisticated attacks”. We don’t have enough information to know what the attack vector was, but we can’t dismiss spear-phishing as unsophisticated. The most sophisticated threat actors today use spear-phishing in 95% of the attacks against enterprises simply because it works.

Can these attacks be deterred, deflected, and turned into adversarial intelligence?

Yes. The technology is available, and currently shipping on all Dell commercial machines.

Finally, this is October, which is National Cyber Security Awareness Month. Looks like this breach of Adobe will help with the awareness program of NCSAM. If you search on the hashtag #NCSAM, you’ll find a lot of good advice on how to avoid falling for a spear-phish. While I haven’t walked the halls of Adobe, I’m willing to bet they have posters up educating their employees about the dangers of spear-phishing. While awareness of the threat is good, it doesn’t deter adversaries, nor stop the exploits from happening, simply because given a link or attachment, there is a user that will click it or open it.

For thoughts on why we need to re-think NCSAM, please see my blog here.


Operation DeputyDog Revisited – a.k.a CVE-2013-3893 Just Keeps on Giving

In our last blog on FireEye’s Operation DeputyDog, we discussed how the techniques employed by Operation DeputyDog evade network defenses, even, ironically, FireEye’s. In short, attackers exploit vulnerabilities in the browser and use this Stage 1 exploit to download a Stage 2 payload with an innocuous file type (e.g., .jpg) that is in fact a disguised (encoded) executable. On the victim machine, the Stage 1 exploit decodes the Stage 2 payload with a key and writes an executable file locally, which it then runs.

Network evasion is accomplished in Stage 1 and Stage 2 because the initial exploit is viewed simply as a string of bits the user requests from a legitimate Web site. In this case the Stage 1 exploit was a zero-day but there is no requirement for a zero-day, only uniqueness. The Stage 2 payload appears as a .jpg file to any network device (again a string of bits). Attempting to render the .jpg file (even though it isn’t an actual image file) will not trigger any detections because it isn’t executable in its downloaded form.
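As an added example (not code from the original post or from Invincea), here is the kind of content check a proxy or sandbox can run on a downloaded “image” to catch the Stage 2 trick described above: a file that carries an image extension but is really an encoded executable. It assumes the payload is obfuscated with a single-byte XOR key, which is an assumption about the encoding, and the sample payload is constructed for the demonstration.

```python
"""Flag downloads that claim to be JPEGs but hide a Windows executable.

Added example, not part of the original post. Assumes the Stage 2
payload is obfuscated with a single-byte XOR key; other encodings would
need their own decoder, so a miss here is not proof that a file is clean.
"""
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"
# Markers present in practically every PE file: the DOS header magic
# and the DOS stub message that follows it.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def has_declared_magic(data: bytes) -> bool:
    """True if the file really starts like a JPEG."""
    return data.startswith(JPEG_MAGIC)


def find_xor_key(data: bytes) -> Optional[int]:
    """Return the single-byte XOR key under which the data becomes a PE
    file, or None. Key 0 means the executable is not encoded at all."""
    for key in range(256):
        decoded = data.translate(bytes(i ^ key for i in range(256)))
        if decoded.startswith(PE_MAGIC) and DOS_STUB in decoded:
            return key
    return None


def classify(name: str, data: bytes) -> str:
    """Label a downloaded object by its content, not its extension."""
    claims_image = name.lower().endswith((".jpg", ".jpeg"))
    if claims_image and has_declared_magic(data):
        return "image"
    key = find_xor_key(data)
    if key is not None:
        return f"encoded-executable(key=0x{key:02x})"
    return "extension-mismatch" if claims_image else "unknown"


# Constructed sample: a PE-like header, XOR-encoded with key 0x5a, served
# as 'logo.jpg' the way the Stage 2 payload described above was.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$"
SAMPLE_KEY = 0x5A
SAMPLE_JPG_PAYLOAD = bytes(b ^ SAMPLE_KEY for b in _FAKE_PE)

if __name__ == "__main__":
    print(classify("logo.jpg", SAMPLE_JPG_PAYLOAD))
    print(classify("real.jpg", JPEG_MAGIC + b"\x00" * 32))
```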

To prove the point that Operation DeputyDog was but one instantiation out of an effectively infinite attack space of CVE-2013-3893 exploits, we created our own attack by pairing a reverse VNC metasploit Stage 2 payload with CVE-2013-3893 as the Stage 1 exploit specifically to show how an attacker can seize control of the victim’s machine.

See the video below.

Not surprisingly, FireEye has discovered other attacks in the wild franchising this vulnerability in different forms with different payloads, such as PoisonIvy (a familiar old RAT). FireEye published its “Hand me downs” blog detailing the subsequent campaigns it is discovering that use CVE-2013-3893.

The tie that binds these different campaigns is the root vulnerability – CVE-2013-3893. Microsoft still hasn’t patched the vulnerability, and even when it does release a patch on the next Patch Tuesday, there will still be a considerable window for attackers of all forms to run campaigns against enterprises and users.

When you can’t address the root vulnerability and instead can only see network traffic, the best you can do is post facto analysis of the exploit and continued publication of new indicators to be on the lookout for. That’s exactly what FireEye has done with “Hand me downs”. There is now a new set of indicators for the latest campaigns exploiting this vulnerability. This means you have new signatures to load into your IDS/IPS/HIPS/AV systems, and new indicators (command and control domains and IPs) to search for in your log analysis system, to determine whether you’ve been compromised.

Does anyone believe this is the last campaign we’ll see using this exploit?

Does anyone believe that this approach to continuing to chase the adversary several steps behind is a feasible approach to addressing the threat?

We at Invincea certainly don’t and hope you don’t subscribe to the defeatist messaging coming out of the security industry today that you should simply succumb to being breached and then do your best to try to find the adversary on your breached network. We didn’t believe in conceding Pearl Harbor to the Axis powers in WWII. We don’t think it’s time to concede the network to the Chinese or anyone else for that matter.

The message here is not that these indicators are useless. In fact they are quite useful – just not for protecting you from getting compromised.

What indicators are useful for is to follow tracks left behind by a particular adversary and campaign that lead us back to the perpetrator. It is important to collect and share these indicators so that you can tie an attack or attempted attack back to a known campaign and/or adversary.

Just don’t believe that collecting evidence serves as a defense against breach of your network and data. We need to position defenses that both prevent the breach while collecting the evidence that points back to the adversary for prosecution.

We think we offer a leg up in that regard – a silver bullet promise? No, but we do think we can help turn the tide.

Request a free demo from Invincea and see how we make prevention possible once again.


Cyber-Security Awareness Month – a.k.a. Time to Re-think This Thing

October is National Cyber Security Awareness month. I’ve often wondered how these designations come about. Why October for instance? I’m sure there must be a national forest fire awareness week or month as well, but should people be any less vigilant about starting forest fires outside of that week or month? As far as I know October isn’t prime-time for cyber exploits. Some will say, “The point isn’t that there is one month or that it is October. It’s the ability to do programming around cyber security awareness that’s important — even if it is confined to October.”


We can all toot our horns this month that there are cyber security threats all around that we need to be aware of. Truth is, I see this sort of horn tooting year round. In fact, the number of news stories around cyber security exploits grows every month, every year it seems. In other words, if you aren’t aware of the cyber exploits all around, then I doubt one month of more programming around cyber will change that much.

Many see cyber security as a human education issue and Cyber Security Month as an opportunity to educate the masses about what they can do to defend themselves against security exploits. This part really is like a Smokey the Bear campaign. I think the idea behind these campaigns is that if only humans were more aware of cyber threats, then they could take actions to stop machines and data from being breached by these malevolent hackers. And, if we focus on these awareness campaigns in October, then maybe the training will stick with them until next October and the Net would be a safer place.

Does anyone believe this?

So the truth is users do actually infect their desktops and, by extension, the networks they run on. Why? By and large users don’t intend to infect their machines. Users become the instrument of compromise for an adversary because they are human. Adversaries use human curiosity to lure users into clicking on links and dialog boxes and opening attachments. So, if we can only un-train thousands of years of human psychological development to get humans to stop being curious, and to stop doing the parts of their job that require opening attachments, then we might be able to get humans to act as secure automatons. Right.

This isn’t happening.

I think the folks that came up with Cyber Security Awareness month had good intentions. Just like the folks that came up with Stop, Think, Connect. The idea is to get people to Stop, Think, and then Connect… to malicious content. In other words, asking users to solve security problems, while well intentioned, doesn’t actually address the security problem. Users will connect because that’s the point of the Internet.

We gave users the Internet because we wanted to connect them to interesting content (e.g. cats) and themselves (e.g., Facebook). Along the way, we came up with indispensable business uses for the Internet. Users are no better at deciding whether a particular link or attachment is malicious than most of your anti-virus products (1 in 5 infections detected). Asking users to know which links are malicious, which documents are poisoned, and then chastising them when they didn’t make the right decision is folly. Repeating this folly year after year is the definition of insanity. We can continue to educate them about the risks through October and the rest of the year for that matter, but it won’t change the security landscape.

It takes only a single user in an enterprise to make the wrong decision. It takes 17 emails to guarantee a single user will click on a link. As a black hat, I would like those odds and the return on investment to send additional emails (spear-phishing). I’ll take those odds all day long no matter how much education you do. Once I have a compromised machine on the network, I can quickly pivot to the rest of the network. See this video here on how black hats assume control of a victim machine that simply browsed to a malicious site. For giggles we made the domain name **. Now you can train users to recognize “” is likely bad. However, training them that the Dept of Labor or is infecting users is much harder! The Operation DeputyDog campaign we discuss in this blog exploited users that visited legitimate Taiwanese government sites.

So what to do? Instead of educating users about cyber security, let me propose, we simply free users to do what they want to do (cats/Facebook/business) online, while giving them the right equipment to do that job. In other words, instead of hoping they make the right decisions with email links/attachments, and don’t stumble into a watering hole attack, let’s give them the right tools so that when they do, they are protected from infecting the desktop and network, while providing intelligence back to the security apparatus. That’s win-win. Users are free to go where they want, security teams get the threat intelligence they want.

We don’t need to be educating users about cyber security. Instead we need to be giving them the right tools. Don’t let your users go online without protection — without Invincea as one solid option.

October should be “educate your executive” month about cyber security. This means the CIO, the CISO, the CFO, and the CEO. All of these folks have responsibility for the business and for providing freedom of access for employees to do their job and safety against the threats they will face while doing it.

Your role: be a change agent to get people to re-think how we do security. October is as good a month as any to educate your executives that you need access and you want a safe means for going online, like Invincea.

Click here for a free demo.