Prediction 2012: Hackers Will Find New Fertile Ground to Pharm

Posted by on November 29, 2011

Invincea is on record that the year 2011 will go down as the year the fundamental underpinnings of Internet security fell. In fact, it is the bloodiest year on record for Internet security. Not only did we witness compromises of Certificate Authorities to forge digital certificates, the compromise of the market-leading two-factor authentication product, and SSL, but also the rise of the Hacktivist in taking down major corporations publicly.

Once again, it’s that time of year where we not only reflect on the year behind us, but also contemplate what the future holds.
 


The 2011 List
In thinking about 2012, it’s worth a look-back to what we predicted for 2011:

1. Malware: The explosive growth trend of Malware will continue on an exponential growth trend from 2010 levels. Current signature-based approaches will continue to encourage the production of massive amounts of new malware variants. Web-based exploits will continue to be the primary attack vector, focusing on trust-based exploits to get users to infect themselves on the one hand, while drive-by exploits on the other will focus on Java and plug-ins/extensions.

Ok, admittedly this was a lay-up. McAfee reports over 80,000 new variants of malware generated each day – a 400% increase in the rate of malware production since 2007. While the number of Java-based browser exploits did rise significantly, one interesting trend we saw was an increase in thread-injection attacks from browser exploits against operating system services. This tactic evades most anti-virus and application white-listing techniques by never hitting disk on the one hand and compromising existing white-listed programs on the other.

2. Blame the User: The “blame the user” mentality will continue to grip the Security industry as users continue to be infected by trust-exploiting malware that leverage social networks. Many will call for enhanced user training; many will draw the conclusion that the endpoint cannot be protected. These parties will find themselves the victims of continuous intrusions. A new breed of security company will emerge as the answer to the malware scourge.

Security Ops teams continue to blame the user for infections. Users are the target of cyber adversaries because they are improperly put in the position of making security decisions – decisions they are not equipped to make. As long as we continue to design systems that depend on users to make correct security decisions, we will continue to blame users and wonder why our networks get compromised. Making matters worse, these companies tend to adopt a victim mentality, refusing to disclose breaches publicly unless forced to do so, and then refusing to disclose the methods of the attacks. The truth is we’re all victims of cyber exploits. It’s time to remove the stigma and disclose what’s going on if we are ever going to force change in the industry.

3. Reactive Approaches to Security Will Continue to Fail: Complaints about the ineffectiveness of anti-virus solutions will continue…yet organizations will continue to renew their subscriptions and anti-virus companies will continue to report how the problem is getting worse without mentioning how ineffective they are against addressing the threat.

No doubt – reactive approaches still dominate security technology. The security industry won’t change as long as customers still re-up their security subscription even when it isn’t working for them.

4. Major Breaches in Sectors with Intellectual Property: Another large scale Google-esque breach will occur – millions more will occur but never be disclosed or publicized. Nation state actors will continue to evolve their focus towards America’s corporations and the intellectual property that drives their success. Pharmaceutical will be a big target for Nation state attacks.

Operation ShadyRAT, Nitro, NASDAQ…need we say more?

5. Hacktivists Will Bask in Their New Found Glory: More hacktivist attacks and counter-attacks in 2011 – including DDoS and website defacing against corporations and government agencies as a response to globalization, political unrest, and perceived unfair corporate practices.

Anon, LulzSec, Anti-Sec found their sea legs – buoyed by a perceived greater cause and the ease with which large corporations could be brought to their knees. Meanwhile, the industry trembled before them.

6. Critical Infrastructure Attacks: Critical infrastructures have been given adequate notice. Attacks against critical infrastructure systems will become more common since the methods of StuxNet have become publicly available. Expect electric grid outages, chemical, gas, oil and energy plant infections to be on the rise.

Duqu, public utility hacks, SCADA control systems…it is fashionable to go after an easy target – and preps the battlefield for cyberwarfare.

7. Hello Android: The emergence of Android-based attacks will become bigger news as Android begins to take larger market share from iPhone and users rush to download new apps that are not vetted by Google – some of which will be malicious, others just vulnerable to attack. Attacks against the Google browser on Android will become more common.

DroidDream compromised over 250,000 phones with a rootkit. With no vetting of the apps published to the Android marketplace, users are forced to decide on their own which apps are malicious or may infringe on their privacy.

8. Windows Kernel Exploits: More attacks against the Windows operating system kernel will emerge to exploit application sandboxes in desktop software applications running Firefox, Chrome, IE or Adobe Reader X.

While numerous critical vulnerabilities were discovered in browsers in 2011, significantly enough, Duqu leveraged a previously unknown Windows kernel exploit.

9. Organized Crime Rises: The glory days of hacking for fun are over. Organized cyber crime will grow in strength and sophistication, especially in recruiting human mules to pull money out of the system from illegal bank transfers from banking malware. Banks will begin to take serious losses to make consumers whole and as businesses win court cases against banks for negligence in banking system security – including the business systems of customers.

Organized crime dominates most cyber exploits today because of the sheer economics of cyber crime. In Operation Ghost Click, the FBI disclosed that over 4 million users were compromised and the Estonian crime ring, which consisted of six individuals, netted over $14m.

10. Congress Will Rear Its Head: Major Cyber legislation will be passed by Congress that increases security costs substantially for regulated industries (e.g. public companies, govt contractors, critical infrastructure providers, ISPs, etc.) without a commensurate reduction in security breaches.

Fortunately, this hasn’t come to pass yet – but it hasn’t stopped Congress from threatening cyber security legislation to be imposed on industry or the White House from putting out policy positions on cyberwarfare.

The 2012 List
Our predictions for 2011 weren’t too far off the mark and with 20/20 hindsight, it all seems obvious. In thinking about 2012, there isn’t much we’d take off the list – largely because there isn’t much we changed as an industry. We are stuck in a cycle of penetrate, remediate, patch – or as we call it – wash, rinse, repeat security. We should expect to see more of the same. However, repeating 2011’s list is not interesting. So here is our list of predictions for the coming year. We believe that 2012 will be the year that hackers grow bored of tilling the same old fields that are largely compromised anyway. As a result, they will go in search of interesting targets and high-value/high-consequence targets.

1. Toxic Clouds: Perhaps the most significant move in 2011 was the adoption of cloud computing at a meaningful scale. The adversarial side of security is as much of a business as (and perhaps more profitable than) the defense side of security. As corporations and government migrate their data from their desktops and internal servers to the cloud, the adversary will follow suit. How perfect is that? Now all of the data is gathered in one place – ready to hack – and not scattered across various machines on a network that requires time and effort to find and more machines to compromise along the way. Much as corporations have moved to the cloud, we should expect hackers/Hacktivists to use the cloud for their own take-down efforts and command and control networks.

2. Critical Infrastructure Attacks: Up until now, attacks against critical infrastructures have been both few and far between and hard to confirm. The lesson learned from StuxNet by the adversarial community is critical infrastructures are now in play – fair game if you will. The bad news for critical infrastructure providers is they can no longer hide from the threat and pretend they aren’t aware of what’s happening. 2012 will see concerted attacks against power and utility plants, among other critical infrastructures.

3. Cyber Physical Systems Compromise: In the search of more interesting devices to hack, the adversary is going to transition from traditional IT networks to embedded systems – which we normally think of as physical systems. Things like your car, TVs, your house, your office building and mass transit systems. In other words, systems that are networked and run a lot of software will be fertile ground for hackers. Give a hacker a network interface with software listening behind it and he’ll own it.

4. Smartphones, Tablets…Hand-held Exploits: Exploit development for handhelds is still in its nascent stages. Even hackers have to learn skills when it comes to Android and Objective C. However, cyber crime and exploit development are driven by economics. The growth of Android and other handhelds will create a surge in demand for exploits against Android and the Apple iOS operating systems. The device manufacturers, operating system vendors, and the mobile-device management industry segments are not prepared to address vulnerabilities in software on these platforms, nor the malicious apps written to compromise them.

5. Cyberwarfare: For a long time, the use of the term “cyberwarfare” was verboten among the cyber literati as it was playing into the war machine hyperbole. With StuxNet breaking previously unwritten rules in targeting critical infrastructures and Duqu – “The Son of StuxNet” – collecting information from SCADA vendor systems, the groundwork is being laid for cyberwarfare operations. Expect more sabre rattling from the major cyber powers and non-attributable offensive operations against strategic targets.

If 2011 was a watershed year in cyber security, how will 2012 be remembered?

Perhaps as the year the Digital Pearl Harbor comes to pass? We hope not, but let’s not wait for it. The equivalent of death by a thousand cuts is what we face every week. One side effect of the dramatic headlines in cyber nearly every week is desensitization. At what point will we become numb to what is going on in the network?

One of the risks that may become apparent in 2012 is that dramatic attacks like compromising 4 million users will be passé – another day in the life on the network. Hacking a power company, an act which results in brown-outs, will become part of the routine. Let’s hope that instead, 2012 is the year we commit to changing the way we approach security. We must adopt security architectures that proactively prevent intrusions rather than reacting to the breach after the fact, spending time, effort and countless dollars to assess how bad the damage is.

Let’s break the security insanity cycle in 2012.

 

 

Dissecting an Active Campaign Targeting America’s Defense Industrial Base and Intel Communities

Posted by on July 21, 2011

Researchers from Invincea Labs and ThreatGrid dissected a sophisticated spear-phish aimed at a high profile target within America’s Defense and Intelligence community July 20th. Based on our analysis, we believe a new active and sustained campaign directed against the US defense industrial base was started within the past two weeks. The campaign demonstrates hallmarks of a persistent adversary as multiple attack methods have been utilized, including spear-phish emails in what we believe is an attempt to gain a beachhead on defense contractor networks.

It is well known that these communities represent one of the most desired targets for motivated nation state actors. While we cannot determine with certainty the country of origin, our analysis suggests nation state involvement. The fact that this campaign is underway is not surprising – these communities face a relentless onslaught and recent public disclosures highlight this fact. Also not surprising is the fact that the adversary is utilizing spear-phishing as an entry point. A large percentage of the high profile breaches disclosed over the past 18-24 months include spear-phishing elements (i.e. Night Dragon, Google, RSA, Oak Ridge National Labs, etc.). Spear-phishing attacks are on the rise as adversaries look for the path of least resistance – i.e. prey on human curiosity to make the user an unwitting accomplice in the breach of the network.

The information presented by Invincea Labs and ThreatGrid provides a look into an active campaign – we present this information in the interest of transparency for the security community and as a warning notice to the Defense Industrial Base. Prior to releasing this information, both organizations have contacted the appropriate authorities and are working to contact the potential targets of this attack at this time. Because of sensitivities with an active on-going campaign against Defense and Intelligence contractors, we are not publicly disclosing identifying information such as IP addresses, domains, and URLs that are signatures of this attack.

Summary of Attack

The attack starts as an in-bound spear-phish to individuals in the Defense Industrial Base purporting to come from the US Intelligence Advanced Research Projects Activity (IARPA). The spear-phish contains a URL to a zip archive file with a roster of Defense Industrial Base attendees to an IARPA Program conference. The roster is an active list of 163 senior level executives participating in a recent IARPA Project Day, including Directors and Presidents, and CEOs of premier defense and intelligence companies.

  • Once the attachment is opened, it presents the promised roster while running another program it extracted: a custom http client that beacons to a server and then signals how long it will sleep. It places itself on the list of programs that run at system startup.
  • After a re-boot the custom http client initiates a GET request to a command & control server. The returned page has an encoding in the HTML. It decodes the encoding in memory to produce a new program that it writes to the user’s disk. This program is a remote command & control Trojan. Since the encoded program is hosted on a website, this can be updated over time with more sophistication.
  • The new Trojan app gives complete control of the victim machine to the adversary. It will also change Internet Settings in the registry to bypass any local proxy settings that may be in place (e.g., for security). It also has built in capability to update the Root Certificates list that can aid in Man-in-the-Middle attacks against SSL based sessions the user may engage in.
  • There are other indicators this attack is part of a larger campaign where multiple organizations are targeted. A file with similar characteristics but different type was uploaded to an online analysis platform and the outbound URLs follow the same format as the beaconing URLs presented here.

 

Detailed Analysis of Attack

  • A targeted email is sent and appears to come from an attendee of a recent meeting.

 

Targeted spear phishing email - active Defense Industrial attack

     

 

  • The URL appears to be a subdomain of a domain that has a permanent redirect to a legitimate research project website.
  • Once the user opens the attachment, a dropper program runs that extracts and presents the promised roster (Figure 2), while running a custom http client it also extracted.
  • The custom http client then initiates a beacon using http protocol to one of two URLs that resolve to the same server IP address. The beacon includes a timestamp, hostname, and IP address of the compromised host in the GET request. The http client also forges the user agent in the GET request with a false user agent name and uses it to post information about the host.

  • The server is also used to host a number of manufactured domains that look legitimate so monitored outbound traffic will not attract attention.
    • Past history in APT campaigns (e.g., NightDragon) indicates these organizations may be direct targets of this campaign as well.
  • The custom http client beacons out on regular intervals.
  • On reboot, the dropper initiates a GET request to one of two domains. An encoded string is returned from an HTML page.
    • A memory analysis of the dropper executable showed the string was decoded to create a new executable, which is then written to disk. This new executable is the payload of the original attack that provides remote command and control for the adversary. The metadata associated with the file shows this is an attempt to disguise the file as a legitimate driver.
  • From the executable dump we were able to obtain a URL that appears to be the Command & Control server for the new malicious command and control executable that is created.
  • On execution, the remote Trojan modifies the Internet Settings in the registry in order to bypass any local proxy settings that may be in place. It also has the ability to update the Root Certificates list on the host. Analysis has not been performed to determine if the file is signed with an authorized certificate.
  • The Trojan initiates outbound communications over SSL to a new URL.
  • The Trojan has the following capabilities:
    • File transfer/download
    • Remote Command Shell access
    • Start or stop service
    • Start a downloaded file as a service
    • Query for system information, file attributes, etc…
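The beacon traits described above (requests at regular intervals, the host's identity carried in the GET query string, a User-Agent used only toward one destination) can be turned into a detection check over proxy logs. The code below is an added example, not code from the post or from Invincea/ThreatGrid; because the post withholds the real URLs and IPs, every host, IP and the log field layout is constructed and assumed.

```python
"""Periodic-beacon detector for web proxy logs (added example, not from the post).

Flags (client, destination) pairs whose requests arrive at near-constant
intervals, then annotates each with two traits the post attributes to the
custom http client: the client's own IP inside the GET query string, and a
User-Agent that is never seen toward any other destination.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

MIN_HITS = 4        # need this many requests before judging periodicity
MAX_JITTER = 0.15   # pstdev/mean of inter-request gaps; lower = more regular

# Constructed sample proxy log (assumed layout): time, client IP, method, URL, User-Agent.
# The .invalid host plays the beacon server; www.example.com is ordinary browsing.
SAMPLE_LOG = """\
2011-07-20T09:00:03 10.1.5.23 GET http://cdn-example.invalid/u.php?h=WS-ENG7&t=1311152403&a=10.1.5.23 CustomAgent/1.0
2011-07-20T09:00:15 10.1.5.23 GET http://www.example.com/news Mozilla/5.0
2011-07-20T09:05:04 10.1.5.23 GET http://cdn-example.invalid/u.php?h=WS-ENG7&t=1311152704&a=10.1.5.23 CustomAgent/1.0
2011-07-20T09:07:41 10.1.5.23 GET http://www.example.com/mail Mozilla/5.0
2011-07-20T09:10:02 10.1.5.23 GET http://cdn-example.invalid/u.php?h=WS-ENG7&t=1311153002&a=10.1.5.23 CustomAgent/1.0
2011-07-20T09:15:05 10.1.5.23 GET http://cdn-example.invalid/u.php?h=WS-ENG7&t=1311153305&a=10.1.5.23 CustomAgent/1.0
2011-07-20T09:20:03 10.1.5.23 GET http://cdn-example.invalid/u.php?h=WS-ENG7&t=1311153603&a=10.1.5.23 CustomAgent/1.0
2011-07-20T09:21:10 10.1.5.23 GET http://www.example.com/ Mozilla/5.0
2011-07-20T09:33:40 10.1.5.23 GET http://www.example.com/a Mozilla/5.0
2011-07-20T09:41:12 10.1.5.23 GET http://www.example.com/b Mozilla/5.0
"""


def parse_log(text):
    """Parse 'time client method url user-agent' lines into dicts (UA may contain spaces)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split(" ", 4)
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client, "method": method, "url": url, "ua": ua,
            "host": urlsplit(url).hostname or "",
        })
    return rows


def detect_beacons(rows):
    """Return one finding per (client, host) pair whose timing looks like a beacon."""
    by_pair = defaultdict(list)
    ua_hosts = defaultdict(set)   # destinations each User-Agent was seen talking to
    for r in rows:
        by_pair[(r["client"], r["host"])].append(r)
        ua_hosts[r["ua"]].add(r["host"])

    findings = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < MIN_HITS:
            continue
        reqs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        # Human browsing has irregular gaps; a sleep-then-beacon loop does not.
        if avg <= 0 or pstdev(gaps) / avg > MAX_JITTER:
            continue
        # The post notes the beacon carries the compromised host's IP in the GET request.
        ip_in_query = any(
            client in values
            for r in reqs
            for values in parse_qs(urlsplit(r["url"]).query).values()
        )
        # A User-Agent that only ever talks to this one destination is likely forged/custom.
        # (In real logs a genuine browser UA spans many hosts; here the sample is small.)
        rare_ua = any(ua_hosts[ua] == {host} for ua in {r["ua"] for r in reqs})
        findings.append({
            "client": client, "host": host, "hits": len(reqs),
            "interval_s": avg, "ip_in_query": ip_in_query, "rare_ua": rare_ua,
        })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits every ~{f['interval_s']:.0f}s, "
              f"ip_in_query={f['ip_in_query']}, rare_ua={f['rare_ua']}")
```

On the constructed log only the .invalid destination is reported (five hits roughly every 300 s, client IP echoed in the query, single-destination User-Agent); the example.com browsing has the same request count but fails the jitter test.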


Birthers beware! Nothing sacred, nothing shocking in Infosec

Posted by on April 28, 2011

A quick blog post that demonstrates yet again that the adversaries we face are quick to pounce on user curiosity for their own gain. We all know that yesterday the White House released the POTUS’ birth certificate…and before Donald Trump could even finish congratulating himself and plugging the next episode of “The Apprentice,” the malware writers were all over this news.

As we’ve seen time and time again over the past year, the bad guys are using poisoned SEO techniques to feed malicious links to our users. We saw it with Kate Middleton and with Charlie Sheen…now the POTUS’ birth certificate. The user is directed in this case (as is so often the case) to a Fake A/V exploit. Not just the “give me your credit card number” type – no, the type that actually pops the machine, sets up C&C, gets ready to do the real dirty work. We have to come to grips with the fact that the user is the primary target for our adversaries nowadays – RSA = spear phish…Oak Ridge National = spear phish…etc, etc. They are now the unwitting accomplices to the breach of our networks – and training alone isn’t going to solve the problem.

Nothing is sacred out there, folks – keep fighting the good fight. Oh – and you might want to consider protecting the network from the user and the user from him or herself. You can separate their interaction with all untrusted content from impacting the security of your network. You can arm your browsers – putting the user in a bubble while interacting with untrusted content, etc. That’s what we do – and not only do you keep the infections from reaching the desktop and then on to the network – but you get a whole bunch of really cool forensic detail that can be used to feed your larger infrastructure.

Click below for the video…

A Quick Look at a Spear Phishing Attempt

Posted by on April 19, 2011

Late last week, one of our Executives was the target of a spear phishing attempt. Luckily, we did not fall victim to the attack as the target was using our Invincea BrowserProtection product (shameless plug, yes – but the solution worked). The attack used some clever social engineering tactics in an attempt to bait our Executive into becoming an Unwitting Accomplice:

  • It was directed to his personal email account – lowered guard in the home environment, less security controls on the home network…ahhh, but the PC at home is often the PC at work – so pop it and you just might get an easy in for future lateral movement.
  • It was localized – referencing DC in the note
  • It was spoofed to look like it was coming from a trusted source – to protect the innocent we’ll call him “Joe” – “Hmmm…sure took “Joe” a long time to get those pictures across from that birthday party, but I was at that birthday party and that is “Joe’s” daughter’s name in that link…curiosity not only kills the cat…click, click…boom!” (Gotta love the power of Facebook, Twitter, Linkedin for research purposes)
  • It directed our Executive to a malicious site – quick drive-by download – user never suspects a thing…by the time the user realizes that none of these pictures look familiar, the dastardly deed is already done.

The good news here is that we didn’t get caught in this trap – our solution is designed specifically to keep the user safe from untrusted content and thus to prevent intrusions into the network. We segregate the user’s desktop from the browsing experience, outfit the solution with behavior-based detection which triggered immediately when the drive-by took place, we throw away infected environments, capture forensic detail that can be shared with the security team, restore the user to a pristine environment and get them back to work in under a minute.

The bad news is that if we had been running a native browsing session, the results would have been much, much less ideal. Not calling this the scariest kid on the block but it was definitely designed to do some real work inside our network. Most likely isolated but wouldn’t hurt to be on the lookout. Interesting but not surprising at all to note that this piece of malicious code had no known signature at the time of attack. Take a look at a screen grab of the actual inbound email and a video that walks through our quick dissection of what this was designed to do.

Screen grab of the email:


Quick Video:

Give us a call or drop us a line if you want to learn more about how you can Protect Your Execs!

Time to Change the Security Game…

Posted by on March 29, 2011

This is an excerpt of an op-ed submitted to the fine folks at InfoSecurity US: 

My head hurts – I’ve been banging it against the wall for a decade. And at an accelerated pace over the past two years – and pretty much every day since the start of 2011. Why?

Like many of you, I’ve watched as we slip further behind our adversaries, as the gap widens between offense and defense, and as they infiltrate our networks while siphoning off the keys to our future competitiveness. This is not FUD, it’s real.

Another day, another story – NASDAQ, London Stock Exchange, Night Dragon, Morgan Stanley. These stories are becoming more commonplace and barely warrant a blink of an eye from anyone in the know. Although these events are big, it’s not quite salacious enough to compete with the likes of Charlie Sheen in mainstream media cycles, that is, unless it involves him.

For the full blog, take a jump over to their site:
http://www.infosecurity-us.com/view/16930/comment-time-to-change-the-security-game-/

What the hell are we waiting for?!?

Posted by on March 16, 2011

I’ve heard it discussed by security pundits, some of those within the mainstream press, former White House and Intelligence Community officials, and even certain folks on the Hill on many an occasion – the notion that a seminal event likened to a “Digital Pearl Harbor” or “Digital Katrina” is needed before any significant sweeping changes will occur in InfoSec. The unfortunate reality is that while the Hill and Big Business wait for a “Digital Pearl Harbor” to take InfoSec seriously, we are suffering under “Digital Chinese Water Torture” or perhaps “Death by A Thousand Cuts.” Every day that passes without sweeping change in how we engineer our systems to be secure vs. servicing the problem, means another drip here, another cut there and irreparable losses occurring across industry and government as our networks are pillaged and looted. 

We all know the old adage with respect to news – if it bleeds, it leads. Ten years ago, it was hard to get people to wake up to the InfoSec threat. Ironically, we’ve now become so accustomed to security breaches, zero day malware in popular desktop apps, and white-knuckle-inducing research statistics reported in mainstream news literally every day, we are hardly moved to action by it. For example, just the other day, Meredith Viera reported on the Today Show, about “unwitting accomplices” being used to distribute illicit content because they failed to secure their network. Last week, a research group published a study that concluded an average Internet user has a 95% likelihood of encountering a malicious web site in a 3-month period. And not to be outdone, the Ponemon Institute reported the average cost of a data breach of customer records is $7.2M in 2010 for businesses.

Caught within the deluge of daily news of how InfoSec is not working, it can be hard at times to think strategically about the problem and solution space for InfoSec. Instead, as an industry we react to today’s threats with yesterday’s solutions, or as they are fond of saying in the military, we are fond of fighting the last war (with the implication of using the tactics and tools of the last war) rather than the current one. And please do not mistake the analogy as a declaration we are in a cyber-war…not going there with this post.

So are we caught in analysis paralysis, are we desensitized to the bleeding that’s going on, or do we have a helpless feeling this is just a phenomenon that happens to us and we have no control over it? I suspect it is some of all of these, but it’s helpful to take a step back and look at the big picture and think strategically about InfoSec.

The Big Picture: Frankly, we’re getting our collective asses kicked and there is a system wide issue we have to address to turn the tide back in our favor. Nobody is immune to the scourge InfoSec experiences…not across the Intel, Defense or Civilian sectors of government and if this statement from Steven Chabinsky – Senior Advisor to the Director of National Intelligence is to be believed “It appears that every industry is being victimized by intrusions”…not across any of our private sector verticals either.  

We’ve talked about the Security Insanity Cycle previously and the drain on business dollars and resources to support the cycle and service the problem rather than addressing it head on. So we’ll spare you the soap-box on that issue in this post and invite you to read at your leisure.

We were recently asked by a mainstream reporter to say what we thought about the “Web annoyances” that users encounter day-to-day…and after knocking another couple of head-sized holes in the walls of Invincea HQ, we realized we still have much work in front of us. Isn’t it obvious that what the average user encounters is much more than an annoyance factor?

By virtue of writing a piece on the state of InfoSec, we are bound to be criticized by others in the industry for propagating FUD – or fear, uncertainty and doubt. So rather than respond to the FUD accusations in the comments section, let’s take it head on with a game of Fact or FUD.

Fact or FUD #1: The user is encountering a potential man-in-the-browser banking Trojan that will surreptitiously transfer funds from their personal accounts

Fact or FUD #2: The user is encountering a potential nation state intent on stealing national secrets

Fact or FUD #3: The user is encountering the potential for criminal gangs or nation states to steal corporate Intellectual Property

Fact or FUD #4: The user is encountering potential for a massive financial risk to the organization

Fact or FUD #5: The risk we face today is a systemic risk to competitiveness on the global scale – and as such a national security concern.

We’ve also documented our core belief in recent byline articles – that the user is the unwitting accomplice, the primary target for our adversaries, and security teams are complicit by their inaction. Gone are the days of trying to brute force into corporate and government network infrastructure through corporate firewalls…all one must do now is prey on human psychology, use social networking to join the victim’s social network, bank on the fact that our security defenses are based on the last threat not the current one, and ask the user to lower the bridge and invite the adversary in.

Believing all of the above to be Fact not FUD, we believe the security industry needs to put the user in a protective disposable bubble whenever he or she comes in contact with untrusted content from the InterWebs…and EVERYTHING on or coming through the InterWebs should be viewed as untrusted content.

To maintain a trusted environment – desktop and network – the user’s interaction with the untrusted content needs to be separated or compartmented from his or her physical machine. The goal of malicious content is to change the trusted environment. Using advances in virtualization and today’s commodity hardware we can create on-demand a separate disposable operating system for the applications that run untrusted content. This way when the untrusted content turns out to be harmful, it will change our disposable operating system rather than the user’s trusted operating system. Better yet, instrument that disposable operating system with sensors that detect when the environment changes, e.g., when a user clicks on a malicious link unsuspectingly, is hit by drive-by attacks, or opens a document that contains malicious software. When something causes a change in the environment, whether it is through user mistakes or malware intentions, the sensors trigger, the environment is disposed, actionable forensic intelligence on malware is captured, and the user is back up and running in a matter of seconds.

Now turn the thousands or tens of thousands of vulnerabilities in the network (i.e. users) into an asset – turn them into part of a real-time, zero-day, enterprise malware protection network – and you get real actionable intel you can use to block attacks as well as detect where else in your network you may already be compromised. Don’t throw away any of the signature based cyber security solutions you’ve already invested in – these become the reference libraries for this newly found forensic intelligence. Feed the infrastructure and expand its usefulness – narrow the gaps.  

The user – whether at home or at the office – is the target. We now need to change the game from blaming users…and instead focus on protecting the network from the user and the user from himself or herself.

It is more than just an issue of preventing annoyances, it isn’t just FUD, it’s a matter of protecting our assets from people who don’t have a right to them and having assurance we are operating on a machine and through a network that has not been compromised. We need to stop waiting for a “Digital Pearl Harbor” as we die by a thousand cuts.

Our time is NOW. Let’s get moving. What the hell are we waiting for?

Don’t Tell Me Tuesday…That You Screwed Me Monday!

Posted by on February 08, 2011

Working for a security product company, Patch Tuesday is supposed to be something that we look forward to – at least according to the Marketing and PR teams and Tech Media writ large. Patch Tuesday is not just the day that IT managers find out what they are supposed to patch in their infrastructure. No it’s much more than that. Patch Tuesday is the day that security companies and security gurus line up to present their commentary and brilliant insight on the meaning of the plethora of vulnerabilities Microsoft and other software vendors will announce. The day we get to talk to the dozens of reporters writing the myriad and sundry articles highlighting the latest gaps in software security.

Security gurus will speak to the implications of the latest wave of potentially fatal flaws left in the millions of lines of code for the world’s most ubiquitously deployed software. While for network managers, it becomes a race to close the window of exposure in their networks before cyber foes exploit these holes.

For Invincea, Patch Tuesday takes on a different meaning. To us, Patch Tuesday and all the hullabaloo that surrounds it is symptomatic of the penetrate-and-patch broken security model that has been in place for over 15 years. It’s also an opportunity for us to get the word out on why we created this company, to point out how we can negate the impact of these flaws by preventing malware writers from exploiting them, and to pound the desk as to why this whole penetrate-and-patch model is broken. In other words, we believe that every Patch Tuesday should be the clarion call to IT Managers, CISOs, CIOs, and CFOs that it is time to fix the problem through better security architectures rather than servicing the problem as so many have come to do.

We don’t fault the reporters that report the news, as the word has to get out and these critical patches have to be applied. We don’t fault the security practitioners that have no choice but to include patching in their normal workflows. And perhaps surprisingly, we don’t even fault the software vendors themselves that are patching their flawed software. To err is human. However, the reality is, any model of security that counts on the correctness of the millions of lines of code that form the attack surface of Internet-connected software is a fundamentally flawed model and untenable for security.

A Fragile System and Broken Model of Security

As you review the vulnerabilities disclosed on Patch Tuesday, and as the expert commentary is reported, you’ll realize that these flaws were already present on your system for quite a while and quite possibly, if not certainly, exploited. While you’ll patch these flaws today (or as soon as IT can determine they can patch them without breaking network and desktop software and services), you’ll realize that there are lots of yet-unannounced flaws in the same software, either yet to be discovered, or discovered but not yet disclosed. Finally, you’ll realize that all the advantages go to the cyber adversaries. They need to find only a single flaw in the millions of lines of code, or get a single user among the thousands of employees in your organization to make an incorrect security decision, in order to run exploits that take 20 lines of code or less to own your machine. We know that building perfect software and perfect users is unattainable. So the question is – why do we persist with this model of security? We should expect better from the security and computer industries. And we should provide better for our nation’s commercial and government enterprises and critical infrastructures that continue to perpetuate the wash-rinse-repeat model of security.

The Security Insanity Cycle

You see, what Patch Tuesday represents is evidence that we are hopelessly chasing our tails… that in place of strategic thinking we are consumed by tactical firefighting… and the security industry perpetuates this by continuing to service it rather than engineer solutions to the problem. We are in fact caught in a self-perpetuating Security Insanity Cycle – where we keep repeating the same processes – patch/update, detect, remediate – with the same results, but somehow expecting a different outcome. The security industry today has largely accepted that the standard in network defense is a wash-rinse-repeat cycle in a never-ending game of whack-a-mole where all industry interests are aligned in perpetuating the cycle and servicing the problem, rather than breaking it.

Figure: The Security Insanity Cycle (Leading Malware Solutions)

We should not be fine with being told on Tuesday that we were screwed on Monday, with everyone accepting that as the norm. We should not accept the contention that there is no such thing as secure – that prevention is a failed strategy – that the best we can hope for is to detect our adversaries once they are in our networks. We should not cede our networks to our adversaries “as long as they can’t exfiltrate the data.” We are capable of better but we’ve lost our way – we’ve fallen down the rabbit hole and seem to be fine with not knowing where the bottle is that makes us big again. Call us shameless purists, but we were trained as engineers to solve problems, not service them. We got into the security business to make a difference and we created Invincea to try to change the game fundamentally – to change the playing field so traditional attacks no longer work and to break the security insanity cycle.

Changing the Game

This blog isn’t meant to be an indictment of the entire security industry – there are several examples of innovative technology beginning to emerge – but this is meant to be a wake-up call both to the industry and to the buyers of its products. It’s time to signal to the security industry that you won’t stand for the wash-rinse-repeat security model anymore and to vote with your wallets. Instead of perpetuating the security insanity cycle, it’s time to start deploying secure network, operating system and application architectures.

We don’t pretend to have all of the solutions and by no means are we suggesting that we are the only solution to the problem. But we do suggest that it’s time to re-think patching/updating, detection, and remediation as a security strategy. Fire protection engineers don’t just put in smoke alarms and fire extinguishers – they engineer buildings with real firewalls and flame retardant materials. It’s time to renew our focus on preventing exploits in the first place by engineering secure architectures. A dollar spent on prevention is worth $10,000 spent on remediation. Contrary to popular opinion, preventing security exploits is not a dead art or science. Focusing resources on designing systems to be resilient to exploits is an important step to breaking the insanity cycle.

Our adversaries have been innovating while we have lost ground in security for the last 10 years, all the while creating tremendous economic value for the security industry and high incomes for security professionals. It is time to innovate in security again to change the game to return the advantages to the defender rather than the attacker.

eCards…Really?!? C’mon man…

Posted by on January 07, 2011

It could just as easily be the first of April as it is the first of January…that’s what I thought when I read the news this week of the latest successful holiday eCard exploit. This one was spoofed to look as if it was sent by the White House and was targeted at a select group of folks across government with access to sensitive information. Seriously, an eCard campaign targeted at what should be a fairly sophisticated user group still works? I guess none of them read the dozens of holiday security predictions calling for a resurgence of eCard malware campaigns?? I guess none of the signature based solutions had a signature for this one handy? None of the defensive layers caught the exploit in its tracks?

C’mon man…

Not at all shocked that the effort was cooked up – the bad guys are incredibly well attuned to the notion that preying on user psychology is the easiest way through the door. And they know all too well that signature based solutions just can’t keep pace with new virus variants. It definitely wasn’t shocking to learn that the group involved was the same that launched the successful “Kneber” Zbot early last year. That campaign, which looks to have originated in Belarus, infected more than 75,000 servers and 2,500 organizations and pilfered untold quantities of sensitive corporate information. No one was ever brought to justice for it, so why wouldn’t they go back for another round with a campaign targeted at government employees with sensitive documents on their desktop?  What was somewhat shocking was the change in focus in this instance to government secrets.  (Hat tip to Alex Cox, Gary Golomb and Shawn Carpenter from NetWitness for their work on the “Kneber” discovery in 2010 and Alex Cox for his analysis of the eCard here)

Blame the user…

It’s tempting to blame the user in this case, since after all, doesn’t everyone know eCards are pretty much malware vehicles? But, before we jump on the user, consider that the reason these attacks work is because they have figured out how to stoke the user’s curiosity, desires, or fears – basic human psychology. The eCard is quite plausible – it was the holiday season after all and even if they didn’t know anyone at the White House, it’s plausible to believe someone at the White House may have sent the note to a government employee and for them to be complimented by it. The fact that one of the victims had a recently issued top secret clearance shows that people with extensive training around protecting sensitive documents still fall victim to online lures.

Security technology has failed us…

In fact, the whole blame-the-user mentality is one of the most significant factors that has impeded progress in security for many years now. Security professionals have an easy scapegoat when an infection happens – the user – even when it is apparent they were a targeted victim. The security industry has punted on solving security problems by asking the user to make security decisions, for instance, “Are you sure you want to run this file from an unknown publisher?” Who hasn’t seen that dialog box from Microsoft? Does anyone really think users know which files are benign and which are malicious? Or that users are going to make the right decision every time? Many users also don’t care because the machine is owned by someone else – their employer – so they aren’t adequately motivated to do the research necessary to figure out if they should click OK or Cancel. Users aren’t security professionals – and despite our annual or semi-annual attempts at training them – they never will be. Given the sophistication, sheer volume and rapid evolution of malware, user training is not a realistic solution to keeping malware at bay. And given that many of the users targeted here should have already been hypersensitive to the malware threat, this point is hard to debate.

What this goes to show is that you cannot train away human instinct…and it reemphasizes that the tools we are relying upon in our corporate, government and home environments to protect us from the malware scourge aren’t accounting for user error. If you have 1,000 people in your organization and each day they each have to make one security decision correctly, what do you think the odds are that in a year you are not going to have any infections? How about zero?

Time to embrace change…

The security guy is also sometimes called Mr. No. His job is pretty much to put restrictions on users. However, as technology evolves, the security guy becomes the impediment to embracing new technology that can be game changing for a business. Why shouldn’t an employee be allowed to participate in social media (hint – it’s not just about socializing)? If the eCard legitimately was from the Executive Office of the President, it sure would be nice to open it. We believe it’s important to embrace new technology and the wonder that new technology brings to the office. Users will make poor security decisions – it’s not their job to know about the latest attacks, just like it may not be your job to create an income statement for your organization.  So rather than developing policies and technologies to inhibit users, we need to embrace technology that provides freedom to explore new technologies without fear of your network getting pwned.

Advances in virtualization and behavioral-based malware detection offer the solution. Using full hardware virtualization it is now possible to completely isolate vulnerable software applications like the Web browser or Adobe Reader from the desktop, so that when a user gets infected through either of these apps, they are infecting a disposable operating system. Technology is available today that uses behavioral-based detection to identify new malware strains on day zero – terminate the threat, capture forensic data that can be fed to the larger infrastructure, completely dispose of the tainted environment and never let the malware touch the user’s system.
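The disposable-environment-plus-sensor idea described here, and in the “sensors that detect when the environment changes” passage of the 2012 prediction post above, can be modelled in a few dozen lines. The following is an added example, not Invincea’s product code: the disposable operating system is stood in for by a temporary directory provisioned from a constructed “golden image”, the sensor is a file-system baseline diff (a deliberate simplification of whatever behavioral sensors a real product uses), and `DisposableEnvironment`, `GOLDEN_IMAGE` and `simulate_untrusted_content` are hypothetical names chosen for this illustration. When the sensor fires, the changed files are captured as forensic artifacts, the tainted environment is thrown away, and a fresh one is provisioned.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed "golden image": the clean file set every disposable environment starts from.
GOLDEN_IMAGE = {
    "etc/hosts": b"127.0.0.1 localhost\n",
    "home/user/readme.txt": b"nothing to see here\n",
}


def snapshot(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


class DisposableEnvironment:
    """Hypothetical toy model of the disposable OS plus change sensor."""

    def __init__(self, golden_image):
        self.golden_image = golden_image
        self.root = None
        self.baseline = None
        self.generation = 0
        self.provision()

    def provision(self):
        """Create a fresh environment from the golden image and record its baseline."""
        self.root = tempfile.mkdtemp(prefix="disposable-")
        for rel, data in self.golden_image.items():
            full = os.path.join(self.root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        self.baseline = snapshot(self.root)
        self.generation += 1

    def dispose(self):
        """Throw the (possibly tainted) environment away."""
        if self.root is not None:
            shutil.rmtree(self.root, ignore_errors=True)
        self.root = None

    def check(self):
        """Sensor: on any change, capture forensics, dispose, and re-provision.

        Returns the forensic record, or None when the environment is untouched.
        """
        changes = diff_snapshots(self.baseline, snapshot(self.root))
        if not any(changes.values()):
            return None
        record = {"generation": self.generation, "changes": changes, "artifacts": {}}
        # Capture new and modified file contents before destroying the environment so
        # they can be fed to the rest of the defensive infrastructure as intel.
        for rel in changes["added"] + changes["modified"]:
            with open(os.path.join(self.root, *rel.split("/")), "rb") as fh:
                record["artifacts"][rel] = fh.read()
        self.dispose()
        self.provision()
        return record


def simulate_untrusted_content(env):
    """Constructed stand-in for malicious content: drop a file and edit hosts."""
    dropped = os.path.join(env.root, "home", "user", "update.exe")
    with open(dropped, "wb") as fh:
        fh.write(b"MZ not really an executable\n")
    with open(os.path.join(env.root, "etc", "hosts"), "ab") as fh:
        fh.write(b"203.0.113.5 bank.example\n")


def demo():
    """Run one clean check, one infected check, and one check after re-provisioning."""
    env = DisposableEnvironment(GOLDEN_IMAGE)
    first = env.check()    # untouched environment: sensor stays quiet
    simulate_untrusted_content(env)
    record = env.check()   # sensor fires: forensics captured, environment replaced
    second = env.check()   # the replacement is clean again
    env.dispose()
    return first, record, second


if __name__ == "__main__":
    _, rec, _ = demo()
    print(rec["changes"], sorted(rec["artifacts"]))
```

The point the model makes concrete is that the user’s trusted system is never part of the diff at all: everything the untrusted content touched lives inside `env.root`, which is deleted and rebuilt from the golden image on every trigger, while the captured artifacts (here the dropped file and the altered hosts entry) are what gets handed to signature libraries and the rest of the network.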

Is virtualization the security panacea? No…but it is a heck of a step forward. Will the bad guys eventually turn their sights to breaking out of the virtualized environment? Sure…but we need to recognize that cyber security is going to be an endless game of back and forth. Right now, our adversaries have us beat…let’s show them we are still in the fight and introduce real preventative controls to put them back on the weaker footing. If we force the bad guys to break virtualization software rather than get users to click through dialog boxes, that’s a win by itself.

So how well does it work? Take a look and see for yourself, we’ve recreated the exploit in the video below.

Invincea eCard Video

Wishing everybody a safe browsing New Year…

2011 Top 10 Cyber Predictions

Posted by on December 16, 2010

Everybody is putting out their Top 10 lists of predictions for 2011. Not to be left out of the party, below is a list of what we expect to see in 2011 in Cyber Security.

1. Malware: The explosive growth trend of Malware will continue on an exponential growth trend from 2010 levels. Current signature-based approaches will continue to encourage the production of massive amounts of new malware variants. Web-based exploits will continue to be the primary attack vector, focusing on trust-based exploits to get users to infect themselves on one hand, while drive-by exploits on the other will focus on Java and plug-ins/extensions.
 
2. Blame the User: The “blame the user” mentality will continue to grip the Security industry as users continue to be infected by trust-exploiting malware that leverage social networks. Many will call for enhanced user training; many will draw the conclusion that the endpoint cannot be protected. These parties will find themselves the victims of continuous intrusions. A new breed of security companies will emerge as the answer to the malware scourge.
 
3. Reactive approaches to security will continue to fail. Complaints about the ineffectiveness of anti-virus solutions will continue…yet organizations will continue to renew their subscriptions and anti-virus companies will continue to report how the problem is getting worse without mentioning how ineffective they are against addressing the threat.
 
4. Major Breaches in Sectors with Intellectual Property. Another large-scale Google-esque breach will occur – millions more will occur but never be disclosed or publicized. Nation-state actors will continue to evolve their focus towards America’s corporations and the intellectual property that drives their success. Pharmaceuticals will be a big target for nation-state attacks.
 
5. Hacktivists will bask in their new-found glory. More hacktivist attacks and counter-attacks in 2011, including DDoS and website defacing against corporations and government agencies as a response to globalization, political unrest, and perceived unfair corporate practices.
 
6. Critical Infrastructure Attacks. Critical infrastructures have been given adequate notice. Attacks against critical infrastructure systems will become more common since the methods of Stuxnet have become publicly available. Expect electric grid outages and chemical, gas, oil, and energy plant infections to be on the rise.
 
7. Hello Android. The emergence of Android-based attacks will become bigger news as Android begins to take larger market share from iPhone and users rush to download new apps that are not vetted by Google – some of which will be malicious, others just vulnerable to attack. Attacks against the Google browser on Android will become more common.
 
8. Windows Kernel Exploits. More attacks against the Windows operating system kernel will emerge to exploit application sandboxes in desktop software applications including Firefox, Chrome, Internet Explorer, and Adobe Reader X.
 
9. Organized Crime rises. The glory days of hacking for fun are over. Organized cyber crime will grow in strength and sophistication, especially in recruiting human mules to pull money out of the system from illegal bank transfers initiated by banking malware. Banks will begin to take serious losses as they make consumers whole and as businesses win court cases against banks for negligence in banking system security – including the business systems of customers.
 
10. Congress will rear its head. Major cyber legislation will be passed by Congress that increases security costs substantially for regulated industries (e.g., public companies, government contractors, critical infrastructure providers, ISPs, etc.) without a commensurate reduction in security breaches.

Curiosity not only kills the cat…it gets your network pwned

Posted by on December 08, 2010

Royal Weddings and Porous Security in the Age of Headline Malware and Poisoned SEO

To quote the brilliant comedian Peter Cook, “Mawwiage…mawwiage is what bwings us togetha today.”

Unfortunately, for the security of your network, this particular wedding is not a joyous event. As you’ve likely been hard at work trying to secure your enterprise, you might not be aware that Prince William has announced plans to wed his long-time girlfriend, Kate Middleton. However, your users are in the know and many have likely been searching for the latest Kate news or pictures. Some have probably tried to get an early glimpse of her wedding dress, others might be more interested in her swimsuit preferences…either way, they are putting your network at risk. As was the case with another famous fairytale wedding, this one involves getting your users to take a bite from the poisoned apple…

The video below demonstrates how Poisoned SEO can be used to push Fake A/V exploits…and how Invincea Browser Protection can stop those exploits in their tracks. Click here – http://zd.net/ihVOSB – to track back to the full ZDNet blog posting.

Kate Middleton Google Search Video