Living in a Hostile Cyber World
“These are the times that try men’s souls…” – Thomas Paine
You are the product manager for a new offering and you just clicked on a link that your boss sent you in an email. Your laptop seems to take longer than usual to reach the link but you are finally presented with a logon screen where you enter your credentials. You don’t realize it but you have just been phished.
Endpoints are the new perimeter and special focus needs to be placed on securing them. Poorly secured endpoints can lead to backdoors to the enterprise for hackers – especially with the prevalence of phishing attacks where malicious actors use stolen credentials to impersonate legitimate users and bypass enterprise defenses. These hackers leave behind polymorphic and metamorphic malware which pose major challenges in detection and eradication. There are other avenues for attacks that can bypass or overwhelm traditional endpoint defenses, such as difficult-to-detect reflective memory injection and BIOS attacks. These issues are prevalent across all industry verticals as, for example, the rash of retailers’ data breaches reflects the insecurity of POS endpoints and merchant back-end systems.
New trends such as BYOD and the Internet of Things (IoT) also raise questions about the ability to secure and manage these new generations of endpoints. As the number of IP endpoints explodes with the rapid adoption of mobility and IoT devices, there is an ever-increasing chance of security incidents that exploit them as well. For example, a recent HP Report (July 2014) says that 70% of the most popular IoT devices on the market contain major vulnerabilities. There are increasing numbers of wireless exploits that affect mobile users as well. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and the hackers’ ability to capture credentials at a wireless network level has long been established.
Active Cyber Defenses to the Rescue
“I have not yet begun to fight…” – John Paul Jones
The cyber defense community has not retreated from this onslaught of threats. These challenges are beginning to be addressed through a variety of multi-layer adaptive security approaches. These approaches include:
- Data-centric protection techniques including self-protecting data
- Behavioral and probability-based methods for detecting polymorphic malware
- Malware dismantling capabilities through kill chain disruption
- Built-in hardware and kernel level protections to combat Advanced Persistent Threats (APTs), such as address space and instruction set randomization techniques, stack guards, and in-line double encryption engines
- Trusted computing techniques, such as measured boot and remote attestation to lock out third-party loaders and bootkits while reliably reporting the security state of the endpoint as part of a network access control capability
- Strongly asserted device identity and device-centric authorization which can make abuse detection easier because of the server’s ability to distinguish between your multiple devices and to observe their behavior individually.
These proactive defenses can begin to address many of the critical issues at the endpoint if mixed and matched in the right way.
If You Don’t Know Your Security Context, Then You Don’t Know Security
“Give Me Context or Give Me Death…” – Patrick Henry – (Please pardon my substitution)
If you can’t grasp the context of a security situation quickly, then you are probably toast or on your way to getting burned. Active cyber defenses are all about leveraging context-aware adaptations – that is, the protections or detections can morph based on an awareness of the security state of the endpoint and / or an assessment of the threat environment to which the endpoint is exposed. For example, at a research level, there is Shield – an innovative control architecture able to assure E2E security potentially in any application, by dynamically adapting to the underlying systems and using its resources to build the security. The main highlights of this research are:
- The possibility of dynamically discovering and composing the available functionalities offered by the environment to satisfy the security needs
- The possibility of modeling and measuring the security through innovative technology-independent metrics.
Shield leverages a virtual overlay to provide this composability functionality.
From a data-centric perspective, researchers and vendors are developing autonomous security-aware objects (SAOs), which encapsulate sensitive resources and assure their protection. Access to these objects is enforced according to contextual criteria to ensure compliance with location-specific regulations and service level agreements. SAOs can either use locally pre-loaded policies or securely accept new policies from trusted authorities. Access structures are in accordance with the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) schema. CP-ABE supports the notion of attribute-based policies as criteria for encryption. The access structures are embedded as part of the encrypted content. Which user is entitled to decrypt the content, and under which context, are addressed by means of the CP-ABE boolean access structure.
One example of an SAO, being developed by a company called Azos AI, is called CogDat which stands for cognitive data capability. CogDat can sense its situation and autonomously take actions for self-protection — including self-destruction. This method embeds self-protection and intelligence inside the data itself. For example, if CogDat data detects it has been stolen, it can autonomously harvest information about its current environment and send it back to a designated authority and then self-destruct. It also offers protection to data in-use. It dynamically controls computer processes while sensitive data is exposed.
Researchers at Princeton are also developing a capability called DataSafe. DataSafe provides dynamic instantiation of secure data compartments (SDCs), with hardware monitoring of the information flows from the compartment using hardware policy tags associated with the data at runtime. Nonbypassable hardware output control prevents confidential information from being leaked out. DataSafe’s software architecture supports flexible, high-level software policies for the data, seamlessly translating these policies to efficient hardware tags at runtime. Applications need not be modified to interface to these software-hardware mechanisms. DataSafe’s architecture is designed to prevent illegitimate secondary dissemination of protected data by authorized recipients, to track and protect data derived from sensitive data, and to provide lifetime enforcement of the confidentiality policies associated with the sensitive data.
Fighting the Cyber Threat Through Kill Chain Disruption
“Sir, we are not weak, if we make a proper use of those means which the God of nature has placed in our power…” – Patrick Henry
Endpoint protections against malware are also advancing through the use of probabilistic / behavioral analysis and kill chain disruption. For example, researchers have developed a state machine that attempts to model a Markov process. The Markov process is hidden, in the sense that it cannot be directly observed. In the context of metamorphic viruses, the hidden process is trained to detect a specific metamorphic family. The training data consists of a sequence of opcodes derived from viruses, all of which were produced by a single metamorphic engine. Once the model is trained, it can be used to score an unknown file, using an extracted opcode sequence, to determine its similarity to the metamorphic family. Some malware endpoint detection and mitigation vendors are also approaching this challenge through kill chain disruption. Since an exploit is always based on a chain of techniques, blocking any technique in the chain will block the exploitation attempt entirely. By developing an agent that addresses all the exploit techniques required to execute an attack, the agent can prevent both known and unknown attacks, regardless of security patches or updates on the system. Of course, this agent needs to be updated as new exploit techniques are discovered, however, the frequency of updates needed for new exploit techniques is much lower than signature-based methods.
Use Hardware Roots of Trust To Create Adaptable Defenses
“Experience teaches us that it is much easier to prevent an enemy from posting themselves than it is to dislodge them after they have obtained possession…” – George Washington
Hardware-based protections are beginning to provide useful remedies for memory injection and rollback/replay attacks, as well as BIOS attacks, while supporting secure storage of key material, trusted path, and measured boot. Some examples of these capabilities include Intel’s Trusted Synchronization Technology (TST), Intel’s Trusted Execution Technology (TXT), Intel’s binary instrumentation tool called Pin, AMD Secure Technology, ARM TrustZone, and Global Platform, to name just a few.
At its root, memory injection is a problem because processors permit code and data to share the same memory address space. As a result, an attacker can inject his payload as data and later execute it as code using return-oriented programming (ROP) chains. Using a ROP chain to bypass operating system defenses is commonplace and detecting this technique while executing is still difficult. In addition, it has come to light that state actors install implants in the BIOS. However, in practice attackers can install such implants without ever having physical access to the box. Exploits against the BIOS can allow an attacker to inject arbitrary code into the platform firmware. To protect against these sophisticated memory and BIOS exploits, you need to be able to validate all new processes, even those initiated by approved running applications.
Modern CPUs support the detection and resolution of memory conflicts between multiple threads that access the same data: This is called the Transactional Synchronization Extension (TSX) in modern Intel CPUs. Hardware-supported TSX can also be used for security. A special security thread reads protected RAM cells (data or code) in TSX mode; any other (potentially malicious) thread writing to the same cells will cause the CPU to abort the transaction. Changes to memory can also be rolled back. Detecting memory changes with TSX, but without the rollback capability, could also be highly useful for kernel and hypervisor self-protection (such as Microsoft PatchGuard).
The Intel TXT is designed to combat BIOS threats. TXT is a set of extensions designed to provide a measured and controlled launch of system software that will then establish a protected environment for itself and any additional software that it may execute. TXT helps to create a Measured Launch Environment (MLE) by taking a cryptographic hash of each process that is launched. One measurement is made when the platform boots, using techniques defined by the Trusted Computing Group (TCG). The TCG defines a Root of Trust for Measurement (RTM) that executes on each platform reset; it creates a chain of trust from reset to the measured environment. Maintaining a chain of trust for a length of time may be challenging for an MLE because an MLE may operate in an environment that is constantly exposed to unknown software entities. To address this issue, the enhanced platform provides another RTM with Intel TXT instructions called a Dynamic Root of Trust for Measurement (DRTM). The advantage of a DRTM is that the launch of the measured environment can occur at any time without resorting to a platform reset.
TST and TXT therefore provide a hardware foundation that assures not only that unauthorized / unwanted applications cannot launch or execute, but also that trusted applications are not modified when launched or while running in memory to compromise the endpoint.
Active Cyber Defenses for Hard-To-Protect Endpoints
“I intend to go in harm’s way…” – John Paul Jones
The concept of having a dedicated microprocessor, with embedded IP to handle the security function at the hardware level is becoming more and more appealing because many, if not most, of future generation IoT devices will function autonomously, therby being left to its own devices to protect itself. Having one chip that integrates the job of both security guard and controller could be just what the doctor ordered. I remember one example of such a processor that appeared on the market several years ago from IBM called SecureBlue. SecureBlue was a type of crypto processor referred to as a double encryption device. The IBM rendition offered the ability to protect both the running programs and the data by encrypting both the data and address locations. It put encryptors and decryptors between the processing elements, data storage, and I/O subsystems. All information was decrypted within the secure blocks of the processor and then encrypted before it was stored in memory or sent to an I/O operation. It also had tamper-resistance key storage so the keys could zero-ize and become virtually invisible to the outside world. It also contained both secure and unsecure I/O channels. The unsecure channels are used for routine I/O operations and maintenance while the secure channels are used for transaction and sensitive data routing. SecureBlue required a few circuits to be added to a microprocessor, taking up a small percentage of the overall silicon real estate, according to IBM. The encryption and decryption happened on-the-fly, without any processor overhead. Although SecureBlue would probably be best suited for use as a cockpit controller for a fighter jet, or at the heart of game console to keep cloners at bay, it generally would be considered overkill for many IoT devices. However, maybe that ultra secure game console could also be used as the hub for my smarthome? Just a thought.
I hope this article got you thinking that it is important to look under the covers of your endpoints and see what hardware protections are offered. Taking advantage of these protections can give you a firm foundation to create more adaptable defenses for your most at-risk elements of your enterprise – your endpoints and your users. Thanks for reading and keep adapting.