Hacking Team, Ransomware, and Virtualization-Enhanced Security
By Clinton Karr, Sr. Security Strategist, Bromium
The largest organizations in the world face thousands of attacks a day across multiple attack vectors, all aimed at breaching sensitive and valuable data. Many of these attacks begin on the endpoint, through phishing emails, watering hole attacks, drive-by downloads and zero-day attacks. However, even the most ordinary organizations still need to worry about these same endpoint attacks, because cyber criminals are indiscriminate. Two of the most recent and most urgent security threats are malvertising and ransomware.
Malvertising is highly effective because cyber criminals can target their attacks to specific demographics and deliver them in tremendous volume. The online advertising model is such that ad networks simply cannot verify the validity of each and every advertisement they serve, which ultimately passes the cost of security onto security teams.
Ransomware is a highly pernicious attack; the initial compromise may occur through any number of exploits, but the end result is the encryption of the files on a system. The attackers then demand payment for the key to decrypt the locked files. Depending on the value of the encrypted data, organizations may feel compelled to pay the ransom, but making a payment only encourages these attacks to continue, and it carries no guarantee that a working key will actually be delivered.
In order to prevent malvertisements, ransomware and other endpoint attacks, organizations should deploy strong endpoint protection. Most traditional endpoint protection solutions are failing because they rely on detection, which allows many attacks to succeed. Instead, organizations should investigate proactive protection, such as endpoint threat isolation or virtualization-enhanced security. Additionally, ad-blocking browser extensions can be a highly effective way of mitigating malvertising attacks. Ransomware is much more difficult to mitigate, but frequent backups of valuable data, kept offline or otherwise out of reach of the infected endpoint so that they are not encrypted along with it, make remediation much easier.
Vulnerable software remains one of the greatest threats that organizations must face, and the problem is compounded by the naivety of the end user. Vulnerable software can be patched, but the end user cannot. Unfortunately, many security teams are unable to patch vulnerable software as quickly as they would like because of cross-functional politics with operations teams that are tasked with uptime. For example, a recent Bromium survey conducted at Black Hat determined that 90 percent of security professionals believe that disabling Flash would make their organization more secure, yet 41 percent believe that disabling Flash would break critical applications.
This illustrates the natural tension between security teams and operations, which is why one in five organizations take more than a month to deploy patches. When an organization takes a month to deploy patches but cyber criminals build exploits on the first day, that organization is left very vulnerable. The exposure of unpatched endpoint systems is exacerbated by end users with a propensity to click on anything. Cyber criminals may not even need to rely on zero-day attacks if an unaware user on an unpatched machine visits a malicious website or opens a malicious attachment.
It may seem mundane, but the biggest threats are also the most common. Cyber criminals will continue to attack the endpoint because organizations are slow to patch vulnerable software and end user behaviour is unpredictable. Traditional endpoint protection systems will fail to prevent these threats because they rely on detection. The best way to prevent these attacks is through proactive protection, such as threat isolation or virtualization-based security, which can allow a user to click on anything, even on an unpatched endpoint, without compromising the host.
One of the biggest stories of 2015 was the Hacking Team breach, which exposed the market for offensive malware and exploit kits. An analysis of one Hacking Team exploit kit revealed the very sophisticated capabilities of its remote access Trojan (RAT), which could surreptitiously record Skype calls, steal session cookies and even log keystrokes.
These Hacking Team revelations also exposed one of many Flash zero-days in 2015, which resulted in Mozilla temporarily blocking Flash in the Firefox browser until a patched version was available. Flash has become so problematic (in part because it is so ubiquitous) that Amazon and Google have decided to intelligently pause or disable some Flash advertisements, while Facebook has called for (but not yet implemented) an outright block of all Flash.
The Hacking Team story of 2015 warns us of weaponized malware; it makes real the dark underbelly of information security. There are malicious actors in this world that create and disseminate the tools to penetrate security solutions, a trend that will certainly continue until software becomes less vulnerable, organizations shift to more proactive protection, or both.
Many organizations are quite serious about cyber security and this is not a new trend. Cyber security spending has been increasing year over year for more than a decade. New solutions are constantly being introduced to the market, yet new attacks are constantly developed to circumvent them. However, there certainly is inertia with many organizations that continue to invest in traditional security solutions. This is the psychology of insecurity: no one ever gets fired for investing in traditional solutions, that is, until they get breached.
Unfortunately, there is a fatalistic mantra within the security industry that "you will be breached" or "you have already been compromised," which is ultimately a self-fulfilling and self-defeating prophecy. Security vendors are trading on fear, uncertainty and doubt (FUD) to sell yet another solution that will fail to prevent an attack, only detecting it after it succeeds.
The greatest roadblock to change is the fear of change itself. There are solutions that have shifted the security paradigm from detect and respond to prevent and protect. Many organizations are already beginning to migrate to these solutions. As these organizations see success with them, more and more organizations will follow their lead. In 2016, we will likely see the status quo continue to prevail (unfortunately), but more organizations will begin to make the change to a new approach to security (fortunately!).
The emergence of endpoint threat isolation has been a breakthrough for information security. Virtualization-based security makes it possible to segregate sensitive system files from unknown and untrusted web sites, documents and processes. Earlier this year, Microsoft and Bromium announced a partnership to deliver the world's most secure endpoint by enhancing the virtualization-based security of Windows 10, which Microsoft is adopting as a fundamental security technology. Expect to see more widespread deployments of virtualization-based security to enable endpoint threat isolation in 2016.
The beauty of virtualization-based security is that information security teams can still protect vulnerable systems that are out of their control. Once an endpoint is protected with a threat isolation solution that is enabled by virtualization-based security, it does not matter if a system is unpatched or vulnerable, because user processes, Web sites and documents are quite literally separated from the host system, with the boundary enforced by the CPU's hardware virtualization support rather than by the operating system that an exploit targets. By using virtualization, potential threats run in parallel to the host and cannot reach across that boundary to compromise the system. The one caveat is that the hypervisor enforcing the isolation becomes the critical trust boundary: it is a far smaller attack surface than a full operating system, but it must itself be kept patched, because a flaw in it is what an attacker would need in order to escape. With that in place, virtualization-based security allows any user to click on anything on any network without compromising the host.