Application Whitelisting and Active Analysis
Nick Levay, Chief Security Officer, Bit9

About Me
- Chief Security Officer @ Bit9
- Former Director of Technical Operations and Information Security @ Center for American Progress
- Former Director of Global Systems and Tools @ NASDAQ:IAWK
- Practicing professionally since 1997
- Certified Information Systems Security Professional
- Educational background in Communications
- Areas of focus: Information Warfare, Cyber Counterintelligence, Security Operations, Development Operations, Social Media / Social Network Analysis
- Locations: NJ, TN, Silicon Valley, Asia, DC, MA (frequent movement between these locations)
the assumption of breach the inevitability of compromise
"In 2020, enterprises will be in a state of continuous compromise." -- Gartner (more like 2010)

Rethink Your Security Strategy
- Prevention is no longer enough
- Invest in detection and response
- Consider your technologies
- Move from reactive to proactive
- Security is not a solution, it is a process
The attacker has the advantage. The attacker does not have the advantage, unless we cede it to them.
Enterprise Network as a Battlespace
Situational awareness enables real-time, accurate decisions in tactical situations. Most enterprises have no internal or endpoint situational awareness.
prepare the battlefield win the battle
Prepare for breach. Avoid forensics & expensive consultants.
Defense-in-depth / Layered Controls
- Network security controls: firewalls, DPI, IDS/IPS, DLP, email/web scanning, detonation
- Service security controls: authentication, permissions, naming lookup, lots of logging
- Endpoint security controls: anti-virus, application control, endpoint threat detection and response
If you are depending on one control to stop an attack, you are doing it wrong.

The Attacker's Process & Enterprise Capabilities
- The often misunderstood meaning of empathy
- The Cyber Kill Chain model, developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin
- Useful for: breaking down the stages of an attacker's process; formulating a strategy for deploying security controls; facilitating iterative intelligence gathering; effective intelligence use
- Kill chain stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoI
- Courses of action at each stage: DETECT, DENY, DISRUPT, DEGRADE, DECEIVE

The Endpoint in the Kill Chain
Preventing Exploitation
- Patching matters! (Most basic way to minimize threat surface)
- Enforce ASLR/DEP (Microsoft EMET)
- Inter-process memory controls
- Unfortunately, there's little you can do at this stage
Preventing Installation (dropping of binaries, touching other processes, et cetera)
- Blacklist approaches: Default-Allow
- Sandbox approaches: Default-Allow + Deny-over-there
- Trust based approaches: Default-Deny (Application Whitelisting)
- Hybrid approaches: Detonate-and-Deny, Detect-and-Deny

The Endpoint in Focus: Prevention, Default-Allow Blacklisting
- Blocking known bad
- Traditional AV, based on signatures
- Ineffective for anything other than nuisance threats
- Local blacklists are still tactically useful
Opportunistic vs Advanced Attacks (chart slides; only the labels survive extraction)
- Both panels plot hosts compromised (10 to 100k, log scale) against time (week 1 to week 7), with a threshold of detection marked
- Opportunistic attacks: goal is to maximize slope
- Advanced attacks: goal is to minimize slope
The Endpoint in Focus: Prevention, Default-Deny Whitelisting (Trust Based, Known Good)
- Most effective protection
- Easy on servers and fixed function systems
- Can be challenging on dynamic endpoints
- Good application governance is key to successful implementation
- Still not a silver bullet

The Endpoint in Focus: Prevention, Sandboxes
- Mitigation of application compromise, not system protection
- Application specific sandboxes (e.g. Java, Chrome)
- Virtualization based EPP solutions
- Covers only a limited portion of the threat surface
- Can't prevent/detect lateral movement

Challenges stopping attacks at Delivery
- Network detonation solutions are often not in-line
- The Known Bad point comes after delivery, so the control becomes detection only
- Network assets often are not the first place a bad file is seen:
  - Encrypted (no SSL MITM inspection)
  - In a container (password protected zip/rar)
  - Removable media (USB stick, DVD/CDs, et cetera)

Actionable intelligence passing
- Incoming files on the network: detonate files for analysis, transfer alerts
- Endpoint and server files: submit files automatically, submit files on-demand
- Automatic analysis of all suspicious files; on-demand analysis of suspicious files
- Correlate endpoint/server and network data
- Prioritize network alerts
- Investigate the scope of the threat
- Remediate endpoints and servers

Threat Intelligence: Leveraging Indicators to Facilitate Detection
- IP addresses
- Hostnames
- File hashes
- Et cetera

Threat Intelligence: Leveraging Intelligence to Determine Trust
- Software Reputation Service (SRS)
- Reputation levels for files
- Thresholds can drive approvals (e.g. Firefox == 10, Keylogger == 0)

Complete Forensic Record of Endpoint Activity
- All file modifications
- All registry modifications
- All file executions
- All network connections
- Copy of every executed binary
All the information you need to respond
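As an added example (not Bit9's code and not the SRS API), here is a default-deny policy in which a reputation threshold drives approvals, on the slide's scale of Firefox == 10 and Keylogger == 0. The score table, the auto-approve threshold of 8, the local-approval list and the sample binaries are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Added example: a default-deny application-control decision driven by a
# reputation score. The score table, threshold and sample files below are
# constructed; they are not real reputation data.


def sha256_hex(data: bytes) -> str:
    """Identify a binary by content hash, as a whitelist does, not by path or name."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries standing in for files on disk.
SAMPLE_FILES = {
    "firefox.exe": b"constructed firefox bytes",
    "keylogger.exe": b"constructed keylogger bytes",
    "internal-tool.exe": b"constructed internal tool bytes",
    "never-seen.exe": b"constructed unknown bytes",
}

# Constructed reputation table keyed by SHA-256: 0 = known bad, 10 = widely trusted.
REPUTATION = {
    sha256_hex(SAMPLE_FILES["firefox.exe"]): 10,
    sha256_hex(SAMPLE_FILES["keylogger.exe"]): 0,
    sha256_hex(SAMPLE_FILES["internal-tool.exe"]): 4,  # home-grown, little external reputation
}


@dataclass(frozen=True)
class Verdict:
    action: str  # "allow" or "block"
    reason: str


class DefaultDenyPolicy:
    """Allow only locally approved hashes or hashes whose reputation clears the threshold."""

    def __init__(self, reputation, auto_approve_threshold=8, local_approvals=()):
        self.reputation = reputation
        self.threshold = auto_approve_threshold
        # Hashes an administrator approved directly (application governance).
        self.approved = set(local_approvals)

    def evaluate(self, file_hash: str) -> Verdict:
        if file_hash in self.approved:
            return Verdict("allow", "locally approved")
        score = self.reputation.get(file_hash)
        if score is None:
            # Default-deny: a file nobody has vouched for does not run.
            return Verdict("block", "unknown file, no reputation")
        if score >= self.threshold:
            # The threshold drives the approval; cache it so later executions are cheap.
            self.approved.add(file_hash)
            return Verdict("allow", f"reputation {score} >= {self.threshold}")
        return Verdict("block", f"reputation {score} < {self.threshold}")


def evaluate_samples(policy=None):
    """Run every constructed sample through a policy and return name -> action."""
    policy = policy or DefaultDenyPolicy(REPUTATION)
    return {name: policy.evaluate(sha256_hex(data)).action for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:18} {action}")
```

Note the two ways a file gets to run: an explicit local approval, or a reputation above the threshold. A home-grown tool with a low external reputation is blocked until someone approves it locally, which is exactly the governance burden the whitelisting slide warns about on dynamic endpoints.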
Telemetry and detection focus (chart slides; only the axis labels survive extraction): detection focus ranges from seconds to minutes at one end to weeks to years at the other.
Establishing a Continuous Security Process
Attacks happen on the endpoint
Visibility: know what's running on every computer right now
- How can you protect your assets if you don't know what's running on them?
- Traditional security tools provide no visibility
- Visibility needs to be live, not poll or scan-based

Establishing a Continuous Security Process
Visibility: know what's running on every computer right now
Prevent: stop threats with proactive, customizable prevention
- Reducing your attack surface
- Symantec saw 240 million unique threats in 2009; we've crossed the billion mark cumulatively
- Apply trust-based policies to allow only known good software to run

Establishing a Continuous Security Process
Visibility: know what's running on every computer right now
Prevent: stop threats with proactive, customizable prevention
Detect: detect threats in real-time without signatures
- See and record everything
- You can't always know what's bad ahead of time
- Apply advanced indicators to detect unknown threats in real-time

Establishing a Continuous Security Process
Visibility: know what's running on every computer right now
Prevent: stop threats with proactive, customizable prevention
Detect: detect threats in real-time without signatures
Respond: see the full evolution of a threat; contain and control
- Traditional incident response is expensive and time consuming
- With historical recording, you can identify scope and impact in minutes, not weeks
- Use that information to contain, remediate and further reduce attack surface

Endpoint and Server Telemetry/Control
Monitor & Record:
- File executions
- File modifications
- Registry modifications
- Network connections
Retain:
- Telemetry from periods when the system is offline
- Copies of all executed binaries
Control:
- File executions
- Inter-process memory access
- Registry modifications

Conclusions
- Compromise is inevitable; you must plan for response
- Proactive defense starts with visibility: you've got to collect telemetry from EVERYTHING
- You can leverage the home-field advantage against adversaries
- Defense tactics are changing: shift from Default-Allow to Default-Deny
- Not all assets are protected the same way
- Your endpoints and network must work together
- There are no silver bullets
THERE ARE TWO THINGS YOU NEED TO DO:
- Decrease your threat surface
- Increase your response capabilities
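Added example covering the Detect and Respond slides and the telemetry list above: a toy in-memory record of the four event classes (executions, file modifications, registry modifications, network connections), queried the way a responder would use it. It is not the product's data model; the hosts, paths, hashes and addresses are constructed, and process identity is simplified to (host, pid) with no handling of pid reuse.

```python
from dataclasses import dataclass

# Added example: "see and record everything", then answer detection and
# scope questions from the record. All events below are constructed sample
# telemetry from hypothetical hosts ws01, ws02 and ws03.


@dataclass(frozen=True)
class Event:
    ts: int        # constructed timestamp, seconds
    host: str
    pid: int
    kind: str      # "exec", "filemod", "regmod" or "netconn"
    detail: str    # image path, modified path, registry key or remote address
    sha256: str = ""  # content hash of the executed image, only for "exec"


# Constructed known-good set; in a whitelisting deployment this is the approved list.
KNOWN_GOOD = {"hash-explorer", "hash-winword"}

EVENTS = [
    Event(100, "ws01", 400, "exec", r"C:\Windows\explorer.exe", "hash-explorer"),
    Event(110, "ws01", 512, "exec", r"C:\Program Files\Microsoft Office\winword.exe", "hash-winword"),
    Event(120, "ws01", 612, "exec", r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "hash-dropper"),
    Event(121, "ws01", 612, "filemod", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    Event(122, "ws01", 612, "regmod", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(125, "ws01", 612, "netconn", "198.51.100.7:443"),
    Event(200, "ws02", 300, "exec", r"C:\Windows\explorer.exe", "hash-explorer"),
    Event(210, "ws02", 777, "exec", r"C:\Users\bob\Downloads\invoice.exe", "hash-dropper"),
    Event(215, "ws02", 777, "netconn", "198.51.100.7:443"),
    Event(300, "ws03", 310, "exec", r"C:\Windows\explorer.exe", "hash-explorer"),
]


def unknown_executions(events, known_good):
    """Detect without signatures: every execution of a hash outside the known-good set is a lead."""
    return [e for e in events if e.kind == "exec" and e.sha256 not in known_good]


def first_seen(events, sha256):
    """When and where a hash first executed; the network is often not the first place a file is seen."""
    hits = [e for e in events if e.kind == "exec" and e.sha256 == sha256]
    if not hits:
        return None
    earliest = min(hits, key=lambda e: e.ts)
    return earliest.ts, earliest.host


def scope(events, sha256):
    """Responder's question: which hosts ran this binary, and what did each process do afterwards?"""
    hits = [e for e in events if e.kind == "exec" and e.sha256 == sha256]
    processes = {(e.host, e.pid) for e in hits}
    follow_on = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "exec" and (e.host, e.pid) in processes:
            follow_on.setdefault(e.host, []).append((e.kind, e.detail))
    return sorted({h for h, _ in processes}), follow_on


def run_key_persistence(events):
    """Behavioural indicator: a process that wrote a file and then a Run key, regardless of its hash."""
    wrote_file = {(e.host, e.pid) for e in events if e.kind == "filemod"}
    return sorted(
        {(e.host, e.pid) for e in events
         if e.kind == "regmod" and r"\CurrentVersion\Run\\".rstrip("\\") in e.detail
         and (e.host, e.pid) in wrote_file}
    )


if __name__ == "__main__":
    for e in unknown_executions(EVENTS, KNOWN_GOOD):
        print(f"unknown execution on {e.host}: {e.detail} ({e.sha256})")
    hosts, activity = scope(EVENTS, "hash-dropper")
    print("scope:", hosts, "first seen:", first_seen(EVENTS, "hash-dropper"))
    for host, acts in activity.items():
        print(host, acts)
    print("run-key persistence:", run_key_persistence(EVENTS))
```

The record answers the scope question in one pass over stored events rather than by imaging each suspect machine: two hosts executed the dropper, one of them also wrote a file and a Run key, and both connected to the same address. The Run-key indicator fires on behaviour, so it would catch a dropper whose hash nobody has seen before.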
Discussion All questions welcome Share experiences Keep it short & leave room for others
Thank You!