"In the end if white listing replaced anti-virus then attackers would simply raise the bar and make sure that their vulnerability exploits did not simply download and directly execute executable code. They would do behaviors in memory to simply defeat and bypass white listing technology."

This is the point I've been trying (with mixed success) to make. My suggestion has been to also add blacklisting to look for malicious signatures within the pdf, jpg, etc. It seems to me that any given application vulnerability will be exploitable through a relatively easy to identify signature. Obviously, the payload could be any number of things, but the actual exploitation should be much easier to identify than the plethora of AV signatures that continually mutate. One could further reduce the number of signatures to keep on hand by only looking for exploits in recent versions of applications.

From: Marc Maiffret [mailto:[email protected]]
Sent: Wednesday, November 16, 2011 11:01 PM
To: NT System Admin Issues
Subject: RE: Whitelisting Pros & Cons?

Thoughts on AV, white listing, and endpoint security futures... and yes, in my classic terrible grammar, stream of consciousness style of writing... sorry NTSYSADMIN'ers! :)

Anti-virus does an amazing job for what it was originally created for: the prevention of known bad files. The problem is that most malware these days is highly dynamic, and as such we are increasingly living in a world of unknown malware, and AV was not made to prevent unknown malware. Anti-virus vendors are trying to Band-Aid their signature problem by having new systems that hopefully generate signatures faster. This is all the stuff the AV companies advertise around their cloud information sharing systems, etc. AV still requires some level of companies to be compromised to know there is a new piece of malware that needs a signature. The "cloud stuff" (I forget everyone's marketing terms) helps to make it so that AV can create a signature, but hopefully with fewer companies compromised and in a shorter amount of time.

White listing can help prevent unknown malware because it can prevent unknown executable code from executing. This is of course not without time to manage, configure, and make sure all your legitimate apps at first deployment, and over the course of time, are properly white listed. But we will skip the management aspect for now and focus on what works prevention-wise and what the limitations are.

Stepping back from a solution perspective, let's look at the problem: systems being compromised and infected with malware. The majority of malware infections happen in one of two ways:

1. User exploitation - The user simply runs a piece of malicious code (web/usb/email/etc.) and no exploit is involved, only trickery.
2. Vulnerability exploitation - The user is either targeted or, through normal web browsing, is infected with malware via an exploit leveraging an unknown or unpatched software vulnerability.

User Exploitation - This is a very common reason that malware ends up on systems. Think of all of the times you have had to clean up systems with fake anti-virus type software, etc. This is an area where anti-virus is simply failing, because when the malware is delivered to one of your users it is being handed off by a server that is doing automated morphing of the executable in a way as to evade anti-virus signatures. I.e. the malicious executable has the exact same behavior on every system, but the signature of that executable is different for every system it is delivered to. White listing is very helpful in preventing this type of malware because essentially it is a user running an unknown program, and by virtue of white listing you're blocking all unknown programs. This is why you will hear people talk about having installed these solutions and their level of malware has simply gone down.

Vulnerability Exploitation - The other way systems are compromised is not by users just clicking on things but by attackers actively leveraging unknown or unpatched software vulnerabilities. In this case what ends up happening is a user will receive something like a PDF document via email, or will be served malicious javascript/html/etc. via a website, and in either case there will be an exploit that leverages a vulnerability within some software you have installed on the system. When the exploit takes place it will start to leverage a software vulnerability, typically to run malicious code within the memory space of the vulnerable software. I.e. a user is browsing a website, embedded javascript spawns a window with an Adobe PDF file, the PDF file automatically loads, exploit code leverages a vulnerability within the PDF, exploit code starts running malicious "shellcode" within that Adobe program, and that exploit shellcode then delivers its payload. The payload is typically the exploit downloading a malicious executable from another website and then running that malicious executable, which then Trojans a system, etc. The problem is that the exploit code does not have to download another executable; rather it could keep performing malicious operations within the vulnerable application (Adobe), and since no new executable code is created, the whitelisting security software does not come into play. The point being that white listing is helpful against a lot of today's vulnerability exploitation because the payload delivered by most vulnerability exploits is to download an unknown executable and run it, which white listing will obviously stop. In the end if white listing replaced anti-virus then attackers would simply raise the bar and make sure that their vulnerability exploits did not simply download and directly execute executable code. They would do behaviors in memory to simply defeat and bypass white listing technology. Vulnerability/exploit prevention is critical and is always missed in discussions because everyone gets caught up in chasing the symptom (malware) and not the cause (vulnerability).

In essence you should have a combination of signatures, application control, and vulnerability/exploit prevention to make sure you are properly protecting from user exploitation and vulnerability exploitation. I know some of you have heard me preach the importance of vulnerability/exploit prevention before, as that is something we do in our Blink product line and something Cisco Security Agent used to do also. It really does take a combination of things to be successful, and anyone trying to sell the idea that you only need signatures or only need white listing is simply selling you smoke and mirrors.

-Marc

BTW, if you want to run a scan of your environment to understand how many vulnerabilities you have that have existing exploits (attack tools) for them, you should check out our free community edition of Retina CS (eEye's vulnerability management platform). Retina CS has mapping of vulnerabilities to exploits for Metasploit, Core Impact, and in-the-wild exploits that myself and my research team track. And more than just knowing where you are vulnerable, it also includes free third party application patching for things like Microsoft, Adobe and Mozilla. This is all free for up to 128 assets. http://go.eeye.com/LP=68

Signed,
Marc Maiffret
Founder/CTO
eEye Digital Security
TWITTER: http://www.twitter.com/marcmaiffret
BLOG: http://blog.eeye.com
WEB: http://www.eEye.com

From: Stu Sjouwerman [mailto:[email protected]]
Sent: Monday, November 14, 2011 8:15 AM
To: NT System Admin Issues
Subject: Whitelisting Pros & Cons?

Guys, I am writing an article for WServerNews, and would like your public input. What is your experience with Whitelisting, which products you tried/use, and what experience you are having with this? Likes and hates are all welcome!!

Warm regards,

Stu

~ Finally, powerful endpoint security that ISN'T a resource hog!
~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>
~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
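The reply at the top of the thread proposes blacklisting exploit signatures inside documents such as PDFs rather than relying only on executable allowlisting. As an added example that is not part of the thread (not Marc's, Stu's, or eEye's code), the following Python sketches that idea as a defender's document-triage check: it counts a constructed list of PDF action names and inflates FlateDecode streams first, so a name hidden in a compressed object is still found. The sample PDF is constructed and benign, and the indicator list is an assumed policy, not a claim about any real exploit.

```python
import re
import zlib

# Constructed indicator list: standard PDF object names a defender might flag
# during triage. Flagging them is the scanning policy, not an exploit signature.
INDICATORS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action run on open",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launch external program",
    b"/EmbeddedFile": "embedded file",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def inflate_streams(data: bytes) -> bytes:
    """Replace FlateDecode stream bodies with their inflated content so names
    hidden inside compressed objects become visible to the keyword scan."""
    def repl(m):
        try:
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            return m.group(0)  # not zlib data: leave the stream untouched
        return b"stream\n" + body + b"\nendstream"
    return STREAM_RE.sub(repl, data)

def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Count each indicator as a whole token (so /JS does not match /JSX)."""
    text = inflate_streams(data) if inflate else data
    hits = {}
    for name, desc in INDICATORS.items():
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            hits[desc] = n
    return hits

def build_sample(compressed: bool) -> bytes:
    """Toy PDF (constructed, not a real document or exploit): the catalog's
    /OpenAction points at a JavaScript action, optionally stored FlateDecode-
    compressed so the action is invisible to a naive string search."""
    action = b"<< /S /JavaScript /JS (app.alert(1)) >>"
    body = zlib.compress(action) if compressed else action
    filt = b" /Filter /FlateDecode" if compressed else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Running `scan_pdf(build_sample(True), inflate=False)` shows only the /OpenAction hit, while the inflated scan also surfaces the JavaScript action; a scanner that skips decompression misses exactly the case the reply wants to catch.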
