Every software application has vulnerabilities. Many are addressed immediately, but some are unknown even to the developers themselves. Cyber criminals, however, are incentivized to discover these vulnerabilities and exploit them. In fact, it’s a growing business: according to the Symantec Internet Security Threat Report, zero-day vulnerabilities grew 125% in 2015.
Source: Symantec Internet Threat Report April 2016
If you thought the most common and most widely used applications were the least likely to have vulnerabilities, you’d be wrong. Common operating systems, end-user browsers, and enterprise applications are all at risk, which means every layer of the software stack in your organization. In the recent past we’ve seen vendors release patches for 200 or 300 vulnerabilities in their software suites, many remotely exploitable and of the highest severity, and a common operating system that had a 20-year-old vulnerability sitting in plain sight.
From an attacker’s standpoint, exploiting a browser vulnerability means they have a large foot in the door of an organization. Gaining access through the operating system means they can infect one machine and use it as a pivot to infect other machines, moving laterally within the organization. And finally, by compromising an enterprise application there is the possibility of gaining access to mission-critical information, an ERP system, or customer data.
What’s really scary is the rapid weaponization of zero-day vulnerabilities. From the Symantec Internet Security Threat Report we know that within hours exploits go from being disclosed underground to being available in very sophisticated exploit kits. For example, the Angler exploit kit, which has launched hundreds of thousands of attacks, provides exploits that are able to download and execute malware from memory without writing any files to disk, avoiding detection by many traditional protection methods and by next-gen methods that rely on files. In the not-too-distant past, these exploits would show up in a localized fashion. Today, they are very quickly rolled out at scale around the world.
Criminals know that even after an exploit has launched, it can take weeks for a vendor to release a patch, and then it could be months before you can update your endpoints. That’s a large window of opportunity to continue to exploit the vulnerability, steal your sensitive data, and disrupt your organization.
You may be asking yourself about now: what’s the best way to handle these types of exploits? Memory exploits cannot be blocked by signatures or identified by machine learning, the new silver bullet of endpoint protection. What’s needed is a distinct technology: exploit prevention. In Symantec Endpoint Protection (SEP), exploit prevention is called Memory Exploit Mitigation. It is signature-less; instead it uses an understanding of exploit behavior to pre-emptively block zero-day exploits. Once installed, it protects your endpoints from memory exploits regardless of the behavior or technique used to exploit the flaw, bug, or vulnerability.
Let’s take a look at a couple of different types of behaviors:
Heap spray, for example, fills the memory of an application with a specific pattern. This pattern not only induces the application to return control to the malware-controlled memory, but can also be executed. Symantec mitigates a heap spray by identifying the locations in memory these patterns point to, then inserting code to generate an exception and return control to our endpoint protection product.
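The heuristic behind the heap spray description above, as an added illustration that is not Symantec’s code and not part of the original post: scan a process memory image page by page, flag pages that are almost entirely one repeated 4-byte value, merge adjacent flagged pages into regions, and then check whether a control-flow target (a faulting instruction pointer, for instance) lands inside one of those regions. The memory image, its base address and the spray pattern are all constructed sample data; a real product would read the pages from the live process rather than from a byte string.

```python
import random
from collections import Counter

BLOCK = 4096                      # scan granularity: one page
IMAGE_BASE = 0x0C000000           # assumed load address of the sample dump (constructed)
# Fill values that legitimately cover whole pages and must not be reported as a spray.
BENIGN_FILLERS = {b"\x00\x00\x00\x00", b"\xff\xff\xff\xff"}


def dominant_dword(block):
    """Most common 4-byte value in a block and the fraction of the block it covers."""
    words = [block[i:i + 4] for i in range(0, len(block) - 3, 4)]
    if not words:
        return None, 0.0
    value, count = Counter(words).most_common(1)[0]
    return value, count / len(words)


def find_spray_regions(image, base=IMAGE_BASE, block=BLOCK,
                       threshold=0.9, min_blocks=4):
    """Return (start, end, pattern) address ranges that look heap-sprayed.

    A page counts as sprayed when one dword covers at least `threshold` of it
    and is not a known benign filler. Adjacent sprayed pages with the same
    dword are merged, and only runs of `min_blocks` pages or more are reported,
    so a single odd page does not raise an alert.
    """
    regions = []
    run = None  # [start_offset, end_offset, pattern] of the run being built

    def flush():
        if run and (run[1] - run[0]) // block >= min_blocks:
            regions.append((base + run[0], base + run[1], run[2]))

    for off in range(0, len(image), block):
        value, share = dominant_dword(image[off:off + block])
        sprayed = (value is not None and share >= threshold
                   and value not in BENIGN_FILLERS)
        if sprayed and run and run[2] == value and run[1] == off:
            run[1] = off + block          # extend the current run
            continue
        flush()
        run = [off, off + block, value] if sprayed else None
    flush()
    return regions


def points_into_spray(address, regions):
    """True if a control-flow target (e.g. a faulting EIP/RIP) lands in a sprayed range."""
    return any(start <= address < end for start, end, _ in regions)


def build_sample_image(seed=7):
    """Constructed heap image: random data, a 1 MiB 0x0c0c0c0c spray, zero pages, random data."""
    rnd = random.Random(seed)

    def noise(pages):
        return bytes(rnd.getrandbits(8) for _ in range(pages * BLOCK))

    return (noise(8)
            + b"\x0c\x0c\x0c\x0c" * (256 * BLOCK // 4)
            + b"\x00" * (16 * BLOCK)
            + noise(8))


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    found = find_spray_regions(SAMPLE_IMAGE)
    for start, end, pattern in found:
        print(f"spray {pattern.hex()} at {start:#x}-{end:#x} ({(end - start) // 1024} KiB)")
    print("0x0c0c0c0c points into spray:", points_into_spray(0x0C0C0C0C, found))
```

On the sample image the scanner reports one region covering the 1 MiB of repeated 0x0c0c0c0c and ignores the zero-filled pages; the classic spray address 0x0c0c0c0c falls inside that region, which is the condition under which a mitigation of the kind described above would intervene before the pattern is executed.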
Java exploits work using logic flaws. The malware causes the interpreter to mistake one call for another, which can provide the opportunity to disable the Security Manager; after that the attacker can do anything the user would normally do on the machine. In this case the best mitigation is to make sure the Security Manager cannot be turned off.
As you can see, each exploit is unique and requires a well-thought-out strategy to mitigate it. It should be noted that a behavior can be addressed using different strategies, and some are more effective than others.
Exploit prevention is targeted at a very specific use, but plays an important role in providing comprehensive next-generation endpoint protection as part of a layered solution.
It complements other technologies such as intrusion prevention systems, antimalware, and reputation analysis, which protect against high-volume attacks by monitoring network packets, signatures, and reputation.
It is essential even if you have Application Control that allows you to define a whitelist of applications. As we have discussed, it is many of these “legitimate” applications that contain vulnerabilities.
It can provide protection that other next-gen technologies cannot, because they rely on a file being written to disk or executed in order to identify a threat. Always ensure your endpoint protection solution has both machine learning and exploit prevention.
It protects you regardless of how the attack originates (e.g. malvertisement, an infected file from a USB stick, etc.).
Once available on your device, exploit prevention will mitigate memory attacks wherever you roam. Don’t leave home without it.
Find out more about Symantec Endpoint Protection here