
Defeating the APT with Isolation


Presentation Transcript


  1. Defeating the APT with Isolation One Ring to Rule them All Matt Bianco, CISSP, EnCE, CCNA, CCNA Security SE - Great Lakes

  2. What’s going on? Users WILL click on that link No matter how much you train them not to! Two fundamental issues

  3. Problem #1: The Attack Surface On average, 1 vulnerability is found in every 1,000 lines of software code* Consists of all software running on a system that could be exploited by an attacker Today’s average corporate computer contains more than 50,000 software vulnerabilities Typical modern systems have more than 50 million lines of software code * TechRepublic magazine Feb 2, 2010

  4. 4

  5. Isolate the User Detection

  6. Security has been based on detection • Existing security solutions today rely on detection • A threat must be detected before it can be blocked (black list) • A program or document must be deemed benign (white list)

  7. Detection is fundamentally flawed It is mathematically impossible* to detect all polymorphic or zero day malware in advance *Limits of Static Analysis for Malware Detection, Andreas Moser, Christopher Kruegel, and Engin Kirda, Secure Systems Lab, Technical University Vienna *On the Infeasibility of Modeling Polymorphic Shellcode, Yingbo Song, Michael E. Locasto, Angelos Stavrou, Dept. of Computer Science, Columbia University

  8. Layers On Layers (LOL) • Protocol obfuscation • Bypass rules • P4wn • Protocol obfuscation for NIPS • Kernel or hook bypass exploits for HIPS • P4wn Network Malware Analysis • Obfuscate • Recompile • P4wn IPS Firewall • Sleep (2000) • P4wn

  9. “signature-based detection is untenable. To detect a 30 byte polymorphic worm requires O(2^240) signatures; for comparison there exist an estimated 2^80 atoms in the universe.” Song et al., 2010

  10. To summarize so far… “60% of the time it works every time...” Anchorman Visionary

  11. Micro-virtualization: Isolating Tasks with the CPU

  12. Hardware-isolate the threat Protect. Inform. Empower.

  13. Micro-virtualization Lightweight, fast, hidden, with an unchanged native UX Virtualizes vulnerable tasks within a single Windows desktop The Microvisor Tiny code base for maximum security I/O Virtualization (VT-d) TXT & TPM based hardware root of trust Hardware Virtualization (VT-x and EPT) Bromium Confidential

  14. eg: Fusion, Workstation, Player, W8 Hyper-V, Moka5, XenClient, [RDS, View, XenDesktop] VM VM Hypervisor Personal & corporate desktops eg: MED-V, Invincea [RDS, XenApp VM hosted apps, gmail] VM VM Hypervisor (Seamless) Single app per VM

  15. Enterprise Desktop Kernel OS Libs / Utils Hardware Applications

  16. Kernel Untrusted Application OS Libs / Utils Applications

  17. Sandbox* Kernel Untrusted Application OS Libs / Utils Applications [*eg: IE10, Chrome, Acrobat XI, Invincea, Trustware BufferZone…]

  18. Traditional EPS Exploit: MS12-042 EMET ASLR Sandbox* • 25 kernel CVEs in 2012 • 30+ CVEs in 1Q 2013 Untrusted Application Master / Slave Deprivileged http://abadsite.com [*eg: IE10, Chrome, Acrobat XI, Invincea, Trustware BufferZone…] 2013

  19. What’s the difference? Isolation vs Detection Task Isolation vs App or OS isolation Hardware Isolation vs Software Sandboxing VM Introspection

  20. Enforcing Dynamic Least Privilege

  21. Dynamic access to system resources is enforced by Intel VT. Network, File and Desktop services implement per-app MAC policies File System Network Access Clipboard Devices Printing

  22. Micro-VMs execute “Copy on Write”

  23. Malware is automatically discarded

  24. 1. Micro-VM Introspection 2. One task per micro-VM 3. Full attack execution

  25. Example Identify polymorphic attacks, root and boot-kits Automatically derive malware signatures for use in other security systems Identify C&C centers, bot-nets and origins of persisted attacks Identify all forms of persistence and capture payload(s) Profile zero-day attacks in real-time without false alarms
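Slides 21 to 25 describe one mechanism: each untrusted task runs in its own micro-VM with a per-app MAC policy over file system, network and desktop services, every write goes to a copy-on-write layer, the layer is thrown away when the task ends, and introspection records what the task tried to do. The toy model below is an added example of that design, not Bromium's code; `MicroVM`, `Policy`, `HOST_FS` and the abadsite.com scenario are my own constructions, and the host file system and paths are made up for the demo.

```python
from collections import namedtuple
# Constructed host file system for the demo; a task never writes here directly.
HOST_FS = {r"C:\Users\alice\report.docx": b"quarterly numbers"}
Policy = namedtuple("Policy", "read_paths write_paths hosts clipboard")  # per-task MAC policy

class MicroVM:
    """One task per micro-VM: copy-on-write view of the host, discarded on exit."""
    def __init__(self, task, policy):
        self.task, self.policy = task, policy
        self.overlay, self.events = {}, []  # CoW layer; introspection log (outlives the VM)

    def _check(self, action, target, allowed):
        self.events.append((self.task, action, target, "allow" if allowed else "deny"))
        return allowed

    def read(self, path):
        if not self._check("read", path, path.startswith(self.policy.read_paths)):
            return None
        return self.overlay.get(path, HOST_FS.get(path))

    def write(self, path, data):
        if not self._check("write", path, path.startswith(self.policy.write_paths)):
            return False
        self.overlay[path] = data  # lands in the overlay, never in HOST_FS
        return True

    def connect(self, host):
        return self._check("connect", host, host in self.policy.hosts)
    def paste(self):
        return self._check("clipboard", "desktop", self.policy.clipboard)

    def discard(self):
        """Task closed: drop every write the task made; the host never saw them."""
        dropped = sorted(self.overlay)
        self.overlay.clear()
        return dropped

def browse_untrusted_site():
    """Constructed scenario: a browser tab visits abadsite.com and the page misbehaves."""
    policy = Policy(read_paths=(r"C:\Temp\tab1",), write_paths=(r"C:\Temp\tab1",),
                    hosts=("abadsite.com",), clipboard=False)
    vm = MicroVM("browser:abadsite.com", policy)
    vm.connect("abadsite.com")                                # allowed: the site itself
    vm.write(r"C:\Temp\tab1\dropper.exe", b"MZ...")           # allowed, but only in the overlay
    vm.write(r"C:\Windows\System32\drivers\x.sys", b"MZ...")  # denied: persistence attempt
    vm.read(r"C:\Users\alice\report.docx")                    # denied: not this task's data
    vm.paste()                                                # denied: clipboard is off
    vm.connect("c2.example.invalid")                          # denied: not on the allow list
    denied = [e for e in vm.events if e[3] == "deny"]
    return vm.discard(), denied, dict(HOST_FS)
```

The denied events are the material slide 25 talks about: the persistence path, the data the task reached for and the host it tried to call are all recorded even though the task's only successful write was discarded with the micro-VM.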

  26. Today’s Reality

  27. A Better Future
