Tips for an Information Security Analyst/Pentester career - Ep. 83 -Endpoint Security
Organizations spend millions of dollars on cybersecurity solutions, yet breaches keep increasing. More alarmingly, headline breaches are only the ones that are public and reported; many more are neither detected nor reported.
For these reasons, different cybersecurity solutions, each with its own twist, have been created and implemented. How do we know they work? How well do they withstand both unsophisticated and sophisticated attack techniques? Who asks these questions before implementation, and who tests these solutions?
One of the last frontiers in information security is Endpoint Detection and Response (EDR).
"Endpoint detection and response solutions record system activities and events taking place on endpoints and provide security teams with the visibility they need to uncover incidents that would otherwise remain invisible" (Source: CrowdStrike).
Such solutions are inspired by a saying of the famous ancient Chinese general Sun Tzu:
Common Industry Solutions
Whitelisting
Whitelisting is based on the concept "allow only what is known to be good and block everything else". Only programs included in an allowed list (whitelist) can be installed and executed; all others are blocked.
Though this may be a good solution in some cases, it hides a serious flaw: whitelisting is based on trust. Even though a well-known program (e.g. Adobe Reader) can be considered a legitimate application for some specific users, it might have bugs and vulnerabilities that can be exploited, and the whitelist does nothing to stop that.
Whitelisting requires constant care and maintenance, and implies a trade-off between users continuously requesting additional programs and administrators regularly reviewing new and updated programs to allow or disallow.
Blacklisting
This is the exact opposite approach to whitelisting, based on so-called "known bad": blocking specific applications known to be malicious or to behave like malware. This concept appears very promising, but it fails to deliver in the long run. In specific environments, applications that would normally be considered malware, or that have malware-like behavior, are indeed beneficial to an organization and are intended to work a certain way.
In such cases a blacklisting approach would be damaging to an organization, because it would block applications needed for its own functioning.
An example of this scenario can be the Metasploit Framework.
When run in a Windows environment, antivirus programs normally flag Metasploit as malicious and block it unless specific exception rules are added. Now, if a company has an internal pentesting team, a pure blacklisting approach would prevent testers from doing their job, because it would block an application that, in that specific scenario, is legitimately used to benefit the organization.
Another important limitation of the blacklisting approach is that it might not rise to the occasion when the malicious code is obfuscated through AV evasion tools, such as XEncrypt and Veil-Evasion. For a more thorough analysis of this specific topic, check out the latest Polito Inc. corporate blog post: Automated Obfuscation of Windows Malware and Exploits Using O-LLVM.
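The trade-offs described in the two sections above can be made concrete with a small simulation. The following is an added example, not code from the original post or from any product it mentions: it evaluates a handful of constructed "binaries" (fake file contents and names, not real hashes or real malware) against a hash-based allowlist and a name-plus-hash denylist, and shows where each approach falls short. The allowlist blocks a legitimate update because its hash has not yet been approved (the maintenance burden), while the denylist lets an obfuscated copy of a listed tool through (the evasion problem); note that the allowlist still allows the "known-good" reader even if it has an exploitable bug, which no list-based control addresses.

```python
import hashlib

# Constructed sample "binaries": file name on disk plus fake contents.
# In a real deployment the hashes would come from a golden image or vendor.
SAMPLES = {
    "reader.exe":     b"PDF-READER-11.0",    # known-good business application
    "reader-new.exe": b"PDF-READER-11.1",    # legitimate update, not yet approved
    "pentest.exe":    b"PENTEST-PAYLOAD",    # tool the organization denylists
    "svchost2.exe":   b"PENTEST-PAYLOAD",    # same tool, merely renamed
    # Obfuscated copy of the same tool (toy XOR encoding, constructed here)
    "packed.exe":     b"XOR:" + bytes(b ^ 0x41 for b in b"PENTEST-PAYLOAD"),
}


def sha256(data: bytes) -> str:
    """Content hash used as the identity of a binary."""
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by content hash: only these exact binaries may execute.
ALLOWLIST = {sha256(SAMPLES["reader.exe"])}

# Denylist keyed by file name and by known-bad content hash.
DENY_NAMES = {"pentest.exe"}
DENY_HASHES = {sha256(SAMPLES["pentest.exe"])}


def allowlist_decision(name: str, data: bytes) -> str:
    """Default deny: anything not explicitly approved is blocked."""
    return "allow" if sha256(data) in ALLOWLIST else "block"


def denylist_decision(name: str, data: bytes) -> str:
    """Default allow: only what matches a known-bad indicator is blocked."""
    if name in DENY_NAMES or sha256(data) in DENY_HASHES:
        return "block"
    return "allow"


def evaluate_all() -> dict:
    """Return {file name: (allowlist verdict, denylist verdict)} for every sample."""
    return {
        name: (allowlist_decision(name, data), denylist_decision(name, data))
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (wl, bl) in evaluate_all().items():
        print(f"{name:16} allowlist={wl:5} denylist={bl}")
```

Renaming alone does not defeat the hash-based denylist (`svchost2.exe` is still blocked), but re-encoding the contents does (`packed.exe` is allowed), which is exactly the gap that AV evasion tools exploit; the allowlist catches both, at the cost of also blocking `reader-new.exe` until an administrator approves the new hash.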
Endpoint Protection, Detection, and Response
Endpoint protection platforms (EPP) try to prevent malware from reaching the endpoint or executing on it. Endpoint detection and response (EDR) solutions detect attacks after the fact and then try to remediate the damage as quickly as possible. Both kinds of tool can become part of the overall attack surface, as they might be disabled by an attack. They might also produce high rates of false positives and a high missed-detection rate.
Layered Defenses Get Compromised by Exploiting Users
Layered defenses, based on various cloud, network, and endpoint components, are only effective when the "full stack" is reachable from the device being protected. Sadly, many tools require forced-VPN solutions to function, and provide limited or no defense for roaming laptops or remote workers connecting to the corporate network from potentially insecure locations, such as hotels, airports, coffee shops and restaurants.
Failure of Common Cybersecurity Strategies
Detection-based defenses have repeatedly failed over the years due to multiple factors. These include improperly tuned tools and an increasing number of kernel exploits, which have led to insufficient detection rates, successful attacks, and breaches. Additionally, malware has become more sophisticated and capable of evading the many layered defenses proposed over the years (signatures, heuristics, sandboxing, artificial intelligence, predictive analytics, machine learning, neural networks) by implementing techniques such as obfuscation, encoding, encryption and anti-forensics, making its code much less recognizable to detection-based solutions.
None of the above solutions has addressed the main issues with detection: it does not scale well at an enterprise level, and malware only has to slip through defenses once to spread across a corporate network. The most important issues that remain unsolved by detection-based solutions are:
- There will always be software vulnerabilities, both known and unknown (0-days).
- Malicious code and threats will always exist.
- Attacker moves cannot always be predicted.
The real question isn't whether but when an organization will get hacked. Preparedness in this regard is critical.
Application as Endpoint
Applications are often the attack vector used to hack a network, so an organization can harden its systems by preventing a compromised application from exploiting its hosts. Based on all the above considerations, it seems clear that endpoint security is best achieved by securing applications. The application-as-endpoint concept may provide a more effective solution. This concept is validated by observing how bad actors operate: they don't target the operating system directly, but rather installed applications and browsers, by leveraging their vulnerabilities.
Examples of application attack vectors include:
- Malicious Office documents
- Weaponized PDFs
- Steganographic malware in image files
- Fileless malware in web browsers
Polito Inc. pentesters have personally tested multiple EDR applications against different types of payloads and found AppGuard to stand out.
AppGuard is a host-based software solution developed on the concepts of zero trust and application-as-endpoint, and functioning as a kernel driver on Windows platforms.
AppGuard intercepts write access both to the computer's permanent storage (local hard disk, network shares, etc.) and to removable storage devices, such as USB drives and external disks. AppGuard also prevents drive-by attacks by blocking suspicious programs run in user space.
AppGuard enforces system and file integrity without complex management overhead, through strict access control over the writing of executable files and user-defined files (protected files) to a computer. It protects against unauthorized modification, denies unauthorized write operations and blocks suspicious processes. The system administrator can tweak these settings and add customized exclusions.
AppGuard was tested independently by Polito Inc. on behalf of the company, and the product performed well when faced with multiple attack vectors (PowerShell Empire, Magic Unicorn and Veil-Evasion payloads, obfuscated PowerShell payloads, fileless payloads, etc.), always preventing suspicious applications from writing to the registry.
Figure 1 - VirusTotal report on obfuscated payload
AppGuard should be deployed on a newly installed, 'clean' operating system. From this secure initial state (baseline), it is easier to spot unauthorized and unwanted activity on the system. Upon installation, AppGuard activates Insider-Threat defense mode by default, which is primarily a defense against reverse shell access to the endpoint. In this mode, only browsers are allowed to access the Internet.
This behavior can be customized with the Enterprise version, where companies have the option to apply their own security policies inside AppGuard.
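To show what a zero-trust, application-as-endpoint write policy of the kind described above looks like when reduced to rules, here is an added example. It is a simplified model written for this article, not AppGuard's engine, policy format or trust categories: the trust classes, the set of browsers that may reach the Internet, the protected-file list and the exclusions are all assumptions, and the event log it evaluates is constructed. Writes by trusted (system-installed) processes are allowed; guarded and untrusted processes may write user data but not executables, protected files or the registry; only browsers may open outbound connections; an administrator exclusion overrides the default for one process and one path prefix.

```python
from dataclasses import dataclass, field

# Assumed trust classes for running processes (not AppGuard's real categories).
TRUSTED = "trusted"      # installed under system/program directories
GUARDED = "guarded"      # user-facing apps that open untrusted content
UNTRUSTED = "untrusted"  # scripts, user-writable locations, children of guarded apps


@dataclass
class Event:
    process: str   # image name
    trust: str     # one of the classes above
    action: str    # "write" or "connect"
    target: str    # file path, registry key, or remote host:port


EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".bat", ".vbs", ".js")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
REGISTRY_PREFIXES = ("hklm\\", "hkcu\\", "hkey_")


@dataclass
class Policy:
    # Admin-defined paths treated like executables for write purposes.
    protected_files: set = field(default_factory=set)
    # Insider-threat style rule: only these processes may reach the Internet.
    internet_allowed: set = field(default_factory=lambda: {"chrome.exe", "firefox.exe", "msedge.exe"})
    # Admin exclusions: (process name, target path prefix) pairs that are always allowed.
    exclusions: set = field(default_factory=set)

    def classify(self, target: str) -> str:
        """Bucket a write target into registry / executable / protected / user-data."""
        t = target.lower()
        if t.startswith(REGISTRY_PREFIXES):
            return "registry"
        if t.startswith(SYSTEM_PREFIXES) or t.endswith(EXEC_SUFFIXES):
            return "executable"
        if any(t.startswith(p.lower()) for p in self.protected_files):
            return "protected"
        return "user-data"

    def decide(self, ev: Event) -> str:
        # 1. Explicit administrator exclusions win over every default.
        for proc, prefix in self.exclusions:
            if proc.lower() == ev.process.lower() and ev.target.lower().startswith(prefix.lower()):
                return "allow"
        # 2. Outbound connections: default deny, browsers excepted.
        if ev.action == "connect":
            return "allow" if ev.process.lower() in self.internet_allowed else "block"
        # 3. Writes: trusted processes pass; everything else is confined to user data.
        kind = self.classify(ev.target)
        if ev.trust == TRUSTED:
            return "allow"
        if kind in ("registry", "executable", "protected"):
            return "block"
        return "allow"


# Constructed event log: a plausible mix of benign activity and a
# document-spawned script trying to persist and call home.
EVENTS = [
    Event("winword.exe", GUARDED, "write", "C:\\Users\\alice\\Documents\\report.docx"),
    Event("winword.exe", GUARDED, "write", "C:\\Users\\alice\\AppData\\Roaming\\update.exe"),
    Event("powershell.exe", UNTRUSTED, "write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"),
    Event("powershell.exe", UNTRUSTED, "connect", "203.0.113.10:4444"),
    Event("chrome.exe", GUARDED, "connect", "example.com:443"),
    Event("chrome.exe", GUARDED, "write", "C:\\Users\\alice\\Downloads\\invoice.pdf"),
    Event("msiexec.exe", TRUSTED, "write", "C:\\Program Files\\App\\app.exe"),
    Event("updater.exe", UNTRUSTED, "write", "C:\\Program Files\\LOB\\client.dll"),
    Event("acrord32.exe", GUARDED, "write", "C:\\Finance\\ledger.xlsx"),
]

# Policy with one protected directory and one admin exclusion for a line-of-business updater.
POLICY = Policy(
    protected_files={"C:\\Finance\\"},
    exclusions={("updater.exe", "C:\\Program Files\\LOB\\")},
)


def run_events(policy: Policy = POLICY, events=EVENTS) -> list:
    """Return the allow/block verdict for each event, in order."""
    return [policy.decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, run_events()):
        print(f"{verdict:5} {ev.process:15} {ev.action:7} {ev.target}")
```

The document-spawned script is stopped twice, at the registry write and at the outbound connection, without any signature for the payload, which is the point of the approach; the price is that every legitimate updater or installer launched from a user-writable location needs an explicit exclusion like the one for `updater.exe`, and the administrator has to keep that list current.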
The post can't provide more scenario-specific details, in compliance with the NDA with the client. However, during their testing, Polito Inc. penetration testers observed that AppGuard stopped most of the attacks that are normally a tester's go-to against other endpoint security solutions (obfuscated PowerShell payloads, batch files, Magic Unicorn payloads, custom ransomware, etc.) by preventing registry writes.
The only times testers could get a shell were when Threat Hunter Mode, which constantly blocked the reverse shell payload, was disabled. Of course, AppGuard can't be regarded as a panacea, but its approach seems to provide better results than a merely detection-based one. AppGuard can very efficiently supplement a detection-based solution, for a marriage made in heaven.
Wrap-up
Detection-based endpoint security solutions have not always risen to the occasion, as they include a lot of complexities and blind spots, potentially allowing for unknown or obfuscated malware to slip through.
Both whitelisting and blacklisting approaches have their pros and cons and are very complex to manage. Specifically, defining which applications to allow or block can be challenging in today's complex work environments, where each employee holds multiple roles and sometimes conflicting responsibilities, requiring multiple access levels to corporate assets.
Application hardening-based solutions, such as AppGuard, seem to have higher potential, as they don't rely on signatures but block an application from writing to the registry unless specifically allowed, based on a zero-trust concept.
Detection-based solutions such as CrowdStrike and CarbonBlack rely on "indicators of compromise" (IoCs), while AppGuard simply blocks specific actions, such as registry writes.
This brings simplicity, allowing companies to reduce the complexity underlying endpoint security implementation and efficiently cut their overall attack surface. AppGuard offers still more flexibility in its Enterprise version, allowing companies to use their own security policies and more easily adjust the protection level to their specific needs.