Over the last decade, Microsoft and other software vendors have continually raised the bar for security with the addition of address space layout randomization and data execution prevention (ASLR and DEP) and other controls. Apple Inc. also has locked down its iOS devices so that multiple vulnerabilities need to be exploited for legitimate users to jailbreak their iPhones and iPads, while highlighting the security benefits of a contained ecosystem with its app store model. That's before one considers the large investments in security technology many companies are making to protect sensitive data and users. Despite those efforts, attackers are having as much success now as they ever did, and are costing enterprises worldwide billions of dollars every year. What gives?
According to Chester Wisniewski, senior security advisor at Abingdon, U.K.-based antivirus vendor Sophos Ltd., attackers are evolving along with the defense mechanisms trying to fend them off, and they now often exploit multiple vulnerabilities as part of a single attack.
"There was a zero day in Flash that, in order to actually make that vulnerability work in this watering hole attack that it was used in, also relied on a flaw from either Microsoft Office that was fixed three months ago, or a flaw in Java 6 that was fixed three years ago," Wisniewski said. "So, strangely, even when we have a zero day … it still relied on other things."
In this interview, recorded at the 2014 RSA Conference, Wisniewski explained how the most sophisticated attackers are taking inspiration from such targeted incidents as the high-profile Target Corp. breach and nation-state-sponsored malware to craft their own exploits. For instance, Wisniewski said that antivirus vendors found certain vulnerabilities taken directly from Stuxnet in everyday exploit kits within 24 hours of it being publicized.
The speed with which attackers adopt the latest exploit techniques, said Wisniewski, means companies should adopt such information security basics as regular patching, which is vital for maintaining any organization's security posture.
"The Flash zero day needed an ASLR bypass for it to work [the outdated Office and Java vulnerabilities]. So, that meant that you had the opportunity to be patched against it, because in order to force you to do the ASLR bypass, they used two old vulnerabilities that arguably you should have already fixed," Wisniewski said. "These mitigations are never bulletproof. What they do is buy you time and they increase complexity, and if you can increase the complexity for the attackers, you're buying yourself more opportunities to stop the attack chain."
Brandan Blevins: Hi, there. I'm Brandan Blevins with searchsecurity.com. Thanks for watching this video. Joining me today is Chester Wisniewski. Chester is a senior security advisor with Sophos. Chester, it's great to have you with us today.
Chester Wisniewski: Thanks for having me.
Brandan Blevins: Chester, what are some of the latest trends or shifts you've seen take place in the threat landscape?
Chester Wisniewski: Sure. We're seeing basically as computer technology is getting more secure and we're starting to actually follow advice, practices, compliance, et cetera, that we're kind of tracking the advance of malware right along with that.
This morning I was talking about point of sale memory scraping and how the current way criminals are succeeding at stealing card data from retailers and merchants, and it's really kind of tracking with their compliance with standards like PCI. As they're encrypting files on disk, then the criminals are starting to look to things like memory where they can get access to the card information. A couple of years ago these guys were just trolling LimeWire and P2P networks and grabbing Excel spreadsheets full of card numbers. Obviously, PCI dictates you can't do that anymore, and so they've moved on.
Brandan Blevins: One of the attack trends I wanted to note was a recent number of high profile watering hole attacks. Why do you think such attacks are so effective, and how can enterprises mitigate that particular threat?
Chester Wisniewski: Well, strangely, they're effective for the same reasons all the other attacks have been effective, which is things like patching is still not happening in an expedient manner. There was a zero day in the Flash that was just patched a couple of days ago, and we started looking at it. In order to actually make that vulnerability work in this watering hole attack that it was used in, it also relied on either a flaw in Microsoft Office from three months ago that was fixed or a flaw in Java 6 which was discontinued three years ago. Strangely, even when we have a zero day that supposedly what could you do to possibly defend yourself when there's no fix yet, it still relied on other things. Some of these attacks can be mitigated simply through patching and these types of things.
The other thing, I think, is just education. Some organizations seem to have a negative attitude toward employees that make a mistake in these types of situations, so people cover it up and they're not disclosing it. We're finding that with our customers a lot of them are really encouraging their staff to say, "Look, if you succumb to that temptation and you click that link or you open that attachment in that email that came in, tell us now. Let us know. You're not going to be in trouble. We're not going to be angry, that kind of thing. If something was fishy, come and tell us. We want to know so that they can respond more quickly."
You can't always prevent, and if you can't prevent what you want to be able to do is react as quickly as possible, contain, and protect yourself. I think both approaches are necessary.
Brandan Blevins: You mentioned the recent IE Zero Day and its complex delivery mechanism. Do you think we'll see more of that delivery for malware in the future, or is it going to be a little bit more simple?
Chester Wisniewski: More often than not in the more advanced attacks, you've got the generic what I guess you might call spray and pray. You infect a couple of websites, and you just want to infect as many people as possible and steal their banking credentials. Those are still pretty much a small set of old vulnerabilities that they're just hoping to hit a bunch of victims.
In these watering hole attacks or in more targeted attacks, it is getting a lot more advanced because the victims are advancing as well. I mean, perhaps as individuals our PCs aren't that much better protected today than maybe they were five years ago. In the enterprise they really are.
I think an analogy to that might be looking at, say, the iPhone. When it was first launched there was a vulnerability and that allowed a jailbreak. Then, Apple changed some things, added some mitigations as each version of iOS came out. Now when you look at jailbreaking an iPhone it's a chain of, like, seven vulnerabilities they've got to find to get past all the different mitigations - the address space layout randomization, and data execution prevention, and signed bootloaders. All these things Apple's done to protect the device has made it require this really complex attack chain.
To a degree you're getting the same thing as Windows. As you're seeing XP go out the door on April 8th most organizations have chosen Windows 7 as their preferred platform, and immediately you've got these mitigations now. You have things like ASLR and DEP which make it harder for attackers, so they are having to combine things in order to more successfully exploit targeted victims.
Brandan Blevins: It's funny you mentioned address space layout randomization. That was one of the things that was bypassed in some of the recent zero day attacks. Do you think that's still an effective defense method for enterprises to rely on, or is that starting to show some weaknesses?
Chester Wisniewski: Well, I think that's what bought us the time. Going back, the Flash Zero Day needed an ASLR bypass for it to work, which was the Office vulnerability I mentioned, and the Java vulnerability I mentioned. Both were ASLR bypasses. That meant that you had the opportunity to actually be patched against it, because in order to force you to do the ASLR bypass they used two old vulnerabilities that, arguably, you should've already fixed.
I mean, all of these mitigations are never bulletproof. What they do is they buy you time and they increase complexity. If you can increase the complexity for the attackers, you're buying yourself one more opportunity to stop the attack chain, because there are more steps and every one of those steps you've got an opportunity to stop it. Making that attack chain longer is always helpful.
Brandan Blevins: With the recent leak of the Zeus malware source code along with nation state malware such as Stuxnet, I'm curious where you see attackers taking thoughts, ideas, implementations from. Is it both of those sources, neither, one or the other?
Chester Wisniewski: Shortest answer, yes. I mean, they're taking their ideas from everywhere, and unfortunately we have seen a lot of recycling of alleged government malware. It's pretty clear, I think we can all agree Stuxnet was government malware. There are a lot of other things that there are accusations. We're not sure. We look at it and we go this is pretty sophisticated stuff that clearly probably had multiple programmers involved, and usually that kind of points the arrow to potentially state sponsored design.
Once those ideas are out there it really depends on the sophistication of the attack you're talking about. Stuxnet is a great example, because one of the vulnerabilities used in Stuxnet, once the antivirus community discovered Stuxnet and it became a big press item, within 24 hours that vulnerability was being used in everyday random exploit kits deploying fake antivirus and all kinds of other everyday junk. We've seen specific bits of code reused like that, but often it is kind of a blueprint thing as well. The concepts at a higher level, you're not reusing the code from Stuxnet but the idea of how do you jump the air gap, and how do you get it on machines.
Stolen digital certificates, that wasn't happening that much before Stuxnet. We see that much more commonly now where there are actually malware that looks for unsecured certificates on your machine and steals them in the hopes that they're code signing certificates they might be able to use to sign future malware and have it pretend to be you. Yeah.
Brandan Blevins: Chester, thanks for joining us today.
Chester Wisniewski: Thanks for having me.
Brandan Blevins: And thank you for watching this video. For more of our videos please be sure to visit searchsecurity.com\videos.