New Approaches for Blocking Zero-Day Exploits to Prevent APTs

Tuesday, April 16, 2013

George Tubin


Cybercriminals continue to develop new methods to bypass security controls in order to install malware on corporate endpoints. Trojan.APT.BaneChant, an advanced persistent threat (APT) malware discovered last week, uses multiple evasion techniques to bypass some of the newer detection approaches. First, the malware evades automated analysis by executing the second stage of the attack only after it detects mouse activity, something that sandboxes, virtual machine detonation and automated malware analysis systems typically do not simulate, so the sample looks benign while it is being examined. The malware then downloads a malicious .JPG file and opens communication with its command and control server to steal sensitive data.

Blocking Exploits

This is another example of a targeted attack that exploits the biggest enterprise weakness: vulnerable endpoint applications. The attack exploits a vulnerability to introduce malware, and the malware then drives the rest of the attack. Blocking the exploit therefore stops the entire chain. That cannot be done with blacklisting solutions, as the recent targeted attacks on several major media outlets showed. Since targeted attacks frequently exploit zero-day vulnerabilities, an effective solution must block the attack without knowing anything about either the vulnerability targeted or the malware used.


A New Endpoint Malware Protection Paradigm

An endpoint protection approach that provides both effectiveness and manageability must begin with an understanding of the attack vectors that require mitigation. Malware can compromise end-user devices in several ways: it can install silently through the exploitation of an application or operating system vulnerability, it can be downloaded by the end user through social engineering, or it can be pre-installed on the device. Enterprises must therefore take preventative steps to keep information-stealing malware from reaching the endpoint, and must also implement protection that still works if malware does end up on the endpoint through one of the other routes.

Two New Layers of Security

Stateful Application Control is a new approach to protect endpoint devices from advanced data-stealing malware that combines two important components. The first is designed to prevent malware from installing on the device and the second is designed to prevent malware from stealing sensitive data.

The first layer, application exploit prevention, applies whitelisting to application states. It prevents an application exploit from leveraging a vulnerability to introduce malware onto the computer's file system. By analyzing application memory states during normal operation, this approach maps the legitimate states in which the targeted applications (browsers, Adobe Reader, Flash and Java) write to the file system; a write attempted from any other state is blocked. This allows for more stable and manageable endpoint security than traditional application control, because there are far fewer, and far more static, application states to analyze and maintain than there are application files.

In the event that malware is somehow installed on an endpoint device, a second and different layer of protection should prevent it from stealing information. This mechanism applies the same whitelisting concept to data exfiltration states, allowing only legitimate external communication to leave the endpoint device.

When malware enters the endpoint, it uses data exfiltration techniques to send stolen data and credentials to the Internet. With this second layer of security, a process operating in an unknown state has its communication with the Internet and with other processes restricted, while other, more benign operations are permitted. Restricted applications are then further analyzed and either whitelisted or removed if found malicious.

Automated Management

The key to implementing Stateful Application Control is making it highly manageable, with no end-user intervention and minimal IT staff involvement. This can only be accomplished through a sizeable network of endpoints that enables new, legitimate application and data exfiltration states to be detected, whitelisted, and immediately pushed out to all protected endpoints via the cloud. Additionally, corporations should be able to whitelist specific tools that would otherwise be restricted due to the nature of their operation.
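The following is an added illustration of the two layers described above (application exploit prevention and exfiltration-state whitelisting) together with the administrator tool exemption from this section. It is model code written for this page, not Trusteer's implementation. It assumes that an application state can be approximated by the process name, the operation attempted, and the chain of modules on the call stack at that moment; the `Event` and `StatePolicy` types, the `<unbacked>` marker for a stack frame that no loaded module owns, and every sample event are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Set, Tuple


class Op(Enum):
    WRITE_EXEC = "write_executable"  # layer 1: an application drops a file that can run
    NET_SEND = "network_send"        # layer 2: a process sends data off the host


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"        # layer 1: the write never reaches the file system
    RESTRICT = "restrict"  # layer 2: the process keeps running, its outbound channel is cut pending analysis


# Assumed marker for a call-stack frame located in memory no loaded module backs
# (shellcode, a sprayed heap): code that a legitimate application state never runs from.
UNBACKED = "<unbacked>"


@dataclass(frozen=True)
class Event:
    process: str             # image name, e.g. "acrord32.exe"
    op: Op
    stack: Tuple[str, ...]   # modules on the call stack, outermost first (an assumption of this model)
    target: str              # file path or remote endpoint; deliberately NOT part of the state

    @property
    def state(self) -> Tuple[str, Op, Tuple[str, ...]]:
        """The application state: which process does what, from which code path."""
        return (self.process, self.op, self.stack)


@dataclass
class StatePolicy:
    allowed_states: Set[Tuple[str, Op, Tuple[str, ...]]] = field(default_factory=set)
    whitelisted_tools: Set[str] = field(default_factory=set)  # tools an administrator exempted by name

    def learn(self, baseline: Iterable[Event]) -> None:
        """Map the legitimate states seen during normal operation; this is the whitelist both layers enforce."""
        for event in baseline:
            if UNBACKED not in event.stack:  # never learn from a stack that already looks exploited
                self.allowed_states.add(event.state)

    def evaluate(self, event: Event) -> Verdict:
        if UNBACKED in event.stack:
            return Verdict.BLOCK  # an exploit payload reaching a sensitive API is stopped outright
        if event.state in self.allowed_states or event.process in self.whitelisted_tools:
            return Verdict.ALLOW
        # Unknown state: layer 1 blocks the file drop; layer 2 restricts the network channel
        # instead of killing the process, so a new but legitimate state can still be whitelisted later.
        return Verdict.BLOCK if event.op is Op.WRITE_EXEC else Verdict.RESTRICT


# Constructed sample events (not captured data): a clean baseline, then four events to judge.
BASELINE = [
    Event("chrome.exe", Op.WRITE_EXEC, ("chrome.exe", "chrome.dll", "kernel32.dll"),
          r"C:\Users\u\Downloads\setup.exe"),
    Event("chrome.exe", Op.NET_SEND, ("chrome.exe", "chrome.dll", "ws2_32.dll"), "www.example.com:443"),
    Event("acrord32.exe", Op.NET_SEND, ("acrord32.exe", "wininet.dll"), "armmf.adobe.com:443"),
]

PROBES = {
    # Same browser download code path, different file: the state matches, so layer 1 allows it.
    "browser_download": Event("chrome.exe", Op.WRITE_EXEC, ("chrome.exe", "chrome.dll", "kernel32.dll"),
                              r"C:\Users\u\Downloads\report.pdf.exe"),
    # Reader writing an executable from an unbacked frame: the exploit-then-drop sequence layer 1 exists for.
    "reader_exploit_drop": Event("acrord32.exe", Op.WRITE_EXEC, ("acrord32.exe", UNBACKED, "kernel32.dll"),
                                 r"C:\Users\u\AppData\Local\Temp\svc.exe"),
    # A process that arrived some other way (e.g. social engineering) and now tries to call home.
    "dropper_beacon": Event("svchost_update.exe", Op.NET_SEND, ("svchost_update.exe", "ws2_32.dll"),
                            "198.51.100.7:8080"),
    # A corporate backup agent in a state the baseline never saw, but exempted by the administrator.
    "backup_agent": Event("corpbackup.exe", Op.NET_SEND, ("corpbackup.exe", "ws2_32.dll"),
                          "backup.corp.example:443"),
}


def run_demo() -> Dict[str, Verdict]:
    policy = StatePolicy(whitelisted_tools={"corpbackup.exe"})
    policy.learn(BASELINE)
    return {name: policy.evaluate(event) for name, event in PROBES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} -> {verdict.value}")
```

Two things the run makes visible that the prose only implies. First, the state deliberately excludes the file being written, which is why a single learned state covers every ordinary browser download and the whitelist stays small; the flip side is that a user-initiated download of a malicious executable passes layer 1 untouched, which is exactly the case the second layer is there for. Second, the unknown process is restricted rather than killed, leaving room for the analyze-then-whitelist-or-remove step that the automated management relies on.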

About the author: George Tubin is senior security strategist for Trusteer, a provider of endpoint cybercrime prevention solutions that protect millions of customers and employees against advanced malware and phishing attacks on their computers and mobile devices. 

Gregory MacPherson

This is old news - ever heard of Marimba? Ever heard of "deny everything that is not explicitly permitted"? Not arguing the strategy, but companies DO NOT WANT TO PAY FOR SOLUTIONS and COMPANIES DO NOT UNDERSTAND THEIR NETWORKS. You can't protect without tools, and you can't protect without knowing what is supposed to come in and what is not supposed to come in.

It's not impossible, but it is resource- and time-consuming, and companies want to sell widgets, not secure expensive networks with expensive people.

Find a cheap and automated way to do it and MAYBE they will buy it.
