<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Earthquake That Nobody Felt: McAfee Endorses Application Whitelisting</title>
		<link>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/</link>
		<comments>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 17:03:15 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3461</guid>
		<description><![CDATA[Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:
BREAKING NEWS: “Endpoint Security Earthquake [...]]]></description>
			<content:encoded><![CDATA[<p>Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:</p>
<p><b>BREAKING NEWS</b>: <i>“Endpoint Security Earthquake Hits:  McAfee Actively Endorses Application Whitelisting. Magnitude &#038; Ramifications Are Significant.”</i></p>
<p>This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, <b>actively and unequivocally endorsed Application Whitelisting</b>.  Ironically, in coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too. </p>
<p>First, let’s cover the major quake:  McAfee’s active endorsement of application whitelisting—<i>for corporate desktops and laptops</i>.<span id="more-3461"></span>  In a series of videos on the popular video sharing site, YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are unique compared to other whitelisting solutions but are not unique compared to CoreTrace (e.g., trusted change and memory protection)).  You can view the initial video <a href="http://www.youtube.com/watch?v=8Az9yg9KcVs&#038;feature=relmfu" target="_blank">here</a>.  While you are at YouTube, make sure to check out <a href="http://www.youtube.com/CoreTraceCorporation" target="_blank">CoreTrace’s video channel</a> too. </p>
<p>While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: <i>“Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”</i></p>
<p>Second, let’s cover the story of the related tremors:  The industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft.  While Symantec’s own <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&#038;pvid=security_advisory&#038;suid=20120124_00" target="_blank"> advisory</a> to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as a part of his recommendations in a <a href=" http://scitech.foxnews.mobi/quickPage.html?page=23952&#038;content=65142874&#038;pageNum=-1 " target="_blank"> FoxNews.com interview </a>, Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com <i>“Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”</i></p>
<p>So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do?  Stay tuned for future coverage of this developing story…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Defeating Defacement: File Integrity Protection via Application Whitelisting</title>
		<link>http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/</link>
		<comments>http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 16:47:24 +0000</pubDate>
		<dc:creator>Greg Valentine</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[file integrity protection]]></category>
		<category><![CDATA[FIPs]]></category>
		<category><![CDATA[server hardening]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3442</guid>
		<description><![CDATA[It is a PR disaster.  A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world).  Your phone won’t stop ringing, and your mailbox just melted down.  So many questions running through your mind:  ‘What just happened?’, [...]]]></description>
			<content:encoded><![CDATA[<p>It is a PR disaster.  A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world).  Your phone won’t stop ringing, and your mailbox just melted down.  So many questions running through your mind:  ‘What just happened?’,  ‘Who did this?’, ‘How did they do this?’, and most importantly ‘How can I prevent this from happening again???’.  It certainly doesn’t help that this has the highest level of visibility within your organization.  It’s going to be a very long day.</p>
<p>Sadly, this scenario is now playing itself out more than ever.  This is especially true with a loosely managed group of hacktivists that call themselves ‘Anonymous’.  The list of companies affected by Anonymous is large enough to raise national media attention—which is not exactly where your company wants to have its name mentioned.<span id="more-3442"></span></p>
<p><b>The Problem:</b><br />
Despite significant improvements to web server security, major companies continue to be victimized by this type of vandalism.  The motivation behind such attacks ranges from citizen protest (“hacktivists”) to good old-fashioned revenge.  Regardless of the motivation, you now have a very embarrassing problem on your hands.  </p>
<p>Despite the best practice of ‘locking down’ your website data files to prevent changes to them, it does no good if someone is able to gain root-level access to the server; the attacker can simply open up the privileges on the data files with a single command.  You need to be able to lock down these files at a lower level than standard operating system controls provide.</p>
<p><b>A Solution:</b><br />
What can be done to prevent these defacements?  The fundamental problem boils down to the fact that unauthorized changes are being made to the website files.  The affected files could be simple HTML, CGI, or PHP, etc., but even a simple change to a .htaccess file can ruin your day.  Regardless of how someone gains access to these files (there are many, many techniques that can be used to gain access, such as SQL injection, JavaScript vulnerabilities, etc.), wouldn’t it be nice to know that they would not be able to modify or delete these files in any way? If you can tell your management team that the website is secure from defacement, then everyone would rest a lot easier at night.</p>
<p>As readers of our blog know, CoreTrace Bouncer is an application whitelisting product.   The main benefit of this technology is that only programs that are explicitly defined on the whitelist are allowed to execute.  Any programs not on the whitelist are considered to be ‘unauthorized’ so Bouncer prevents these unauthorized programs from executing. Bouncer takes the firewall paradigm of ‘default deny’ for network ports and applies it to program execution within the operating system. </p>
<p>Not only does Bouncer enforce the whitelist; it must also protect the integrity of the whitelisted applications.  How effective would a whitelisting product be if someone could simply delete an authorized application such as notepad.exe and replace it with a tainted program that has been renamed to notepad.exe?  By default, Bouncer blocks (from the kernel) all modifications to program files that are on the whitelist.  Bouncer administrators are able to define vectors of authorized change, which enable transparent changes to these files so that upgrades and patches can be applied without difficulty.</p>
<p>CoreTrace has extended this kernel-level ‘file integrity protection’ capability to any file which you wish to protect.   While the HTML files will never execute, you can rest much more easily knowing that any file you add to the list has this low-level extra measure of protection.  This can be applied to any file you wish, such as c:\boot.ini or the hosts file.</p>
<p>By the way, here are some examples that clearly show what you <i>don&#8217;t</i> want to deal with:</p>

<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip4/' title='FIP4'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP4-150x113.png" class="attachment-thumbnail" alt="" title="FIP4" /></a>
<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip3/' title='FIP3'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP3-150x113.png" class="attachment-thumbnail" alt="" title="FIP3" /></a>
<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip2/' title='FIP2'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP2-150x113.png" class="attachment-thumbnail" alt="" title="FIP2" /></a>
<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip1/' title='FIP1'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP1-150x113.png" class="attachment-thumbnail" alt="" title="FIP1" /></a>

]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making &#8220;Shady RAT&#8221; Useful: An Open Letter to McAfee, Symantec &amp; the Australian DoD&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/</link>
		<comments>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/#comments</comments>
		<pubDate>Fri, 05 Aug 2011 13:42:16 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Shady RAT]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3427</guid>
		<description><![CDATA[Earlier this week, I wrote a post comparing the  cybersecurity strategies of the United States and Australian Departments of Defense.  In that post, I applauded the Australians for having a strategy that was &#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221; The [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I wrote a post comparing the <a href=" http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/" target="_blank"> cybersecurity strategies </a>of the United States and Australian Departments of Defense.  In that post, I applauded the Australians for having a strategy that was <i>&#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221;</i> The strategy was based on the DoD&#8217;s Defence Signals Directorate&#8217;s (DSD) analysis of attacks&#8211;learning from what happened to suggest approaches that would have prevented the attacks/breaches. The strategy outlined 35 mitigations, with a strong recommendation to implement the top 4 strategies (#4 is application whitelisting, btw):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>Also earlier this week, McAfee released a report that just about everyone in the security industry has likely now read, <a href="http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf" target="_blank">“Revealed: Operation Shady RAT”</a>.  The report, written by Dmitri Alperovitch, VP Threat Research at McAfee, is an eye-opening read covering targeted intrusions into over 70 global companies, governments and non-profit organizations over the last 5 years. The report covers the types of organizations hit the hardest (not shockingly, defense contractors led the list with 13 of the intrusions detected), the ramifications of the breaches, estimated times each were compromised (shortest being 1 month, an honor shared by 9 victims) and even outlines the generic attack approaches utilized:<span id="more-3427"></span></p>
<blockquote>
<p>The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command &#038; Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for. </p>
</blockquote>
<p>(Side note: Not to be outdone, Symantec did their own analysis of the attacks, which adds even more details.  You can find that analysis <a href="http://www.symantec.com/connect/blogs/truth-behind-shady-rat" target="_blank">here</a>.)</p>
<p>In short, the McAfee report does an excellent job of driving home Dmitri&#8217;s (and most security professionals&#8217;) key message:</p>
<blockquote>
<p>&#8220;I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that <b>know they’ve been compromised</b> and those that <b>don’t yet know</b>.&#8221;</p>
</blockquote>
<p>Which finally brings me to the objective of this post. <b>This is an Open Letter to McAfee, Symantec and the Australian DoD. Let&#8217;s find a way of making the &#8220;Operation Shady RAT&#8221; project truly useful.</b>  Please combine the known attacks from &#8220;Operation Shady RAT&#8221; with the best-practice mitigation methodology utilized by the DoD in creating their 35 mitigation recommendations.  Truly analyze the security processes and procedures that were in place at each victim, perhaps categorized by their effectiveness in shortening or avoiding the breach (I have to believe that the 9 entities that had the shortest compromises were doing something different than the ones that remained compromised for years), and create a modified (if necessary) version of the DoD&#8217;s mitigation recommendations.  That would be truly useful&#8230; beyond the BFO (blinding flash of the obvious) from the original report:  That all entities with any valuable infrastructure or information fit &#8220;into two categories: those that <i>know they’ve been compromised</i> and those that <i>don’t yet know</i>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale of Two DoDs: U.S. and Australian cybersecurity plans differ in depth and usefulness&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/</link>
		<comments>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 12:47:28 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3409</guid>
		<description><![CDATA[Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  
Toney Jennings, CoreTrace CEO and a former Air Force [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  </p>
<p>Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD&#8217;s <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a>.  The main objective of his <a href="http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/">“DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &#038; companies???”</a> post was to openly challenge the US DoD to modify their procurement and evaluation processes to enable small and innovative companies to assist in cyber defense.  However, Toney also made a few other key points. Most relevant to this post is that Toney highlighted that the document was <b><i>extremely high level and highly prone to status quo thinking and actions</i></b>, e.g.,</p>
<blockquote>
<p>&#8220;Unfortunately, a significant portion of the document is simply reiterating the government’s &#8216;business as usual&#8217; tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8216;no one ever got fired for buying from&#8217; large companies and contractors.&#8221;</p>
</blockquote>
<p>Which brings me to the Australian DoD.  In contrast to the high-level US cyberstrategy document, the Australian DoD&#8217;s <a href="http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf">“Strategies to Mitigate Targeted Cyber Intrusions”</a> plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.<span id="more-3409"></span> There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four strategies.  According to the DoD&#8217;s Defence Signals Directorate (DSD):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>I strongly recommend reading the whole document, but here are the four key strategies:</p>
<blockquote>
<p><strong>1. Patch applications</strong> e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.</p>
<p><strong>2. Patch operating system vulnerabilities.</strong> Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.</p>
<p><strong>3. Minimize the number of users with domain or local administrative privileges.</strong> Such users should use a separate unprivileged account for email and web browsing.</p>
<p><strong>4. Implement application whitelisting</strong> to help prevent malicious software and other unapproved programs from running.</p>
</blockquote>
<p>I sincerely hope the US DoD will take a page from their Australian counterparts.  Learn, adapt, and survive. It is a far better strategy than simply staying pat.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for July 2011: New cybersecurity plans, breaches, platforms and arrests&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/</link>
		<comments>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 14:23:35 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity plan]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[Lulzsec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3386</guid>
		<description><![CDATA[In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the [...]]]></description>
			<content:encoded><![CDATA[<p>In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the same vein, the shift to virtualization has many businesses re-thinking their existing security approaches. Will virtualization mark the end of traditional host-based antivirus solutions as we know it? Here are some of the top endpoint security stories for July 2011.</p>
<h3>DoD’s cybersecurity plan creates more questions than answers</h3>
<p>In July, the Department of Defense released its new strategy for operating in cyberspace, and how it plans to protect our nation’s computer systems and networks from cyber attacks. The plan includes a number of initiatives such as treating cyberspace as a domain it defends (with land, air, sea and space), introducing new network defenses to detect and stop malicious code, coordinating with the private sector, and working with other countries. However, in the article, <a href="http://www.infoworld.com/d/the-industry-standard/critics-us-cybersecurity-plan-has-holes-few-new-items-118">“Critics: U.S. cyber security plan has holes, few new items,”</a> the document has many analysts like Rich Mogull of Securosis wondering if the DoD can pull it off.<span id="more-3386"></span></p>
<blockquote><p>
<em>“Some of these things have been written about for years. The real challenge is, are they going to actually execute this?”</em></p></blockquote>
<p>While Mogull is glad to see the government is finally getting serious about improving cyber defenses, he doesn’t see anything in the new plan that the DoD isn’t already working on. For example, the government has been talking about establishing partnerships with private industry and the international community for years now. Why hasn’t this already been done? But while critics may agree that developing a strategy is a good first step, achieving the initiatives is paramount to securing our nation and critical infrastructure from more dangerous, harmful cyber attacks. </p>
<h3>Shift to virtualized environments shaking up security practices</h3>
<p>As more and more businesses move to virtualized computing environments, they’re quickly learning that the <a href="http://www.networkworld.com/news/2011/071911-virtual-user.html">shift to server virtualization is creating a number of new security challenges.</a> For companies that are beyond the halfway mark of operating a 100% virtualized environment, some of the top security concerns include access control, data encryption, monitoring virtual network traffic, and improving threat detection and rogue-device identification.</p>
<p>Along with a heightened security awareness, many organizations agree they need to re-evaluate their existing strategies and look at new security approaches that will adequately protect their virtualized environments without impacting the availability and performance of their systems. Either way you look at it, today’s infrastructures are changing fast. Organizations moving to virtualized environments need to adapt their security programs and policies to accommodate virtualization.</p>
<h3>Will virtualization mark the end of host-based antivirus software?</h3>
<p>In a related story, organizations are finding that traditional host-based anti-malware is not as effective as it was in the pre-virtualized era because the main problems they face are coming from Web-based malware. According to the article, <a href="http://www.infoworld.com/d/security/host-based-antivirus-software-losing-luster-811?page=0,0">“Is hosted-based antivirus software losing luster?”</a> companies are choosing not to run antivirus software in their virtualized environments because it’s no longer useful in detecting malware and can disrupt application performance, said Johnny Hernandez, VP of information security at PrimeLending.</p>
<blockquote><p>
<em>&#8220;Today, we don&#8217;t run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization.&#8221;</em></p></blockquote>
<p>More telling is the fact that IT folks like Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C., doubt that most desktop antivirus software can even stop malicious code that is being unintentionally passed from employees to contractors to partners and others over the Web.</p>
<h3>Hackers target intelligence contractors</h3>
<p>The recent cyber attacks against Lockheed Martin and <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">Booz Allen</a> have shown that hackers are actively trying to steal classified government data by way of the computer networks of U.S. defense contractors.</p>
<p>In the article, <a href="http://www.msnbc.msn.com/id/43848947/ns/technology_and_science-security/t/hackers-target-intelligence-agency-contractors/">“Hackers target intelligence agency contractors,”</a> cyber criminals send emails with malicious software to employees of contractors that work for U.S. government agencies. The spear phishing attacks contained personal information designed to deceive the highly targeted victims into clicking on infected links within the corrupt email. Once the software was installed on a computer, it downloaded payloads that enabled criminals to control a victim’s computer, access sensitive data and communicate with hackers. </p>
<p>Because the attacks target specific government contractors, experts say they are likely distributed and carried out by foreign actors, who persistently target multiple individuals to penetrate the network. To counter such attacks, government agencies and contractors need to push security standards across all endpoints within their networks and beyond the walls of their own defenses. Otherwise, their sensitive and proprietary information is only as safe as their partners’ vulnerabilities.</p>
<h3>FBI arrests 14 alleged Anonymous members</h3>
<p>As part of an international effort to crack down on cybercrime, the FBI conducted more than a dozen raids across the U.S. in July that resulted in the <a href="http://www.nbr.co.nz/article/fbi-arrests-14-alleged-anonymous-members-aw-97393">arrests of 14 members of the notorious hacker group, Anonymous,</a> which has claimed responsibility for multiple high-profile online attacks including the Internal Affairs and PayPal websites.</p>
<p>This is the latest in a number of international arrests that have shaken up the cybercrime underworld. A handful of others have been arrested in the UK and the Netherlands for alleged related cyber attacks, including an individual connected to attacks carried out by the theoretically disbanded hacktivist organization, LulzSec.</p>
<p>The ongoing cybercrime investigations are part of a concerted effort by multiple international, federal and domestic law enforcement agencies who are working together to stop coordinated cyber attacks targeting major companies and organizations.</p>
<p>I appreciate your interest in reading our blog and encourage you to provide comments and your unique perspective on the biggest stories in the security industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

