Hackers move quickly to evade the latest security updates

In June, we saw two examples of how quickly cyber criminals can adopt to change. Security updates to both Macs and Windows held hackers back only long enough for them to create new variants that allowed them to resume active attacks on the same fixed vulnerabilities a few hours later.

According to the article, “Apple’s malware detection update circumvented in 8 hours,” malware developers were able to rewrite code overnight to evade the latest Mac updates. In another incident, “Hackers move fast to exploit just-patched IE bug,” just three days after Microsoft patched 11 bugs in Internet Explorer, cyber criminals were exploiting one of the patched vulnerabilities.

With hackers working non-stop to develop new malware and malware variants that can bypass even the most recent updates and signatures, organizations need a solution that doesn’t place a band-aid on known vulnerabilities that criminals can peel off hours later. Security tools like application whitelisting do this by simply preventing the execution of all unauthorized applications.

Poor user updating practices creating unclosed security holes

While security patches have their own challenges keeping cyber criminals from returning to exploit known vulnerabilities (see above), a recent study by G Data SecurityLabs found that users certainly aren’t helping (which is not a surprise to any InfoSec pro).

In the article, “Malware Authors Relying on Poor User Updating Practices,” cyber criminals are taking advantage of users’ negligence around installing the latest security updates. As a result, hackers are targeting both current and older unclosed security holes, said Ralf Benzmüller, head of G Data SecurityLabs.

“Even though an enormous number of program updates are being provided, users should not be fooled into deactivating automatic update functions. Not only does this apply to Java, but it should also apply in general to all browser plug-ins used and all applications installed on the PC.”

Whitelisting a top strategy for combating modern malware attacks

As cyber criminals exploit any vulnerability they can to infect corporate networks, implementing security strategies that stop targeted attacks that quietly stealing sensitive data is critical for combating modern day cyber threats.

The article, “Top five strategies for combating modern computer security threats,” outlines some techniques for protecting computer systems from unauthorized and malicious software from exploiting a user’s laptop or computer. One of the recommended solutions is application whitelisting.

While there are valid concerns around preventing attacks like memory exploits and handling dynamic environments without impacting user and IT productivity, advancements in leading whitelisting solutions have resolved these issues to provide Total Application Control (TAC) that allows organizations to proactively defend their network endpoints from modern malware attacks.

A key goal of today’s cyber attacks: Establishing a “persistent point of presence”

Today’s cyber criminal is not your stereotypical crook who breaks in, steals the loot, and gets out as fast as he can. According to Gartner analyst John Pescatore, the goal behind many of today’s attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on and steal information.

“A common thread through many damaging incidents is targeted executables getting installed on critical servers or high value employee PCs.”

In the article, “Attacks on IMF, Lockheed and others highlight need for defenses against targeted attacks,” a recent rash of successful cyber attacks against supposedly secure organizations has prompted the need for enterprises to deploy stronger defenses to protect their networks against highly targeted and persistent threats. Using whitelisting products alongside other AV tools to automatically block any unapproved applications from running on a system is one way to defend endpoints against custom Trojans that have been seen in many recent attacks.

Thanks for reading this month’s recap on some of the security industry’s biggest stories. I encourage you to regularly stop by to read our blog. Your thoughts on these important stories are always welcome.

On one hand, whitelisting stops all unauthorized applications from running, essentially blocking any malicious/unauthorized software from executing on all network endpoints–regardless of whether it was a previously known application/attack or a new, unknown one. But as Richard Stiennon observes, simple whitelisting can be too restrictive and potentially require too much administrative overhead to maintain. On the other hand, blacklisting stops known bad applications from exploiting a system, but lets programs execute on a system by default if they are not on the blacklist. This reactive approach means users can execute software, including malicious attachments, thereby leaving networks and data vulnerable until after a threat is identified. Blacklisting also forces a steady stream of patching requirements and fire-drill reactions that become a black hole of IT time and money (e.g., trouble shooting poorly functioning machines, reimaging and even purchasing new systems prematurely).

As the whitelisting versus blacklisting debate rages on, instead of focusing on the limitations or weak points of each technology, what we should really be discussing are the strengths that these two fraud detection super powers bring to the table — and when used together — can help organizations gain complete control over all applications across their enterprise. CoreTrace calls this Total Application Control (TAC). (Basically, we need to create the “Blue Ocean” strategy for endpoint security. If you are unfamiliar with the concept/book, check out: www.blueoceanstrategy.com.)

First, we need to clear some of the misconceptions that many still have, such as whitelisting being the same as “lockdown,” or that it doesn’t include cloud-based blacklists. The truth is, today’s leading application control solutions like CoreTrace Bouncer have evolved beyond straightforward whitelisting functionality. They’ve addressed the shortcomings around basic application whitelisting and blacklisting products by leveraging both technologies to provide the visibility organizations require to see all known good and bad applications in their environment. For a solution to achieve Total Application Control, it minimally needs to include three essential components:

1. Application Whitelisting: Whitelisting on all endpoints as the enforcement mechanism to ensure established policies are enforced and all unauthorized applications are prevented.

2. Change Management: The ability to seamlessly handle change (new authorized applications and upgrades) even in dynamic environments without impacting IT production or user productivity.

3. Cloud-based Whitelists… and Blacklists: Cloud-based reputation service to assign risk profiles to all applications, including identifying known-good applications and any known pieces of malware. “Cloud-based” is key phrase: use the information in a offline capacity, so as to not impact system performance with onerous scans.

I’ve often wondered if hackers are taking full advantage of the rhetoric that goes on between competitive security vendors, who despite having the same anti-malware objectives, continue to create a cloud of confusion throughout the industry that actually stalls innovation, and new proactive ways to defend networks against more dangerous modern malware. Maybe bringing longtime adversaries like whitelisting and blacklisting together to create Total Application Control is the last thing cyber criminals want to see. We certainly think so.

So stop debating and start controlling your systems with a blend of the top defense mechanisms. Move past confusion and into enlightenment and receive all the control and performance benefits of whitelisting with the reporting and compliance benefits of offline blacklisting.

That said, what continues to baffle me is the ongoing practice of re-applying beatable security technologies to evolving malware, and expecting a different outcome. Time and time again, we’ve seen how increasingly ineffective traditional anti-malware products like antivirus software are at stopping modern attacks.

More recently, we’re seeing how cyber criminals can rapidly rewrite code overnight to evade even the latest security updates. The article, “Apple’s malware detection update circumvented in 8 hours,” shows us how quickly malware developers are creating new variants that can bypass security updates mere hours after the update is available. But this doesn’t apply to Macs alone. I’ve also recently talked about the Microsoft security update that was out all but three days before hackers were conducting active attacks on the same patched vulnerability.

The way I see it, it’s wrong to apply a known broken security approach to any platform, but especially wrong to do so on new ones. Whether it is a Mac, Linux, tablet or smartphone, why on earth would you use an old, ineffective approach to secure a new platform?? Doing so puts your network endpoints and critical business data at risk, and it gives cyber criminals the upper hand.

Putting short-term fixes on long-term problems is not the answer. Instead of deploying reactive solutions and hoping for the best, we need to approach IT security with a proactive vision in mind. We need a solution that provides proactive security, minimal performace impacts and clear visibility / risk profiling of all applications installed in our environment. What we need are application control solutions like CoreTrace Bouncer.

In the article, “Hackers move fast to exploit just-patched IE bug,” Symantec reported that after Microsoft issued a patch for 11 bugs in Internet Explorer last week, active attacks were spotted on one of the “patched” vulnerabilities just three days later. Although the vulnerability has seen limited attacks at this point, it is another in a long line of examples that demonstrate why enterprises need multiple layers of protection–most of which truly need to be completely out of the hands of users.

What good are security updates if hackers can jump right back in and exploit the same vulnerability? Honestly, the impact of an unpatched vulnerability would be significantly less if the endpoint protection (specifically antivirus technology) was effective at stopping the payload. As is becoming more and more evident, this is not the case. Traditional antivirus solutions are continuing to fall further behind in stopping the growing volume of malware exploits and variants.

[Time for the shameless plug. You can exit now if you don't want to know how to help actually solve the dilemma.]

Rather than reactively patching or depending on blacklists to identify and stop the tens of thousands of new online threats that come along each day (60,000 a day, according to Gartner), organizations need to take a proactive approach to not only protect their endpoints from all known and unknown malware threats, but also gain total application control of their systems to allow only what they want to run on their networks at all times.

CoreTrace’s Bouncer application whitelisting solution does this by providing complete insight and control over all installed applications across a highly distributed environment. By combining total application control with advanced, non-intrusive self-defending mechanisms, Bouncer helps organizations stop all known bad and unauthorized applications from running on any endpoints–including those that exploit a known, unpatched vulnerability.

One of the recommended techniques for protecting computer systems from unauthorized and malicious software is application whitelisting. Clearly, we are biased, but we completely agree more with those across the industry (including the author of the article) who are recognizing the anti-malware benefits of application whitelisting over reactive blacklisting products.

Furthermore, we also agree with some of the cited shortcomings around basic application whitelisting technologies. For example, solutions must be able to prevent attacks that “subvert known good applications” like memory exploits. Solutions must also be able to handle dynamic environments without frustrating users or killing IT productivity–unless they are simply lockdown mechanisms for “static” environments like POS terminals, control systems and ATMs (though these systems are really less “static” than most would realize).

While these are valid concerns if all you are looking at is a whitelisting product, leading solutions like CoreTrace Bouncer have evolved beyond simple whitelisting and into “Total Application Control” (TAC) solutions. TAC solutions include enforcement mechanisms that prevent memory exploits and other attacks against authorized applications. TAC solutions also have trusted change mechanisms to address dynamic environments, provide intelligence about all installed applications and assess application risk via cloud-based reputation services. TAC includes learning/assessing what is in your environment, planning and establishing policies, and then enforcing those policies on the endpoint.

In short, application whitelisting at its core is an excellent anti-malware enforcement mechanism to protect endpoints from modern malware attacks. But it is only the first rung on the ladder to Total Application Control.