LAS VEGAS – One consensus at the Black Hat security conference this week is that endpoints, even corporate-owned and managed devices, should be considered hostile. This is in keeping with numerous SANS surveys that I have overseen as editor-in-chief of the SANS Analyst Program.
In the case of user endpoints (corporate- and employee-owned), the real issue is users clicking phishing links and falling victim to drive-by downloads, based on a new survey (sponsored by Check Point) that SANS is releasing August 11 during a live webcast (link here: https://www.sans.org/webcasts/2016-threat-landscape-survey-report-1021820). In it, 46% of respondents reported impactful attacks entering through email phishing links clicked by users, and 41% were able to track impactful attacks back to drive-by downloads.
These trends implicate the browser as one of the top entry points attackers use to get into networks.
Numerous browser exploits, particularly against Safari and Chrome, were demonstrated to go from initial breach to kernel access in a matter of minutes at the $hell on Earth session on the Pwn2Own contest. On Wednesday the $hell on Earth judges announced the eight most innovative browser-to-kernel exploits out of 21 seriously considered entries. (See: https://www.blackhat.com/us-16/briefings.html#$hell-on-earth-from-browser-to-system-compromise.)
The Safari exploits gained kernel control through graphics interfaces, using Java controls and heap overflows, as well as through other means such as attestation exploits and spoofing of diagnostics binaries.
But the 360 Vulcan team's exploit demonstrated against Chrome, which relies on out-of-bounds vulnerabilities in Flash to spoof system tokens and execute kernel-level code on the machine, was identified as the “most dramatic” by the $hell on Earth judges.
With so much of this activity happening in memory, memory forensics techniques and technologies are becoming more important. Multiple other technologies were presented at Black Hat as part of the solution: numerous networking, antimalware and intelligence vendors were positioning themselves as next-gen endpoint protection companies. Some are simply monitoring packets, while others are attempting to redefine endpoint security starting with antivirus.
“Just like firewalls and IDS moved to next generation a few years ago, we need to redefine what next generation antivirus looks like on the endpoint,” says Brian Gladstein, product marketing manager at Carbon Black, an endpoint security company that just acquired Confer, a next-gen AV company.
My guess? There is going to be a lot of confusion over endpoint security – particularly as new types of devices (aka the Internet of Things) demand access to company networks and resources.
So before going on any buying spree for “next gen endpoint and AV,” first assess your risk, along with the efficacy of existing tools and practices. When you do start shopping, ask to see what’s under the hood of these “next gen” technologies, and in particular how they would integrate with your current environment and expand or flex to meet future needs.