Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees' computer systems. This event has sparked the release of Microsoft Security Bulletin MS10-002 - Critical, and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8 and enable DEP (Data Execution Prevention). On January 21, 2010 Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer versions 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 and 7, and there are several people who have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article.)
Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization’s overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.
"Houston, we have a problem"
While all of this sounds great, even those who do implement security in a proactive manner can't just sit around drinking coffee. One important fact to note about this vulnerability is that the initial advice was to upgrade to Internet Explorer 8 and enable DEP; however, even if you are running Internet Explorer 8 the vulnerability still exists until you install the patch. When a vulnerability exists on a high profile target, someone is working on a way to exploit it and keep it secret to profit from it in some way. DEP, even when hardware-based, can be defeated. In fact, there is already one organization claiming to have an exploit that works against DEP protected systems (details are light, and others are claiming some exploits work against IE 8 with DEP enabled). By nature, buffer overflow exploits are unreliable. Someone once described them to me as a "controlled crash", which I thought was an extremely accurate description. If the attackers' goal is to be able to run malware on the target system, which was the case with the recent incident at Google, then why bother with an exploit? There are methods of code execution that do not rely on a vulnerability. For example, Microsoft Office documents support macros that can contain embedded malicious code.
This demonstrates that our defense needs to go much deeper than enabling some protections, such as DEP, and installing updates and patches.
"Start Every Day Pretending You Have Been Compromised"
The quote above was recently reiterated to me by none other than Bruce Potter (founder of the "Shmoo Group"), and I could not agree more. While I don't buy into the whole "Defense In Depth Is Dead" theory (sorry, Bruce), I do think that your defensive layers need to evolve and directly address the problems you are faced with. Client-side exploitation techniques are wildly successful and being thrown at your organization at an alarming rate. Given this threat you should be:
- Patching Client Software - You must have a good handle on which applications are in use on the user's desktop and assert as much control over this as possible. Users should not be able to choose what software is installed on their systems. In most cases, software deployment and management should be centrally managed by the IT department.
- Make Sure Everything Is Patched - Vulnerability management is a key component of your security strategy, as it provides checks and balances. Anything that is labeled "Security" requires a process to make sure nothing is missed. Even if your patch management system reports that all hosts are patched, verify this by scanning hosts for vulnerabilities and performing periodic penetration tests against your environment. Tenable has released a credentialed check plugin that will detect if the MS10-002 patch has been applied. A plugin has also been released that will report systems running Internet Explorer versions prior to version 8.
- Anti-Virus Software - Since anti-virus is largely signature based, it does little to protect against the unknown threats against us, though it does help with the known threats. One suggestion in this arena that can greatly improve the benefits of using this software is to review the alerts on a regular basis and see what is being triggered, then adapt your defenses accordingly. Also, you should be auditing your Anti-Virus software configurations to be certain all systems are being updated with the latest software and definitions.
- Actively Looking for Compromised Systems - Whether you know it or not, there probably are compromised systems in your environment. Right now as you read this, some form of malware or bot has likely infected one of your systems. There are varying levels of compromise; some could be bots that are never able to phone home, but others could be siphoning your organization’s most precious secrets and shipping them off to the competition. The point is, review all of your logs, correlate them from as many sources as you have available and take action accordingly.
- Forensics & Lessons Learned - When you discover a breach, learn everything you can about it. How did it infect a system in the first place? How was it able to communicate out of the network? How did it live on the infected host without being discovered? Once you've answered these questions, go back and fix what went wrong. Put a process in place to solve the problems in your defenses, then choose tools to help you implement those processes moving forward.
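The "verify the patch system's claims with a scan" step above, as an added example (not Tenable's plugin code and not from the original post). It reconciles two constructed CSV exports: what a patch-management console claims about MS10-002 and what a credentialed scan actually observed, including the Internet Explorer version. The column names and the sample hosts and version strings are assumptions made for the example.

```python
"""Reconcile a patch-management report with credentialed scan results.

Added example, not Tenable's plugin code. Both inputs are constructed CSV
samples standing in for (a) the patch system's export claiming hosts are
patched for MS10-002 and (b) what a credentialed scan actually observed.
"""
import csv
import io

# Constructed sample: what the patch-management console claims.
PATCH_REPORT = """\
host,ms10_002_status
ws-001,installed
ws-002,installed
ws-003,installed
ws-004,installed
"""

# Constructed sample: what a credentialed scan observed on each host.
SCAN_RESULTS = """\
host,ie_version,ms10_002_installed
ws-001,8.0.6001.18702,yes
ws-002,7.0.5730.13,no
ws-003,6.0.2900.5512,yes
ws-005,8.0.6001.18702,yes
"""


def parse_version(text):
    """Turn '8.0.6001.18702' into (8, 0, 6001, 18702) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(patch_csv, scan_csv):
    """Return sorted (host, finding) pairs where the two sources disagree,
    or where the scan shows a condition the patch system does not track."""
    claimed = {r["host"]: r["ms10_002_status"] == "installed"
               for r in load_rows(patch_csv)}
    observed = {r["host"]: r for r in load_rows(scan_csv)}
    findings = []
    for host, claims_patched in claimed.items():
        row = observed.get(host)
        if row is None:
            # The patch system knows the host but the scanner never reached it:
            # the "all patched" claim is unverified for this host.
            findings.append((host, "not_scanned"))
            continue
        if claims_patched and row["ms10_002_installed"] != "yes":
            findings.append((host, "patch_claim_contradicted"))
        if parse_version(row["ie_version"]) < (8,):
            # Hosts still on IE 6 or 7 are the ones the "upgrade to IE 8" advice targeted.
            findings.append((host, "ie_pre_8"))
    for host in observed:
        if host not in claimed:
            # The scanner found a host the patch system does not manage at all.
            findings.append((host, "unmanaged_host"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in reconcile(PATCH_REPORT, SCAN_RESULTS):
        print(f"{host}: {finding}")
```

The point of the two-source comparison is that each source catches a different blind spot: the scan contradicts a false "installed" claim and reveals unmanaged hosts, while the patch system's inventory reveals hosts the scan never reached.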
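The anti-virus alert review and the log correlation recommended above, as one added example (not code from the original post). It parses a constructed AV console export and a constructed proxy log, summarizes which signatures are triggering and on which hosts, flags hosts that contact the same external address at regular intervals (the "phone home" pattern), and ranks hosts for follow-up by combining both sources. The log line formats, regexes, host names and TEST-NET addresses are assumptions made for the example; a real deployment would adapt the two regexes to its own exports.

```python
"""Review AV alerts and correlate them with outbound proxy traffic.

Added example, not code from the post. The AV and proxy log lines below are
constructed samples (TEST-NET addresses); the line formats are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed AV console export: one alert per line.
AV_LOG = """\
2010-01-19 08:12:01 host=ws-002 signature=Trojan.Generic action=quarantined
2010-01-19 08:40:15 host=ws-007 signature=Exploit.HTML.Generic action=detected
2010-01-19 09:05:44 host=ws-002 signature=Trojan.Generic action=quarantined
2010-01-19 10:22:09 host=ws-011 signature=Exploit.HTML.Generic action=quarantined
"""

# Constructed proxy log: timestamp, source host, destination:port, method.
PROXY_LOG = """\
2010-01-19 08:41:00 ws-007 203.0.113.7:443 CONNECT
2010-01-19 08:46:02 ws-007 203.0.113.7:443 CONNECT
2010-01-19 08:51:01 ws-007 203.0.113.7:443 CONNECT
2010-01-19 08:56:03 ws-007 203.0.113.7:443 CONNECT
2010-01-19 08:57:10 ws-002 198.51.100.20:80 GET
2010-01-19 09:00:00 ws-019 192.0.2.55:443 CONNECT
2010-01-19 09:15:00 ws-019 192.0.2.55:443 CONNECT
2010-01-19 09:30:00 ws-019 192.0.2.55:443 CONNECT
2010-01-19 09:31:00 ws-003 198.51.100.9:80 GET
2010-01-19 09:32:30 ws-003 198.51.100.9:80 GET
2010-01-19 10:10:00 ws-003 198.51.100.9:80 GET
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
AV_RE = re.compile(r"^(\S+ \S+) host=(\S+) signature=(\S+) action=(\S+)$")
PROXY_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+):(\d+) (\S+)$")


def parse_av(text):
    """AV export lines -> list of alert dicts (non-matching lines are skipped)."""
    return [{"ts": datetime.strptime(m.group(1), TS_FORMAT), "host": m.group(2),
             "signature": m.group(3), "action": m.group(4)}
            for m in map(AV_RE.match, text.splitlines()) if m]


def parse_proxy(text):
    """Proxy lines -> list of connection dicts keyed by source host and destination."""
    return [{"ts": datetime.strptime(m.group(1), TS_FORMAT),
             "src": m.group(2), "dst": m.group(3)}
            for m in map(PROXY_RE.match, text.splitlines()) if m]


def summarize_av(events):
    """The periodic 'what is triggering' review: alert count and hosts per signature."""
    summary = defaultdict(lambda: {"count": 0, "hosts": set()})
    for e in events:
        summary[e["signature"]]["count"] += 1
        summary[e["signature"]]["hosts"].add(e["host"])
    return {sig: (v["count"], sorted(v["hosts"])) for sig, v in summary.items()}


def find_beacons(conns, min_hits=3, jitter_s=30):
    """Flag (src, dst) pairs with at least min_hits connections whose gaps all
    lie within jitter_s seconds of each other: the regular phone-home pattern.
    Bursty browsing (irregular gaps) does not qualify."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"])].append(c["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            beacons[pair] = {"hits": len(stamps),
                             "period_s": round(sum(gaps) / len(gaps))}
    return beacons


def prioritize(events, beacons):
    """Rank hosts by combining both sources: AV alert plus beaconing is high;
    beaconing alone, or an alert the AV only detected but did not quarantine,
    is medium; a cleanly quarantined alert with no outbound pattern is low."""
    actions_by_host = defaultdict(set)
    for e in events:
        actions_by_host[e["host"]].add(e["action"])
    beaconing = {src for src, _ in beacons}
    ranking = {}
    for host in set(actions_by_host) | beaconing:
        not_contained = any(a != "quarantined" for a in actions_by_host.get(host, ()))
        if host in actions_by_host and host in beaconing:
            ranking[host] = "high"
        elif host in beaconing or not_contained:
            ranking[host] = "medium"
        else:
            ranking[host] = "low"
    return ranking
```

On the constructed sample, ws-007 ranks high: the AV only "detected" an exploit page and the host then began connecting to one external address every five minutes. ws-019 has no AV alert at all but shows the same regular pattern, which is exactly the case a signature-only review would miss. Tune `min_hits` and `jitter_s` to the log volume and the polling behaviour of legitimate software in your environment before trusting the medium tier.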