Cracking the Endpoint: Insider Tips for Endpoint Security

Post on 03-Oct-2020

eGuide: Designing a Continuous Response Architecture

eBook

Table of Contents

Introduction
Your Endpoints Are Vulnerable
How Vulnerable is Your Endpoint Software?
Social Engineering
Zero-Day Initiative
The Cyber Kill Chain
Inside the Head of an Attacker
Insider Tips for Endpoint Security
The Endpoint in Focus
Stopping Attacks at Delivery
How Bit9 Can Help
Summary


Introduction

Despite decades of attacks, many organizations continue to struggle with the fundamentals of endpoint security. IT organizations, large and small, still wrestle with basic endpoint questions: what applications are running in their environment, who has administrative privileges, and what versions of software are installed on endpoints.

In today's dynamic security landscape, each new day brings new and different threats targeting your organization. Cyber criminals are more sophisticated than in days past and are launching higher-profile, more coordinated attacks against specific organizations of interest. Over the past 18 months, these attacks have reached new heights as breaches across the retail, financial, entertainment, and healthcare sectors have caught the eye of the media and, for the first time, the general public. While media attention has focused on large-scale attacks, the vast majority of attacks continue to be aimed at small and medium businesses.

As the threat landscape has evolved, corporate servers and endpoints, and the employees operating them, have become the primary target of attack.

This eBook outlines the strategies and tactics cyber criminals use to attack corporate endpoints and servers, and provides strategies and solutions your organization can use to arm its endpoints against these attacks.

"71 percent of attacks target user devices and this percentage continues to grow each year."

— Verizon 2013 Data Breach Investigations Report


Your Endpoints Are Vulnerable

While the motivation behind individual attacks may vary, the objective is always the same: to steal your organization's most valuable data.

In the past, the impact of cybercrime was limited to the individual level, with limited strategic scope or impact. With the rise of organized cybercrime and state-sponsored actors, attacks today have organizational, even national-security-level, impacts.

Since 2009, servers and end-user endpoints have become the preferred point of entry for cyber criminals seeking a foothold in your corporate network. As a defender, it is useful to understand this, as it can shed light on gaps in your current security program and where you need to implement extra protection.

As the crown jewels of corporate data, servers have always been the number one asset cyber criminals want to breach. However, as organizations adopt cloud and other web-powered services, end-user devices are growing in favor: they can often serve as a backdoor into an organization's servers, and they are more likely to be operated by individuals susceptible to social engineering attacks.

[Figure 1: number of breaches by affected asset (Server, Kiosk, Person, Network, User Devices), 2009 to 2013; vertical axis 0 to 800. Source: Verizon 2014 Data Breach Investigations Report]


How Vulnerable is Your Endpoint Software?

Cyber criminals often leverage vulnerabilities in software already running on a system to gain access and establish persistence on a machine.

Figure 2 lists the top 15 programs from Secunia's 2014 Vulnerability Review, Top-50 Software Portfolio. It shows the type of program (Microsoft® or third party), the 2013 market share, and the number of vulnerabilities affecting each program in 2012 and 2013.

For example, Adobe Reader, with an 85.6 percent market share, had:

+ Five Secunia Advisories (an approximation of the number of security events in a given period)
+ 67 Common Vulnerabilities and Exposures entries (CVEs: the dictionary of publicly known information security vulnerabilities and exposures)
+ 67 in the Secunia Vulnerability Count (VULNS: the number of vulnerabilities covered by the Secunia Advisories)

We all remember when Adobe announced in October 2013 that its systems had been compromised; eventually 38 million accounts were affected.

According to the same report, 1,208 vulnerabilities were discovered in 27 products from seven desktop vendors in 2013, including the most used operating system, Microsoft Windows® 7. This is a 45 percent increase over the five-year trend and a four percent increase from 2012 to 2013. In addition, 68 percent of the 2013 vulnerabilities were rated Highly Critical, while 7 percent were rated Extremely Critical.

Figure 2: The Top Software Portfolio (Source: 2014 Secunia Vulnerability Review)

Rank  Type  Product                               Share   Advs  CVEs  Vulns
  1   MS    Microsoft XML Core Services (MSXML)   99.9%      1     2      2
  2   MS    Microsoft Windows Media Player        99.4%      1     1      1
  3   MS    Microsoft Internet Explorer           99.1%     14   123    126
  4   MS    Microsoft .NET Framework              99.1%      6    18     18
  5   TP    Adobe Flash Player                    97.5%     12    56     56
  6   MS    Microsoft Visual C++ Redistributable  95.4%      0     0      0
  7   TP    Adobe Reader                          85.6%      5    67     67
  8   MS    Microsoft Silverlight                 84.3%      3     9      9
  9   MS    Microsoft PowerShell                  82.1%      0     0      0
 10   TP    Oracle Java JRE                       82.1%      7   181    181
 11   MS    Microsoft Windows Defender            77.1%      1     1      1
 12   MS    Microsoft Word                        74.9%      4    17     17
 13   MS    Microsoft Excel                       73.8%      3     6      6
 14   MS    Microsoft PowerPoint                  71.7%      1     1      1
 15   MS    Windows DVD Maker                     70.8%      0     0      0

Type: MS = Microsoft, TP = third party. Share = 2013 market share. Advs = Secunia Advisories, CVEs = CVE entries, Vulns = Secunia Vulnerability Count.


Social Engineering

More often than not, cyber criminals target people rather than technology, because people are far easier to manipulate. Why break through a wall if you can convince someone to open the door?

Cyber criminals understand this, so they are increasingly using social engineering and phishing attacks to obtain stolen credentials and open a doorway into corporate networks. According to the Verizon Data Breach Investigations Report for 2013, stolen credentials are used in four out of five breaches.

The reality today is that cyber criminals have learned that the weakest link in the security chain is the end user, who is often naive about social engineering tactics. Whether the device is a mobile device or a traditional endpoint such as a workstation or laptop, cyber criminals are leveraging the end user as a primary vector to gain access: initially to a single system, and ultimately to the larger corporate infrastructure.

For example, the passwords of nearly 6.5 million LinkedIn accounts were stolen by Russian cyber criminals in 2012. Owners of the affected accounts were no longer able to access them, and LinkedIn encouraged its users to change their passwords after the incident. More significant than access to a LinkedIn account is that many users reuse the same password for other online accounts, including their employee log-on. Stealing credentials from one account can therefore give cyber criminals access to corporate networks as well.


Zero-Day Initiative

The Zero Day Initiative (ZDI) is one example of a website that chronicles software flaws that security researchers have discovered, both those already published and those whose advisories are still pending.

Figure 3 shows a portion of the Upcoming Advisories report from the Zero Day Initiative website, listing upcoming vulnerabilities affecting Microsoft and Adobe. Not shown in this snapshot are other vendors, including HP, Motorola, Lexmark, Apple, and SolarWinds, to mention a few. Cyber criminals will often look for vulnerabilities in network management software or other applications used by network engineers or IT professionals who have a high level of privilege. This helps the cyber criminal gain access more quickly to the high-value data they seek to steal.

Figure 3: Zero Day Initiative, Upcoming Advisories

ZDI ID        Affected Vendor(s)  Severity   Reported                 Deadline
ZDI-CAN-2626  Microsoft           CVSS: 6.9  2014-11-06 (1 day ago)   2015-03-06
ZDI-CAN-2610  Adobe               CVSS: 6.8  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2608  Microsoft           CVSS: 5.1  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2607  Microsoft           CVSS: 2.6  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2605  Adobe               CVSS: 5.1  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2602  Adobe               CVSS: 6.8  2014-11-04 (3 days ago)  2015-03-04
ZDI-CAN-2601  Adobe               CVSS: 6.8  2014-11-04 (3 days ago)  2015-03-04


The Cyber Kill Chain

When cyber criminals seek to infiltrate an organization, they follow a sophisticated, well-defined process that enables them to apply their skills effectively, identify their targeted assets quickly, and avoid detection.

To help security practitioners better understand and defend against this process, Lockheed Martin researchers Eric Hutchins, Mike Cloppert, and Rohan Amin developed a model known as the Cyber Kill Chain. Widely recognized as a foundational model for information security, the Cyber Kill Chain is an invaluable tool for helping security professionals understand the process and techniques cyber criminals use to plan and conduct an attack.

While the specifics and flow will vary from one attack to the next, the Cyber Kill Chain provides a model for understanding the techniques cyber criminals will use to break into your environment.

[Figure 4: The Cyber Kill Chain [1], shown as the phases Reconnaissance, Weaponization, Delivery, Exploitation, Command and Control (C&C), and Exfiltration]

[1] http://digital-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain


Phases of the Cyber Kill Chain

Reconnaissance

Smart military planners never act without knowledge of the enemy's defenses and tactics. This is just as true in the domain of cyber warfare, as cyber criminals today spend extensive resources to understand the tactics and environment of their targets.

The first step of reconnaissance is to identify appropriate targets that, if compromised, would meet the attacker's objectives. For example, an attacker seeking to infiltrate a hospital's medical records system may target the system administrator as a likely way to gain access.

After they've selected a target, cyber criminals attempt to gather as much intelligence as possible to inform the next stages of their attack. This can include gleaning information from public websites, social networking, media reports, and other sources. The attackers seek to learn as much as possible about their target before launching any form of attack.

Weaponization

After attackers have identified and researched an appropriate target, they develop a weapon custom-tailored to that target. They analyze the information systems used by the target and select an exploit that affects an operating system or application known to be used by the intended victim. This may include the use of a zero-day exploit, if both required by the technical sophistication of the target and justified by the target's value to the attacker.

Attackers are reluctant to use zero-day vulnerabilities against all but the most valuable targets. Each time they launch a zero-day exploit, they run the risk of the attack being detected and made known to the security community. After this occurs, the zero-day exploit loses its effectiveness as a weapon.

When an exploit is selected, it must be embedded in a delivery mechanism appropriate to the exploit and target. For example, the attacker may embed code exploiting a vulnerability in Adobe Reader in a PDF file; Java exploits may be coded into a website that uses Java technology.

Delivery

After carefully selecting a target and weapon, a cyber criminal must then deliver the weapon to the intended target. Common delivery mechanisms include the following:

+ Sending a carefully designed spear phishing message that tricks the target into clicking a link
+ Placing an infected file on a USB drive and getting it into the target's hands as a gift or leave-behind
+ Storing the infected file on a website known to be frequented by the target
+ Sharing an infected file with the target through a cloud-based file sharing mechanism
+ SQL injection attacks, where the attacker sends malformed data to databases and backend systems via websites and online forms in order to gain access or retrieve data

Unlike the phishing messages some attackers send to large numbers of individuals in the hope of finding a couple of unwitting victims, the spear phishing messages used by advanced threats are carefully designed to look like legitimate email sent directly to the intended victim. They make use of information the attacker gathered during the reconnaissance phase to increase the likelihood that the target will act on the message.


Exploitation

After malware is delivered to a target system, the malware engages the selected exploit mechanism to gain control of the system. The exploit gives the weapon the ability to manipulate the target system with administrative privileges. This level of access enables the weapon to configure system settings, install additional malware, and perform other actions normally limited to system administrators. In many cases the exploit first runs with the privileges of the compromised user or application, and the attacker escalates to administrative rights afterwards; privilege escalation is one of the follow-on steps described later in this eBook.

Command and Control

After a system is compromised, cyber criminals typically attempt to establish outbound connections to command-and-control servers. These command links give attackers a way to communicate with the software on their victim systems without establishing a direct inbound connection.

The connections made to command-and-control servers often use standard HTTPS connections to emulate normal web browsing activity. Because the connections are encrypted, they are hard to distinguish from any other HTTPS connection, other than the fact that their destination isn't a normal website. This approach allows cyber criminals to limit the likelihood of detection by intrusion detection systems monitoring traffic on the victim organization's network.

In addition to bypassing intrusion detection systems, the command-and-control connection is also designed to evade firewall controls on the victim network. While most network firewalls are set to block unsolicited inbound connections from the Internet, they often allow unrestricted or minimally restricted access to Internet sites when a system on the internal network initiates the connection. The attacker may then use this command-and-control connection to deliver instructions to the compromised system.

Exfiltration

The ultimate goal of the attack, exfiltration, is the theft and removal of corporate or consumer data from your network. Having established persistence, the cyber criminal can and will remain inside your corporate network for weeks, months, or years at a time, slowly exfiltrating organizational data. Today it takes organizations on average more than 200 days to detect an attack, giving attackers more than enough time to identify, steal, and exfiltrate large amounts of critical data.


Inside the Head of an Attacker

To help you understand how each of these phases is executed, we will describe a fictional attack so you can see the Cyber Kill Chain in action.

Step 1: Reconnaissance

Joe is a hacker looking to infiltrate Company X. He uses LinkedIn to identify employees who work there, focusing primarily on the company's engineers. He starts to stalk some engineers on LinkedIn, Twitter, Facebook, and their blogs. He sees that several of the engineers announce on Foursquare when they go to the Starbucks location next to their company headquarters for lunch. Joe goes to this Starbucks and watches the engineers work on their laptops. He starts to sniff traffic using tools like Firesheep and sees some of the basic information the engineers are sending across the untrusted network.

Soon, Joe is grabbing data off the open network. He now has a few email addresses and knows which web sites the engineers are visiting, including techstuff.com. With more reconnaissance work on LinkedIn, Google Groups, and Facebook, and with Maltego, Joe knows who knows whom and begins to build an idea of how these engineers operate and what goes on in their lives.

Joe then calls the organization's help desk and gets information about the standard builds on the company's endpoints. He goes to online support forums to see if any of these engineers have ever posted anything.

Step 2: Weaponization and Delivery

Once Joe has enough information, he is ready to take the next step: a spear-phishing attack. This takes the form of a personalized email from engineer #1 (one of the engineers he tracked online at Starbucks) to engineer #2 (Joe obtained this email address during reconnaissance). The email is very personal and very casual. It says, "Hey man, here is a catalog I found for tech stuff and it happens to have a discount code in it, check it out."

Using social media, industry events, and information on the company website, Joe will work hard to embellish the "lure" in this spear-phishing tactic to build a message that appears familiar and relevant to the target. In some extremely sophisticated attacks, Joe may even attend corporate or industry events in which the target participates.

[Figure callouts on the sample email: Captured: Email address ([email protected]); Friend's email ([email protected]); Interests (www.techstuff.com). The sender address is annotated "Spoofed, of course" and the link "Most certainly clicking here".]


With a tailored subject line and message, the "lure" will contain a malformed document, perhaps a spreadsheet, or it will prompt the recipient to visit a dummy website or run a program.

If the engineer does not take the initial lure, Joe will keep trying him at different times with tweaked subject lines, messages, and payload vehicles.

Step 3: Exploitation

When engineer #2 clicks on the spear phishing email link, the attachment is not an ordinary PDF but an evil PDF with embedded malicious code that secretly drops an unknown malicious payload onto engineer #2's machine. Opening this PDF kicks off a chain reaction that provides Joe with a foothold into the corporate environment and achieves his necessary first step, persistence. This chain reaction can include the dropping of additional payloads, automated lateral movement to other machines on the network, and ultimately an attempt to connect out of the network, on a different communication channel, back to Joe to kick off Step 4, command and control.

Step 4: Command and Control

Having infected engineer #2's machine and successfully established both persistence on the system and outbound connectivity, Joe is able to step into the driver's seat. With outbound connectivity and remote control over engineer #2's system, Joe can now initiate a plethora of further malicious activities to advance his goals.

He could begin recording engineer #2's activity and conversations by copying emails and keystrokes, or even by accessing the computer's camera and microphone. He could attempt to move laterally and establish additional infections on corporate servers or on another high-value user's machine, such as an executive's, to gain access to log-in credentials or files of particular interest or value.

Step 5: Exfiltration

Once Joe has located the targeted data, he will begin leveraging his C&C connections to exfiltrate it. This could be done in a single push, but is more commonly done over a period of weeks or months to avoid detection.

Having established persistence within the network, Joe will often bounce between Step 4 and Step 5 as new information of value is discovered or as new infections are made. The key point to understand is that the advancement of an attack to Step 5, the exfiltration of data, does not constitute the end of the attack. In fact, it can often be just the beginning, as attackers continue to leverage their foothold to steal new information or compromise additional systems, both inside and outside your organization.


Insider Tips for Endpoint Security

In order to detect and stop cyber attacks, you must have "empathy" with the cyber criminal: get into the head of the attacker and figure out how he or she thinks. As in a combat situation, it is useful to think like your adversary and to have a model, such as the Cyber Kill Chain, to align your defense with the realities of the war you are fighting.

Bear in mind that you have the home-field advantage and can acquire various tools to detect and deny attacks by disrupting or degrading the attack and deceiving the cyber criminal. Your objective is to respond to attacks by actively engaging with the cyber criminal. In this way, you can reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

The Reconnaissance Phase

The reconnaissance phase is an important part of this model for the cyber criminal, but unfortunately you, as the victim, do not have a view into it. If a cyber criminal is using Shodan, Google, or sites like LinkedIn to get information about you, you do not necessarily know it. However, you can use one little trick to get a clue that somebody is doing reconnaissance on you.

For example, Frank, a security professional, knows that cyber criminals search technical forums looking for instances where administrators have been careless when asking questions, perhaps posting sensitive data such as a router configuration. Frank put together a fake configuration for a Cisco router, containing an access password and an IP address, and posted it within a question on one of the forums. The fake router config actually pointed to a honeypot that Frank's team had created. When someone came into the honeypot, logging in with the user name and password included in the fake router config, it signaled Frank that someone was actively performing reconnaissance on the company's network.

There are opportunities to detect this kind of behavior if you execute security strategies like this. In addition, you can set up tar pits and make sure that you are alerted when people do Google-style reconnaissance on you.
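The canary-credential trick Frank uses generalizes: plant a different credential pair in every place you seed (each forum thread, each paste), so a hit tells you not just that someone is doing reconnaissance but which posting they harvested. The following is an added example and is not code from the eBook or from Bit9; it assumes a honeypot that writes one line per login attempt in a constructed format (`<time> LOGIN src=<ip> user=<name> pass=<password> result=<ok|fail>`), and the log lines, secret key and planting locations are all made up for the example.

```python
"""Canary credentials for detecting reconnaissance.

Added example (not code from the eBook). It assumes a honeypot that writes
one line per login attempt in this constructed format:
    <ISO-8601 time> LOGIN src=<ip> user=<name> pass=<password> result=<ok|fail>
Everything here, including the log lines, is constructed for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

SECRET = b"rotate-me-per-deployment"  # assumption: per-deployment HMAC key


@dataclass(frozen=True)
class Canary:
    label: str      # where this credential was planted (e.g. a forum thread)
    username: str
    password: str


def make_canary(label: str, secret: bytes = SECRET) -> Canary:
    """Derive a unique, reproducible credential pair for one planting location.

    Deriving from an HMAC means the registry can be rebuilt from the labels
    alone, and two postings never share a password, so a hit attributes
    itself to the exact post the attacker harvested.
    """
    digest = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()
    # Shaped to look like something an admin would plausibly paste into a config.
    return Canary(label, f"netadm{digest[:4]}", f"Cfg!{digest[4:16]}")


LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)


def detect_canary_hits(log_lines, canaries):
    """Return alerts for login attempts that present a planted credential.

    A full match (user and password) attributes the recon to one posting.
    A password-only match is reported too: the password is unique per
    posting, so even with a guessed username it still identifies the source.
    Attempts with credentials that are not ours are generic scanner noise
    and are ignored.
    """
    by_pw = {c.password: c for c in canaries}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a login record
        c = by_pw.get(m["pw"])
        if c is None:
            continue
        kind = "full" if m["user"] == c.username else "password-only"
        alerts.append({"time": m["ts"], "src": m["src"],
                       "planted_at": c.label, "match": kind})
    return alerts


# Constructed sample: two planted configs, both harvested by one recon actor.
CANARIES = [make_canary("forum.example/thread/4471"),
            make_canary("pastebin.example/abc123")]
SAMPLE_LOG = [
    "2014-11-06T09:12:01Z LOGIN src=203.0.113.7 user=admin pass=admin result=fail",
    f"2014-11-06T09:40:17Z LOGIN src=198.51.100.23 user={CANARIES[0].username} "
    f"pass={CANARIES[0].password} result=ok",
    f"2014-11-06T11:02:44Z LOGIN src=198.51.100.23 user=root "
    f"pass={CANARIES[1].password} result=fail",
]

if __name__ == "__main__":
    for alert in detect_canary_hits(SAMPLE_LOG, CANARIES):
        print(alert)
```

Two design points: the credentials are derived from a keyed hash of the planting label, so you never store a list of live passwords and can regenerate the registry at any time; and matching is done on the password alone first, because an attacker who rewrites the username (or tries the config's password against `root` or `admin`) still reveals which posting the password came from.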

The Weaponization Phase

Obviously, as an intended victim, you do not have any direct visibility into this phase. However, it is important that you understand what is happening, as it can provide intelligence you can use to prevent future attacks.

Even the most sophisticated cyber criminals have a tendency to reuse certain toolkits and techniques. If you have an understanding of these, you can leverage this intelligence to detect an attack at the next phase, delivery.

Insider Tip: Leverage intelligence sharing communities, such as ISACs, to stay up to date on the latest cyber war weapons.

Reconnaissance
  Adversary Activity: Research; Identification and Selection of Targets; Website Crawling, Googling, et cetera
  Potential Intelligence for Defender: IP Addresses; Identifying Agent Strings or Referrals; Unique Browser/Crawler Behavior; Areas of Focus

Weaponization
  Adversary Activity: Creating a Deliverable Payload; Scripting Actions; Crafting Phish Bait; Setting Up a Waterhole
  Potential Intelligence for Defender: Trojan Toolkits; Obfuscation Techniques


The Delivery Phase

The delivery phase is the first time an attack comes into your realm of control. This is the point where a spear phishing email is delivered or someone receives a link over Twitter, instant messaging, or Skype. The attack can also be a waterhole attack, or delivery can be multi-staged: for example, the cyber criminal may pose as someone the victim knows and ask a question to entice a conversation over several emails back and forth. Eventually, the cyber criminal sends an email with a link or attachment, the attack payload. It is important that you are aware of these kinds of social engineering tactics.

The Exploitation Phase

Many times, traditional endpoint defenses are incapable of preventing exploitation by advanced attacks. However, there are actions your organization can take to reduce your attack surface, such as rapidly installing updates and patches and deploying application control solutions that allow only trusted software to execute. Regardless of your current capabilities, you can get a decent amount of intelligence from this phase. If you have real-time visibility into your endpoints, you will know what vulnerabilities and exploit techniques the cyber criminal used. You can also identify techniques or specific malware signatures that the cyber criminal may reuse on other devices inside your organization.

The exploitation phase is where endpoint security comes into play, because it involves dropping files, making a registry change, stealing a cookie, or any other activity that establishes a persistence mechanism or a potential means of access to your system.

If you can consistently stop a targeted attack at this phase, you can reduce the risk of a data breach. Network defenses, such as sandboxes, can provide a first line of defense. These technologies can give the cyber criminal the impression that he achieved a successful installation, which is a good example of using deception to let the cyber criminal think he actually reached the C&C phase. Ultimately, though, you must secure the endpoint, as it is the primary target of an attack. Unfortunately, in most cases sandboxing will not stop an application from executing in your environment, but it can help you identify malicious activity faster. Ideally, your organization should deploy an endpoint solution that integrates with your network security defenses to coordinate the identification and blocking of malicious software.

Delivery
  Adversary Activity: Transmission of Weapon to Target Environment; Sending an Attachment via Email; Sending a Link via Twitter, IM, Email; Attacking a Webserver; Might Be Multi-Stage
  Potential Intelligence for Defender: IP Addresses; Hostnames; Email Senders; Identifying Browser Information; Handles on Twitter, IM, etc.; Payload Characteristics; Filenames; Targeted Individuals; and more

Exploitation
  Adversary Activity: Weapon Will Exploit a Vulnerability or Flaw; Tricking a User; Installation of RAT or Backdoor; Change to System Configuration
  Potential Intelligence for Defender: Vulnerability Details; Exploit Techniques; Social Engineering Techniques; Details of Malware; Changes to System Configuration


Command and Control Phase

This phase is your last chance to stop an attack before the attacker gains control of the compromised system and the rest of your network is put at risk. Using available tools, you can detect when something beacons out and block it, or detect when something beacons out and quarantine the host. Either way, you break the kill chain. While IP blacklisting and IP anomaly detection systems can help, cyber criminals have developed increasingly sophisticated techniques to evade these types of traditional network alerting systems.
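Because a blacklist only catches destinations you already know about, the more durable signal is the one the eBook names: the implant "beacons out" on a timer, over HTTPS, to a host that is not a normal website. That regularity can be detected from the proxy or firewall log without knowing the destination in advance. The example below is added here and is not code from the eBook or from Bit9; it assumes a constructed log format of one outbound connection per line (`<epoch seconds> <source ip> <destination host> <bytes sent>`), a small allowlist of services that legitimately poll on a timer, and log lines that are made up for the example.

```python
"""Beacon detection over outbound connection logs.

Added example, not code from the eBook. It assumes a proxy or firewall log
with one outbound connection per line in this constructed format:

    <epoch seconds> <source ip> <destination host> <bytes sent>

Suspected beacons are found from timing regularity per (source, destination)
pair rather than from destination reputation, since IP blacklists alone are
evaded. All log lines below are constructed for the example.
"""
import statistics
from collections import defaultdict

# Assumption: destinations that legitimately poll on a timer (update and mail
# services) are listed here so they do not drown out real alerts.
KNOWN_PERIODIC = {"update.example.com", "mail.example.com"}


def parse(lines):
    """Yield (ts, src, dst, bytes_out) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def _cv(values):
    """Coefficient of variation: spread relative to the mean (0 = perfectly regular).

    An all-zero series (e.g. empty heartbeats) counts as perfectly regular;
    a zero mean with non-zero values cannot happen for gaps or sizes.
    """
    mean = statistics.mean(values)
    if mean <= 0:
        return 0.0 if not any(values) else float("inf")
    return statistics.pstdev(values) / mean


def find_beacons(lines, min_hits=6, max_gap_cv=0.25, max_size_cv=0.5):
    """Return suspected beacons as (src, dst, median_gap_seconds, hits).

    A pair qualifies when it has at least `min_hits` connections whose
    inter-arrival times are regular (coefficient of variation <= max_gap_cv,
    which tolerates the modest jitter real implants add) and whose request
    sizes are also regular (a heartbeat carries almost the same payload each
    time). Pairs to KNOWN_PERIODIC hosts are skipped.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse(lines):
        by_pair[(src, dst)].append((ts, nbytes))

    beacons = []
    for (src, dst), events in by_pair.items():
        if dst in KNOWN_PERIODIC or len(events) < min_hits:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [n for _, n in events]
        if _cv(gaps) <= max_gap_cv and _cv(sizes) <= max_size_cv:
            beacons.append((src, dst, statistics.median(gaps), len(events)))
    return beacons


SAMPLE_LOG = [
    # implant on 10.0.0.5 checking in roughly every 300 s with small, fixed-size posts
    "1000 10.0.0.5 cdn-static.example.net 512",
    "1305 10.0.0.5 cdn-static.example.net 520",
    "1598 10.0.0.5 cdn-static.example.net 508",
    "1902 10.0.0.5 cdn-static.example.net 515",
    "2199 10.0.0.5 cdn-static.example.net 511",
    "2497 10.0.0.5 cdn-static.example.net 509",
    "2810 10.0.0.5 cdn-static.example.net 518",
    "3101 10.0.0.5 cdn-static.example.net 514",
    # the same user browsing a news site: bursty timing, widely varying sizes
    "1010 10.0.0.5 news.example.org 1200",
    "1013 10.0.0.5 news.example.org 340",
    "1250 10.0.0.5 news.example.org 88000",
    "1251 10.0.0.5 news.example.org 2300",
    "1800 10.0.0.5 news.example.org 150",
    "2900 10.0.0.5 news.example.org 4100",
    "2950 10.0.0.5 news.example.org 900",
    # a legitimate update client on another host, exactly every 600 s
    "0 10.0.0.9 update.example.com 200",
    "600 10.0.0.9 update.example.com 200",
    "1200 10.0.0.9 update.example.com 200",
    "1800 10.0.0.9 update.example.com 200",
    "2400 10.0.0.9 update.example.com 200",
    "3000 10.0.0.9 update.example.com 200",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for src, dst, gap, hits in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {hits} hits, median interval {gap:.0f}s")
```

Only the implant's pair is reported: the browsing traffic fails both regularity tests, and the update client is suppressed by the allowlist. The thresholds are starting points, not constants; tune `max_gap_cv` upward if your environment's implants of concern add heavy jitter, and keep the allowlist short, since every entry is a place a beacon could hide.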

Exfiltration

This is the final phase of the Cyber Kill Chain. The cyber criminal now has a foothold on an endpoint or a server and owns that machine. He is exfiltrating data out of your organization. At this point, you have been breached and the Cyber Kill Chain ends. Now the question you ask yourself is not "Will there be damage?" but rather "How great will the damage be?"

From this point, the cyber criminal can go many different ways. For example, he might:

+ Focus on privilege escalation and getting information off the machines he has compromised
+ Start scanning or trying to enumerate the network from the inside
+ Use this opportunity to study the network in order to launch a more complex attack
+ Attempt to use credentials he has already stolen

Adversary Activity:
  Research
  Identification and Selection of Targets
  Website Crawling, Googling, et cetera

Potential Intelligence for Defender:
  IP Addresses
  Identifying Agent Strings or Referrals
  Unique Browser/Crawler Behavior
  Areas of Focus

Adversary Activity:
  Achieve Original Objectives
  Privilege Escalation
  Internal Reconnaissance
  Lateral Movement
  Data Collection
  Data Exfiltration

Potential Intelligence for Defender:
  Adversary's Information Targets
  Additional Tools Used


The Endpoint in Focus

There are several ways you can prevent exploitation. First, minimize your attack surface by keeping software up-to-date and implementing solutions that only allow trusted software to execute. In the past, when Microsoft released security updates and patches, most IT teams installed them on a handful of workstations or non-essential servers and waited for two weeks before installing the update across the entire fleet. Today, that is not the case. When security updates drop, you must get them in place within 24 hours for servers and 48 hours for desktops.

Today, Microsoft does extremely good regression testing and we do not see security updates that have a major operational impact. However, if you are six months behind in updates, that may not be the case, which is another reason why we recommend that you stay on top of updates and patches. It is worth investing time to achieve the level of operational excellence you need to get updates and patches installed quickly.

When Microsoft makes its Patch Tuesday announcements, always refer to its Exploitability Index. This helps you prioritize security bulletin deployment by providing information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited [2]. If you see something that is potentially exploitable, even if it has not been seen in the wild [3], you can assume it will be exploited quickly.

To prevent the installation of malware, there are several approaches that vendors incorporate into their security solutions:

+ Signature-based Blacklisting

+ Application Containers

+ Trust-based Application Control

Figure 5: Example of an Exploitability Assessment

  Bulletin: MS14-xxx
  Vulnerability Title: Use After Free Vulnerability
  CVE ID: CVE-2014-XXXX
  Exploitability Assessment for Latest Software Release: 2 - Exploitation Less Likely
  Exploitability Assessment for Older Software Release: 1 - Exploitation More Likely
  Denial of Service Exploitability Assessment: Temporary
  Key Notes:

[2] http://technet.microsoft.com/en-us/security/cc998259.aspx
[3] http://searchsecurity.techtarget.com/definition/in-the-wild
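The two rules above (deploy within 24 hours on servers and 48 hours on desktops; treat anything rated "Exploitation More Likely" on any software release as if it will be exploited quickly) can be turned into a deployment queue directly from rows shaped like Figure 5. The script below is an added example, not code from the eBook or from Microsoft; the bulletin rows are constructed (the first mirrors Figure 5, the other two are invented placeholders), the release time is constructed, and ranking by the worst index across the latest and older releases is an assumption. The index values follow Microsoft's published scale, in which a lower number means exploitation is more likely (1 = More Likely, 2 = Less Likely, 3 = Unlikely); only 1 and 2 appear on the page.

```python
"""Turn Exploitability Index assessments into a patch deployment queue.

Added example, not from the eBook. Row layout follows Figure 5; the
24 h server / 48 h desktop windows follow the text; rows are constructed.
"""
from datetime import datetime, timedelta

# Hours from bulletin release within which the patch must be in place (from the text).
PATCH_WINDOW_HOURS = {"server": 24, "desktop": 48}

# Constructed Patch Tuesday release time used for the demo.
RELEASE = datetime(2014, 11, 11, 18, 0)

# Constructed rows. Index values use Microsoft's scale: 1 = Exploitation More
# Likely, 2 = Exploitation Less Likely, 3 = Exploitation Unlikely.
BULLETINS = [
    {"bulletin": "MS14-xxx", "title": "Use After Free Vulnerability",
     "cve": "CVE-2014-XXXX", "latest": 2, "older": 1},
    {"bulletin": "MS14-yyy", "title": "Information Disclosure (constructed)",
     "cve": "CVE-2014-YYYY", "latest": 3, "older": 3},
    {"bulletin": "MS14-zzz", "title": "Remote Code Execution (constructed)",
     "cve": "CVE-2014-ZZZZ", "latest": 1, "older": 1},
]


def priority(row):
    """Lower number deploys first; the worst index across releases wins,
    because a fleet usually still runs some older software."""
    return min(row["latest"], row["older"])


def build_queue(rows, released_at=RELEASE):
    """One task per (bulletin, asset class), sorted by priority then deadline."""
    tasks = []
    for row in rows:
        for asset, hours in PATCH_WINDOW_HOURS.items():
            tasks.append({
                "bulletin": row["bulletin"],
                "cve": row["cve"],
                "asset_class": asset,
                "priority": priority(row),
                "deadline": released_at + timedelta(hours=hours),
            })
    tasks.sort(key=lambda t: (t["priority"], t["deadline"]))
    return tasks


def hours_after(hours, released_at=RELEASE):
    """Clock value 'hours' after release, for checking the queue against the SLA."""
    return released_at + timedelta(hours=hours)


def overdue(tasks, now):
    """Tasks whose deployment window has already closed at time 'now'."""
    return [t for t in tasks if now > t["deadline"]]


if __name__ == "__main__":
    queue = build_queue(BULLETINS)
    for t in queue:
        print(t["priority"], t["bulletin"], t["asset_class"], t["deadline"].isoformat())
    print("overdue 30 h after release:",
          [(t["bulletin"], t["asset_class"]) for t in overdue(queue, hours_after(30))])
```

Feeding the queue into the change-management process gives each bulletin a concrete deadline per asset class, and the overdue check is the measure of the "operational excellence" the text asks for.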


Signature-based Blacklisting, or traditional anti-virus software, stops malware installation based on a default-allow approach. This means the software has a list of known bad conditions, and if an attack matches a bad condition, the anti-virus software will not allow it to run.

Today, the blacklist approach is rarely effective and only of real use against nuisance malware. Advanced cyber criminals will use various packing techniques to get past most antivirus software and go undetected. While there is no reason not to filter against known bad, you cannot count on it as your only approach, and it should be integrated with signature-less approaches to advanced threat prevention, such as application whitelisting.

Application Containers are an increasingly popular approach, and leading endpoint providers offer integrations to take advantage of network-based sandbox technologies. While containers can be useful, most of these solutions do not natively protect your organization's endpoints from advanced attacks. While a few select vendors have attempted to bring containers, or micro-virtualization, to the endpoint, these solutions are often Windows-only and even then protect only a select list of applications. With these limitations they cannot stop all zero-day attacks or attacks targeting vulnerabilities in unprotected applications.

Last, and most important, there are trust-based approaches that stop the installation of malware based on a default-deny approach. For any application or condition to run, it has to be approved by name, by publisher, by reputation, or via other mechanisms. Proven to be effective against advanced attacks, trust-based solutions are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.
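The difference between the default-allow blacklist and the default-deny trust model shows up as soon as a known sample is repacked: its hash changes, so a blacklist no longer recognizes it, while a default-deny policy still refuses it because nothing vouches for it. The script below is an added example written for this section; it is not code from the eBook or from Bit9's product. The file contents, hashes, publisher name, reputation scores and the order in which the trust rules are consulted (approved hash, then trusted publisher, then reputation threshold) are all constructed assumptions.

```python
"""Blacklist (default-allow) versus trust-based (default-deny) execution policy.

Added example, not from the eBook or any vendor product. File contents,
publishers, reputation scores and rule order are constructed assumptions.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "binaries": a known-bad sample, the same sample after packing
# (different bytes, so a different hash), and an approved internal tool.
KNOWN_BAD_BYTES = b"MZ...constructed-malware-sample..."
REPACKED_BYTES = b"MZ...same-malware-after-packing..."
LINE_OF_BUSINESS = b"MZ...approved-internal-tool..."

KNOWN_BAD_HASHES = {sha256_hex(KNOWN_BAD_BYTES)}       # signature-style blacklist
APPROVED_HASHES = {sha256_hex(LINE_OF_BUSINESS)}        # approved by name/hash
TRUSTED_PUBLISHERS = {"Example Corp Code Signing CA"}   # approved by publisher
REPUTATION_THRESHOLD = 80                                # approved by reputation


def blacklist_decision(data: bytes) -> str:
    """Default-allow: only a hash already known to be bad is blocked."""
    return "deny" if sha256_hex(data) in KNOWN_BAD_HASHES else "allow"


def trust_decision(data: bytes, publisher=None, reputation=0) -> str:
    """Default-deny: the file runs only if some trust mechanism vouches for it."""
    digest = sha256_hex(data)
    if digest in APPROVED_HASHES:
        return "allow (approved hash)"
    if publisher in TRUSTED_PUBLISHERS:
        return "allow (trusted publisher)"
    if reputation >= REPUTATION_THRESHOLD:
        return "allow (reputation)"
    return "deny"


# Constructed execution attempts: (bytes, signing publisher, reputation score).
SAMPLES = {
    "known_malware": (KNOWN_BAD_BYTES, None, 5),
    "repacked_malware": (REPACKED_BYTES, None, 5),
    "internal_tool": (LINE_OF_BUSINESS, None, 50),
    "signed_vendor_app": (b"MZ...vendor-app...", "Example Corp Code Signing CA", 95),
}


def compare(samples):
    """Return {name: (blacklist verdict, trust-based verdict)} for each sample."""
    return {name: (blacklist_decision(data), trust_decision(data, pub, rep))
            for name, (data, pub, rep) in samples.items()}


if __name__ == "__main__":
    for name, (bl, tr) in compare(SAMPLES).items():
        print(f"{name:18} blacklist={bl:6} trust-based={tr}")
```

The row to look at is `repacked_malware`: the blacklist answers "allow" because the packed hash was never seen, the trust policy answers "deny" because it was never approved. The cost of default-deny is the approval workflow for new legitimate software, which is what the publisher and reputation rules are there to reduce.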

[Figure: New Malware, 2006-2014 (y-axis from 0 to 140,000,000)]

[Figure: Antivirus Detection Rates. Y-axis: % AV vendors detecting (0% to 100%); x-axis: days to detection (0 to 300). Series: 1st Percentile - Least Detected Malware (Advanced Attacks)]


Stopping Attacks at Delivery

A very effective technology to stop attacks at delivery is network detonation. Detonation software, such as FireEye or Palo Alto Networks WildFire, sees executable code coming over the network, determines whether it is malware (based on what it does versus matching against a signature), and, if bad, detonates it. Network detonation software is incredibly useful and moderately effective at protecting activity for devices inside a corporate network. However, network detonation solutions will not protect a device when an employee is working offline, an increasingly common scenario with mobile employees. In addition, many solutions monitor the network passively and are not in line. In these instances, there can be a lag between execution and detonation. This lag can provide an opportunity for an attacker to deploy a secondary payload that can go undetected. To help address this issue, leading endpoint security solutions offer integrations with network detonation services to extend these capabilities beyond the network by sending files from off-network endpoints for analysis.

Even if an employee is working online, bad conditions do not always present initially on the network. If a file comes in over an encrypted tunnel, like SSL, and you do not have an SSL man-in-the-middle, you might not see it. If that file comes in some type of archive, like a ZIP, RAR, or 7Z file for example, the network detonation software cannot examine that archive and will let a bad condition get into the network. Lastly, a USB stick with a Trojan is also going to be first seen at the endpoint.
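The archive case above is the one an endpoint agent can close on its own: once the file is on disk it can be opened, nested archives can be unpacked, and anything that is actually executable can be picked out for detonation regardless of the name it was given. The script below is an added example for this section, not code from the eBook or from any detonation or endpoint vendor. It handles ZIP only (RAR and 7Z need third-party libraries), the nested archive is constructed in memory, the executable detection is limited to the PE and ELF magic bytes, and the depth limit of 3 is an assumption.

```python
"""Look inside archives delivered to an endpoint and list executables for detonation.

Added example, not from the eBook or any vendor product. The nested ZIP is
constructed in memory; "executable" is decided by file magic, not by name.
"""
import io
import zipfile

# Magic bytes of the executable formats this example recognizes (assumption).
EXEC_MAGIC = {
    b"MZ": "pe",          # Windows PE
    b"\x7fELF": "elf",    # Linux ELF
}
MAX_DEPTH = 3  # do not recurse into archives nested deeper than this


def classify(data: bytes):
    """Return the executable kind for the given bytes, or None."""
    for magic, kind in EXEC_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_archive(blob: bytes, path="", depth=0, findings=None):
    """Recursively list executables inside a ZIP blob, by magic bytes.

    Each finding records the member path (outer/inner/...), the detected
    kind and the size; an archive nested past MAX_DEPTH is reported as
    'too-deep' rather than opened, so a recursive bomb cannot run forever.
    """
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append({"path": path, "kind": "too-deep"})
        return findings
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                scan_archive(data, member, depth + 1, findings)
                continue
            kind = classify(data)
            if kind:
                findings.append({"path": member, "kind": kind, "size": len(data)})
    return findings


def build_sample() -> bytes:
    """Constructed delivery: outer.zip -> inner.zip -> 'invoice.pdf' that is really PE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf", b"MZ\x90\x00constructed-not-a-real-pe")
        zf.writestr("readme.txt", b"plain text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("tool", b"\x7fELF\x02constructed")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample()):
        print(finding)
```

The two findings (`inner.zip/invoice.pdf` as PE and `tool` as ELF) are exactly the objects a network sensor would have missed, because it saw only the outer archive; an endpoint integration of the kind the text describes would forward them for detonation.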


How Bit9 Can Help

The Bit9 Security Platform provides real-time visibility, detection, response, and proactive, customizable signature-less prevention from advanced persistent threats. At the heart of the Bit9 Security Platform is a unique policy-driven approach to application control. It combines real-time visibility and a file discovery agent with IT-driven controls, aided by trust ratings from the Bit9 Threat Intelligence Cloud, to help organizations simplify and automate the set-up and administration of a secure whitelisting platform. This results in a customizable application control solution that combines the highest level of advanced threat protection with minimal end-user impact and administrative overhead.

With Bit9, you get three forms of protection:

+ Default-Deny: allows only software you trust to run and treats everything else as suspicious

+ Detonate-and-Deny: Bit9 automatically sends files from endpoints to network detonation services to be detonated and evaluated for suspicious behavior

+ Detect-and-Deny: Leverages advanced threat indicators to identify patterns of compromise and enables a security administrator to identify and ban malicious files where appropriate with little to no end-user impact

To learn more about the Bit9 Security Platform, please visit www.bit9.com/solutions/security-platform


Summary

Today, cyber criminals are more sophisticated, using complex attack strategies and social engineering tactics to get into corporate networks. The reality in today's world is that cyber criminals target your endpoints and end users to gain access to your company's most critical and valuable data. Many times, your employees are not diligent about data protection, are naïve about hacker strategies, or are too trusting in the Internet of Everything world. It is getting more difficult to keep up with cyber criminals' exploits, particularly in large distributed environments where you have thousands of global users.

To ensure the protection of your endpoints, your organization must execute several strategies:

+ Incorporate the Cyber Kill Chain into your strategy. This model will help you identify and determine how far an attack has progressed and where / how the damage occurs.

+ To take advantage of the information you can gather via the Cyber Kill Chain, acquire the tools you need to detect and deny attacks by disrupting or degrading the attack and deceiving and engaging with the cyber criminal. This can help reduce the time it takes to detect and respond to an attack from days or weeks to seconds.

+ Be sure to quickly install updates and patches to reduce your attack surface.

+ To prevent the installation of malware, install an application control solution that only allows trusted software to execute.

Today, there are three types of data protection software:

+ Anti-virus software is a blacklisting approach that is rarely effective and only stops nuisance malware. Cyber criminals can use various packing techniques to get past most antivirus software and go undetected. While valuable at stopping nuisance malware, organizations should look to leverage antivirus solutions that are integrated with next-generation endpoint protection platforms.

+ While application containers can be useful, most of these solutions cannot protect your organization's endpoints from zero-day attacks, attacks targeting unpatched vulnerabilities, non-Windows machines, or actors in lateral movement. Many also do not provide real-time visibility into endpoint activity.

+ Trust-based approaches that stop the installation of malware based on a default-deny approach are the best way to prevent, detect, and respond to advanced threats, malware, and zero-day attacks because they provide real-time visibility.

+ Some organizations cannot implement default-deny, especially in cases where IT doesn't have full control over the software on a given endpoint and must allow end users to install software on demand. In those cases, multistage detect-and-deny and detonate-and-deny are the best strategies to bridge this gap.

Lastly, it is important that you integrate your entire security stack so that your network devices and endpoint security solutions pass information back and forth. Intelligence is useful but can have a short life. The sooner you know that a security breach has happened, the sooner you can stop it.

ABOUT BIT9 + CARBON BLACK

Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable.

More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

© 2015 Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.

266 Second Avenue, Waltham, MA 02451 USA   P 617.393.7400   F 617.393.7499   www.bit9.com

20150318