Which of the following is the most dangerous type of threat when using virtualization?

Vulnerability Window

Zero-day attacks occur during the vulnerability window that exists in the time between when vulnerability is first exploited and when software developers start to develop and publish a counter to that threat. For viruses, Trojans, and other zero-day attacks, the vulnerability window typically follows this time line:

The developer creates software containing an unknown vulnerability.

The attacker finds the vulnerability before the developer does.

The attacker writes and distributes an exploit while the vulnerability is not known to the developer.

The developer becomes aware of the vulnerability and starts developing a fix.

Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. They also may not know if the vulnerability is being exploited when they fix it, and so they may not record the vulnerability as a zero-day attack. However, it can be easily shown that this window can be several years long. For example, in 2008, Microsoft confirmed vulnerability in Internet Explorer, which affected some versions that were released in 2001. The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to seven years.

2.1 Zero-day trends

In the first half of 2014, the growth in zero-day exploitation continued unabated from 2013. Unsurprisingly, all of the zero-day attacks targeted end-user applications such as browsers and applications such as Microsoft® Office. Typically these attacks were launched using classic spear-phishing tactics. Although Microsoft Internet Explorer was the most patched product on the market, it was also the most exploited, surpassing Oracle Java and Adobe Flash. Bromium Labs believes that Microsoft Internet Explorer will likely continue to be the target of choice going forward.

In comparison, Java had no reported zero-day exploitation in the first half of 2014.

Released in late 2013, Microsoft Internet Explorer 11 has seen a quick succession of security patches, compared to its predecessors. Bromium Labs analyzed the timelines for each Internet Explorer patch release and documented when the first critical patch became Generally Available (GA).

Internet Explorer release to patch timeline.

5.2 Network forensics analysis (NFA)

Network forensics aim at finding out causes and impacts of cyber attacks by capturing, recording, and analyzing of network traffic and audit files [75]. NFA helps to characterize zero-day attacks and has the ability to monitor user activities, business transactions, and system performance. As a result, attack attribution, what attack methods and tactics were used and attack duration, can be analyzed and derived using NFA.

Recent articles claim that self-protecting systems are able to mitigate attack impacts by “static” IRS. Protection mechanisms selected by this type of IRS remain the same during the entire attack period [76]. None of these self-protecting systems, however, contain NAF. Notwithstanding, a static IRS is limited in its ability to fully and efficiently eliminate these attacks. To establish a fully autonomic computing system, as described in Section 2.2, the NFA must be activated once unknown attacks have been identified by the IDS. Some recent research performs the NFA as a postprocess analysis, but live NFA is required to support the 24/7 system availability. In this way using live NFA, the investigation of unknown attack signatures will not disrupt normal client requests. Additionally, live NFA is executed immediately after unknown attacks are detected, which reduce latency and quickly closes the window of vulnerability.

Gunter [77] discussed research on balancing access controls with audit in medical record systems, and using audit logs to understand roles and workflows to develop reliable anomaly detection and safe access controls. Philli [75] illustrated a generic process model for network forensics in real-time and postattack scenarios. The first phase is preparation, which makes sure security solutions such as monitors, firewalls, and IDSs have already been deployed. The second phase is detection, which identifies cyber attacks and captures network traffic, followed by the third incident response phase. The fourth phase is collection and preservation. Traffic data are collected and preprocessed for storage on backup devices for presentation. Together these phases identify attack indicators, classify attack patterns, determine attack paths, and provide documentation offline.

The challenges of next generation state-of-the-art NFAs are described by Philli [78]. The analytical complexity of real-world large-scale HISs grows exponentially, therefore, making full NFA computationally infeasible. In some NFA scenarios accurate vulnerability states are not available by virtue of the fact that the NFA process is fundamentally postcompromise. Also, analyzing an extremely large amount of auditing data in a very short time span is computationally infeasible. Additionally, in NFA it is often very difficult to distinguish primary attack signatures from trivial signatures. Let us examine today's live NFA tools.

Investigating high-volume auditing data in real time depends primarily on the abundance of computational resources. Normally, the size of one-days worth of auditing files for large-scale systems is larger than 100 GB. Data concentrators are used, for example, by data historians within the context of the distribution systems (i.e., the smart grid). Cloud storage platforms are, used to store and process such data. Chen [79] used the cloud storage and computing platform to analyze offline phishing attacks. Phishing filter functions can effectively scale to detect phishing attacks. Research described in [80, 81] adopts the Hadoop map reduce model to analyze a high volume of log files and extracts attack signatures for intrusion detection and prevention.

Contemporary NFA approaches manually investigate attack patterns after HISs are compromised. Real-time and dynamic forensics systems, which investigate attack causes and impacts automatically, have been deployed to address the scalability issue of such manual processes. The utilization of the cloud-based approaches makes NFA more practical to deploy. Nonetheless, the current question about how to realize a dynamic and automatic NFA system is the subject of much research. For example, Wang et al. [78] developed immune agents, which automatically generate crucial evidence of unknown attacks for rapid active responses. An automatic method was proposed by Wang et al. [82] to make regular expression signatures of the HTTP attacks offline. This approach first extracts application session payloads to identify common substrings and their positional constraints. Using these extracts, attack signatures are transformed into regular expressions.

Li et al. [83] designed a network-based signature generator, namely, LESG. The generator automatically analyzes zero-day buffer overflow vulnerabilities and generates length-based signatures via a three-step algorithm. The generator selects field candidate signatures, optimizes the signature lengths, and derives the optimal signature that produces minimal false alarms. The LESG has lower computational overhead than research by Brumley et al. [84], which generates vulnerability signatures using regular expressions. False alarm rates of an IDS applying the LESG are significantly reduced and the attack detection speed is improved. The LESG is also tolerant to noisy traffic.

The utilization of NFA allows the self-protecting system to investigate and learn the causes and impacts of an unknown attack. In the end, the HISs can be protected from both known and unknown attacks autonomously (i.e., without human intervention).

Advanced Threat Detection

Advanced threat detection (ATD) solutions go by several different names, including advanced threat protection, however the goal is always the same. ATD solutions are designed to detect (and prevent in some cases) zero-day attacks and malware by using a combination of detection techniques. These solutions may be comprised of more than one product to provide the comprehensive security coverage the product vendor is looking to supply. This may include a dedicated sandbox/detonation chamber for executing malicious files and accessing malicious URLs as well as dedicated appliances for taking action based on the data provided from both the product vendor’s research team and the results of analysis from the sandbox/detonation chamber.

ATD solutions use a combination of behavior analysis and signature detection, depending on which component of the ATD solution is being discussed. Sandbox/detonation chambers primarily use behavior analysis and look for changes within the environment being monitored. Dedicated protection devices may still use a level of behavior analysis; however, they will also use signature detection to aide in quicker detection thus leading to real-time protection/mitigation of attacks and malware.

Pros

For a high level of security, an application proxy is the appliance of choice. The detail of control permitted is unmatched by any other device.

Introduction

There is considerable interest in developing novel detection methods based on new metrics that describe network flow to identify connection characteristics, for example, to permit early identification of emerging security incidents, rapid detection of infections within internal networks, and instantaneous prevention of forming attacks. Buffer overflows continue to be one of the most common vulnerabilities prevalent today, especially in undetected and most dangerous "zero-day" attacks. This has motivated researchers to create more or less sophisticated defenses addressing this threat. The first line of defense is based on memory randomization (ASR), which makes the attack harder to accomplish, but unfortunately it is still possible to offset the current process address. The second line of defense is based on automated signature generation techniques that generate filters to block network traffic similar to an attack payload signature. Unfortunately, polymorphic attacks can evade these signatures, and hence subsequent research has focused on behavioral signatures that favor the development of several data mining methods defining sets of network metrics that describe the attack vector by its behavioral features. These methods use either the existing NetFlow standard or network traffic packets. Several earlier research studies left NetFlow to create its own set of network metrics, which provided more information and context in analyzed connections.

Recognizing the importance of the quality of network metrics for successful detection, our approach proposes a new set of metrics with a high detection and low false positive ratio. It is expected that detection algorithms based on these new network behavioral metrics will outperform existing methods and will be applicable to a wider range of intrusion detection and prevention systems.

Our primary goal is to create a network-based system for online defense against zero-day buffer overflow attacks in the production environment. We described the reduction of attack types to buffer overflow in a previous article [1]. The secondary goal of this research is (a) to design the architecture of a detection framework that will enhance the overall network security level with the ability to learn new attack behaviors without human intervention by using expert knowledge from honeypot (or similar) systems; and (b) to find the most suitable set of metrics for describing attack behaviors in network traffic and significantly increasing the detection rate and lowering the false positive rate.

In our previous article [1] we proposed a framework architecture that could be used for the detection of various network threats. The paper presented a novel Automated Intrusion Prevention System (AIPS) that uses honeypot systems for the detection of new attacks and automatic generation of behavioral signatures based on network flow metrics. We have successfully experimented with the architecture of the AIPS system and have defined 112 metrics (recently updated to 167), divided into five categories according to type. These metrics are used to describe properties of a detected attack, based not on the fingerprint of a common signature but on its behavior.

In this chapter we define the method used for generating network behavioral signatures from a set of network security metrics, Advanced Security Network Metrics (ASNM), consisting of 167 metrics enhancing the ability of detecting potential attacks from network traffic.

5.3 Cybersecurity Role and Certification of the Operators of Physical Systems

An important aspect of the defense of physical systems from cyber attacks is that immediate system-reconfiguration responses to attack detections (including system shut-downs, which can be very expensive) may be necessary in order to provide the desired level of safety. This aspect calls for doctrine regarding immediate responses. Doctrine must include: (1) the allocation of decision-making and response-control roles to specified personnel, (2) selection criteria for and training of those people, (3) exercising for preparedness, and (4) addressing the possibilities of unanticipated confusion regarding operator judgments related to the possibility of missed or incorrect attack detections (including zero-day attacks).

Part of the author’s research on physical system defense included human involvement in cyber attack scenarios. In the UAV case, a desktop simulation environment was used to gain an initial understanding of operator responses to a monitoring system that detects cyber attacks and provides suggested responses to the UAV pilots. In the State Police case, a controlled exercise was conducted involving unsuspecting policemen being dispatched and their cars being attacked and failing to operate properly. The results of these activities highlighted the point that the doctrinal processes to be developed must recognize the fact that cyber attacks on physical systems are an area where people do not and will not have practical experience to rely upon. Furthermore, since attacks are very unlikely to occur, responses may stray from what operators are trained for. The research efforts showed that operators, based on their past experiences, can usually imagine other causes for observed consequences of a cyber attack and, as a result, may not be as responsive to automated decision support as expected.

Consider the case in which a Sentinel detects a cyber attack that consists of an improper digital control message preventing a car from operating properly. From the operator’s perspective there can be many different causes for the car not operating properly (e.g., a failed battery), and these are typically causes they have previously experienced. Consequently, under the immediate pressure of needing to take decisive action, the operator may be more likely to assume these causes of failure, rather than a never-experienced cyber attack. Research results showed that even when an operator accepts a Sentinel’s input as being correct, uncertainty remains regarding the possibility for additional elements of the cyber attack having yet to emerge. This element of uncertainty is escalated when there are high consequences associated with an operator’s decisions, and the operator’s accountability for those decisions can impact behavior, including asking for access to cyber-security experts before making a critical decision. Of course, such calls for help can potentially delay decision making to an undesirable degree. As a result of these scenarios actually emerging during our research experiments, a significant effort has been initiated to better understand human behavior in uncertain circumstances that are likely to exist in scenarios regarding cyber attacks on physical systems. From a policy vantage point, research efforts are needed to address questions regarding selection, certification, and readiness training requirements for operators of physical systems for which cyber attacks could have serious consequences.

8.1.2 Myths About Malware Infections and Protection

There are a number of misconceptions and myths in the industry about malware infections and protection technologies that impact the security countermeasures in fighting malware infections. A number of issues are detailed as follows:

Anti-virus (AV) engines provide robust protection. AV engines are software programs that are installed in the operating systems to prevent the execution of malware and protect legitimate installed applications against any infections. AV engines use techniques such as signature drafting, heuristics, and emulation. Some believe that AV engines protect the end-user system from all types of attacks and malware. For example, some users feel that if an AV solution is installed, they can surf anywhere on the Internet without getting infected. Unfortunately, such users get infected based on this false sense of security. AV engines fall short of providing robust security against zero-day attacks in which attackers use exploits for undisclosed vulnerabilities. Sophisticated malware such as rootkits having administrative access can easily tamper the functioning of AV engines thereby making them inefficient. In addition, AV engines are not considered as a strong security solution to defend against malware classes using polymorphic or metamorphic code which mutates itself on every execution.

Deployment of an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) protects malicious code from entering my network. The majority of IPS and IDS are signature based, so detecting infection or malicious traffic requires a signature. But attackers can easily bypass IPS and IDS using techniques like unicode encoding, canonicalization, null byte injection, overlapping TCP segments, fragmentation, slicing, and padding [1,2].

Malware is distributed primarily through shady and rogue web sites such as torrents and warez. While rogue sites do distribute malware, many more-trustworthy sites also deliver malware. For example, in targeted attacks based on waterholing (refer to Chapter 3), legitimate and highly ranked web sites are infected with malicious code that downloads malware onto user machines through drive-by download attacks. It is hard to flag sites as secure to ensure users that they are interacting with legitimate web sites free of malware.

Email filtering mechanisms only allow secure and verified attachments to be delivered with emails. Email filtering is a process of filtering out the emails containing malicious attachments and illegitimate links that instantiate infections in the organization network. As described earlier (refer to Chapter 3), social engineered emails are used extensively in targeted attacks. In the corporate world, employees believe that their personal inboxes receive only secure emails with attachments from verified identities. This is not true because attackers can use several tactics such as social engineering with zero-day attacks to slip malware through enterprise email solutions and successfully deliver the malicious emails. The idea is to embed a zero-day exploit inside an attached file that bypasses through the filter and successfully delivers to the target. This technique has been seen in a number of recent targeted attacks.

Malware infections are specific to certain operating systems. For example, Mac OS is much more secure than Windows and is less prone to exploitation. This is false. Mac OS also gets infected with malware and has been targeted by attackers, the recent Flashback [3] malware being one of many. In addition, malware families such as DNS changer [4,5] are platform independent and infect almost all operating systems.

Mobile devices are completely secure. A number of users believe that mobile platforms are secure. Well, that’s not true. There has been a significant growth in Android-based mobile platforms, and attackers are targeting these devices to steal information. In this way, mobile devices provide a plethora of information that can help to carry out targeted attacks. For example, contact information is stolen from the infected mobile devices.

Virtualization technologies are untouched by malware. Virtualization is based on the concept of building security through isolation. Virtualization is implemented using hypervisors which are virtual machine monitors that run Virtual Machines (VMs). Hypervisors can be bare-metal (installed directly on the hardware) and hosted (installed in the operating system running on underlying hardware). In virtualized environments, guest VMs are not allowed to access the resources and hardware used by other guest VMs. Virtualization also helps in building secure networks as access controls can be restricted to target networks. Infected virtualized systems can be reverted back to previous snapshots (system state) in a small period of time as opposed to physical servers. Patching is far easier in virtualized servers, and migration of virtualized servers is easy among infrastructure which shows how virtualization provides portability. A number of users believe that hypervisors are immune from malware infections. Unfortunately, virtualized hypervisor malware does exist in the real world. Malware such as Blue Pill [6] is a VM-based rootkit that exploits the hypervisor layer, so that it can circumvent the virtualization model. Basically, when blue pill type of malware is installed in the operating system, the malware creates a new hypervisor on the fly and this hypervisor is used to control the infected system which is now treated as a virtualized system. As a result, it is very hard to detect the malware as it resides in the hypervisor and has the capability to tamper the kernel. These are sophisticated attacks that are difficult but not impossible to implement. A large set of users use VMs for critical operations such as banking which they think provide a secure mode of Internet surfing. The potential compromise of VMs (guest OS) in a network is vulnerable to the same set of attacks as the host OS. In addition, compromising VMs could result in gaining access to other hosts in the network. Several current families of malware are VM-centric which means they incorporate techniques that can easily detect whether the malware is running inside the virtualized machine or not. Based on this information, malware can alter the execution flow. Full hardware-based virtualization (host OS kernel is different from guest OS kernel) prevents malware from gaining access to the underlying host, but the malware can still control the complete guest OS. Partial virtualization (sharing same OS kernel as host) in which privilege restrictions are heavily used to manage virtual file systems can be easily circumvented by malware, if the kernel is exploited.

A Baseline Understanding of Security Concepts

What is an attack? It is an attempt to gather information about your organization or an attempt to disrupt the normal working operations of your company (both may be considered malicious and generally criminal). Attacks have all the aspects of regular crime, just oriented toward digital resources, namely your network and its data. A threat uses some inefficiency, bug, hole, or condition in the network for some specific objective. The threat risk to your network is generally in proportion to the value or impact of the data in your network, or the disruption of your services no longer functioning. Let me give a few examples to clarify this point. If your company processed a high volume of credit card transactions (say you were an e-commerce business) then the data stored in your network (credit card numbers, customer data, etc.) is a high target value for theft because the relative reward for the criminals is high. (For example, credit card theft in 2014 was as high as $8.6B [source: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014].) Or, if your business handles very sensitive data, such as patient medical record (which generally have the patient-specific government issued IDs such as social security numbers attached), you are a prime target. In either case, the value of data in your network warrants the investment and risk of stealing it. Say, you are a key logistics shipping company, the value to the attacker may be to disrupt your business, causing wider economic impact (classic pattern for state-sponsored cyber terrorism [example: http://securityaffairs.co/wordpress/18294/security/fireeye-nation-state-driven-cyber-attacks.html]). On the other hand, if you host a personal information blog, it is unlikely that cyber crime will be an issue. To put it bluntly, it is not worth the effort for the attackers. The one variable in all of this is the people who attack network “because they can.” They tend to use open source exploit tools, and tend to be individuals or very small groups, but can be anywhere on the Internet. We have to be aware of the relative value of our data, and plan security appropriately.

There are many ways of attacking a network, let us spend a few moments and cover some of the basics of security and performance. If we divide attacks into their classification, we can see the spread of class of attacks growing over time. What types of attacks may you experience in the production network?