As we previewed in the Introduction to our Endpoint Advanced Protection Buyer’s Guide, the first step to selecting an endpoint security product is figuring out what problem you are trying to solve. Then figure out which capabilities are most important to solve those problems. Only then can you start trying to find a vendor who meets those requirements. This is what we call establishing *selection criteria.
In the Introduction we also explained how organizations need both prevention and detection/response to fully protect endpoints. But these two capabilities do not need to be bought or deployed together – the technologies can come from different vendors if their agents play nicely together, and not every endpoint needs extensive forensics capabilities. So these two main functions need to be treated differently.
Though, to put a nice big caveat on that statement, there is value in leveraging prevention and detection/response from the same vendor. There is also value in having network security controls that work tightly with the endpoint security in place. Is that enough to drive you to a single vendor for everything? As usual it depends, and we’ll work through the decision points.
Over the next 5 days, we will explain the main Prevention capabilities you need to understand to select and evaluate these solutions. We’ll start by explaining the latest categories of attacks because many demand new and innovative defenses. Then we’ll dig into the capabilities that can prevent these attacks.
Finally we will dig into and explain how the foundational technologies underlying these new endpoint security platforms work. There are nuances to how each vendor implements these technologies, and they’ll be sure to tell you how and why their approach is better. But without a clear understanding of what they are talking about, you cannot really discern the differences between vendors.
Attacks
There are many types of attacks, which all have one thing in common: compromise of the endpoint device. To avoid exploding your cranium by trying to cram in infinite possibilities, we will categorize and describe the major attack techniques, which provide the basis for figuring out your best protection strategy. But before we get there, we will intentionally conflate the delivery of malware with device compromise. We do this because companies in this space describe their capabilities in terms of attacks – not necessarily by the means of defense.
To illuminate a bit, consider that some malware may be delivered by a phishing message and then use a known vulnerability to compromise the device. Is that different than the same attack was delivered via a drive-by download in your browser? Of course not – stopping the attack on the vulnerability is all that matters, not the delivery method. But, alas, security industry marketing machinery prefers to describe these as two totally different attacks.
File-based Attacks
In the first attack bucket, an unsuspecting user executes a compromised file which executes malicious code to compromise the device. This is basically traditional malware, and protecting against these attacks is the basis of the endpoint protection business we know today.
In these first two categories, files are allowed onto the machine by the device ‘owner’. This can happen via email or a legitimate web browsing session, or when a user allows a download onto their device (possibly through social engineering). In any case, the file shows up on the device and must be evaluated.
- Known files (classic AV): Someone has seen this file before, and we know it’s malicious. The file’s hash is in a database somewhere, and the endpoint security tool checks to see if each file is recognized as bad before it allows execution. The challenge with using a blacklist of malicious files is scale. There are billions of files known to be bad, and keeping a comprehensive list on each endpoint is not feasible. It’s also not efficient to check every file against the entire blacklist prior to execution.
- Unknown files Otherwise known as zero-day malware, these files have not yet been seen and hashed as malware, so any defenses based on matching file hashes will be unable to recognize the files or detect the attacks. The challenge in detecting this type of attack is that it’s very easy to change the complexion of a malware file (using a file packer or other technique to change its hash), which means the file won’t show up on blacklists. Additionally, adversaries have sophisticated labs to test their malware against common endpoint prevention offerings, further challenging today’s solutions.
The next attacks are a bit more obfuscated and require different tactics for prevention and detection:
- Document/macro attacks: In this kind of attack malicious code is hidden within a known file type like PDF or Microsoft Office, typically as a macro. The content is the attack vector and requires interpretation by the user’s application, but the attack is not an executable binary program. When opening or performing some kind of activity with the file, its code will execute to compromise the device. These attacks also get around traditional signature-based defenses because the file is a legitimate document – it’s the (invisible) contents which are malicious.
- Legitimate software: Yet another way to deliver malicious code to a device is to hide it within legitimate software. This typically happens with common applications (like Adobe Reader), system files, and multimedia files. Unsuspecting users can click a link within a legitimate search engine and download what they think is a legitimate app, but it might not be. With this type of attack everything looks kosher. It’s a familiar app and looks like something the user wants.
To protect against these attacks we need to focus more on what the file does instead of what it looks like.
File-less Attacks
Over the past decade savvy attackers realized the entire endpoint protection business was based on attacks leveraging files on the compromised device to store malicious code. But if they could deliver malware without storing it in files, their attacks would be much harder to detect. And they were right. This new type of attack totally evades traditional endpoint protection, requiring different techniques to detect and prevent.
- Script attacks: These attacks deliver malicious code and then use a legitimate application – typically via browser or common app such as Microsoft Office, Adobe Reader, or Flash – which then invokes a malicious script to execute the code using a legitimate system capability like PowerShell. This approach is more effective because system tools like PowerShell have substantial device privileges, so an attacker can do pretty much anything to the device without needing additional rights (requesting which might trigger other defenses). There is overlap between this attack vector and the document attacks described above – in both cases the attack is content evaluated by a trusted executable.
- Memory-resident attacks: In this technique an attack injects malicious code directly into the memory space of a legitimate process, without touching the file system. Monitoring file system activity is completely ineffective against these attacks. Existing purely in memory means this kind of attack only persists until a reboot, when device memory is cleared.
- Registry abuse: To address the persistence issue, malware writers increasingly store malicious code within the Windows registry on compromised devices. Such code survives a reboot and can be accessed from the registry when triggered by another attack’s execution.
Ransomware
We would be remiss to not mention ransomware as the newest and highest profile type of attack, even though it’s not really a separate thing – it uses many of the tactics already described. The challenge is not in how the attack is delivered or how it compromises devices – ransomware writers have all the file and file-less techniques above available to deliver their payloads. What distinguishes ransomware is that once the device is compromised, the malware encrypts the file system and effectively holds the organization for ransom. They won’t decrypt the files until they get paid.
Ransomware can encompass all kinds of malware techniques. We’ll get into specifics of how to protect against malware (including ransomware) later in this Buyer’s Guide.
With a basic understanding of the attacks, we can turn our attention to the approaches needed to actually prevent compromise of endpoints.
Reader interactions
One Reply to “Endpoint Advanced Protection Buyer’s Guide: The Attacks”
There is plenty of room for totally-new vendors to jump into the Endpoint Security space. Really anything can happen. This, to me, is weird. What have we been paying for? What are we buying when we buy into Endpoint Security? If the vendor you relied on for 2 years or even a decade or two can have its entire approach to Endpoint Security including its messy stack replaced by a newcomer, then what’s the deal with R&D for Endpoint Security vendors?
The answer is scarier than you think. Not a single commercial AV or NG-AV solution, nor does any EDR solution—nor any Endpoint Security stack cover bootkits or firmware rootkits. None of them protect a computer’s MBR/VBR or GPT—let alone on non-standard platforms including Apple. They don’t even see into the higher memory addresses such as the Interrupt Vector Table (IVT).
Then there’s the problem of digital certificates on Windows. Why do 99 percent of anti-malware solutions miss malicious logic that is signed? Stuxnet wasn’t even the first to use signed code. This has been a problem for too-too long.
Lastly, we are working against ourselves by naming threat agents. Families of malware must not be based on names that vendors use for marketing, even if it is technical marketing. The names must be based on a cataloging and/or clustering mechanism. I remember discussing this at RSAC in 1997. It’s been 20 years. Want to solve the cybersecurity problem or at least change the game? Tell your marketing team (and scream at your vendors) to buzz off when it comes to taking the kid gloves off.