The HPE Cyber Risk 2016 Report has been published. The first part of the report provides a good view into regulation, how the security market works and the risks of over reaching legislation. The second part covered here looks at the types of attacks and why we need to improve patching and mitigation of attacks.
Patching should include better mitigation of attacks
According to the HPE Cyber Risk report, 2015 saw a record number of security advisories issued. This comes as no surprise, as reports from other security vendors show a rise in almost all classes of attacks. Driving this increased security challenge has been the ability of cyber criminals to develop their own cloud infrastructure, where exploits, vulnerabilities and other attacks are not only traded but are even offered on an as-a-Service basis.
In the past the emphasis has been on issuing patches to deal with vulnerabilities. The problem with this is the large number of patches that get issued, their focus on a point solution and the time it takes to apply them. The latter is particularly relevant because one of the most effective attacks in 2015 was a five-year-old exploit, CVE-2010-2568.
This attack takes advantage of the shortcut icon on the desktop to give an attacker the same access rights as the user. If the user is an administrator, or even a member of the Domain Administrators group, then the attacker has access to the entire domain. Microsoft released a patch for this in August 2010 and again in 2015. Despite this, HPE reports that 29% of vulnerabilities exploited in 2015 were due to this single CVE.
The solution is to move away from point patches to wider mitigations. This is something Microsoft began to do a few years ago and has carried forward into its latest browser technology. The effectiveness of mitigating whole classes of attacks with a single change has now been taken up by other browser vendors, the most effective being the isolation of memory used by the browser. This has not only made it harder for the attacker to gain control of the local machine but has disrupted their attacks, forcing them to develop new techniques.
Flash the most targeted application
It’s been a bad year for Adobe. Despite the number of patches to fix security problems inside its Flash Player and Acrobat Reader, the attacks keep coming. This has led to an increasing number of companies looking to deprecate the use of Flash inside their products. Google, for example, has made it clear that it will refuse new ads based on Flash this year and is urging developers to move to HTML5 if they want to deliver multimedia adverts.
Windows still the most vulnerable platform
When it comes to platforms, Windows still dominates the attack figures, but it is also the most widely used platform, with a lot of users still running older and insecure versions. This will continue to be a problem for some time despite the efforts of Microsoft to move users to Windows 10 to improve security.
Android is unsurprisingly the most attacked mobile platform and, like Windows, this is as much about its popularity as it is about weaknesses in its security model. There has been a lot of work to improve security around Android apps, with Google spending a lot of time going through the Google Play store to remove suspicious applications.
Java is also a major concern and recent developments here mean that it will continue to stay in the top three. The appeal of Java to developers has been the ability to write once and deploy on multiple operating systems and devices. According to Kaspersky, the war between Russian and Brazilian cybercriminals has taken a new turn, with Brazilian cybercriminals now distributing malware in Java JAR (Java Archive) files.
The worry about this new attack is that Java JAR files will execute on Windows, Mac and Linux. All it requires is for the user to click on the file, which contains all the malware components it needs. There is no download from the Internet, which means that the common way of detecting malware is avoided. At present the samples that Kaspersky has spotted in the wild contain droppers, pieces of code that download further malware. It won’t be long before the complete malware package is embedded in the Java JAR files.
Malware growth slowing?
This is debatable. HPE reports that the massive ramp-up in malware samples from 2013 to 2014 was not repeated in 2015 and that it believes malware growth is stagnating. Dell, Panda Labs, Kaspersky, Trend Micro and IBM would take issue with HPE based on the number of samples that they are seeing.
One of the dangerous developments in malware is new types such as Spartan, which are incredibly clever as they create themselves only in memory, making them very hard to detect. Windows malware is dominated by self-replicating malware, but HPE says that this is not about new families but the development of older malware. It highlights Allaple, a polymorphic worm discovered eight years ago, as being the most active on Windows in 2015.
Apple has found itself a target for malware writers after years of denying it could happen. What is interesting is that HPE reports the most common malware targeting OSX is not stealing logon credentials to banks or networks but is instead targeting Bitcoin wallets. As an extension to this, some of the malware is also co-opting Macs into Bitcoin mining by installing software that takes advantage of the computer's resources, allowing the cybercriminals to mine new Bitcoins.
Linux has not seen any significant change in 2015 from the previous year. The most prevalent malware seeks to use Linux machines to launch DDoS attacks. Attacks are not always aimed at end-user computers: HPE reports that the increase in Linux usage by routers, home NAS servers and small office servers, where patching is irregular, is making it easy for cybercriminals to infect them.
On the mobile front Android continues to attract the bulk of the malware, with HPE claiming to see over 10,000 new threats every day. That is a significant shift from last year and perhaps shows the continuing dominance of Android in phones and tablets. The risk for the enterprise is that many of these devices are brought into its environment via Bring Your Own Device (BYOD), and that means IT security teams need to develop better ways to protect enterprise assets.
There are two main classes of malware becoming dominant on Android: ransomware and banking (phishing) malware. These are often distributed via fake Adobe Flash players or through fake banking applications. In both cases the user installs the application thinking it is the real thing and then loses control of their device (ransomware) or their banking accounts. Interestingly, HPE reports that Korean, Indian and Vietnamese banks are being heavily targeted by some of this malware.
HPE also reports that it has only recently begun to see iOS malware, although other vendors are reporting it has been around for over a year. The fact that malware got into the Apple Store has been a major surprise this year and came as a result of XcodeGhost, an infected application development environment. The bigger risk for iOS users is jailbroken devices, which are being targeted especially in China and Taiwan.
The outlook for 2016
HPE sees this as more of the same as IT continues to get more complex, especially with the mix of cloud and on-premises allied with increasing use of mobile. That’s disappointing, but the big unknown is what will happen with various laws going through different parliaments around the world. The UK IP Bill is already being cited as a major threat by UK software houses and there is similar legislation planned for the US and other countries.
HPE does make it clear that there is more for the industry to do rather than push the burden downstream. What will be interesting is whether vendors can become as agile as cybercriminals. For this to happen many will have to lose their walled garden approach to information sharing and, while this is beginning to happen in the threat intelligence space, there is much more to be done.
Malware continues to be a big threat, but the move by vendors away from simple point patching to exploit mitigation is beginning to have an effect. While this is buying time for software vendors to review their products and improve security, the amount of software that proves to be insecure just after it is released shows that security first is still a long way away.
What is interesting is that the approach of mobile software developers to short development times and regular non-intrusive patching is being well received by users. More people are likely to patch their phone and mobile device than they are their computer. If we are to improve desktop security, vendors need to establish the same level of trust with desktop users as they have with mobile users. This will take time and the biggest challenge will be IT operations and security teams who currently have rigid processes for testing patches.
The future is not quite as bleak as HPE paints it. While the battle is far from lost, it is becoming more even between the good guys and the bad guys. However, without changes in culture that go far beyond technological solutions, this is a war where ground can quickly be lost.