A New Approach for Blocking Zero-Day Threats
May 18, 2013 5:00 AM PT
Cybercriminals use zero-day and unpatched application vulnerabilities to install data-stealing malware on corporate endpoints because these are -- and will continue to be -- an issue with virtually all software applications.
Zero-day exploits that take advantage of unknown vulnerabilities are the hardest to defend. Even so, more than 60 percent of exploit kits target two-year-old vulnerabilities that actually have patches available. Any unpatched vulnerability, known or unknown, puts the user at risk.
First-generation endpoint malware protection relies on blacklisting known malware samples, sometimes including malware behavior analytics. Blacklisting is effective against known, relatively static malware, such as so-called "nuisanceware" malware that serves up unwanted pop-ups or redirects search queries to unscrupulous sites. Blacklisting approaches (antivirus and anti-malware) are easily evaded by malware that is designed to circumvent blacklisting rules.
Second-generation endpoint malware protection solutions use application control to significantly improve the security posture by preventing malicious files from executing on the endpoint. Some newer device protection applications use a technique called "sandboxing" to execute suspect files in a virtual environment to see if the file exhibits malware-like behavior.
The goal of sandboxing is to create an isolated environment on the machine where a suspicious file can be safely tested before it is allowed to execute. Although theoretically reasonable, sandboxing is fraught with problems. Because it is a software platform, it has exploitable vulnerabilities. A recent example is the Java zero-day exploit that broke out of the JVM "sandbox" access controls.
Also, a sandbox typically needs some route for users to export content out of the sandbox to the underlying device, which malware can exploit.
Defending the Endpoint
Network protection approaches attempt to identify malicious or suspect files as they are downloaded from the Internet to endpoint devices connected to a corporate network. Like antivirus applications, files that match known malware signatures are prevented from being downloaded to an endpoint device. As discussed, criminals regularly bypass this technique using polymorphism.
Many network protection approaches identify malware by utilizing virtual machine environments to run suspicious files in an isolated environment (similar to sandboxing, but off the endpoint device). However, some malware strains can detect virtual environment execution and then evade detection. For example, malware can check for certain registry entries, process names, or mouse and video drivers (usually not present on virtual machines). Malware can then evade virtual machine detection by not running or presenting itself as something different.
Another evasion tactic is simply to sleep for a period of time to avoid running while it is being monitored. Sleeping helps malware avoid virtual machine detection, but it only delays the inevitable on a legitimate end-user device. Also, network protection only functions when the endpoint device is connected to the corporate network. Employees often use corporate devices to connect to the Internet when they are at home or traveling. Devices that become infected while off the corporate network are a blind spot because network protection applications do not scan devices for malware.
The primary challenge with application control methods is that organizations need to predetermine which application files and activities can be trusted. This approach requires substantial resources and effort to configure and maintain as literally billions of files need to be considered.
Due to the dynamic nature of application and user environments, administrators have to continuously adjust security policies. They must approve exceptions and additions, or loosen defense policies, which may in turn open the door for malware attacks.
Application control, and HIPS in particular, often require the end user to respond to alerts when suspected fraudulent files are identified, creating both an unwanted annoyance and a security burden. End users are notoriously ill-equipped to make such critical IT decisions and routinely dismiss malware alerts. There have been relatively few meaningful application control prevention deployments to date due to these manageability shortcomings.
A New Endpoint Protection Solution
Stateful application control is a new approach that protects endpoint devices from advanced data-stealing malware by stopping the exploitation of system vulnerabilities.
It essentially validates the state of the application when it executes a sensitive operation -- for example, downloading a file. By analyzing application memory states during normal operations, this approach maps the legitimate application states of the targeted applications (i.e., browsers, Adobe, Flash, Java) when these applications write to the file system.
For example, a legitimate application state occurs when a user saves a spreadsheet to disk or when the application updates its code. The creation of executable files that occur outside of a legitimate application state, as happens when exploits attempt to install malware, are prevented.
Stateful application control actually stops the exploitation process regardless of the vulnerability being exploited. It is effective against both known or unknown vulnerabilities, is agnostic to the type of malicious file attempting to be installed, or the malicious file's source or its destination. The moment an unknown application state is created, the exploitation process is stopped and the downloaded file is quarantined. This approach essentially stops any type of exploit and is not susceptible to evasion.
Stateful application control allows for more stable, effective, and manageable endpoint security than traditional application control approaches. This is because there are far fewer and more static application states to analyze and maintain compared to the multitude of application files that other application control approaches must inspect and manage.
It requires no end user intervention and minimal IT staff involvement. This is accomplished through a sizeable network of endpoints that enable new, legitimate application states to be detected, whitelisted, and immediately pushed out to all protected endpoints via the cloud.