Tech ThrowDown: Invincea FreeSpace vs EMET 5.0

Post on 12-Jul-2015

Transcript of Tech ThrowDown: Invincea FreeSpace vs EMET 5.0

DETECTION | PREVENTION | INTELLIGENCE

OCTOBER 31, 2014

DARRIN MOURER, CISSP

SOLUTION ARCHITECT

INVINCEA

Today’s Topics

• A review of the top attack vectors advanced threat actors are using to break into networks today

• What is the primary goal of EMET? What attack surfaces are covered?

• What security techniques are employed in pursuit of this goal?

• How does EMET compare?

• An example exploit of a system protected by EMET

• Are there better tools or methods available to address these attacks? YES!

• An overview and demo of application isolation techniques and benefits

Malware Evolution (1980s – 1990s)

[Chart: threat curve. Horizontal axis: targeting, from mass targeting to pinpoint targeting; vertical axis: sophistication, from low to high. Actors plotted: Script Kiddies, Lone Wolves, “Hacktivists”. Defense shown: Anti-Virus defenses.]

Malware Evolution (2000s)

[Chart: threat curve. Horizontal axis: targeting, from mass targeting to pinpoint targeting; vertical axis: sophistication, from low to high. Actors plotted: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defenses shown: Anti-Virus defenses, Network Sandboxing.]

Malware Evolution (circa 2010)

[Chart: threat curve circa 2010. Horizontal axis: targeting, from mass targeting to pinpoint targeting; vertical axis: sophistication, from low to high. Actors plotted: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defenses shown: Anti-Virus defenses, Network Sandboxing.]

Anti-Virus Evasion

Test the exploit against all anti-virus vendors to guarantee no detection before attacking.

Network Sandbox Evasion

• Encryption foils static analysis

• VM detection foils dynamic analysis

Operation DeathClick Vectors

Evade Network Sandbox & AV

• Invincea discovered a concerted campaign against US Defense companies

• Represents a blending of traditional cyber-crime techniques (malvertising) with APT targeting and objectives

• Leverages advertising networks on ad-supported web sites to compromise specific company networks

• The threat evades almost all network-based and traditional endpoint controls. There is no patch.

Most Vulnerable Products 2013

[Chart; the product data is not reproduced in the transcript. Source: National Vulnerability Database and GFI]

Recap: Malware Evolution (circa 2010)

[Chart: threat curve circa 2010. Horizontal axis: targeting, from mass targeting to pinpoint targeting; vertical axis: sophistication, from low to high. Actors plotted: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defenses shown: Anti-Virus defenses, Network Sandboxing.]

2014+ changing Threat Curve

[Chart: threat curve (today). Horizontal axis: targeting, from mass targeting to pinpoint targeting; vertical axis: sophistication, from low to high. Actors plotted: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defenses shown: Anti-Virus defenses, Network Sandboxing.]

Takeaway: Less advanced adversaries now have access to very sophisticated malware.

New Defenses are Needed

[Chart: threat curve (today). Horizontal axis: targeting, from mass targeting to pinpoint targeting; vertical axis: sophistication, from low to high. Actors plotted: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defenses shown: Anti-Virus defenses, Network Sandboxing, Advanced Threat Endpoint Protection.]

Optimal Advanced Threat Protection characteristics

• Zero reliance on signatures, heuristics & users for protection

• Detection of advanced threats, unknown malware, 0-day exploits

• Addresses attack surfaces exploited by adversaries in practice

• Small footprint, Manageable, Deployable, and Scalable

• Detailed forensics for threat intelligence sharing

Microsoft Enhanced Mitigation Experience Toolkit (EMET): Technical Discussion and Demo

EMET Background

• Originally released as a free utility in 2009 by Microsoft’s cross-product security oversight team

• Designed to harden Microsoft applications such as Internet Explorer and Office against exploitation. It has more recently been applied to third-party programs such as Java and Acrobat

• The software works by detecting and invalidating certain common memory exploit paths used in buffer overflows and similar attacks

EMET Primary Mitigations

• Structured Exception Handler Overwrite Protection

(SEHOP)

• Data Execution Prevention (DEP)

• Address Space Layout Randomization (ASLR)

• Export Address Table Access Filtering (EAF)

• Return Oriented Programming (ROP) mitigations

• Attack Surface Reduction (ASR)
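EMET's DEP and ASLR mitigations matter most for images that did not opt into them when they were linked, because EMET can force those protections onto such processes. As an added example (not from this deck, and not EMET's own code), the Python below reads the DllCharacteristics field of a PE header and reports the opt-in flags a binary carries, which is how a defender can audit which images would depend on EMET for those mitigations. The minimal PE image it builds for testing is constructed here and is not a real executable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image can be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100        # image declares itself DEP-compatible
NO_SEH = 0x0400           # image contains no structured exception handlers
HIGH_ENTROPY_VA = 0x0020  # 64-bit image accepts high-entropy ASLR addresses


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse DllCharacteristics from a PE image and report its opt-in mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "no_seh": bool(dllchars & NO_SEH),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
    }


def build_fake_pe(dllchars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not a runnable binary) for offline tests."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + bytes(20)  # signature plus an all-zero COFF file header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # audit real images: python pe_flags.py app.exe lib.dll
        with open(path, "rb") as fh:
            print(path, pe_mitigation_flags(fh.read()))
```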

Demo: MS EMET 5.0 vs Current Exploits

Invincea FreeSpace: Technical Discussion and Demo

Existing Architecture

• Office Applications: Excel, Word, PowerPoint

• Browsers: IE, Firefox, Chrome

• Operating System …

• Hardware

• Host Security Controls: AV, DLP, SSO

FreeSpace

Invincea Secure Virtual Container

- Single container with all untrusted content

- Isolates all user areas of the host filesystem.

- Low overhead = ~50MB (static)

Invincea Enterprise Client

- Direct access to host resources

- Monitors client health

Invincea Management Server (IMS)

- Maintains all Enterprise clients

- Pushes policy changes and product updates

Secure Virtual Container

Protection: Attacks against the browser, plugins, or document readers are air-locked from the host operating system. Detection, kill and forensic capture occur inside the secure virtual container.

Detection: Containerized application behavior is meticulously whitelisted. Any deviation from known behavior is immediately flagged as suspicious. This means no signatures are required and 0-day threat detection is realized.
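One way to implement the behavior whitelisting the slide describes, as an added example that is not Invincea's code: a per-application profile of the child processes, file-write locations and registry keys a contained browser is expected to touch, and a classifier that flags any event outside that profile. The profile, the event format and the sample event stream are all constructed here, and the process names and paths in them are hypothetical.

```python
from dataclasses import dataclass

# Constructed whitelist profile for one contained application.
# A real profile would be far larger; every name and path here is hypothetical.
POLICY = {
    "iexplore.exe": {
        "child_processes": {"flashutil.exe", "jp2launcher.exe"},
        "write_prefixes": (
            "C:\\Users\\user\\AppData\\Local\\Temp\\",
            "C:\\Users\\user\\Downloads\\",
        ),
        "registry_prefixes": ("HKCU\\Software\\Microsoft\\Internet Explorer\\",),
    }
}


@dataclass(frozen=True)
class Event:
    process: str  # contained application that generated the event
    kind: str     # "spawn", "file_write" or "registry_write"
    target: str   # child process name, file path or registry key


def classify(event: Event) -> str:
    """Return 'allowed' for whitelisted behaviour, otherwise the reason it deviates."""
    profile = POLICY.get(event.process.lower())
    if profile is None:
        return "unknown application"
    target = event.target
    if event.kind == "spawn":
        return "allowed" if target.lower() in profile["child_processes"] else "unexpected child process"
    if event.kind == "file_write":
        return "allowed" if target.startswith(profile["write_prefixes"]) else "write outside whitelist"
    if event.kind == "registry_write":
        return "allowed" if target.startswith(profile["registry_prefixes"]) else "registry write outside whitelist"
    return "unknown event kind"


def suspicious_events(events):
    """Return (event, reason) pairs for every event that deviates from the whitelist."""
    return [(e, r) for e in events if (r := classify(e)) != "allowed"]


# Constructed sample stream: two normal events, then behaviour no browser profile allows.
SAMPLE = [
    Event("iexplore.exe", "file_write", "C:\\Users\\user\\AppData\\Local\\Temp\\page.tmp"),
    Event("iexplore.exe", "spawn", "flashutil.exe"),
    Event("iexplore.exe", "spawn", "cmd.exe"),
    Event("iexplore.exe", "file_write", "C:\\Users\\user\\AppData\\Roaming\\svc.exe"),
    Event("iexplore.exe", "registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
]
```

Running `suspicious_events(SAMPLE)` flags the last three events with their reasons, which is the signature-free deviation alert the slide describes.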

Demo: Invincea FreeSpace vs Current Exploits

Advanced Threat Protection – Recap and Summary

• MS EMET provides protection from certain classes of memory exploits

• MS EMET does not provide sufficient protection from common classes of exploits observed in the wild

• Invincea FreeSpace defeats exploits against targeted attacks, 0-days, and unknown malware, including classes EMET does not

– Zero reliance on signatures & users for protection

– Detection of advanced threats, unknown malware, 0-day exploits

– Addresses attack surfaces exploited by adversaries in practice

– Small footprint, Manageable, Deployable, and Scalable

– Detailed forensics for threat intelligence sharing

Questions?