Tech ThrowDown:Invincea FreeSpace vs EMET 5.0


Transcript of Tech ThrowDown:Invincea FreeSpace vs EMET 5.0

Page 1: Tech ThrowDown: Invincea FreeSpace vs EMET 5.0

DETECTION | PREVENTION | INTELLIGENCE

OCTOBER 31, 2014

DARRIN MOURER, CISSP

SOLUTION ARCHITECT

INVINCEA

Page 2: Today’s Topics

• A review of the top attack vectors advanced threat actors are using to break into networks today

• What is the primary goal of EMET? What attack surfaces are covered?

• What security techniques are employed in pursuit of this goal?

• How does EMET compare?

• An example exploit of a system protected by EMET

• Are there better tools or methods available to address these attacks? YES!

• An overview and demo of application isolation techniques and benefits

Page 3: Malware Evolution (1980s – 1990s)

[Chart: threat actors plotted by targeting (mass targeting to pinpoint targeting, horizontal axis) against sophistication (low to high, vertical axis). Actors shown: script kiddies, lone wolves, “hacktivists”. Defense shown: anti-virus.]

Page 4: Malware Evolution (2000s)

[Chart: same targeting (mass to pinpoint) versus sophistication (low to high) axes. Actors shown: script kiddies, lone wolves, “hacktivists”, organized crime, nation states (tier 2), nation states (tier 1). Defenses shown: anti-virus, network sandboxing.]

Page 5: Malware Evolution (circa 2010)

[Chart: same targeting (mass to pinpoint) versus sophistication (low to high) axes. Actors shown: script kiddies, lone wolves, “hacktivists”, organized crime, nation states (tier 2), nation states (tier 1), with a “threat curve circa 2010” drawn through them. Defenses shown: anti-virus, network sandboxing.]

Page 6: Anti-Virus Evasion

Attackers test the exploit against all anti-virus vendors to guarantee no detection before attacking.

Page 7: Network Sandbox Evasion

• Encryption foils static analysis

• VM detection foils dynamic analysis

Page 8: Operation DeathClick Vectors

Evade Network Sandbox & AV

• Invincea discovered a concerted campaign against US Defense companies

• Represents a blending of traditional cyber-crime techniques (malvertising) with APT targeting and objectives

• Leverages advertising networks on ad-supported web sites to compromise specific company networks

• The threat evades almost all network-based and traditional endpoint controls. There is no patch.

Page 9: Most Vulnerable Products, 2013

[Chart of the most vulnerable products in 2013; the figures themselves are not reproduced in the transcript. Source: National Vulnerability Database and GFI]

Page 10: Recap: Malware Evolution (circa 2010)

[Chart repeated from page 5: targeting (mass to pinpoint) versus sophistication (low to high). Actors shown: script kiddies, lone wolves, “hacktivists”, organized crime, nation states (tier 2), nation states (tier 1), with the threat curve circa 2010. Defenses shown: anti-virus, network sandboxing.]

Page 11: 2014+ Changing Threat Curve

[Chart: same targeting (mass to pinpoint) versus sophistication (low to high) axes and the same actors (script kiddies, lone wolves, “hacktivists”, organized crime, nation states tier 2 and tier 1), now with a “threat curve (today)” that has shifted upward. Defenses shown: anti-virus, network sandboxing.]

Takeaway: less advanced adversaries now have access to very sophisticated malware.

Page 12: New Defenses are Needed

[Chart: the same targeting versus sophistication axes, actors and “threat curve (today)” as page 11. Defenses shown: anti-virus, network sandboxing, and a new layer, Advanced Threat Endpoint Protection, placed above the current threat curve.]

Page 13: Optimal Advanced Threat Protection Characteristics

• Zero reliance on signatures, heuristics or users for protection

• Detection of advanced threats, unknown malware and 0-day exploits

• Addresses the attack surfaces exploited by adversaries in practice

• Small footprint; manageable, deployable and scalable

• Detailed forensics for threat intelligence sharing

Page 14: Microsoft Enhanced Mitigation Experience Toolkit (EMET): Technical Discussion and Demo

DETECTION | PREVENTION | INTELLIGENCE

Page 15: EMET Background

• Originally released as a free utility in 2009 by Microsoft’s cross-product security oversight team

• Designed to harden Microsoft applications such as Internet Explorer and Office against exploitation. It has more recently been applied to third-party programs such as Java and Adobe Reader/Acrobat

• Works by detecting and blocking the common memory-corruption techniques an exploit must use after a buffer overflow or similar bug. It does not patch the underlying vulnerability, so an exploit that avoids the monitored paths is not stopped

Page 16: EMET Primary Mitigations

• Structured Exception Handler Overwrite Protection (SEHOP): validates the SEH chain before dispatch so an overwritten handler record is never called

• Data Execution Prevention (DEP): stack and heap are non-executable, forced on even for processes that did not opt in at link time

• Address Space Layout Randomization (ASLR): mandatory randomization of module load addresses, including modules not linked with /DYNAMICBASE

• Export Address Table Access Filtering (EAF): blocks shellcode that reads the export tables of ntdll.dll and kernel32.dll to resolve APIs

• Return Oriented Programming (ROP) mitigations: caller checks, stack pivot detection and execution-flow simulation around sensitive APIs such as VirtualProtect and VirtualAlloc

• Attack Surface Reduction (ASR): prevents specified modules (for example the Java or Flash plugins) from loading into protected applications or security zones
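Two of the mitigations above, mandatory ASLR and forced DEP, matter precisely for binaries that were not linked with /DYNAMICBASE and /NXCOMPAT. The following is an added example for this page, not EMET’s code and not part of the original deck: a small Python parser that reads the DllCharacteristics word from a PE header (the flags the linker sets) and reports which of those two mitigations EMET would have to force at run time. The build_pe helper constructs a minimal header image for the demo; on a real system you would pass it the bytes of an .exe or .dll instead.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR
DYNAMIC_BASE = 0x0040     # image may be relocated: link-time opt-in to ASLR
NX_COMPAT = 0x0100        # image declares itself DEP-compatible
NO_SEH = 0x0400           # image uses no structured exception handlers

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_pe(dll_characteristics, pe32plus=True):
    """Construct a minimal PE header (a constructed sample, not a real binary).

    Layout: DOS header with e_lfanew at 0x3C -> 'PE\\0\\0' -> 20-byte COFF
    header -> optional header whose DllCharacteristics field is at offset 70
    (the same offset for PE32 and PE32+).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96  # optional header without data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                       opt_size,                       # SizeOfOptionalHeader
                       0x0022)                         # Characteristics
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = struct.pack("<H", magic) + b"\x00" * 66      # fields up to CheckSum
    opt += struct.pack("<HH", 2, dll_characteristics)  # Subsystem, DllCharacteristics
    opt += b"\x00" * (opt_size - len(opt))
    return dos + b"PE\x00\x00" + coff + opt


def read_dll_characteristics(image):
    """Parse the DllCharacteristics word out of PE file bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image):
    """Return (link-time opt-ins, mitigations EMET must force at run time)."""
    dc = read_dll_characteristics(image)
    opted_in = {
        "ASLR (DYNAMIC_BASE)": bool(dc & DYNAMIC_BASE),
        "High-entropy ASLR": bool(dc & HIGH_ENTROPY_VA),
        "DEP (NX_COMPAT)": bool(dc & NX_COMPAT),
        "No SEH": bool(dc & NO_SEH),
    }
    emet_must_force = []
    if not opted_in["ASLR (DYNAMIC_BASE)"]:
        emet_must_force.append("MandatoryASLR")
    if not opted_in["DEP (NX_COMPAT)"]:
        emet_must_force.append("DEP")
    return opted_in, emet_must_force


if __name__ == "__main__":
    # Constructed samples: an old plugin built with neither flag, and a modern image.
    legacy = build_pe(0)
    modern = build_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    for name, img in (("legacy", legacy), ("modern", modern)):
        flags, forced = mitigation_report(img)
        enabled = sorted(k for k, v in flags.items() if v)
        print("%-6s opted in: %s  EMET must force: %s" % (name, enabled, forced))
```

A binary whose report lists MandatoryASLR or DEP is one where you are relying entirely on EMET (or on the OS policy) rather than on the compiler, which is a useful inventory to have before deciding where the toolkit is worth its compatibility risk.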

Page 17: Demo: MS EMET 5.0 vs Current Exploits

DETECTION | PREVENTION | INTELLIGENCE

Page 18: Invincea FreeSpace: Technical Discussion and Demo

DETECTION | PREVENTION | INTELLIGENCE

Page 19: Existing Architecture

[Diagram of the endpoint software stack, top to bottom:]

- Office applications: Excel, Word, PowerPoint

- Browsers: IE, Firefox, Chrome

- Operating system

- Hardware

- Host security controls alongside the stack: AV, DLP, SSO

Page 20: FreeSpace

Invincea Secure Virtual Container

- Single container with all untrusted content

- Isolates all user areas of the host filesystem

- Low overhead: ~50MB (static)

Invincea Enterprise Client

- Direct access to host resources

- Monitors client health

Invincea Management Server (IMS)

- Maintains all Enterprise clients

- Pushes policy changes and product updates

Page 21: Secure Virtual Container

Protection: Attacks against the browser, plugins or document readers are air-locked from the host operating system. Detection, kill and forensic capture occur inside the secure virtual container.

Detection: Containerized application behavior is meticulously whitelisted. Any deviation from known behavior is immediately flagged as suspicious. This means no signatures are required, and 0-day threats are detected by what they do rather than by what they look like.
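An added illustration of the behavioral whitelisting described above, written for this page and not Invincea’s detection engine: a small Python checker that reads process-event lines and flags anything a containerized browser or Word process does that is not on its known-good list, such as spawning cmd.exe or dropping an executable into the user’s profile. The event format, the whitelist patterns and the sample events are all assumptions constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Constructed event format (an assumption for this example, not Invincea's telemetry):
#   <timestamp> proc=<image> action=<spawn|write|connect> target="<path, image or host:port>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+action=(?P<action>spawn|write|connect)'
    r'\s+target="(?P<target>[^"]*)"$'
)

# Per-application whitelist of known-good behaviour as case-insensitive glob patterns.
# Anything not listed here is a deviation and is flagged. (Assumed policy, kept short.)
WHITELIST = {
    "iexplore.exe": {
        "spawn": [r"c:\program files*\internet explorer\iexplore.exe"],
        "write": [r"c:\users\*\appdata\local\microsoft\windows\temporary internet files\*",
                  r"c:\users\*\appdata\local\temp\*.tmp"],
        "connect": ["*:80", "*:443"],
    },
    "winword.exe": {
        "spawn": [],
        "write": [r"c:\users\*\documents\*", r"c:\users\*\appdata\local\temp\*"],
        "connect": [],
    },
}


def parse_event(line):
    """Parse one event line into a dict, or return None if it is malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["proc"] = ev["proc"].lower()
    ev["target"] = ev["target"].lower()
    return ev


def is_whitelisted(ev):
    """True only if this process is known and the action/target matches a pattern."""
    rules = WHITELIST.get(ev["proc"])
    if rules is None:
        return False  # an application we never profiled is never trusted
    return any(fnmatchcase(ev["target"], pat) for pat in rules.get(ev["action"], []))


def scan(lines):
    """Return (timestamp, process, action, target) for every event off the whitelist."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and not is_whitelisted(ev):
            alerts.append((ev["ts"], ev["proc"], ev["action"], ev["target"]))
    return alerts


# Constructed sample events: normal browsing and editing mixed with post-exploitation behaviour.
SAMPLE_EVENTS = [
    r'2014-10-31T10:00:01 proc=iexplore.exe action=connect target="93.184.216.34:443"',
    r'2014-10-31T10:00:02 proc=iexplore.exe action=write target="C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\ad[1].js"',
    r'2014-10-31T10:00:03 proc=iexplore.exe action=write target="C:\Users\alice\AppData\Roaming\svch0st.exe"',
    r'2014-10-31T10:00:04 proc=iexplore.exe action=spawn target="C:\Windows\System32\cmd.exe"',
    r'2014-10-31T10:00:05 proc=winword.exe action=spawn target="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'2014-10-31T10:00:06 proc=winword.exe action=write target="C:\Users\alice\Documents\quarterly.docx"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("DEVIATION %s %s %s -> %s" % alert)
```

The point of the default-deny shape is that the exploit’s payload never has to be recognized: a browser writing a .exe under Roaming or launching a shell is wrong regardless of which vulnerability got it there, which is the property the slide claims for container-side detection. The flip side, which you pay for in practice, is that the whitelist must be complete for every legitimate plugin and update path or it will alert on normal use.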

Page 22: Demo: Invincea FreeSpace vs Current Exploits

DETECTION | PREVENTION | INTELLIGENCE

Page 23: Advanced Threat Protection – Recap and Summary

• MS EMET provides protection from certain classes of memory exploits

• MS EMET does not provide sufficient protection from common classes of exploits observed in the wild

• Invincea FreeSpace defeats the exploits used in targeted attacks, 0-days and unknown malware, including classes EMET does not

– Zero reliance on signatures or users for protection

– Detection of advanced threats, unknown malware and 0-day exploits

– Addresses the attack surfaces exploited by adversaries in practice

– Small footprint; manageable, deployable and scalable

– Detailed forensics for threat intelligence sharing

Page 24: Questions?

DETECTION | PREVENTION | INTELLIGENCE