Chris Betz, senior director of the Microsoft Security Response Center in the Trustworthy Computing Group at Microsoft Corp., details how exploit kits continue to evolve as a popular tactic used by cybercriminals to scale their potential for successful compromise.
Q: Chris, the most recent Microsoft Security Intelligence Report (July 2013-December 2013) focuses on the rise of exploit kits and talks about how the potential for illegitimate profit by prospective attackers from exploit kits can be considerable. Why is that a current problem – and what can be done about it?
Chris Betz: We’ve been seeing a high volume of exploit kits for years, and the data from the most recent Security Intelligence Report (SIR) shows how exploit kits continue to evolve as a popular tactic used by cybercriminals to scale their potential for successful compromise. Rather than target one vulnerability, these kits often contain exploits for multiple vulnerabilities in a variety of different applications, browsers, and operating systems from many different vendors.
There are some best practices which can help mitigate the threat from exploit kits:
- Use the newest versions of applications and operating systems. This may sound obvious, but its impact can’t be overstated. Windows 8.1, Internet Explorer 11, and Office 2013 all take advantage of improved security features that more effectively mitigate techniques that are currently being used to exploit vulnerabilities. Deploying these product versions can widely help mitigate the risk an organization faces from several of the most commonly detected exploits. Using the 64-bit edition of Internet Explorer 11 with Enhanced Protected Mode enabled can also help protect customers from a range of Internet-borne threats.
- Stay current on security updates. Our research indicates that the majority of cyberattacks target vulnerabilities for which security updates have already been available for a significant amount of time. This is especially true for exploit kits. Installing security updates as soon as they are available can help minimize risk. myBulletins, a new online service tool, can help customers create their own custom lists of updates for products running in their environment.
- Use the Enhanced Mitigation Experience Toolkit (EMET). EMET can be used to protect applications that run on all supported versions of Windows. The features included in EMET are specifically designed to break exploitation techniques that are currently used by attackers. This makes it that much more difficult for attackers to carry out a successful exploit.
Q: Tell me about the next Microsoft Security Intelligence Report which, I assume, is due out soon. Any hints as to a few of the areas it will highlight?
Betz: Each new report released includes the latest threat trends on exploits, vulnerabilities, and malware based on data from more than a billion systems worldwide and some of the busiest online services. Like the previous editions, the upcoming version will offer thoughtful insights and analysis on these trends based on the data. While we are working on the next release, we welcome feedback. Please share your thoughts with @MSFTSecurity.
Q: Microsoft is a Diamond Sponsor of Black Hat USA 2014. What will be your strategy at the conference … and what can attendees expect to hear from Microsoft?
Betz: Black Hat is a great opportunity for us to get out into the community and engage face-to-face with security researchers, industry partners, and our customers. We look forward to having some great conversations about the latest in Microsoft’s security offerings and how we can better serve the community.
Wolfgang Kandek, CTO at Qualys, details the company's free SSL Server Test tool, which reveals whether a site is vulnerable to Heartbleed, and its new Continuous Monitoring service designed to make continuous auditing of a customer’s perimeter effortless.
Q: Wolfgang, the day after the OpenSSL security bug Heartbleed was publicly disclosed, Qualys announced a free tool that allowed administrators responsible for the security of Web sites to enter a URL and find out whether their site was vulnerable to the new threat. What enabled you to move so quickly on that … and what sort of response did you receive from the public?
Wolfgang Kandek: The tool you’re referring to is the SSL Server Test. It was developed by Qualys SSL Labs several years ago to give a comprehensive evaluation of a site’s SSL setup and distill its findings down to a grade ranging from A to F. The grade depends on a variety of factors, such as certificate quality, ciphers used, and vulnerabilities in the setup. Things like weak ciphers lower the grade; grave vulnerabilities like Heartbleed cause an automatic F. SSL Labs was architected from the get-go to allow for the easy integration of new test suites to make the underlying research goals more readily attainable. Over the years, we have been able to adapt SSL Labs to new findings and quickly integrate new criteria. Integrating Heartbleed was literally done overnight.
The general response, as measured in traffic to the site, was immense. The day after Heartbleed was disclosed, usage jumped 10X and even now, two months later, it is still running at twice the volume we had before Heartbleed. We expect this increased usage will continue as additional code audits of OpenSSL lead to more flaws being uncovered.
Q: This year “SC Magazine” awarded Qualys its “Best Security Company” award. Pretty impressive! What new services or tools has Qualys released recently to deserve such an honor?
Kandek: We are honored to be recognized as the Best Security Company by SC Magazine and its readers. The award validates the SaaS delivery model of our security platform and is underscored by thousands of customers and partners who have adopted our award-winning vulnerability management, policy compliance, or web application security services.
We also feel that our innovative Continuous Monitoring service, which we introduced recently, had an impact. In short, Continuous Monitoring makes continuous auditing of your perimeter effortless, so you can keep up with hackers who are constantly scanning, cataloging, and exploiting your vulnerabilities with their automated tools. The service uses a baseline of a company’s Internet perimeter and alerts the security team in real-time to important changes it detects -- for example, new machines and services, unexpected operating systems, aging certificates, and severe vulnerabilities. Because it uses the elastic computing power of our cloud platform, it can easily scale up to do this for your global perimeter.
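The baseline-and-alert idea in that answer is easy to show concretely. The example below is written for this page and is not Qualys code: it diffs two constructed scan snapshots of a small perimeter and raises exactly the kinds of change the answer names (new machines and services, an unexpected operating system, an aging certificate, and a newly seen severe vulnerability). The snapshot layout, the 1-to-5 severity scale, the 30-day certificate warning and the reference date are all assumptions of this example.

```python
"""Added example: perimeter baseline diff producing change alerts (not Qualys code)."""
from datetime import date, timedelta

SEVERE = 4               # assumed severity scale 1-5; alert on 4 and 5
CERT_WARN_DAYS = 30      # assumed warning window for expiring certificates
TODAY = date(2014, 8, 5)  # reference date for the constructed data below

# Constructed snapshots: what an external scan saw on two different days, keyed by IP.
BASELINE = {
    "203.0.113.10": {"os": "Linux", "ports": {22, 443}, "cert_expires": date(2014, 9, 1),
                     "vulns": {("OpenSSL Heartbleed", 5)}},
    "203.0.113.20": {"os": "Windows Server 2008", "ports": {443, 3389}, "cert_expires": date(2015, 1, 15),
                     "vulns": set()},
    "203.0.113.30": {"os": "Linux", "ports": {25}, "cert_expires": None, "vulns": set()},
}
CURRENT = {
    "203.0.113.10": {"os": "Linux", "ports": {22, 443}, "cert_expires": date(2014, 9, 1),
                     "vulns": set()},                                      # Heartbleed has been patched
    "203.0.113.20": {"os": "FreeBSD", "ports": {443, 3389, 8080}, "cert_expires": date(2015, 1, 15),
                     "vulns": {("Tomcat manager default credentials", 4)}},  # rebuilt box, new service
    "203.0.113.40": {"os": "Linux", "ports": {80}, "cert_expires": None, "vulns": set()},  # new machine
}

EMPTY = {"os": None, "ports": set(), "cert_expires": None, "vulns": set()}


def diff_perimeter(baseline, current, today, cert_warn_days=CERT_WARN_DAYS, severe=SEVERE):
    """Return a list of (kind, ip, detail) alerts for the changes between two snapshots.

    Only additions and risk-increasing changes raise alerts; a vulnerability that disappears
    or a host that stops exposing a port is not something the team needs paging about."""
    alerts = []
    for ip in sorted(set(baseline) - set(current)):
        alerts.append(("host_gone", ip, f"was {baseline[ip]['os']}"))
    for ip, now in sorted(current.items()):
        was = baseline.get(ip, EMPTY)
        if ip not in baseline:
            alerts.append(("new_host", ip, now["os"]))
        elif now["os"] != was["os"]:
            alerts.append(("os_changed", ip, f"{was['os']} -> {now['os']}"))
        for port in sorted(now["ports"] - was["ports"]):       # a new host reports every port as new
            alerts.append(("new_service", ip, f"tcp/{port}"))
        expires = now["cert_expires"]
        if expires is not None and expires - today <= timedelta(days=cert_warn_days):
            alerts.append(("cert_aging", ip, f"expires {expires.isoformat()}"))
        for name, sev in sorted(now["vulns"] - was["vulns"]):
            if sev >= severe:
                alerts.append(("severe_vuln", ip, f"sev {sev}: {name}"))
    return alerts


def run_example():
    """Diff the constructed snapshots as of TODAY."""
    return diff_perimeter(BASELINE, CURRENT, TODAY)


if __name__ == "__main__":
    for kind, ip, detail in run_example():
        print(f"{kind:12} {ip:15} {detail}")
```

In a real deployment the snapshots would come from the scanner's host and certificate inventory and the diff would run after every scan of the perimeter; the alert kinds here map onto the examples the answer gives, and the filtering rule (only additions and risk increases page anyone) is what keeps continuous alerting from becoming noise.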
Q: As a Diamond Sponsor of Black Hat USA 2014, what will be your focus and strategy for the conference?
Kandek: Black Hat is the industry’s most important technical event. We attend for the presentations that provide insight into what security researchers are working on. At the same time, it is an excellent opportunity to connect many of our technical experts with our customers -- security engineers from Fortune 500 companies. We return from the show with new ideas, a better understanding of the threat landscape, and important technical insights that we can use to guide the company's research and product roadmap for the next year.
Besides all that, Black Hat is an excellent forum for industry networking. It is a place where many of our most successful connections have been made and where we have met many of our current employees.
Amit Yoran, senior VP at RSA, gives advice to corporations that never thought of themselves as cyber targets, and reveals that the top-tier anti-virus/anti-malware vendors only have a 50-50 chance of detecting advanced threats and attacks.
Q: Amit, you’ve talked about the news concerning the five Chinese military officers charged with cyber espionage and how the targets – Alcoa, U.S. Steel, and Westinghouse – weren’t defense contractors or high-value geopolitical targets. Your comment was that this clearly demonstrates that, in today’s highly connected digital world, no company can assume that it isn’t a worthwhile target any longer. What advice would you then give corporations that never thought of themselves as targets?
Yoran: RSA tells its customers to think about security in terms of risk to their business. We ask, “What would happen if someone stole information about your customers?” “What if they stole information about your product or processes that are considered proprietary?” “What if your company was compromised to be used as a steppingstone in order to launch an attack against your most important customers or partners?”
When organizations look at it this way, they usually come away with a different sense of urgency about their security program. They don't want to lose the trust of their customers or partners due to being a weak link in the security chain. Losing that kind of trust can have a very limiting effect on business opportunity and growth which could be far more expensive than investing in the right training and technologies to bolster security defenses.
Q: Your recent “Cyber Espionage Blueprint” report concludes that top-tier anti-virus/anti-malware vendors have only a 50-50 chance of detecting advanced threats and attacks. That is going to shock a lot of people. Why does RSA believe that – and what can be done to increase the odds?
Yoran: RSA gets a lot of firsthand exposure to ongoing customer incidents through our network and host forensics products and our incident response service teams. We have the ability to gather detailed information on active malware infections, even when the customer has deployed the best firewall, IPS, and anti-malware products money can buy. We've been saying this for a very long time -- while improving security controls certainly helps, failure in the face of advanced threats is certain over time. These products might do okay to stop known threats, but the bad guys have gotten smarter in the way they continually change up their attacks. Most perimeter security products can do almost nothing against these unknown threats.
The best strategy for early attack detection so we can decrease the number of days, weeks, and months those attacks go undetected is through improved visibility, advanced analytic methods, and enabling time for not just faster, but also more complete action. We see too many organizations detecting an exploit and moving too quickly to clean it up without realizing it is part of a much larger campaign against them. They lose visibility into where else an attacker has infiltrated their organization and the result is a much more damaging long-term outcome.
Q: RSA has chosen once again to be a Diamond Sponsor of Black Hat USA 2014. How will you be participating in the upcoming conference?
Yoran: While RSA is known as the world leader in strong authentication and identity management, we have also built deep expertise and a rapidly growing business in security operations, incident response, and hardcore threat research. RSA didn't end up in these markets by accident. There is an important convergence happening in the industry that we've been tracking well over the last four years: as advanced threats increasingly abuse privileged access and identity becomes a critical component of decentralized enterprise IT environments, organizations have to rethink their approach to security. Security professionals have to move away from a “prevention” mindset that was based on yesterday's static, enterprise-controlled IT infrastructures, and towards a “visibility” mindset that's based on deeper understanding of the behavior of people, information, and applications. The hardcore security community at Black Hat gets this and they remain a critical user and target market for us.
So we'll be showing off a whole heap of RSA solutions at Black Hat in our Advanced Security Operations Center theater area that will cover our offerings in fraud risk intelligence, GRC, and identity and access management.