Endpoint Protection


Exploit Prevention - Don’t Leave Home Without It 

Oct 15, 2016 02:44 PM

Every software application has vulnerabilities.  Many are fixed promptly, but some are unknown even to the developers themselves.  Cyber criminals, however, have every incentive to discover these vulnerabilities and exploit them.  In fact it is a growing business: according to the Symantec Internet Security Threat Report, the number of zero-day vulnerabilities grew 125% in 2015.

[Figure: zero-day exploits.  Source: Symantec Internet Threat Report, April 2016]

If you assumed the most common and widely used applications were the least likely to have vulnerabilities, you would be wrong.  Common operating systems, end-user browsers, and enterprise applications are all at risk, which means every layer of the software stack in your organization.  In the recent past we have seen vendors release patches for 200 or 300 vulnerabilities in their software suites at once, many of them remotely exploitable and of the highest severity, and a common operating system with a 20-year-old vulnerability sitting in plain sight.

From an attacker's standpoint, exploiting a browser vulnerability gets them a large foot in the door of an organization.  Gaining access through the operating system means they can infect one machine and use it as a staging point to infect other machines, moving laterally within the organization.  And by compromising an enterprise application they may gain access to mission-critical information, an ERP system, or customer data.

What is really worrying is the rapid weaponization of zero-day vulnerabilities.  From the Symantec Internet Security Threat Report we know that within hours of being disclosed underground, exploits become available in very sophisticated exploit kits.  The Angler exploit kit, for example, which has launched hundreds of thousands of attacks, provides exploits that download and execute malware entirely in memory without writing any files to disk, avoiding detection by the many traditional and next-gen protection methods that rely on inspecting files.  In the not too distant past these exploits would show up in a localized fashion; today they are very quickly rolled out at scale around the world.

Criminals know that even after an exploit is in use it can take weeks for a vendor to release a patch, and then months before you can update all of your endpoints.  That is a large window of opportunity to keep exploiting the vulnerability, steal your sensitive data, and disrupt your organization.

You may be asking yourself by now what the best way to handle these exploits is.  Memory exploits cannot be blocked by signatures, nor identified by machine learning, the new silver bullet of endpoint protection.  What is needed is a dedicated technology: Exploit Prevention.  In Symantec Endpoint Protection (SEP) it is called Memory Exploit Mitigation.  It is signature-less; instead it uses an understanding of exploit behavior to pre-emptively block zero-day exploits.  Once installed it protects your endpoints from memory exploits regardless of the behavior or technique used to exploit the flaw, bug, or vulnerability.

Let’s take a look at a couple of different types of behaviors: 

  • Heap spray, for example, fills the memory of an application with a specific pattern.  The pattern not only induces the application to return control to memory the malware controls, but is itself executable.  Symantec mitigates a heap spray by identifying the memory locations these patterns point to, then inserting code there that generates an exception and returns control to our endpoint protection product.

  • Java exploits work through logic flaws.  The malware tricks the interpreter into mistaking one call for another, which provides the opportunity to disable the Security Manager; after that the attacker can do anything the user could normally do on the machine.  In this case the best mitigation is to make sure the Security Manager cannot be turned off.
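As an added example (not SEP's own logic, which the post does not disclose), here is a defender-side heuristic for the heap spray behavior described above: a sprayed region shows up in a memory snapshot as a long run of pages filled with the same repeated word. The snapshot, page size, thresholds and the filler value are all constructed for the demo.

```python
"""Heap-spray heuristic over a memory snapshot (constructed demo)."""
from collections import Counter
import random
import struct

PAGE = 0x1000          # scan granularity in bytes (assumed 4 KiB pages)
MIN_FRACTION = 0.90    # share of a page one word must cover to count as filled
MIN_PAGES = 4          # consecutive filled pages before we report a spray

def dominant_word(page: bytes) -> tuple[int, float]:
    """Most common aligned little-endian 32-bit word in a page and its coverage."""
    n = len(page) // 4
    words = struct.unpack(f"<{n}I", page[: n * 4])
    value, count = Counter(words).most_common(1)[0]
    return value, count / n

def find_sprays(snapshot: bytes) -> list[dict]:
    """Report runs of >= MIN_PAGES consecutive pages dominated by one non-zero word.

    Zero-filled pages are freshly allocated, untouched memory and are common in
    any process, so they are deliberately not treated as spray.
    """
    sprays, run = [], None

    def close(end: int) -> None:
        if run is not None and (end - run["start"]) // PAGE >= MIN_PAGES:
            sprays.append({**run, "size": end - run["start"]})

    for off in range(0, len(snapshot) - PAGE + 1, PAGE):
        value, fraction = dominant_word(snapshot[off:off + PAGE])
        filled = value != 0 and fraction >= MIN_FRACTION
        if filled and run is not None and run["word"] == value:
            continue                           # the same spray continues
        close(off)
        run = {"start": off, "word": value} if filled else None
    close(len(snapshot) - len(snapshot) % PAGE)   # flush a run ending at the top
    return sprays

def build_demo_snapshot() -> bytes:
    """Constructed snapshot: 8 pages of random data, 16 sprayed pages, 4 zero pages.
    The filler word is arbitrary here; in a real spray it is an address inside the
    sprayed region, which is why the post says the pattern both redirects control
    and executes."""
    random.seed(7)
    normal = bytes(random.randrange(256) for _ in range(8 * PAGE))
    sprayed = struct.pack("<I", 0x0A0A0A0A) * (16 * PAGE // 4)
    return normal + sprayed + bytes(4 * PAGE)

if __name__ == "__main__":
    for s in find_sprays(build_demo_snapshot()):
        print(f"spray at {s['start']:#x}: {s['size'] // PAGE} pages of {s['word']:#010x}")
```

Tune MIN_PAGES and MIN_FRACTION against snapshots of your own processes first; large zeroed or single-byte-initialized buffers are the usual source of false positives.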

As you can see, each exploit is unique and requires a well thought out mitigation strategy.  Note that a given behavior can be addressed with different strategies, some more effective than others.

Exploit prevention is targeted at a very specific use, but plays an important role in providing comprehensive next-generation endpoint protection as part of a layered solution:

  • It complements other technologies such as Intrusion Prevention Systems, antimalware, and reputation analysis, which protect against high-volume attacks by monitoring network packets, signatures, and reputation.

  • It is essential even if you have Application Control that lets you whitelist applications.  As we have discussed, many of these “legitimate” applications are the ones that contain vulnerabilities.

  • It can provide protection that other next-gen technologies cannot, because they rely on a file being written to disk or executed before they can identify a threat.  Always ensure your endpoint protection solution has both machine learning and exploit prevention.

  • It protects you regardless of how the attack originates (e.g. malvertising, an infected file from a USB stick, etc.).

Once available on your device, exploit prevention will mitigate memory attacks wherever you roam – don’t leave home without it.

Find out more about Symantec Endpoint Protection here


Comments

Nov 14, 2016 11:11 AM

It's almost as if this post was straight from http://www.trusteer.com/en/solutions/zero-day-exploit-prevention

;-)

Nov 14, 2016 02:58 AM

The majority of malware infections are a direct result of exploitation of known and zero-day vulnerabilities. Cybercriminals continuously develop new exploits that take advantage of application vulnerabilities to introduce malware and compromise endpoints. Once compromised, cybercriminals gain full control over the endpoint, which enables them to get further access to enterprise data and network resources. Ideally, enterprises should deploy security patches on all endpoints as soon as they become available, to eliminate exploitable vulnerabilities. But in reality, enterprises still don’t deploy patches as fast as they should. As a result, most enterprise endpoints remain vulnerable.

Nov 03, 2016 04:27 PM

Very enlightening article. There will always be Zero days, that's the point of them. Hopefully, this will help people shine the light on how to protect themselves as much as possible.

Nov 02, 2016 07:12 PM

very good points!

Nov 02, 2016 11:39 AM

It's hard enough keeping on top of updates for Java and Flash.

Having the ability to turn on this feature should provide some additional protection and peace of mind while we work to get this stuff off our network.

You also need to constantly keep all of your devices up to date including the endpoints.

Oct 28, 2016 04:00 PM

Part of the layered solution can also be a "Least Privilege" philosophy for user interaction with the OS. This is important as should an exploit be activated, the OS will naturally try to limit the exposure according to the user's security rights. This is industry standard practice, and whilst it doesn't "solve" the problem, it can certainly help mitigate it.

Oct 25, 2016 02:11 PM

Interesting article

Thank you.

Oct 25, 2016 01:30 PM

Zero days will always occur, and hackers will always find a way. Even after finding a zero-day vulnerability it takes a lot of time to patch things up and solve it, depending on how many resources you have. Precaution is always best in these cases.

For things which we can handle, Symantec is always best and trustworthy. Planning and moving with protocol is always the best solution; even though we can't avoid these vulnerabilities we can always be vigilant.

Oct 24, 2016 02:49 PM

Always good to see more information building off of the threat report. It's reassuring to see the approach to defence is changing along with the threat, though you'd hope that the threat lessens over time as standards evolve.

Oct 24, 2016 11:08 AM

I am not sure about anyone else but Security shouldn't be so complicated.  How many applications/services/devices do we need in order to mitigate or prevent exploitations? Symantec is doing a great job of trying to provide the best possible solution to this problem but maybe we are overthinking things? All the security we have today didn't prevent the DDoS last week.  It isn't going to get any easier in the days ahead.  

Oct 23, 2016 11:49 AM

We go around and around about this topic. The fact remains that anyone can change a single bit in a known exploit and create a zero day. I think application security is the most important thing here. Identify lapses in code etiquette and protocol handling. Make sure everything is solid at home before you worry about the attackers outside!

Oct 22, 2016 01:01 AM

SEP 14.0, the way to go. I like the way the product allows us to enable or disable each individual protection module. With this approach, I am confident that the product can provide much more than Microsoft EMET does. Oct 28, a few days away. SEP 14.0

Oct 21, 2016 12:53 PM

Very interesting article.

It's amazing how many exploits are out there. Whitelisting applications is a good process to help stop a lot of these memory based attacks; it won't stop them all, though, unless definitions are up to date.

Oct 21, 2016 01:47 AM

Anything can and WILL find a way....

Oct 20, 2016 10:38 PM

Great way to keep us informed on the vulnerabilities of security software.

Many people who are in business don't realize how difficult it is to stay ahead of the security game.

It's more than buying a few security products for your network expecting that's all you need to do to be safe.

You also need to constantly keep all of your devices up to date including the endpoints.

Every Tuesday the hackers are in full force reverse engineering all Microsoft patches looking for just one vulnerable piece of code that they can use to gain access to your device/network 

It only takes a hacker one time to gain access, steal your info and game over...

I give Symantec props for doing a GREAT job on security updates!!! 

They're #1 in the industry 

Oct 20, 2016 02:25 PM

I find it unusual that people would consider the most common applications/platforms to be the most secure. It seems like common sense that hackers would target a larger audience and look for exploits in more popular software. Never seem to hear about security problems on BeOS 5.0 Personal Edition :-). The problem is the more common the software the lower the average computer literacy/education, the more users are aware of things like this the more we can fight it.  

Oct 20, 2016 10:33 AM

Nice article that makes you aware of protecting against zero-day attacks. In this latest version I hope many old and known attacks are also efficiently considered and protected against. I would also suggest that Symantec now has to think about reducing the size of the application and definitions to use resources efficiently. Machine learning is one approach towards this. This plays an important role in helping to provide comprehensive next generation endpoint protection in a layered solution.

Oct 20, 2016 05:14 AM

Great to see new methods are being used to help mitigate against attacks.

Hopefully the increase won't continue, it's a worrying landscape to be in atm.

Now we just need to get the masses using it.

Oct 20, 2016 04:59 AM

A very good read, sadly, no matter how much we try to protect, they WILL find a way round to it.

Not all software is perfect. In fact, does anyone remember the old days when many people were saying "Ha, Macs are strong and will never be hacked/attacked/etc"? Now look at it; they're the same as Windows, Linux and other platforms.

The only way we can REDUCE (not stop as it's impossible) this sort of thing is via education to users. The more users are aware the better chance we can reduce it.

Oct 20, 2016 03:57 AM

Great to see these methods,

Symantec always looks at zero days very carefully; the numbers are very enlightening and worth taking note of.

Oct 20, 2016 03:13 AM

Thanks @Symantec for enlightening us with some of the great work you do to help protect us from zero day attacks; the use of memory exploit mitigation will be great in SEP14. It's hard enough keeping on top of updates for Java and Flash etc, so having an extra barrier of protection there is always a good thing against these attacks.

Oct 19, 2016 10:29 PM

This article helped me understand that zero day attacks have increased and how to mitigate them. But Symantec always helps us protect against these kinds of zero day vulnerabilities. Also interested to know the different types of exploits in detail.

Oct 19, 2016 06:58 PM

We see threats on a daily basis - even zero days.

Glad we have Symantec in our corner to help protect our environment.

Anxiously awaiting SEP 14 too - went to a user group meeting, it's going to be awesome!

Oct 19, 2016 02:39 PM

I'm happy to see this will be a part of SEP 14. We already have a hard enough time dealing with vulnerabilities and older versions of software (i.e. Java and Flash). Having the ability to turn on this feature should provide some additional protection and peace of mind while we work to get this stuff off our network.

Oct 19, 2016 02:23 PM

Application whitelisting is a great process to help prevent a lot of these memory based attacks. Also, importing threat feeds from companies such as Symantec in order to block known bad sources and destinations should help significantly reduce these threats. My favorite method is to give my end users paper and pencil.

Oct 19, 2016 01:34 PM

Great article, @Symantec!

I agree with @jjesse on how fast software is being exploited.  What is really mind boggling is how many exploits there are out there!  There are so many out there that it is scary AND it doesn't seem to be getting any less!

Oct 19, 2016 11:50 AM

The rapid deployment of such 0 day exploits is astounding! I would like to see what methods or in-house apps the exploiters use. I'm sure it's great technology/coding just being used for the wrong purpose. 

Oct 19, 2016 10:46 AM

I find it amazing how fast these 0 days are being exploited.  What stinks is they are being sold and traded all over and as fast as one is squashed another one pops up.

A bit crazy there.

Oct 19, 2016 07:45 AM

Hello,

I have always promoted a proverb for Information Security - Prevention is better than cure.

The Symantec Internet Security Threat Report is helping all the users make sure they are aware of the security world and the dark world.

Unfortunately, as long as there are zero day exploits, attacks are unavoidable... only prevention is the cure.

Thank you Symantec.
