Blocking zero-day application exploits: A new approach for APT prevention

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Cybercriminals continue to develop new methods to bypass security controls in order to install malware on corporate endpoints. The recently discovered advanced persistent threat (APT) malware, Trojan.APT.BaneChant, uses multiple evasion techniques to bypass some of the newer detection approaches being utilized. First, the malware evades virtual machines by only executing the second stage of the attack after mouse activity is detected.

This allows the malware to evade several common detection mechanisms, including sandboxing, virtual machine execution and automated malware analysis systems. The malware then downloads a malicious .JPG file to compromise the end-user device and open up communication with the command and control center in order to steal sensitive data.

This is another example of a targeted attack that exploits the biggest enterprise weakness – vulnerable endpoint applications. The attack exploits vulnerabilities in endpoint applications to introduce malware, which then enables the attack progression. By blocking the exploit, the entire attack can be stopped.

But that can’t be done with blacklisting solutions, as we have seen with the recent New York Times, Washington Post and Wall Street Journal breaches. Since most targeted attacks exploit zero-day vulnerabilities, an effective solution must be able to block the attack without knowing anything about the vulnerability targeted or the malware used.

A new endpoint malware protection paradigm
An endpoint protection approach that provides both effectiveness and manageability must begin with an understanding of the attack vectors that require mitigation. Malware can compromise end-user devices in several ways. For example, malware can silently install through the exploitation of an application or operating system vulnerability, it can be downloaded by the end-user via social engineering or it may be pre-installed on the device. Therefore, enterprises need to take the preventative steps to avoid information-stealing malware from reaching the endpoint device in the first place. Enterprises also need to prevent information-stealing malware from successfully functioning when it does end up on the endpoint through other methods.

Two new layers of security
Stateful Application Control is a new approach to protect endpoint devices from advanced data-stealing malware. It combines two important components: the first is designed to prevent malware from installing on the device and the second is designed to prevent malware from executing on the device. The first layer, application exploit prevention, applies whitelisting to application states instead of the applications themselves. This method prevents application exploits from leveraging vulnerabilities and introducing malware onto the computer file system.

By analyzing application memory states during normal operations, this approach maps the legitimate states of the targeted applications, such as browsers, Adobe, Flash and Java, when these applications write to the file system. For example, a legitimate application state occurs when a user saves a spreadsheet to disk or when the application updates its code. The creation of executable files that occur outside of a legitimate application state, as happens when exploits attempt to install malware, are prevented.

Application exploit prevention allows for more stable, effective and manageable endpoint security than the traditional application control approaches. This is because there are far fewer and more static application states to analyze and maintain, as compared to the multitude of application files that other application control approaches must inspect and manage.

In the event that malware is somehow able to install on an endpoint device, a second and different layer of protection should be implemented to prevent the malware from accomplishing its goal of stealing information. This mechanism also uses the concept of whitelisting and applies it to data exfiltration states. In other words, it monitors and only allows legitimate external communication to be transmitted from the endpoint device.

When information-stealing malware enters the endpoint through an email attachment, a web download or infected media, it attempts to use data exfiltration techniques to communicate stolen data and credentials to the Internet. For example, malware can compromise a legitimate application process, creating a “zombie” process that looks authentic, or directly send data to an external IP address.

With this second layer of security, applications that exhibit data exfiltration states are restricted from communicating with the Internet or other processes but are permitted to perform other, more benign operations such as printing and file access. Restricted applications are then further analyzed and either whitelisted or removed if found malicious.

Automated management
The key to implementing Stateful Application Control is making it highly manageable so that it requires no end user intervention and minimal IT staff involvement. This can only be accomplished through a sizeable network of endpoints that enable new, legitimate application and data exfiltration states to be detected, whitelisted and immediately pushed out to all protected endpoints via the cloud. Additionally, corporations should be able to whitelist specific tools that would otherwise be restricted due to the nature of their operation.