Preventing Modern Attacks with Modern Defense and Testing Methodologies

The Problem 

Cybercriminals are targeting organizations successfully in spite of traditional security measures, as noted recently by the NY Times and by a front-page article in the Wall Street Journal on cyber espionage. This issue is driven by the cybercriminal gangs’ ability to compromise vulnerable systems using sophisticated reconnaissance and penetration tactics. So, how do we solve this problem, and which testing organizations can help us understand which solutions are effective?

To answer this question we must first understand the cybercriminal’s mindset and approach to breaching a large organization’s IT infrastructure. The first step taken by any cybercriminal is simply to understand the target’s network design, systems, applications and security posture. This is the reconnaissance step. It’s generally not too difficult, given the extensive Internet connections any enterprise must have in place to do business. Nearly all enterprises of any size are now under constant surveillance by potential attackers.

The second step is to monitor the target organization’s patching and security behavior. Then the hacker waits for windows of vulnerability. A recent high-profile attack against the Federal Reserve demonstrated that new vulnerabilities can now be attacked within an hour or two of appearing.

The most common example of this scenario is the race between industry and cybercriminals on Microsoft’s Patch Tuesday. On that monthly “Black” Tuesday the starting gun fires and the race begins. If the published vulnerability is rated critical with the characteristics of “remote exploitation and code execution”, the race is a rabid one, with many cybercriminals poised at the starting line, hands dancing on keyboards, looking for exploit kits capable of leveraging both known and unknown vulnerabilities.

In many cases the exploit kits available pre-date the release of the software containing the vulnerabilities they exploit. Having acquired one, the cybercriminal simply inserts the IP address or domain of his target and steals the information he wants. He then very likely also injects a back door Trojan so he can enter the system more easily next time. He will then use that system as an espionage launch pad to conduct reconnaissance on other networks and domains.

Antivirus software (AV) is a necessary but insufficient defense mechanism in this all too common scenario, and here is why.

The first stage of these attacks commonly involves exploiting a known vulnerability. AV, by contrast, operates way down at attack phase three, where it protects against a common payload. As an industry we must shield the vulnerability itself. This is done best through host- and network-based technologies that use vulnerability shielding techniques. Rather than relying on inferior pattern-matching signatures, we need to embrace this broader approach of vulnerability shielding. These techniques have been in common use for a decade in network devices, while host-based advanced protection has been adopted more slowly.

As noted by the recent NY Times article, now is the time. As an industry we must raise the bar! None of us (vendors or practitioners) can persist in believing that if we build and deploy a traditional AV certified by historical AV testing techniques, we’ll be safe.


The Solution

We must understand the way a hacker works and his basic attack steps, and start the race before the starting gun goes off. That means blocking attacks as early as possible, or in the model above, at the vulnerability stage. The question THEN becomes: how do you KNOW whether the product is performing as promised? The issue here is that the third-party testing labs have historically focused their testing methodologies on the payload phase, where traditional AV products do their work. While this approach was appropriate to assess the endpoint products of five years ago, it does not provide an accurate picture of how today’s products address today’s threats.

I have personally asked the testing organizations to enhance their methodologies and adopt this more sophisticated and real-world approach to measuring detection effectiveness. The answer I’ve historically received is that it’s simply too expensive. I’m pleased to report that one lab, NSS Labs, has now adopted testing methodologies that are consistent with the way cybercriminals now work to penetrate your networks and devices.

NSS Labs is currently unique in utilizing this new approach. They simply understand better how a cybercriminal thinks and have crafted their methodology around that mindset.  First, NSS Labs creates a list of the most prevalent software that organizations use including Windows, Adobe Flash, JRE, Firefox, Google’s Chrome, Internet Explorer and MS Office. They then enumerate the associated known vulnerabilities and use weaponized exploits to attack those vulnerabilities! Voila!  Just like a cybercriminal attacking your network or endpoint devices.

Due to McAfee’s strength in the enterprise segment of the market, and our work with governments and banks to understand the cybercriminal mindset, McAfee has developed technologies to block attacks at stage zero, the vulnerability stage. We are pleased that NSS Labs has adopted this new and very relevant approach. They recently released two reports describing the first round of results to emerge from the new NSS Labs tests. With this background, there is little surprise that we have earned the dominant position in their latest reports.

The McAfee endpoint triad of VirusScan Enterprise, Host Intrusion Prevention, and Site Advisor Enterprise achieved the #1 ranking in both the Exploit Prevention and Exploit Evasion tests. While we are gratified by this outcome, we know our work is not over. The cybercriminal gangs and state actors that desire to breach the IT infrastructure of public and private sector enterprises will use increasingly more sophisticated techniques. McAfee will continue to develop and deploy products to address this rapidly evolving threat landscape. We look forward to working with NSS Labs and other progressive labs and analysts to provide you with the information you need to optimize your security posture.


Android Malware Goes Bollywood

We already know that mobile malware is growing at a fantastic rate, but we now see a new trend that concerns us: specific regions targeted by mobile threats. Just last week McAfee Labs blogged about a new malware threat targeting phone owners in South Korea. Today we have identified another new strain of Android Trojan that aims at users in India. A twist in this new strain is that all the apps the Trojan is wrapped into have a Bollywood theme.

McAfee Mobile Research has identified five apps distributed on third-party app markets that contain this fake job-offer Trojan. Reminiscent of a badly written Bollywood musical, with the bad guy interrupting the song-and-dance number, the Trojan runs as a background service when the infected device boots, and shows the message “Important incoming email from HR, do the needful,” followed by redirection to a bogus job-offer letter hosted on an external website as an image.



The scam requires the victims to believe they have been selected as job candidates. In order to secure their placement in the company, they must make a deposit into a bank account. Our investigation shows that there are two versions of this scam, one circulated in January and another circulated in February. Both refer to the same job offer, with slight differences in the dates.



McAfee Mobile Security detects this malware as FakeJobOffer.A. If you have been targeted by this scam, we would like to hear from you.

Pwn2Own takes down IE 10 running on a Surface Pro

Browser security took a drubbing during the first day of an annual hacker contest, with the latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbing to exploits that allowed attackers to hijack the underlying computer.

The Pwn2Own contest, which is sponsored by HP's Tipping Point division, paid $100,000 for the successful exploitation of IE 10 running on a Surface Pro tablet powered by Windows 8. The attack was impressive because it was able to bypass a variety of anti-exploit technologies Microsoft has added to its flagship operating system and browser over the past decade. To succeed, researchers from France-based Vupen Security had to combine multiple attacks, a technique that is growing increasingly common.

"We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," the firm announced by Twitter on Wednesday.


Evernote Hacked – ALL Users Required To Reset Passwords

The big news in the past week or so was the Evernote hack. Being a user of Evernote, I was interested in this one; it seems to be a pretty pervasive hack, with user IDs and e-mail addresses being leaked. Thankfully the passwords are salted hashes, so it’s unlikely they’ll get brute forced any [...]
