New Vulnerability? Begin Change Management to Patch and Start Monitoring for Exploits


Every new cybersecurity vulnerability that’s announced sets off a race as organizations strive to patch it before someone with malicious aspirations finds a way to exploit the hole.

That was one of the underlying issues observed in the aftermath of the Equifax breach. Big organizations with complex IT infrastructure prefer to test new vulnerability patches before deploying them to a live environment. This change management process helps ensure new software patches don’t cause another problem or have unintended consequences.

However, the time it takes to shepherd a patch through the change management process is where the race is run: the window between the disclosure of a new vulnerability and the deployment of its patch. Bad actors work feverishly during that window to narrow down high-value targets to attack among those that remain unpatched and vulnerable.

Patching isn’t the Only Answer

There’s usually more than one way to solve a problem, and while patches are important to the long-term health of the IT infrastructure, they’re not the only way to protect the enterprise against emerging threats.

Security teams can and should use standalone intrusion detection and prevention systems (IDS/IPS) to monitor for attempts to capitalize on an exploit as well. For example, a Snort rule was available for the vulnerability that hit Equifax about a day after the exploit was announced. Those rules could have been deployed to detect malicious activity even as a patch worked its way through the change management process.

This approach could well work for hardware vulnerabilities too. It’s a timely notion given the problems associated with Meltdown and Spectre. As one reporter aptly wrote, “you can’t patch silicon,” so the long-term fix for hardware holes is more complicated.

The point is, any data a transgressor wants to exfiltrate must traverse back out through the network. That network activity is where cybersecurity teams can identify those actions and mitigate the risk.

5 Ways IDS Defends Against New and Emerging Threats

Modern IDS examine threats from multiple perspectives, including signatures and beyond. For example, an IDS should screen for behavioral anomalies on the network, conduct deep packet inspection to look for malware characteristics, and capture network information about an infected machine’s interactions immediately before and after an incident.

This level of sophistication gives security teams five opportunities to prevent or rapidly mitigate security events as they unfold along the kill chain. These opportunities are described in detail in a complimentary use case paper – The Five Ways Bricata Helps Defend Your Enterprise Against Modern Laterally-Spreading Malware or Ransomware – and are summarized as follows:

1) Stopping the initial exploit of known malware

Traditionally, the initial download of malicious software either tricks users into clicking a link or exploits a vulnerability that causes a machine to download software. Signature analysis works well for known exploits, including new vulnerabilities, because it is usually faster to write a detection rule than it is to develop an exploit.

2) Stopping the initial exploit of unknown malware

For unknown exploits, advanced IDS analyzes file contents and looks for the malware characteristics necessary to convict zero-day threats. Research from Hackmageddon shows that “unknown” was one of the top 10 attack techniques and has been growing in recent years. It’s also worth pointing out this works for less well-known exploits too, as was the case with EternalBlue. That exploit used an old Windows protocol, which suggests threats are often a mix of old tools with new adaptations.

3) Identify command and control signals

Should malware be introduced to the network through a USB device, file sharing, or another “trusted” cloud-based product, there’s a second chance to identify it and stop the threat. Known malware typically calls an outside command and control (C2) server, which can be detected. This enables security teams to take action on the compromised system and prevent the malware from completing its mission.

4) Recognize the signatures of malware moving laterally

One of the new twists that the likes of WannaCry and Petya brought was the ability to move laterally without user interaction. This means when a compromised endpoint identifies another system on the network where it can execute commands remotely, it will try to transfer malicious code laterally to that system. Modern IDS can be configured to monitor for lateral movement and analyze file objects for malicious behavior, in a way similar to how it identifies malware downloaded from the internet.

5) Recognize the behavior of malware moving laterally

It’s not enough to rely on signatures, because malware evolves to evade signature detection. This is why IDS that also analyze network behavior are so important. Malware in the process of exploring the internal network to expand its footprint will behave in ways that can be detected, investigated and stopped. There is an added benefit of monitoring for behavior: it captures data about what a machine was doing before and after an incident, which is essential for triage and understanding the scope of an attack.
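To make the behavioral point in items 4 and 5 concrete, here is an added example (not Bricata’s code or anything from the use case paper) that runs a simple fan-out heuristic over constructed connection logs: an internal host that opens SMB or RDP sessions to many distinct internal peers inside a short window is behaving like a WannaCry-style worm, whatever payload it carries. The internal range, the port list, the window and the threshold are all assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumptions, not settings from the post: internal range, lateral-movement ports, threshold.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
LATERAL_PORTS = {445, 3389}          # SMB, RDP
WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 5                 # distinct internal peers reached within WINDOW

# Constructed sample flows ("timestamp src dst dport"), as a sensor might log them:
# 10.0.1.20 reaches five peers on 445 in under two minutes; the rest is routine traffic.
SAMPLE_FLOWS = """\
2018-01-10T09:00:01 10.0.2.7 10.0.1.5 445
2018-01-10T09:00:02 10.0.2.8 10.0.1.5 445
2018-01-10T09:00:10 10.0.2.7 203.0.113.10 443
2018-01-10T09:01:00 10.0.1.20 10.0.1.5 445
2018-01-10T09:01:20 10.0.1.20 10.0.1.6 445
2018-01-10T09:01:40 10.0.1.20 10.0.1.7 445
2018-01-10T09:02:00 10.0.1.20 10.0.1.8 445
2018-01-10T09:02:30 10.0.1.20 10.0.1.9 445
2018-01-10T09:05:00 10.0.3.9 10.0.1.5 445
2018-01-10T09:30:00 10.0.3.9 10.0.1.6 3389
"""

def parse_flows(text):
    """Parse "timestamp src dst dport" lines into (ts, src, dst, dport) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), ipaddress.ip_address(src),
             ipaddress.ip_address(dst), int(port)) for ts, src, dst, port in rows]

def find_fanout(flows, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {source: peak count of distinct internal peers reached on a lateral
    port within one sliding window} for every source at or above the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        # Only internal-to-internal traffic on lateral ports matters. Counting per
        # source keeps a busy file server (many clients fanning *in*) quiet.
        if src in INTERNAL and dst in INTERNAL and port in LATERAL_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(peers))
    return alerts
```

Running `find_fanout(parse_flows(SAMPLE_FLOWS))` flags only 10.0.1.20; the slow host 10.0.3.9 stays under the threshold until the window is widened, which is the trade-off a behavioral rule tunes against patient attackers.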

* * *

Patching is and will remain an important part of the remedy to new exploits. However, a complementary and well-integrated set of security tools like IDS is a key defense during the time it takes to patch. Enterprises should begin the change management process to patch when a new vulnerability is announced – but they also need to monitor aggressively for emerging exploits. The complete use case on modern IDS is available for download without registration at the link above.
