Page 75 - Cyber Defense eMagazine - September 2017
The Race to Claim Victory over Malware
Whenever there is a major cyber security incident (about every week these days) the race
begins for the security and software industries: name the malware (ideally with a cool and
threatening-sounding name), create signatures, patch the newly discovered vulnerabilities, and
push the patches out to customers as quickly as possible. At that point, security and software
vendors like to pat themselves on the back, and announce publicly how sophisticated their
defenses are because “we caught this one…”.
But the reality is that most malware damage happens in the days or weeks before this public
frenzy begins, and when a patch is finally released, it may be weeks, months, or never, before it
has been implemented by most customers. As we saw with WannaCry, months after Microsoft
had released a patch to its SMBv1 vulnerability, a shocking number of servers globally were
unpatched and exposed.
Even more troubling is that the NSA knew about this vulnerability since at least 2013 (when the
EternalBlue toolkit was put together to exploit it), and other nation-state attackers may have
been exploiting this since 2001, when Windows XP was first released with the vulnerability.
Protecting Unpatched Systems in the Real World
Rather than continuing to focus on “best practices” that in reality are often avoided or viewed as
a liability, it’s time to look for security solutions that accept the piecemeal nature of complex
networks and legacy systems, but still apply effective security across the board. The holy grail
for many security professionals is to have protection that can be applied to systems as they are
– old or new, patched or unpatched. But, in order for this to happen, there has to be a paradigm
shift in security thinking.
For the past 25+ years, most security has been built around a perimeter mindset. The old
security adage has been “keep the good stuff in, and keep the bad guys out”. The primary tools
for this battle were gateway security devices, like firewalls (including IDS/IPS, next-gen firewalls,
and web application firewalls), and growing lists of known vulnerabilities used for virus
signatures and pattern matching to detect recurring malware. These gateway and list
approaches may have eliminated repetitive, static threats, but they have not kept up with
innovative and resourceful hackers who are continually devising new ways to elude
conventional defenses.
The latest wave of fileless, memory-based attacks is effectively invisible to conventional
security controls. These attacks manipulate legitimate application processes to corrupt memory, and
hijack control over systems to steal or ransom data, or merely cause painful disruption. Even in
a mythical world where all servers were immediately patched, this new class of threats would
fly under the radar of most security tools.
Because it’s impossible to anticipate and prepare for the infinite amount of unknown and future
threats, and patching is always slow and reactive, there is a new approach that is garnering
interest, especially in the ICS space, where legacy systems are a fact of life. Rather than focus
on external threats, or holding together the disappearing network perimeter, a new class of
Copyright © Cyber Defense Magazine, All rights reserved worldwide.