The war is more and less on the go. It's an new cold war but the big question for me is against whom?

To day allready Google provide China with tool to monitoring internet trafic and search thrue the China's GrateWall.
In my country today ther is some deep discusion about companys that sell aquipenst like telecom that help nondemocratic countrys to get track of ther residence ware thay are and who thay talking with and about what. This seams to be up at the agenda for EU also now.

So this is a global problem thet seams to be the cost for the freedom (or?).

So my conclution is that everybody who can and have the ability is spying on every body else to make then know more then other. So offcouse U.S. is spying as more and less every bondy else both countrys and companys and peaples that have some special intrest of info of some kind.

Preventing Modern Attacks with Modern Defense and Testing Methodologies

The Problem

Cybercriminals are targeting organizations successfully in spite of traditional security measures as noted recently by the NY Times and a front page article in the Wall Street Journal on cyber espionage.  This issue is driven by the cybercriminal gangs’ ability to compromise vulnerable systems using sophisticated reconnaissance and penetration tactics.  So, how do we solve this problem and what testing organizations can help us understand what solutions are effective?

To answer this question we must first understand the cybercriminal’s mindset and approach to breaching a large organization’s IT infrastructure.  The first step taken by most cybercriminals is to simply understand their target’s network design, systems, applications and security posture. This is the reconnaissance step. It’s generally not too difficult given the extensive Internet connections any enterprise must have in place to do business.  Nearly all enterprises of size are now under constant surveillance by potential attackers.

The second step is to monitor the target organization’s patching and security behavior.  Then the hacker waits for windows of vulnerability. A recent high profile attack against the Federal Reserve demonstrated that new vulnerabilities can now be attacked within an hour or two of appearing.  Frankly, sometimes the hackers know the vulnerability before the market does through vendor publication.

The most common example of this scenario is the race between industry and cybercriminal’s on Microsoft’s Patch Tuesday. That monthly “Black” Tuesday, the starting gun shoots and the race begins. If the published vulnerability is noted as critical with characteristics of “remote exploitation and code execution”, the race is a rabid one with many cybercriminals poised at the starting line with dancing hands on keyboards looking for exploit kits capable of leveraging both known and unknown vulnerabilities.

In some cases the exploit kits available pre-date the release of the software containing the vulnerabilities. Having acquired one, the cybercriminal simply inserts the IP address or domain of his target and does what he wants, such as steals the desired information. He then likely also injects a back door so he can enter the system more easily next time. He will then use that system as an espionage launch pad to conduct additional reconnaissance.

Antivirus software (AV) is a necessary, but insufficient defense mechanism in this ever so common scenario and here is why.

The first stage of these attacks commonly involves exploiting a known vulnerability. AV focuses way down on attack phase three where it focuses on protecting against a common payload.  As an industry we must shield the vulnerability. This is done best through host and network based technologies that use vulnerability shielding techniques or a more rigid technology, application control.  Unlike inferior pattern matching signatures, we need to embrace this broader approach of vulnerability shielding.  These techniques have been commonly used for a decade in network devices while host based advanced protection has been more slowly adopted.

As noted by the recent NY Times article, now is the time.  As an industry we must raise the bar! None of us (vendors or practitioners) can persist in believing that if we build and deploy a traditional AV certified by historical AV testing techniques, that we’ll be safe.


Solution

We must understand the way a hacker works and his basic attack steps and start the race before the starting gun goes off.  That means blocking attacks as early as possible or in the model above at the vulnerability stage. The question THEN becomes, how do you KNOW if the product is performing as promised. The issue here is that the third party testing labs have historically focused their testing methodologies on the Payload phase where traditional AV products do their work. While this approach was appropriate to assess the endpoint products of five years ago, it does not provide an accurate picture of how today’s products address today’s threats.

I have personally asked the testing organizations to enhance their methodologies and adopt this more sophisticated and real world approach to measuring detection effectiveness.  The answer I’ve historically received is that it’s simply too expensive. I’m pleased to report that one lab, NSS Labs has adopted testing methodologies that are consistent with the way cybercriminals now work to penetrate you networks and devices.

NSS Labs is currently unique in utilizing this new approach. They simply understand better how a cybercriminal thinks and have crafted their methodology around that mindset.  First, NSS Labs creates a list of the most prevalent software that organizations use including Windows, Adobe Flash, JRE, Firefox, Google’s Chrome, Internet Explorer and MS Office. They then enumerate the associated known vulnerabilities and use weaponized exploits to attack those vulnerabilities! Bang! Just like a cybercriminal attacking your network or endpoint devices.

Due to McAfee’s strength in the enterprise segment of the market and working with governments and banks to understand the cybercriminal mindset, McAfee has developed technologies to block attacks at stage zero or vulnerability stage.  We are pleased that NSS Labs tests has adopted this new and very relevant approach.  They recently released two reports(linked) describing the first round of results to emerge from the new NSS Lab tests. With this background, it is understandable we have earned the top position in their latest reports.

The McAfee endpoint triad of VirusScan Enterprise, Host Intrusion Prevention, and Site Advisor Enterprise achieved the #1 ranking in both the Exploit Prevention and Exploit Evasion tests. While we are happy with this outcome, we know our work is not over. The cybercriminal gangs and state actors that desire to breach the IT infrastructure of public and private sector enterprises will use increasingly more sophisticated techniques. McAfee and others in the industry must continue to develop and deploy products to address this rapidly evolving threat landscape. We look forward to working with NSS Labs and other progressive labs and analysts to provide you with the information you need to optimize your security posture.


Orginal article: Thursday, March 7, 2013 at 1:11pm by Rees Johnson