Have Meltdown or Spectre made you change ANY of your cyber security strategies?
Both of these vulnerabilities have been upon us for just under a week now and yet I’ve only really heard cyber hygiene (patch your systems and monitor for trouble) discussed as viable approaches to this problem. Cyber hygiene is indeed very important, but there are many strategic and tactical issues that should be on the table for discussion in response to these vulnerabilities — and vulnerabilities like them we will face in the future. In this blog, I will look at this from a cyber practitioner’s point of view and recommend some strategies you’ve looked at in the past but perhaps your organization hasn’t adopted yet.
Cyber hygiene — include firmware and cloud providers
Of course we need to have very good cyber hygiene, which can be summarized as efficient patching and monitoring. For a more detailed view, implement the NIST Cyber Security Framework. When it comes to patching and measuring vulnerabilities related to Meltdown and Spectre, you need to go beyond desktops and mobile phones and include firmware and your cloud providers.
Most vulnerability scanners, such as Tenable.io, can audit the underlying firmware of most operating systems. With the attention on CPU vulnerabilities right now, we should expect more of them to be disclosed in the future. This means patching firmware across your organization more often and building a best practice around it. If you can’t deploy and audit firmware patches with your current stack, you may also want to consider firmware monitoring solutions such as Eclypsium or Trapezoid, which watch for unauthorized changes in the running firmware.
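As an added example (not from the original post), here is a POSIX shell check that reads the per-vulnerability status files Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities and flags anything the kernel still reports as Vulnerable; the sample directory and its contents are constructed here to stand in for a partially patched host.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre status files.
# Each file holds one line such as "Mitigation: PTI", "Not affected" or
# "Vulnerable: ...". report_cpu_vulns DIR prints one line per file and
# returns 0 if nothing is Vulnerable, 1 if something is, 2 if DIR is absent.
report_cpu_vulns() {
    dir="$1"
    [ -d "$dir" ] || { echo "no status files at $dir (kernel older than 4.15?)"; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    verdict="VULNERABLE"; rc=1 ;;
            Mitigation:*)   verdict="mitigated" ;;
            "Not affected") verdict="not affected" ;;
            *)              verdict="unknown" ;;
        esac
        printf '%-12s %-13s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# count_vulnerable DIR -> number of entries still reported Vulnerable
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Constructed sample: Meltdown and Spectre v1 mitigated, Spectre v2 not yet.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE_DIR/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$SAMPLE_DIR/spectre_v2"
report_cpu_vulns "$SAMPLE_DIR" || echo "sample host: remediation still needed"

# Run the same check against the live host when the kernel provides the files.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_cpu_vulns /sys/devices/system/cpu/vulnerabilities || echo "this host: remediation still needed"
fi
```

The same loop extends to newer status files the kernel adds under that directory, since it keys on the file's first word rather than on a fixed list of names.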
For cloud providers, or any third-party vendor providing some sort of network service for you, you should track whether they know if they are vulnerable and when they will have a fix. Your major brands will likely take this upon themselves, but you should be wary of relying on a service that does not have the sophistication to do this on its own. If you don’t have a list of cloud providers and third parties providing services, building one should be part of your overall cyber hygiene. Solutions from Tenable can do this for you automatically, and most CASBs (Cloud Access Security Brokers) like SkyHigh (recently acquired by McAfee), web proxies and network security monitoring solutions like Eastwind Networks, ProtectWise and Darktrace will as well.
If your organization can’t claim proficiency in each of the five areas of the NIST Cyber Security Framework (inventory, prevention, detection, response and recovery), then I recommend leveraging the “crisis” of Meltdown and Spectre to improve your organization’s cyber hygiene by shoring up any of the five areas that are weak and need investment. If you do have good hygiene, you should consider the following additional strategies to dramatically reduce your attack surface.
Merging Access Control and Authentication
Meltdown and Spectre exploits will likely target user credentials — keys, hashes, encrypted passwords, etc. — that are in memory, because they are a small amount of data and can be used to log in without malicious software. This should result in a spike in attacks on user accounts.
If your organization has adopted a “Beyond Corp” style of network, which focuses on application and endpoint security, and some sort of authentication to the application, you may be more vulnerable to an increase in password or credential harvesting.
To compensate for this, you should consider combining access control with authentication. For example, rather than having SaaS applications directly available from the entire Internet, lock them down to cloud VPN providers like Zscaler or NewEdge. Within an enterprise network, you can deploy traditional network access control (NAC) solutions like ForeScout, more advanced network access solutions like Cisco TrustSec and CryptoniteNXT, or software-based solutions like Stealth or Illumio. Each of these solutions gives you a variety of access controls based on the authenticated user.
In each of these solutions, a user can’t even reach the on-premises or cloud application to try a stolen credential if they are not authorized on the network. This makes the job of an adversary trying to exploit Meltdown or Spectre that much harder. Instead of stealing a credential and logging in everywhere with it, they need to navigate each of these potential barriers to the SaaS application or enterprise network.
Making this type of cyber strategy change takes a lot of effort, but the payoffs can be dramatic and you will have much better protection against the next Meltdown or Spectre.
Solutions from vendors such as Authentic8, FireGlass (which was acquired by Symantec) and Light Point Security keep your browser away from directly interacting with the Internet. Think of it as “webexing” into a different friend’s computer each time you visit a new web site. If a hostile web site is visited, there are no credentials to harvest from the browser or any indication of the actual source.
This type of isolation is now even more important due to memory reading attacks that can be performed with a basic browser vulnerability. Thanks to Meltdown and Spectre, a minor browser vulnerability can be leveraged to read the core memory, and potentially credentials and other sensitive information. Even after these vulnerabilities are patched, research will likely continue in this area and there will be a new wave of memory reading attacks which are easy to exploit and hard to detect. Having this sort of isolation prevents your employees from exposing their credentials to hostile attacks.
Lastly, don’t confuse web proxies, which log Internet browsing and help filter known hostile traffic and content, with browser isolation solutions. Proxies will happily deliver zero days, including exploits against browsers that can also leverage memory attacks, if they do not originate from a site that is known to be a threat provider.
Deploying browser isolation is a change in cyber strategy that can protect your organization from the next round of threats exploiting vulnerabilities similar to Meltdown and Spectre.
Limiting the Attack Surface via White Listing and Virtual Desktops
Any software running on a system which is vulnerable to Meltdown and Spectre can read sensitive memory. These types of attacks will likely occur again in the future, perhaps without as much fanfare, as more research is performed. Methods to reduce the attack surface of exploitable software and prevent unauthorized software from running include white listing and delivering virtual desktops to network users.
A wide variety of companies offer solutions that allow enterprise networks to limit which software is allowed to run on the network. Examples include Carbon Black and start-up companies like White Cloud Security. Network administrators set up a policy for users or groups about which software can run, and how new software gets authorized. This limits sprawl of new types of software IT needs to patch and also, by default, prevents other potentially malicious software from running.
Another way to accomplish this type of software control is to only deliver authorized software through virtual desktops. These solutions offer the experience of an operating system without having to put an operating system on the desk of a user. This makes maintenance, updates, secure storage of data and the ability to monitor and audit these very easy. It can often be less expensive to operate as well. There are a variety of solutions like this from VMware, Citrix and Microsoft, and many third-party vendors offer turn-key solutions such as RackTop Systems’s vBOX, which combines virtual desktop technology, storage, security and compliance auditing into an easy-to-deploy solution.
The approaches of application white listing and the adoption of virtual desktops require a change of strategy on the part of the enterprise and a recognition that hygiene alone will not prevent a major attack leveraging vulnerabilities such as Meltdown or Spectre.
Now is the time to build upon great cyber hygiene and recommend something else beyond patching your systems and monitoring for evil things on your network. We will see many more vulnerabilities like Meltdown and Spectre in the near future. As an industry, we will diligently patch them and monitor our networks for exploits, but those future vulnerabilities are in our network right now. What are you doing to prevent exploitation of them today? What changes can you make in your 2018 cyber projects to mitigate that risk?