Advanced Attacks Call For New Defenses

Published: 22/11/2024   Category: security



With conventional wisdom now that advanced attacks happen, has the time come to create the next-generation sandbox or other containment method?



This is the third and final installment in an occasional series on security's new reality.
A senior security executive at Adobe earlier this year rocked the research community by urging security researchers to channel their expertise into building the next sandbox or other attack-mitigation method.
Few researchers were thrilled with the idea of shifting their focus from bug hunting to building a better mousetrap -- some argued that Adobe was, in effect, asking for free research -- but Brad Arkin, senior director of security for Adobe products and services, wasn't asking them to change job descriptions.
His main point was that the industry needs to make it more expensive and cost-prohibitive for the bad guys to hack, like sandboxing and Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) technologies do.
With a growing acceptance that there's really no way to stop a determined attacker from infiltrating your network and it's all about containing the attacker before he steals your intellectual property or does any other damage, has the time come to create the next sandbox or other defensive method?
Microsoft is doing its part in encouraging research into next-generation mitigation methods: Its Blue Hat Prize contest will offer more than $250,000 in cash and prizes for contestants who come up with new ways to mitigate exploits that go after memory-safety flaws such as return-oriented programming (ROP) and just-in-time spraying (JITSpray). The grand-prize, second-, and third-place winners will be announced at the upcoming Black Hat USA 2012 conference in Las Vegas, and will retain ownership of the intellectual property. They will be required to grant Microsoft a license to the technology.
And according to Arkin, Adobe is already investing in mitigation methods like sandboxing, rather than just rooting out and fixing bugs.
Tim Rains, director of Microsoft Trustworthy Computing, says Microsoft is hopeful that the Blue Hat Prize will yield that next groundbreaking defense and mitigation technology. The Blue Hat Prize is also a way to give researchers incentive to build these new defenses, he says.
"We are fortunate to have a group of researchers across the industry who continue to help us by identifying vulnerabilities and reporting them in coordinated vulnerability disclosure," Rains says. "At the same time, I do think that there's a realization that vulnerabilities are always going to exist in software, and that mitigations make it really expensive to exploit those vulnerabilities."
But not everyone agrees that a new technology is the answer. "I'm not sure we need [new] technologies, per se," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "I think we need to find a better way of applying existing technologies."
Wang says there's just not enough time for an enterprise to analyze all content and traffic coming in and to isolate the bad stuff. Communication has to happen in real time. "So there needs to be innovation to make sure the analysis we do more accurately and more quickly delivers the performance we need," Wang says.
Even as new vendors and products emerge touting features for spotting and ultimately containing any damage an attacker can do once he gets inside, no one is saying to ditch your firewall or your antivirus software. But most experts agree that in addition to the old defense-in-depth mantra, there may be other ways to mitigate the attack that haven't been explored.
The reality is that many of today's security products -- even those that are touting anti-advanced persistent threat (APT) attacks -- still rely on signature and blacklist technology, notes HD Moore, chief security officer at Rapid7 and creator of Metasploit. And new products that monitor the attacker's actions may not be the answer, either, he says. "It's like standing outside [and watching] while someone breaks into your house. I'm not sure if that helps," Moore says.
Whether Microsoft's Blue Hat Prize will set the stage for a new emphasis on building new defense-mitigation methods remains to be seen.
Meanwhile, mitigation methods such as sandboxes, DEP, and ASLR have indeed raised the bar for attackers. "They have made a big difference," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group.
But like any security defense, ultimately they can be beaten. "The problem is the [attackers are] just going to move somewhere else -- that's what has happened for the last two decades," Friedrichs says. "They moved from the network surface to the client side. Ultimately, the user is the weakest link, which is why social engineering and spear-phishing are still very successful."
