Wednesday, December 05, 2012

Is the Skyfalling? James Bond, Miss Moneypenny and the Kill Chain


When NSS analysts Stefan Frei (@stefan_frei) and Frank Artes (@franklyfranc) started talking to me about the kill chain, my mind immediately drifted into the world of sharp tuxedos, Aston Martin DB5s and Walther PPKs.
Once they dragged me back to reality, however, they demonstrated something almost as cool; it didn’t even require two Ethernet cables plugged into my laptop (OK, so if you haven’t seen the movie that means absolutely nothing to you!)
Basically, the kill chain is the route an external attacker takes to reach a target: the sequence of steps that ends in the compromise of a victim's server or desktop machine. It looks something like this:
[Figure: Cybercrime Kill Chain]
The defender will try and break the kill chain at various points – at the network perimeter, in the core, or on the endpoint - to prevent the attack, or detect the breach should prevention fail.
To prevent such attacks an enterprise can use firewalls, intrusion prevention systems (IPS), next generation firewalls (NGFW), endpoint protection systems (EPP), the Web browser’s built-in protection mechanisms, or any combination thereof.
So far, so good. But as we have witnessed from test after test and report after report coming out of NSS' testing facility in Austin, TX, vendors' expansive claims regarding security effectiveness rarely hold up in real-world deployments. So enterprises resort to a strategy of "defense in depth", installing multiple layers of security (e.g. firewall plus IPS plus EPP, or even multiple versions of one or more of those products for those with healthy security budgets). The expectation behind this is that one device may block exploits missed by another, leading to the oft-used formula for the protection failure rate of a layered stack: if layer A misses a fraction $P_A$ of exploits and layer B misses a fraction $P_B$, the two together are expected to miss only $P_A \times P_B = P_{A \circ B}$. That formula is only valid if the two layers fail independently of each other.
Not so fast. It turns out that by feeding data from our most recent tests of different types of security products into Maltego[1] and applying some proprietary transforms created by NSS analysts, we can identify how, even with multiple security products in the “security stack”, certain groups of exploits or evasion techniques can bypass the entire defense system as if it wasn’t there.
Maltego is a program that can be used to determine the relationships and real-world links between many things, and it has been adapted by NSS researchers to show the relationship and correlation of unblocked exploits through a layered security stack of hardware and software tools. Utilizing the empirical data collected during NSS' tests on NGFW, IPS, breach detection systems (BDS), endpoint security, browser security, and antivirus engines, paired with data on exploit availability in popular crimeware kits or penetration testing tools (e.g. Metasploit), we are able to model layered defense stacks and illustrate the exploits that evade detection by the entire stack. We can also simulate popular or customer-specific software portfolios, producing a model that is specific to a customer's own infrastructure.
In the image below (produced by our proprietary Maltego transforms) we can see three different types of security device (green dots) and the exploits that went undetected by each (blue dots). The group in the middle identifies those exploits that successfully evade detection by all three technologies in this security stack.
[Figure: Modeled Defense Layers]
It is evident that the simple protection rate formula no longer holds true. The exploits one layer misses are disproportionately the same exploits the other layers miss, so the failures of the disparate layers are correlated rather than independent, and the bypass rate of the whole stack is far higher than the product of the individual failure rates would predict.
We can also approach this from an offensive standpoint, drilling down into the data from another direction to identify the smallest group of exploits and/or evasion techniques that would be required to evade a specific security stack. During the test illustrated below, three exploits were discovered that went undetected by seven of the ten tested vendors. These seven vendors represent over 90% of the market share of deployed IPS.
[Figure: Exploits that bypass IPS]
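The two calculations above, the independence model for a layered stack versus the bypass rate actually observed, and the offensive view of the smallest exploit set that gets past a list of products, can be carried out on any matrix of per-product block/miss results. The following is an added example written for this page; it is not NSS Labs' code or one of its Maltego transforms. The exploit IDs, the NGFW/IPS/EPP stack, the ten IPS vendor names and every block/miss result are constructed for illustration. It keeps the page's symbols: a layer's failure rate is P_X, and the independence model predicts P_A x P_B x P_C for the stack.

```python
"""Layered-defense bypass modelling from per-product exploit test results.

Added example; not NSS Labs' code or its Maltego transforms.  Product names,
vendor names, exploit IDs and block/miss results are all constructed.
"""
from fractions import Fraction
from itertools import combinations
from math import prod

# Constructed exploit universe: every exploit fired at every product under test.
EXPLOITS = [f"EXP-{i:02d}" for i in range(1, 21)]

# Constructed results for one defense-in-depth stack: the exploit IDs each
# layer failed to block.  Anything not listed is assumed blocked by that layer.
STACK_MISSED = {
    "NGFW": {"EXP-01", "EXP-02", "EXP-05", "EXP-07", "EXP-11"},
    "IPS":  {"EXP-02", "EXP-03", "EXP-05", "EXP-07", "EXP-13", "EXP-17"},
    "EPP":  {"EXP-02", "EXP-04", "EXP-05", "EXP-07", "EXP-19"},
}

# Constructed single-layer results for ten IPS vendors (a separate test run
# against the same exploit universe).
IPS_VENDORS_MISSED = {
    "VendorA": {"EXP-02", "EXP-05", "EXP-07"},
    "VendorB": {"EXP-02", "EXP-05"},
    "VendorC": {"EXP-02", "EXP-07", "EXP-13"},
    "VendorD": {"EXP-02", "EXP-05", "EXP-07"},
    "VendorE": {"EXP-02", "EXP-05", "EXP-07", "EXP-11"},
    "VendorF": {"EXP-02", "EXP-05", "EXP-07"},
    "VendorG": {"EXP-02", "EXP-07"},
    "VendorH": {"EXP-02", "EXP-05"},
    "VendorI": {"EXP-05", "EXP-09"},
    "VendorJ": {"EXP-07", "EXP-09"},
}


def miss_rate(missed, universe=EXPLOITS):
    """Per-layer protection failure rate P_X = |exploits X missed| / |all exploits|."""
    return Fraction(len(set(missed) & set(universe)), len(universe))


def predicted_stack_failure(stack):
    """The independence model from the text: P_A x P_B x ... for the whole stack."""
    return prod(miss_rate(missed) for missed in stack.values())


def observed_stack_bypass(stack):
    """Exploits that every layer missed: the group 'in the middle' of the diagram."""
    return set.intersection(*(set(missed) for missed in stack.values()))


def observed_stack_failure(stack, universe=EXPLOITS):
    """Measured failure rate of the stack: fraction of exploits no layer blocked."""
    return Fraction(len(observed_stack_bypass(stack)), len(universe))


def correlation_lift(stack):
    """Observed / predicted.  1 means the layers fail independently; anything
    larger means their misses are correlated and the product formula is optimistic.
    Returns None when the model predicts zero failures (nothing to divide by)."""
    predicted = predicted_stack_failure(stack)
    if predicted == 0:
        return None
    return observed_stack_failure(stack) / predicted


def missed_by_at_least(vendors, k):
    """Exploits that at least k of the tested vendors fail to detect."""
    counts = {}
    for missed in vendors.values():
        for exploit in missed:
            counts[exploit] = counts.get(exploit, 0) + 1
    return {exploit for exploit, count in counts.items() if count >= k}


def smallest_bypass_set(vendors, max_size=4):
    """Smallest set of exploits such that every vendor misses at least one of
    them, i.e. the minimum toolkit an attacker needs to get past each product.
    Exact search over combinations of increasing size (a set-cover problem, so
    exponential in general; fine at test-report scale).  None if no set of at
    most max_size exploits covers every vendor."""
    candidates = sorted(set.union(*vendors.values()))
    for size in range(1, max_size + 1):
        for combo in combinations(candidates, size):
            chosen = set(combo)
            if all(missed & chosen for missed in vendors.values()):
                return combo
    return None


if __name__ == "__main__":
    for name, missed in STACK_MISSED.items():
        print(f"{name}: P = {miss_rate(missed)}")
    print("independence model predicts:", predicted_stack_failure(STACK_MISSED))
    print("observed stack failure:", observed_stack_failure(STACK_MISSED),
          sorted(observed_stack_bypass(STACK_MISSED)))
    print("observed / predicted:", correlation_lift(STACK_MISSED))
    print("missed by >= 7 of 10 IPS vendors:",
          sorted(missed_by_at_least(IPS_VENDORS_MISSED, 7)))
    print("smallest set bypassing all ten:", smallest_bypass_set(IPS_VENDORS_MISSED))
```

On the constructed stack the three layers miss 25%, 30% and 25% of exploits, so the independence model predicts a stack failure rate of 3/160 (under 2%), while three of the twenty exploits (15%) actually get through every layer: eight times worse than the formula says. The same three exploits are the ones seven of the ten constructed IPS vendors miss, and an attacker who wants to be sure of getting past all ten needs only two of them. Replacing the constructed sets with real per-product results is all that is needed to run the model on a customer's own stack.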
The implications are staggering, and this is the subject of a presentation given by Stefan and Frank at Black Hat Abu Dhabi this week. This is groundbreaking stuff, and right up there amongst the most important research ever to come out of our team of analysts.
It is already changing the way some NSS clients are viewing their approach to threat mitigation. Some clients are already providing us with custom data from their own environments to enable us to model the security stack and relevant kill chain for them and identify those areas that require immediate attention.
Let’s see James Bond do that!
This research is available in two analyst briefs: Cybercrime Kill Chain vs. Defense Effectiveness, and Modeling Exploit Evasions in Layered Security. These briefs are available outside the NSS pay wall and can be downloaded by both subscribers and non-subscribers free of charge. NSS clients should arrange inquiry calls with analysts to discuss the research and investigate how it might be applied to their environment to help with risk mitigation. Follow me on Twitter(@bwalder) to keep informed as new research is released.

Thursday, June 21, 2012

Newer Is Not Always Better


One of the great insights our work at NSS Labs gives us is into how a vendor's performance and security effectiveness trend across successive versions of a product.
[Image: Newer is not always better]
The area we see broken most often during a product refresh is anti-evasion measures. Protections that have been in place over several versions can suddenly disappear when a particular section of the code base is updated to include shiny new features. The other major hurdle for many vendors is the move from one hardware platform to another. This often requires major code revisions, if not a complete rewrite, and in this fast-moving industry it is rare that the folks who wrote the original code are still around. The result can be problems in performance and/or security effectiveness that did not exist in previous incarnations of the product.
These deltas and trends across multiple versions allow our analysts to provide actionable advice to NSS subscribers on whether or not to upgrade to a new version of a product, or stay with an older version until problems are fixed (or until it is time to refresh completely and you can investigate other options.)
The response we get from a vendor when we find these issues tells us a lot about how they value their customers over their shareholders, or vice versa. Some are all over the problem and want to work closely with our engineers to discover the root cause of the issues so they can be fixed. Others respond with veiled threats copied to legal counsel, and some serious marketing spin. I would much prefer to see a vendor employ a couple of new developers and fix their problems rather than launch a PR offensive and budget for some legal fees. Either way, we never shy away from publishing the results.
This is why it is important not to simply look at our test reports at purchase time, but also review new reports throughout the life of each security product you have deployed. This can help ensure that no costly mistakes are made in deploying product updates that could have potentially disastrous consequences to your business.
Dogs and children may be for life, but you are not committed to a security vendor in the same way. There is nothing to stop you from doing a forklift upgrade of a product from a vendor that has lost the plot in terms of quality control, and the cost of doing so could be far less than the cost of upgrading to a faulty product just because the vendor wants to EOL the one you have.
Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, March 20, 2012

SonicWALL And Dell: What Are The Risks For Enterprise Customers?

As you can’t have failed to notice by now, a hardware vendor bought a UTM vendor last week. Of what earthly interest could that be to enterprise security folk? As it happens, the Dell acquisition of SonicWALL is interesting for a couple of reasons. The first is the concern many SuperMassive customers might have regarding its future under a company not renowned for its enterprise security products; the second is the way Dell is setting its stall out to take on HP and Cisco in the enterprise.

The SonicWALL acquisition strengthens Dell’s security offerings considerably for both enterprise and small to medium-sized business (SMB) customers. Although there are hurdles to be overcome, NSS Labs considers this a positive move for current and potential SonicWALL customers, particularly those considering deployment of the SuperMassive NGFW platform.

This acquisition is actually more positive for SonicWALL, its partners and customers than a scenario where the company was purchased by a larger security vendor seeking a rapid entry into the unified threat management (UTM) or next generation firewall (NGFW) market. Dell is clearly seeking to build an enterprise class portfolio of servers, data storage, core networking, and security products that will allow it to compete with established enterprise vendors such as HP and Cisco.

During the recent NSS Labs NGFW Group Test, one of the concerns of our analysts was in SonicWALL’s ability to execute in terms of SuperMassive support in the enterprise space. It is vital that the Dell acquisition accelerates the growth of the enterprise support group to ensure the success of SuperMassive going forward.

One other area of potential concern is the lack of any mention of the Aventail SSL VPN product line. Customers and potential customers of the Aventail products should seek assurances from SonicWALL and Dell that their needs will be met to their satisfaction going forward. This deal also underscores the importance of having security products in a complete enterprise-computing portfolio. For larger security or networking companies looking to acquire this kind of technology to flesh out a portfolio in this manner, the shopping list is getting shorter by the day, with the likes of Fortinet, Stonesoft and Sourcefire standing out as potential acquisition targets.

I have just completed an Analysis Brief that addresses this transaction in more depth and covers the potential risks and concerns to enterprise customers. This brief is available outside the NSS Labs pay wall and is available to both subscribers and non-subscribers free of charge. Follow me on Twitter (@bwalder) to keep informed as new research is released.