Wednesday, December 05, 2012

Is the Skyfalling? James Bond, Miss Moneypenny and the Kill Chain

When NSS analysts Stefan Frei (@stefan_frei) and Frank Artes (@franklyfranc) started talking to me about the kill chain, my mind immediately drifted into the world of sharp tuxedos, Aston Martin DB5’s and Walther PPK’s.
Once they dragged me back to reality, however, they demonstrated something almost as cool; it didn’t even require two Ethernet cables plugged into my laptop (OK, so if you haven’t seen the movie that means absolutely nothing to you!)
Basically, the kill chain refers to the route from an external attacker to a target, which leads to the compromise of a victim’s server or desktop machine, and looks something like this:
Cybercrime Kill Chain
The defender will try and break the kill chain at various points – at the network perimeter, in the core, or on the endpoint - to prevent the attack, or detect the breach should prevention fail.
To prevent such attacks an enterprise can use firewalls, intrusion prevention systems (IPS), next generation firewalls (NGFW), endpoint protection systems (EPP), the Web browser’s built-in protection mechanisms, or any combination thereof.
So far, so good. But as we have witnessed from test after test and report after report coming out of NSS’ testing facility in Austin, TX, vendor expansive claims regarding security effectiveness rarely hold up in real-world deployments. So enterprises resort to a strategy of “defense in depth”, installing multiple layers of security (e.g. firewall plus IPS plus EPP, or even multiple versions of one or more of those products for those with healthy security budgets.) The expectation behind this is that one device may block exploits missed by another, leading to the oft-used formula for protection failure rate, PA x PB = PA\circ \!\,B.
Not so fast. It turns out that by feeding data from our most recent tests of different types of security products into Maltego[1] and applying some proprietary transforms created by NSS analysts, we can identify how, even with multiple security products in the “security stack”, certain groups of exploits or evasion techniques can bypass the entire defense system as if it wasn’t there.
Maltego is a program that can be used to determine the relationships and real world links between many things, and has been adapted by NSS researchers to show the relationship and correlation of unblocked exploits through a layered security stack of hardware and software tools.  Utilizing the empirical data collected during NSS’ tests on NGFW, IPS, breach detection systems (BDS), endpoint security, browser security, and antivirus engines, paired with data on exploit availability of popular crimeware kits or penetration testing tools (e.g. Metasploit) we are able to model layered defense stacks and illustrate exploits that are able to evade detection by the entire stack.  We can also simulate popular or customer-specific software portfolios, allowing mapping simulations specific to their infrastructure environment.
In the image below (which was produced by our proprietary Maltego transforms) we can see three different types of security device (green dots) and the exploits that went undetected by each (blue dots.) The group in the middle identifies those exploits that successfully evade detection by all three technologies in this security stack.
Modeled Defense Layers
It is evident that our protection rate formula no longer holds true due to the correlation of exploits between the disparate layers of the security stack. 
We can also approach this from an offensive standpoint, drilling down into the data from another direction to identify the smallest group of exploits and/or evasion techniques that would be required to evade a specific security stack. During the test illustrated below, three exploits were discovered that are unindentified by seven of the ten tested vendors.  These seven vendors represent over 90% of the market share of deployed IPS.
Exploits that bypass IPS
The implications are staggering, and this is the subject of a presentation given by Stefan and Frank at BlackHat Abu Dhabi this week. This is groundbreaking stuff, and right up there amongst the most important research ever to come out of our team of analysts.
It is already changing the way some NSS clients are viewing their approach to threat mitigation. Some clients are already providing us with custom data from their own environments to enable us to model the security stack and relevant kill chain for them and identify those areas that require immediate attention.
Let’s see James Bond do that!
This research is available in two analyst briefs: Cybercrime Kill Chain vs. Defense Effectiveness, and Modeling Exploit Evasions in Layered Security. These briefs are available outside the NSS pay wall and can be downloaded by both subscribers and non-subscribers free of charge. NSS clients should arrange inquiry calls with analysts to discuss the research and investigate how it might be applied to their environment to help with risk mitigation. Follow me on Twitter(@bwalder) to keep informed as new research is released.