Tech Talk
The Need for Vulnerability Testing in a Mission-Critical Environment
Most businesses are familiar with exploit frameworks (e.g. Immunity CANVAS, Core IMPACT, and Metasploit) and proof-of-concept exploits (e.g. those syndicated on milw0rm.com) and their use by penetration testers. While the authors of these tools may have had a smaller market of users in mind, regular business IT administration teams should also be very familiar with these utilities for testing their networks around patch cycles.

General Usage
These exploit toolkits are commonly employed by penetration testers (either internal or external) to verify the most important aspect of IT security: are these systems fully protected from a certain vulnerability? In most cases, protection comes in different forms, such as security update rollout, registry modification, host- or network-based IPS rules, and generic buffer-overflow protection. With all of these potential mitigation strategies, the administrator is commonly left to trust that the software vendor or security provider supplying the protection really does prevent attacks against that particular vulnerability.
But what if an administration team is in charge of a mission-critical network and needs to be absolutely certain that the network is not susceptible to attackers leveraging a certain vulnerability? The administration team should take the mitigation verification one step further by ensuring that the vendor-suggested mitigation is properly rolled out. This is where a non-malicious proof-of-concept exploit testing tool would work perfectly; it would demonstrate to the administration team that the mitigation that they just rolled out does indeed protect against any potential attack using that vulnerability.
Within these networks, continuity is critical; therefore, these test-exploits should never be delivered to a production environment by the administration team, or by anyone. The administration team will be left to test the vulnerability on a test network, a place where professional penetration testing teams are unlikely to ever roam because it is not a realistic target. Administration teams can make good use of virtualization to test vulnerable system configurations using a test-exploit tool. Once all possible configurations are verified with the test-exploit, the administration team is empowered to make the most-informed business decision and determine the best form of protection to roll out network-wide.
Example: MS08-001
The most critical Microsoft vulnerability reported last month was in tcpip.sys (MS08-001). Very few technical details about this vulnerability were reported publicly; however, the Microsoft and researcher advisories put many administration teams into emergency-patching mode, an expensive mode in an enterprise-sized network. This patch is further complicated by the wariness of administrators to patch kernel-level drivers (tcpip.sys) because of the potential issues associated with doing so (loss of network connections, broken internal network applications, BSODs, etc.).
Most administration teams would like to rely on their host-based IPS system to protect against this vulnerability; however, there is no way for them to know whether their IPS actually protects against exploits, even if the vendor claims to do so on its product website. If these administrators had access to proof-of-concept exploits, they would be able to test the validity of their IPS against a real-world attack scenario. If their IPS system did protect against this vulnerability, then the administrators have bought themselves valuable testing time to verify that the update does not adversely affect any internal applications. If the IPS system is unable to block the exploit, the administration team has to look at rolling out some other sort of mitigation or at rolling out the patch in emergency mode. Either way, the administration team now has full knowledge of how this vulnerability affects their network and is able to make a well-informed decision about a technically vague vulnerability.
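Before a test-exploit is even run, the step the article calls "ensuring that the vendor-suggested mitigation is properly rolled out" can be checked mechanically on the test hosts. The PowerShell script below is an added example and is not part of the eEye newsletter or of any eEye product: it confirms that a given security update is listed as installed and that the driver file it replaces (tcpip.sys in the MS08-001 case) carries at least the expected version. The KB number (KB0000000) and the minimum driver version (0.0.0.0) are placeholders to be taken from the vendor advisory; the checks only report what is on disk and do not touch the vulnerability itself.

```powershell
<#
  Added example, not from the eEye newsletter: confirm that a security update
  and the driver it replaces are really in place on a set of test hosts before
  trusting the rollout. $KbId and $MinDriverVersion are placeholders; take the
  real values from the vendor advisory for the update being verified.
  Remote hosts require PowerShell remoting to be enabled.
#>
param(
    [string[]]$ComputerName     = @('localhost'),
    [string]  $KbId             = 'KB0000000',                              # placeholder
    [string]  $DriverPath       = 'C:\Windows\System32\drivers\tcpip.sys',
    [version] $MinDriverVersion = '0.0.0.0'                                 # placeholder
)

# Runs on each host: read the four numeric version parts of the driver file
# rather than the free-text FileVersion string, which some builds decorate.
$readDriverVersion = {
    param([string]$Path)
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                        $info.FileBuildPart, $info.FilePrivatePart
}

$results = foreach ($computer in $ComputerName) {
    # 1. Is the update listed among the installed hotfixes?
    $hotfix      = Get-HotFix -Id $KbId -ComputerName $computer -ErrorAction SilentlyContinue
    $kbInstalled = [bool]$hotfix

    # 2. Does the driver on disk carry at least the version the update ships?
    try {
        if ($computer -in @('localhost', $env:COMPUTERNAME)) {
            $versionText = & $readDriverVersion $DriverPath
        } else {
            $versionText = Invoke-Command -ComputerName $computer `
                -ScriptBlock $readDriverVersion -ArgumentList $DriverPath -ErrorAction Stop
        }
        $driverVersion = [version]$versionText
    } catch {
        $driverVersion = $null
    }
    $driverCurrent = ($null -ne $driverVersion) -and ($driverVersion -ge $MinDriverVersion)

    [pscustomobject]@{
        Computer      = $computer
        KbInstalled   = $kbInstalled
        DriverVersion = $driverVersion
        DriverCurrent = $driverCurrent
        # A host counts as patched only when both the hotfix record and the
        # file on disk agree; a listed hotfix with an old driver means the
        # update did not fully apply (e.g. a pending reboot).
        Verified      = $kbInstalled -and $driverCurrent
    }
}

$results | Format-Table -AutoSize

# Non-zero exit if any host fails, so the script can gate a larger test plan.
if ($results | Where-Object { -not $_.Verified }) { exit 1 }
```

Run it against the test-network hosts first (for example `.\Verify-Update.ps1 -ComputerName lab01,lab02 -KbId KB0000000 -MinDriverVersion 0.0.0.0`, with the real values substituted); a host that reports KbInstalled as true but DriverCurrent as false is exactly the case where the administration team would otherwise have trusted a rollout that has not taken effect.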
Conclusion
Administrators are urged to learn how these exploit tools work so that they can make an informed, business-critical decision for their network. If they are able to go beyond the vague information delivered by research/vendor advisories and fully investigate their network's posture against a threat, then that network will likely remain more secure and preserve the continuity that is commonly diminished in panic-patching scenarios. Furthermore, by utilizing a security intelligence service that can deliver these exploit test-tools together with full reverse-engineering and threat-analysis details, administrators are even more likely to make informed decisions that will end up saving their business money and time while also retaining security and continuity.

Disclaimer
Administrators should only use these tools after understanding their full consequences. These test tools should only be utilized in test environments to ensure that continuity is not affected within the production network.

Source: Andre Derek Protas, Director of Research and Preview Services
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Information Security Magazine: Color Me Complex
"Endpoint security products have introduced a new dynamism into our industry, as antivirus vendors augment their wares with fresh features to compete against each other and hungry challengers. To help sort out all of this, Information Security evaluated seven enterprise endpoint security solutions. Grading each on its management capabilities, reporting, ability to detect and block malware, detecting and thwarting exploit attempts, and integration of the various desktop security capabilities in one package." Full Article

Rootkit targeting Master Boot Record in the wild
"A rootkit attacking Master Boot Record (MBR) - a vector used more than a decade ago on MS-DOS operating systems - on various Windows operating systems is spreading in the wild, according to researchers." Full Article

Exploring enterprise policy management options
"Modern operating systems have a bewildering number of settings and are thirsty for programs to run. Enterprise policy management products allow administrators to establish a single, solid, enterprise-wide configuration, with fine-grained control of managed machines. Some policy management tools let an administrator list specific applications that should be given permission to run. Such a whitelist can block all other non-authorized applications." Full Article

View All Media Coverage
"eEye and its security solutions have been covered by numerous press and media associations." Full Article
Reader Q&A
Q: Is MPack still the most dangerous client-side attacking framework used by malicious attackers?
A: MPack development appears to have stalled for some time, and during this lull eEye Research has seen the emergence of multiple frameworks with a similar methodology. Many of these attack frameworks seem to be focusing on researcher/IDS evasion by increasing the amount of JavaScript obfuscation and utilizing a more sophisticated piece of malware. Although MPack may no longer be getting updated, the attack process employed by MPack is expected to continue and to be enhanced by other developers.
Of course, as these frameworks are becoming more sophisticated, many IDS systems are going to have a tough time offering protection against them. Host-based IPS solutions still have the best vantage to deal with these types of attacks, and this is another reason why the use of host-based IPS solutions is going to be the only way to combat this rapidly evolving threat.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements
eEye Security Solutions Used by Over Half of the Fortune 100
Ten of thirty-five industries in annual ranking serviced by security firm. Full Article

eEye's Blink Protects Against Phishing Schemes
Blink antivirus software product protects end users and networks from malware threats associated with phishing schemes and email spoofing. Full Article

eEye Ranked Top Host-based Security Solution by Information Security Magazine
eEye's Blink is rated the top endpoint security product, beating major security companies and leading to 53% sales growth. Full Article

View All Articles and Announcements
eEye and its security solutions set have introduced a number of newsworthy security advisories and security technology deliveries that have been covered by the press. Select any of the links below to view more details regarding our most recent articles and announcements. Full Article

Etcetera
Stay Up-to-Date with eEye Research
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is offering eEye Research a distinct insight into host-based vulnerability and attack trends, used to build enhanced protection into Blink. Keep an eye on the eEye Research Portal, http://research.eeye.com/, for future projects that have arisen because of the mass use of Blink Personal, including Neighborhood Watch reports and attack trends. More

Vulnerability Expert Forums
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.