Protect Before You Detect: FlawedAmmyy and the Case for Isolation
Posted by Ratnesh Pandey, Alex Holland and Toby Gray.
In June 2019, Microsoft issued warnings about a phishing campaign delivering a new variant of the FlawedAmmyy remote access Trojan (RAT), and a spike in the exploitation of CVE-2017-11882 in the wild. In this blog post we take a look at some of the weaknesses of detect-to-protect technologies such as anti-virus, endpoint detection and response (EDR) and anomaly detection systems, and how Bromium’s protect-before-you-detect technology addresses these weaknesses.
With detect-to-protect technologies that rely on signature updates, such as anti-virus, there is a time lag between when novel malware infects a system and when it can be detected, because creating, updating and deploying new signatures takes time. This lag increases the dwell time of the malware on the system, giving an adversary a window of opportunity to act on their objectives.
Detection using behavioural analytics, as used by EDR, has the same flaw in that these solutions also rely on rule updates. Additionally, to get the best out of EDR, these tools typically require considerable tuning. Without investing significant time and effort into creating a baseline of the monitored environment, EDR tools tend to generate a lot of false positives, particularly when trying to detect the malicious use of high-risk living-off-the-land binaries (LOLBins).
Many EDR solutions can isolate infected devices from the rest of the network to stop lateral movement, but only after systems have already been compromised, meaning that organisations still need to perform expensive eradication and recovery activities. Anomaly detection systems, such as those based on machine learning, also come with the penalty of remediation costs. Remediation can be an expensive affair because of the cost of conducting forensic investigations, rebuilding systems and lost productivity. Often companies spend more on remediation than on the licensing cost of their security solutions.
According to Google Project Zero, it takes 15 days on average for a vendor to patch a zero-day vulnerability that is actively being exploited in the wild. Add to that the 20 days on average it takes for US federal departments to patch critical vulnerabilities, and the result is that organisations are exposed to a significant window of vulnerability from zero-day exploits, even with good patch management.
Gartner recognises the value of application isolation to stop breaches. In a 2018 report, Gartner vice president Neil MacDonald argued that isolation and containment technologies are an important part of preventing damage from attacks.
Timeline of events – June 2019
Figure 1 – Timeline of notable security events in June 2019.
Here are a few of the malware trends we have observed in the first half of 2019:
- Downloaders that exploit old Windows vulnerabilities to achieve code execution, particularly CVE-2017-11882, CVE-2017-0199, CVE-2017-8570 and CVE-2018-0802.
- Malware that runs entirely in memory and does not save artefacts to disk (fileless