I attended the RSA Conference in San Francisco last week. I would have posted this article earlier, but it took some time to decrypt my notes.
I’ve covered Advanced Persistent Threats (APTs) in a number of articles this year; so many articles, in fact, that it would be cumbersome to provide links to them here (feel free to use the search box). Little did I realize at the time I wrote those articles that protecting against APTs is now job #1 in the cyber-security world. Or so it seemed at the RSA Conference, where you couldn’t toss a rubber tchotchke without hitting a vendor promoting their APT defenses.
Astute readers will note that I did not use the word ‘solution’ a single time in the above paragraph. None of these vendors are claiming to have completely solved APTs—or other attack vectors in general—which is somewhat refreshing transparency. But holy camoley, there are a TON of vendors trying: Agari, Area 1 Security, Barracuda Networks, Blue Coat Systems, Bromium, Caspida, cPacket Networks, Cyphort, FireEye, Fortinet, Guardian Analytics, Hillstone Networks, LightCyber, Palo Alto Networks, Pivot Cloud, SentinelOne, Shape Security and TaaSera. And those are just companies in Silicon Valley proper; there is a cluster of vendors in Maryland and another bundle in Boston.
On the off chance that the length of that list didn’t raise an eyebrow, every single one of those companies has a PRIMARY FOCUS on “behavioral network analysis” in one form or another. Put another way: the above list does not include broad-line players—Cisco, for example—that have their own product lines dedicated to APT defense.
There is a LOT of impressive work going on here; the challenge is making heads or tails of all of it. How does an enterprise IT department go about testing these “next generation firewalls (NGFWs)” … and more daunting still, how does one perform a competitive analysis? In the relatively stable world of conventional malware, there are multiple organizations that evaluate security suites against massive libraries of known threats; the value of such evaluations is questionable even in that context, given that the past is not necessarily an indication of current performance against unknown future threats.
To give you a sense of “behavioral network analysis,” here is what I scrawled down to capture the functionality of just one of these tools:
- Maps behavioral elements into a 12-stage malware lifecycle
- Generates behavioral profiles by performing pattern analysis across the network and over time
- Filters against contextual analysis and, optionally, against a normal baseline
- Presents network state in dashboard; highlights threats and suggests remediation
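To make those four bullets concrete, here is an added example (mine, not code from any vendor named in this post) of the two cheapest "behavioral profile" checks: build a baseline of which destinations each client talks to, then in a later window flag destinations nobody in the organisation has ever contacted and connections whose timing is too regular to be a human (beaconing). The log format, host names, domains, jitter and thresholds are all constructed or assumed for the illustration.

```python
"""Behavioral network analysis, toy version.

Added example; not code from any vendor named in this post. Builds a per-client
baseline of destination domains from a "known good" window of proxy-log lines,
then looks in a later window for two footprints: domains nobody in the
organisation has talked to before, and connection timing too regular to be a
human (beaconing). Log format, hosts, domains and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2015, 4, 27, 9, 0, 0)  # arbitrary start time for the constructed log


def _line(offset_s, client, domain, nbytes):
    """One constructed proxy-log line: '<ISO time> <client> <domain> <bytes_out>'."""
    return f"{(T0 + timedelta(seconds=offset_s)).isoformat()} {client} {domain} {nbytes}"


# Baseline window: normal business traffic for two workstations (constructed).
BASELINE_LOG = "\n".join([
    _line(0, "ws-01", "mail.example.com", 1200),
    _line(45, "ws-01", "cdn.example.net", 3100),
    _line(90, "ws-02", "mail.example.com", 980),
    _line(130, "ws-02", "updates.example.org", 22000),
    _line(400, "ws-01", "intranet.example.com", 540),
])

# Evaluation window: irregular mail traffic from ws-01, two update checks from
# ws-02, and ws-02 calling a never-seen domain every ~300 s with small jitter.
_irregular = [0, 37, 190, 201, 455, 460, 700, 1300, 1310]
_beacon_times, _t = [], 0
for i in range(12):
    _t += 300 + (i % 3 - 1) * 4  # intervals of 296, 300, 304, 296, ...
    _beacon_times.append(_t)
EVAL_LOG = "\n".join(
    [_line(t, "ws-01", "mail.example.com", 900 + t % 7) for t in _irregular]
    + [_line(50, "ws-02", "updates.example.org", 21000),
       _line(3000, "ws-02", "updates.example.org", 21000)]
    + [_line(t, "ws-02", "cdn7.telemetry-sync.test", 412) for t in _beacon_times]
)


def parse_log(text):
    """Parse log lines into sorted (timestamp, client, domain, bytes_out) tuples."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, client, domain, nbytes = raw.split()
        records.append((datetime.fromisoformat(ts), client, domain.lower(), int(nbytes)))
    return sorted(records)


def build_baseline(records):
    """Per-client and organisation-wide sets of domains seen in the baseline window."""
    per_client = defaultdict(set)
    for _, client, domain, _ in records:
        per_client[client].add(domain)
    return per_client, set().union(*per_client.values())


def find_new_domains(records, baseline):
    """(client, domain) pairs where the domain was never contacted during the baseline."""
    _, org_wide = baseline
    return sorted({(c, d) for _, c, d, _ in records if d not in org_wide})


def find_beacons(records, min_events=8, max_cv=0.10):
    """Flag (client, domain) pairs whose inter-connection timing is machine-regular.

    cv = population std-dev / mean of the intervals. Humans and normal apps give
    a cv well above 0.1; a fixed-interval beacon with small jitter sits near 0.
    min_events matters: two connections always have a 'perfectly regular' gap.
    """
    times = defaultdict(list)
    for ts, client, domain, _ in records:
        times[(client, domain)].append(ts)
    hits = []
    for (client, domain), stamps in times.items():
        if len(stamps) < min_events:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append({"client": client, "domain": domain, "events": len(stamps),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


def analyze(baseline_text, eval_text):
    """Run both checks on the evaluation window against the baseline window."""
    baseline = build_baseline(parse_log(baseline_text))
    evaluation = parse_log(eval_text)
    return {"new_domains": find_new_domains(evaluation, baseline),
            "beacons": find_beacons(evaluation)}


if __name__ == "__main__":
    report = analyze(BASELINE_LOG, EVAL_LOG)
    for client, domain in report["new_domains"]:
        print(f"NEW DOMAIN  {client} -> {domain}")
    for h in report["beacons"]:
        print(f"BEACON      {h['client']} -> {h['domain']} every ~{h['mean_interval_s']}s "
              f"(cv={h['cv']}, n={h['events']})")
```

The ws-01 mail traffic has nine events but a cv above 1, so it is never mistaken for a beacon; the ws-02 call-home is caught twice, once as a new domain and once for its clockwork timing. Real products layer a lot more on this (the 12-stage lifecycle mapping, per-user baselines, byte-count anomalies), but this is the shape of the "pattern analysis across the network and over time" bullet.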
Some of the aforementioned companies are exclusively focused on stopping phishing attacks. While this might seem myopic, phishing continues to be the primary attack vector for APTs. Yup, people really do click on those links. In fairness, spear phishing attacks have become targeted and sophisticated: threat actors mine social media to assemble details into VERY specific and convincing emails. You might be thinking, “damn that must be time-intensive,” and you would be wrong: the processing is broadly automated once the targets are identified. Creepy, no?
The anti-phishing tools leverage databases of known-to-be-questionable domains, name servers and IP addresses. They also perform the checks that everyone OUGHT to be doing themselves, such as verifying that the text of the hyperlink matches the actual destination of the hyperlink (always, ALWAYS hover your mouse-pointer over a hyperlink before clicking).
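Here is the hover-before-you-click check (and the blocklist lookup) automated, as an added example; it is my code, not any vendor's. It walks the anchors in an HTML mail body and flags link text that looks like a URL but points somewhere else, destinations on a blocklist, bare-IP destinations, and non-web schemes. The message, the blocklist and every domain in it are constructed. It runs offline, so the name-server check the vendors also do (which needs DNS lookups) is deliberately left out.

```python
"""Hover-before-you-click, automated.

Added example, not any vendor's code. Flags anchors in an HTML mail body whose
visible text names a different site than the href, whose destination is on a
blocklist, whose destination is a bare IP, or whose scheme is not http/https.
The sample message, blocklist and domains are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist of known-bad domains; matched by suffix so subdomains hit too.
BLOCKLIST = {"login-verify.test", "secure-update.test"}

# Visible link text that "looks like" a URL or host name: optional scheme, host, optional path.
HOST_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None for <a name=...> anchors
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, '' if there is none (e.g. javascript:)."""
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Crude 'last two labels' stand-in for the registrable domain. Fine for the
    constructed data; real code would consult the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def in_blocklist(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain of it is listed."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_anchor(href, text, blocklist=BLOCKLIST):
    """Return the list of reasons this anchor is suspicious; [] means clean."""
    reasons = []
    scheme = urlsplit(href).scheme.lower()
    dest = host_of(href)
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{scheme or 'none'}'")
    m = HOST_LIKE.match(text)
    if m and dest and registrable(m.group(1).lower()) != registrable(dest):
        reasons.append(f"text says {m.group(1).lower()} but link goes to {dest}")
    if dest and in_blocklist(dest, blocklist):
        reasons.append(f"{dest} is on the blocklist")
    if dest and is_ip_literal(dest):
        reasons.append(f"destination is a bare IP address {dest}")
    return reasons


def scan_html_mail(body, blocklist=BLOCKLIST):
    """Map each flagged href in the body to its reasons (clean anchors are omitted)."""
    collector = _AnchorCollector()
    collector.feed(body)
    findings = {}
    for href, text in collector.anchors:
        reasons = check_anchor(href, text, blocklist)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed spear-phishing message: one honest link, three dishonest ones.
SAMPLE_MAIL = """
<p>Hi Pat, per our chat at the conference, the slides are here:
<a href="https://intranet.example.com/decks/rsa2015">https://intranet.example.com/decks/rsa2015</a></p>
<p>Also, HR needs you to re-confirm your benefits by Friday:
<a href="https://login-verify.test/hr/confirm">https://hr.example.com/benefits</a></p>
<p>Our new expense tool: <a href="http://203.0.113.7/expenses">expenses portal</a></p>
<p><a href="javascript:void(0)">unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_html_mail(SAMPLE_MAIL).items():
        print(href, "->", "; ".join(reasons))
```

The text-versus-destination comparison is done on the registrable domain rather than the full host so that `www.example.com` text pointing at `example.com` does not fire, which is the same judgement call a human makes when hovering.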
Some of the NGFWs leverage virtual machines (VMs) to evaluate downloads and attachments. I highlighted FireEye earlier this year; their technology opens and executes file attachments/downloads BEFORE the client risks life and limb doing so. This technique has become something of an arms race between the attackers and the defenders: the most sophisticated malware evaluates its host and makes an “is it real or is it Memorex—strike that—is it a VM?” decision. The NGFW vendors do everything possible to make their VMs indistinguishable from physical clients. If the malware concludes it is in a VM, it “behaves itself” there and activates its payload only once it is convinced that it is on a genuine client machine. Creepy, no?
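What does "evaluates its host" actually look like? Below is an added example (mine; not any vendor's sandbox code and not any particular malware's) of the cheap artefacts a sample typically inspects on a Linux guest: the CPUID hypervisor-present flag, DMI vendor strings, NIC MAC prefixes assigned to hypervisor vendors, box size and uptime. The decision function is kept pure so that a sandbox operator can feed it constructed evidence and see which artefacts would give their VM away. The weights and threshold are my own illustrative assumptions, and the three evidence dictionaries are constructed.

```python
"""Is it real or is it a VM? The checks evasive malware runs, turned around.

Added example, not any vendor's or any malware's code. collect_evidence() gathers
the cheap artefacts a sample inspects on a Linux host; score_evidence() is the
pure decision so it can be exercised against constructed evidence. Weights and
the threshold are illustrative assumptions, not anyone's published numbers.
"""
import os
import re

# Substrings that appear in DMI sys_vendor/product_name on common hypervisors.
VM_DMI_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs",
                  "virtual machine")
# OUI prefixes registered to VMware (00:05:69, 00:0c:29, 00:1c:14, 00:50:56),
# VirtualBox (08:00:27) and Xen (00:16:3e).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27", "00:16:3e")


def _read(path):
    """Read a small file, '' if it does not exist or is unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect_evidence():
    """Gather artefacts from the running Linux host; every field degrades gracefully."""
    cpuinfo = _read("/proc/cpuinfo")
    macs = []
    try:
        for iface in os.listdir("/sys/class/net"):
            mac = _read(f"/sys/class/net/{iface}/address")
            if mac and iface != "lo":
                macs.append(mac.lower())
    except OSError:
        pass
    try:
        mem_gib = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2 ** 30
    except (ValueError, OSError, AttributeError):
        mem_gib = 0.0
    uptime = _read("/proc/uptime").split()
    return {
        # Linux exposes CPUID.1:ECX bit 31 as the 'hypervisor' flag.
        "hypervisor_flag": re.search(r"\bhypervisor\b", cpuinfo) is not None,
        "dmi_strings": [_read("/sys/class/dmi/id/sys_vendor"),
                        _read("/sys/class/dmi/id/product_name")],
        "macs": macs,
        "cpu_count": os.cpu_count() or 0,
        "mem_gib": mem_gib,
        "uptime_s": float(uptime[0]) if uptime else 0.0,
    }


def score_evidence(ev):
    """Return (score, reasons). Strong artefacts weigh 2, circumstantial ones 1."""
    score, reasons = 0, []
    if ev.get("hypervisor_flag"):
        score += 2
        reasons.append("CPUID hypervisor-present bit set")
    hits = [s for s in ev.get("dmi_strings", []) if any(m in s.lower() for m in VM_DMI_MARKERS)]
    if hits:
        score += 2
        reasons.append(f"DMI names a hypervisor: {hits[0]}")
    if any(mac.startswith(VM_MAC_PREFIXES) for mac in ev.get("macs", [])):
        score += 2
        reasons.append("NIC MAC prefix belongs to a hypervisor vendor")
    if ev.get("cpu_count", 0) < 2 or ev.get("mem_gib", 0) < 2:
        score += 1
        reasons.append("box is smaller than a typical corporate desktop")
    if 0 < ev.get("uptime_s", 0) < 600:
        score += 1
        reasons.append("host booted less than 10 minutes ago")
    return score, reasons


def looks_like_sandbox(ev, threshold=3):
    """Toy verdict: at least one strong artefact plus anything else."""
    return score_evidence(ev)[0] >= threshold


# Constructed evidence: a stock VirtualBox analysis VM; a hardened VM that hides
# DMI strings, MAC and box size but still presents the CPUID bit; a physical desktop.
STOCK_VM = {"hypervisor_flag": True, "dmi_strings": ["innotek GmbH", "VirtualBox"],
            "macs": ["08:00:27:4e:66:a1"], "cpu_count": 1, "mem_gib": 1.0, "uptime_s": 95.0}
HARDENED_VM = {"hypervisor_flag": True, "dmi_strings": ["Dell Inc.", "OptiPlex 7020"],
               "macs": ["f8:b1:56:12:34:56"], "cpu_count": 4, "mem_gib": 8.0, "uptime_s": 86400.0}
PHYSICAL = {"hypervisor_flag": False, "dmi_strings": ["Dell Inc.", "OptiPlex 7020"],
            "macs": ["f8:b1:56:12:34:56"], "cpu_count": 4, "mem_gib": 8.0, "uptime_s": 86400.0}

if __name__ == "__main__":
    for name, ev in (("stock VM", STOCK_VM), ("hardened VM", HARDENED_VM),
                     ("physical", PHYSICAL), ("this host", collect_evidence())):
        score, reasons = score_evidence(ev)
        print(f"{name:12s} score={score} sandbox={looks_like_sandbox(ev)} {reasons}")
```

The point of the three constructed dictionaries is the arms race in miniature: the hardened VM drops from a score of 8 to 2 just by fixing the DMI strings, the MAC and the box size. The remaining CPUID bit can also be masked, but only from the hypervisor side, which is the sort of detail the NGFW vendors spend their time on.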
Because the VM technique is not 100% effective, and because there are other attack vectors such as good ol’ USB flash drives, the VM approach is almost always accompanied by behavioral network analysis. In other words: the NGFW attempts to stop the malware before it infects any client machines, but knowing that is not foolproof they look for the footprints of malicious activity indicative of a successful infection.
And then there is Bromium. This company impressed me in many ways, though the company name is NOT one of them. (Seriously team, ‘Bromium’ is a homeopathic remedy using the element Bromine, which is NOT a nice element: “from the halogen group; corrosive and toxic at room temperature.” So upon hearing the company name, scientifically minded people will think “it may kill me” and on the other side of the coin, folks will think “it may help me with my gland problem.” In summary, if the company name DOES invoke a response, it will almost certainly NOT be “I gotta’ get me some of that.” But I digress.)
Bromium (the company) works from a fundamental worldview that I believe is unique and differentiated:
- Computer users WILL do things they really shouldn’t do
- Saving these folks from their mistakes is a losing battle
- Therefore, we are going to let the users do their damage, but we will completely contain any damage inside single-use VMs
Bromium has developed a SUPER-lightweight VM that runs … wait for it … not on the NGFW, but on the CLIENT MACHINES. At first blush, the decision to run the hardened VM on the client machine might appear inferior to running it on the NGFW. Isn’t it inherently better to stop the malware BEFORE it reaches the client machine? Well, not necessarily …
You see, Bromium’s approach requires A LOT of VM instantiations. One for every single browser tab, for starters. Each client machine can easily spawn 10 or more VMs at a time, and that would require beaucoup hardware if implemented at the network level. I am sure the vendor would happily equip their NGFW with the compute horsepower to support the load, and I am equally sure the enterprise IT budget would bust in the process.
In many of my posts, I’ve observed that we have A LOT of untapped compute horsepower in our client devices. Bromium taps that horsepower. Running the hardened VMs on the client machines has other significant advantages, for example, the whole thing still works when the client machine is off the corporate network. Which when you stop and think about it, is when the client machine has the greatest attack surface and is at greatest risk.
I’ve said a lot of nice things about Bromium (other than the fubar naming) without describing the functionality. Let’s start with web browsing. As mentioned above, each and every browser tab runs in its own hardened VM. New tabs open in under a second; I didn’t clock it, but each new tab appeared in ‘normal’ time.
- Should a tab crash for one reason (Adobe Flash) or another, its VM is killed and the rest of the tabs happily chug along
- If the user clicks on an innocent looking link that actually injects malware, the infection is contained COMPLETELY in the tab’s VM
- When a tab is closed, its VM is killed, vaporizing any malware in the process
All of the above is pretty tidy from a user perspective, indeed, it is completely transparent. Well, up to the point that the user cannot find the important file they downloaded because it was zapped when the tab’s VM was killed. This brings us to how Bromium handles files from all external sources: downloads, USB drives, email attachments, etc.
- All external files are considered suspect and treated as such
- You can save these files to your real (aka physical) machine in your real file system
- When you open/execute a suspect file, it is opened/executed INSIDE its very own VM
So anytime you open a suspect Word document, for example, a VM is created and Word is launched inside the VM with the suspect file. Here again, the process is completely transparent to the user: double-click on a document and Word opens; totally normal and expected behavior as far as the user is concerned. Should the Word file in question execute some nasty hidden bit of Visual Basic code, the ensuing nastiness is contained entirely INSIDE the hardened VM.
When the user saves the document, it is written back to the physical drive and continues to be treated as suspect. Note that the malware remains in the file, but the file is ALWAYS opened in a VM that confines the EFFECTS of the malware. Because the VM is destroyed every time it is closed, the malware never has an opportunity to damage the real (physical) client machine.
Unless I missed something—and I don’t think I did—there is a key missing element to the otherwise bulletproof Bromium universe. That infected Word document is a ticking time bomb, and it will go BOOM and do REAL damage as soon as it is opened on a machine that is not running Bromium. While my latent marketing instincts could view this as a technique for selling the value of the product (“Hey, sorry my Word doc infected your entire corporate network, but that wouldn’t have happened if your company ran Bromium.”), I do not think for a minute that will fly in reality.
What is required here is a method to both detect and scrub suspect files, turning them into trusted safe files. A conventional anti-malware suite is a good start—and Bromium readily admits they do not remove that requirement—but here Bromium needs to take a page from the NGFW folks. They’ve got what appears to be a well-hardened VM; they need to INSTRUMENT the VM so that it detects and flags abnormal behavior.
When that nasty hidden bit of Visual Basic code modifies the registry and/or overwrites a Windows DLL, Bromium would then not only kill the VM but also NUKE the offending Word document. The malicious behavior SHOULD be detected the first time the document is opened, so the nuking will not destroy hours of document modifications.
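To show what "instrument the VM" amounts to, here is an added example of the rule layer; it is my sketch, not Bromium's code (this post proposes the loop, it does not describe an existing one). The input is the event stream a monitor inside the micro-VM would report while Word handles one file: process creations, file writes, registry writes, network connections. Both traces, and every process, path and registry name in them, are constructed; the Run-key and System32-DLL rules are the two behaviors the paragraph above names, plus the two neighbours a practitioner would add first.

```python
"""Instrumenting the micro-VM: behaviour rules over a document-opening trace.

Added example, not Bromium's code. Events are what a monitor inside the VM would
report while Word handles one file. The two traces below are constructed, as
are the process, path and registry names in them; rule severities are assumed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Autostart registry locations (HKCU or HKLM) and DLLs under the system directories.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SYSTEM_DLL = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+\.dll$", re.I)


def _basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def evaluate_trace(events):
    """Return (severity, rule, event) findings for one document-opening trace."""
    findings = []
    for ev in events:
        proc, action, target = ev["process"].lower(), ev["action"], ev["target"]
        if action == "process_create" and proc in OFFICE_APPS and _basename(target) in SCRIPT_HOSTS:
            findings.append(("high", "office app spawned a script host", ev))
        elif action == "file_write" and SYSTEM_DLL.match(target):
            findings.append(("high", "write to a system DLL", ev))
        elif action == "registry_write" and RUN_KEY.search(target):
            findings.append(("high", "persistence via Run key", ev))
        elif action == "network_connect" and proc in SCRIPT_HOSTS:
            findings.append(("medium", "script host opened a network connection", ev))
    return findings


def decide(findings, quarantine_on=("high",)):
    """'allow' keeps the file merely suspect (the default today); 'quarantine' nukes it."""
    return "quarantine" if any(sev in quarantine_on for sev, _, _ in findings) else "allow"


def triage_document(events):
    """Verdict for one file from the trace of its first opening in the micro-VM."""
    findings = evaluate_trace(events)
    return decide(findings), findings


# Constructed trace of Word opening a harmless document: temp files and Office's
# own registry keys are normal and must not fire.
BENIGN_TRACE = [
    {"process": "WINWORD.EXE", "action": "file_read",
     "target": r"C:\Users\pat\Downloads\agenda.docx"},
    {"process": "WINWORD.EXE", "action": "file_write",
     "target": r"C:\Users\pat\AppData\Local\Temp\~WRL0001.tmp"},
    {"process": "WINWORD.EXE", "action": "registry_write",
     "target": r"HKCU\Software\Microsoft\Office\15.0\Word\File MRU\Item 1"},
]

# Constructed trace of a macro document: Word spawns PowerShell, which calls out,
# drops a DLL into System32 and registers itself to run at logon.
MALICIOUS_TRACE = BENIGN_TRACE[:1] + [
    {"process": "WINWORD.EXE", "action": "process_create",
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"process": "powershell.exe", "action": "network_connect", "target": "198.51.100.23:443"},
    {"process": "powershell.exe", "action": "file_write",
     "target": r"C:\Windows\System32\winsock_helper.dll"},
    {"process": "powershell.exe", "action": "registry_write",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for name, trace in (("agenda.docx", BENIGN_TRACE), ("invoice.docm", MALICIOUS_TRACE)):
        verdict, findings = triage_document(trace)
        print(f"{name}: {verdict}")
        for sev, rule, ev in findings:
            print(f"  [{sev}] {rule}: {ev['process']} -> {ev['target']}")
```

Because the verdict comes from the first opening's trace, the nuking happens before anyone has invested hours in edits, which is the property the paragraph above asks for. The hard part in practice is the benign trace: Office writes plenty of temp files and registry keys of its own, so the rules have to be specific (Run keys, system DLLs, child script hosts) rather than "any registry write".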
I strongly suspect Bromium is already working to “close the loop” along these lines. Now if they could only go back in time and come up with a better name for the company. From Silicon Valley.