By Al Hartmann

Cyber World War Z, Part 2: Zombie Defenses Easily Evaded by the Competent Attacker!

Enterprise Client Security Suites Set a Low Bar, Are Readily Evaded By Competent Attackers

While necessary for compliance, the typical enterprise security suite is readily evaded by any organized attacker (hacktivists, criminal syndicates, state sponsored cyber-espionage units, cyber-terrorists, etc.). There are about a half-dozen commonly encountered enterprise endpoint security suites, quite well-known, and even the smallest organization can easily afford to lab test their attacks against all of them before deploying to the field.

Adding enterprise network firewalls and gateway security to the layers of protection poses some additional effort to overcome, but many of the client endpoints are mobile and frequently operate outside the protected corporate network environment and off VPN. Attackers can easily time their spear phishing emails for weekend or holiday periods or when the target user is known to be traveling. Also, at any given time there are several hundred thousand compromised web servers on the Internet primed and ready with instantly installable drive-by malware payloads for any of your thousands of users who may chance upon them. Bot herders love recruiting enterprise clients into their botnets, and it is the rare enterprise that doesn’t have some number of client endpoints in this sorry state.

The bottom line is that enterprise endpoint security suites are not the security solution – they are necessary but not sufficient. Treating cyber threats as a security problem with security software won’t suffice – attackers will evade your defenses and you will be owned.

Large Enterprise Client Populations Present Bloated Attack Surface Areas, Inherently Porous to Attack

In Greek mythology the Trojan War hero Achilles was invincible except for his heel, which in cyber terms constituted an “exposed vulnerability” that led to his death. The more unique software an enterprise runs across its client population, the more vulnerabilities it will expose (and the more cyber compromises it will suffer).

As mentioned earlier, Ziften client agents report the cryptographic MD5 hashes of all executing process images, and the Ziften management server analyzes this list against a vast knowledge base that classifies and evaluates the discovered executables. These analyses compute a key performance indicator (KPI) we term “attack surface area bloat factor,” which is defined as the ratio of the number of unique MD5s encountered in the organization’s client population to the number of necessary unique MD5s. This KPI generally runs in the 5-10X range.

A combination of pernicious factors drive this excessive attack surface area bloat:

  • Version proliferation – Fielding more than the most current one or two versions of an application constitutes version proliferation. Large enterprises can easily have version counts in the double digits for common applications. Older versions expose known vulnerabilities and generate trouble tickets for bugs that are already fixed in later versions. All enterprise IT departments claim to do patch management, but Ziften data indicates it is “patchy” at best.
  • Application sprawl – Fielding applications on only one or two client systems (out of thousands) is occasionally justified, but not at the huge scale seen in Ziften data. A major contributor to attack surface area bloat is sprawled applications, which Ziften defines as applications found on fewer than 0.1% of the client population. It is not uncommon to see as many as half the enterprise’s unique MD5’s driven by application sprawl, resulting in double the risk exposure as well as potential trouble ticket filings for thousands of applications which are largely unfamiliar to IT support staff.
  • Extraneous processes – These are processes with little to no business value or user utility as judged by the Ziften process knowledge base (and vetted by Ziften Labs). In Ziften analyses, the common enterprise Windows client system is running double-digit numbers of extraneous processes (averaging a fifth to a quarter of all active processes). Usually about four-fifths of these extraneous processes are autostarted at boot, thus exposing vulnerabilities and squandering system resources 24×7. Remediating these benign but extraneous processes reduces risk, improves system performance, and frees resources for higher business value applications (or for more demanding endpoint security software).  Note that version proliferation, application sprawl, and extraneous process classifications are not mutually exclusive, and some software may be guilty of multiple offenses.

Ziften found the following MD5 breakout at one large enterprise:

  • Proliferated alone – 26%
  • Sprawled alone – 22%
  • Extraneous and proliferated – 20%
  • Necessary (no attributes) – 14%
  • Extraneous alone – 8%
  • Extraneous and sprawled – 7%
  • Proliferated and sprawled – 2%
  • Extraneous, proliferated, and sprawled – 1%

Without knowledge-base-informed analytics it is not possible to tell what is running out there in the ocean of processes across thousands of client endpoints. If you don’t know what is running out there and can’t classify or evaluate it, then you can’t measure it, report against relevant KPIs or adequately secure your client population.

Check out this webinar to learn more:  Having A Tattletale Endpoint May Be a Good Idea!

Watch for Part 3 of this blog, “Like Zombies, Enterprise Clients Are Largely Unobserved, Loosely Managed Assets Crewed by Naïve Users”


Get the General Here