#hygiene #response #tips_and_trends

What are Meltdown and Spectre, and How Can Ziften Help?

by Josh Harriman

January 8, 2018

access_time 8 min read

Ziften is aware of the latest exploits affecting practically everyone who works on a computer or digital device. While this is a very large announcement, we at Ziften are hard at work helping our customers discover vulnerable assets, fixing those vulnerable systems, and monitoring systems after the fix for potential performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up-to-date on the latest malicious attacks as they evolve. Right now, most of the discussions are around PoC code (Proof of Concept) and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I’m speaking, of course, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what is being done by the industry to find workarounds to these hardware issues. To learn more, I feel it’s best to go right to the source here (https://spectreattack.com/).

What Should You Do, and How Can Ziften Help?

A key area that Ziften helps with in case of an attack by either method is monitoring for data exfiltration. Since these attacks are basically taking data they shouldn’t have access to, we believe the first and easiest methods to protect yourself is to take this confidential data off these systems. This data might be passwords, login credentials or even security keys for SSH or VPN access.

Ziften monitors and alerts when processes that normally do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and / or kill processes associated with these scenarios. Ziften Labs is monitoring the evolution of the attacks that are likely to become available in the wild related to these vulnerabilities, so we can better protect our customers.

Find – How am I Vulnerable?

Let’s look at areas we can monitor for vulnerable systems. Zenith, Ziften’s flagship product, can easily and quickly find Operating Systems that need to be patched. Even though these exploits are in the CPU chips themselves (Intel, AMD and ARM), the fixes that will be available will be updated to the OS, and in other cases, the browser you use as well.

In Figure 1 below, you can see one example of how we report on the available patches by name, and what systems have successfully installed each patch, and which have yet to install. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and / or patch number for the environment could be populated on this report to show the vulnerable systems.

Figure 1: Tracking operating system patch installs in Ziften Zenith

The same holds true for browser updates. Zenith monitors for software versions running in the environment. That data can be used to understand if all browsers are up to date once the fixes become available.

Speaking of browsers, one area that has already picked up steam in the attack scenarios is utilizing Javascript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like Edge browsers do not use Javascript anymore and mitigations are available for other browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out this week.

Fix – What Can I Do Now?

Once you have identified vulnerable systems in your environment you certainly want to patch and fix them as soon as possible. Some safeguards you need to take into consideration are reports of certain Anti-Virus products causing stability issues when the patches are applied. Details about these issues are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the capability to help patch systems. We can monitor for systems that need patches, and direct our product to apply those patches for you and then report success / failure and the status of those still needing patching. Since the Zenith backend is cloud-based, we can even monitor your endpoint systems and apply the required patches when and if they are not connected to your corporate network.

Monitor – How is Everything Running?

Lastly, there could be some systems that exhibit performance degradation after the OS fixes are applied. These issues seem to be limited to high load (IO and network) systems. The Zenith platform helps both security and operational teams within your environment. What we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help uncover issues such as application crashes or hangs, and system crashes. Plus, we monitor system usage for Memory and CPU over time. This data can be used to monitor and alert on systems that start to exhibit high utilization compared to the period before the patch was applied. An example of this monitoring is shown in Figure 2 below (system names intentionally removed).

Figure 2: System Memory and CPU Usage over time

These ‘flaws’ are still new to the public, and much more will be discussed and discovered for days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.