This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks are tracking at this time.
It’s just about time for some pretty big security conferences. The words “Threat Intelligence” are going to be thrown around a lot, and the definitions are still going to involve a lot of gesticulation and muttering about dwell times and algorithmic analytics. And those are good things! We need to develop them because someday they’ll be incredible. And in the meantime some of them can help. But they’re going to help the humans at the top of the stack who are shoveling through the hills of information and sieving out the bits that mean something to your organization.
That’s what our Sherlocks do. We keep one eye on the pile of information coming from the threat intelligence and vulnerability community. Our other eye is firmly on the service we’re providing to you, putting that data to work for you. Here are a few of the things we’re caring about this month.
Client Side Vulnerabilities: #1 – Adobe
WHAT: Time has not been kind to Adobe’s most popular duo of products, Flash and Reader. October saw several massive batches of patches pushed to remediate and then to remediate the remediation of many critical vulnerabilities.
WHY: The Internet has called for Adobe’s head for years now for its application security practices. And I believe that Adobe tries. But much like the result of getting your IT guy to perform brain surgery, trying isn’t enough. IT shops often automatically bundle these pieces of software in their builds because their users are accustomed to them. However, a significant bulk of hits in our log analyses pertain to attacks against both of these. Let’s start leveraging some community intelligence synergies (how’s that for conference lingo?) and stop installing these by default.
Client Side Vulnerabilities #2 – Apple (?!)
WHAT: Apple products are very popular. This also means that the software which goes along with it is also popular. Users, especially those who can install their own software, will do just that and wind up with a potentially unmanaged, outdated installation of iTunes, Safari, or Quicktime.
WHY: “Lack of patching is one of the most fundamental issues we see in security analysis. This problem gets compounded when non-IT people begin taking on a “quasi” IT roles,” is something I wrote that last month. It’s still true. Patch management is a massive organizational problem that is compounded by lack of resources and often an interest in disrupting their users’ productivity. Fortunately the most common result of this that we see originates from “blocked” hits in IPS logs of attacks aimed at, yes even Apple, unpatched products.
Client Side Vulnerabilities #3 Self-Morphing Exploit Kits
WHAT: IT security is an arms race in which the defense does not have the advantage. Exploits that change themselves haven’t been unrepresented in high-level state-sponsored attacks. But now the Nuclear Exploit Kit, a very common exploit kit, has been seen exhibiting this behavior. It can change its signature, command servers, encryption, and even payload on the fly. All in a simple to use kit.
WHY: We’re following this closely, because the behavior this exhibits promises to make our job quite a bit more difficult. Presently the exploits witnessed were the now-patched Flash vulnerabilities mentioned in the first item in this blog entry. But the nature of this kit promises to make endpoint protection detection and signature detection much more difficult for the time being.
So, who’s up for removing antiquated and constantly insecure web software from their domain now?
The big focus this month presented to us were client side vulnerabilities. It serves as a good reminder that while it’s comfortable to operate on “autopilot,” IT security is not a job about comfort! IT security needs to periodically re-evaluate its security policies and implementations to account for the changing trends of the security landscape. Let’s keep adapting to what we’re getting thrown to do what we can to reasonably protect the people who trust us. We welcome any conversation on these topics in the comments below!
Check back next month for our December Sherlock report.