By: Carolyn Crandall
The use of agent-based solutions that access kernel space has always been tricky for security teams, even before today’s Meltdown and Spectre news. With access to kernel space, one can manipulate just about anything: an application that can reach the kernel of a critical server or workstation can be used to give attackers access to the system. This backdoor creates an opportunity to access stored passwords, company data, intellectual property and employee, patient or customer information. Typically, the hardware security built into modern processors prevents lower-privileged applications from accessing kernel space, but Meltdown and Spectre bypass these measures.
Meltdown, found in virtually every Intel chip and in certain high-performance ARM designs used in mobile phones, is the easier of the two to exploit and enables any user program to read kernel data. The severity of the flaw depends on how the operating system shares memory between user programs and the kernel. The operating system changes made to fix this bug appear successful for Intel, Apple, and future ARM chips that are susceptible to the attack. The fix, which carries a notable performance penalty, works by ending that memory sharing between user programs and the kernel.
Spectre, which affects chips from Intel, AMD, and ARM, is also based on speculative execution and is designed to read memory within a single process. This can then be used to attack the integrity of virtual machines and sandboxes and to mount cross-process attacks. Systemic fixes for some aspects of Spectre appear to have been developed, but there is no simple fix. Mitigation may require modification and/or recompilation of at-risk programs and will likely require manual effort by developers. Because of this complexity, vulnerabilities related to Spectre are expected to be around for a while.
Both Meltdown and Spectre require extensive rearchitecting of current processor design, meaning that it will be some time before the performance penalties in current patches and any lingering vulnerabilities can be fully mitigated. The longer it takes Intel, ARM, and AMD to rearchitect their processors, the longer attackers have to find effective methods that can leverage the vulnerabilities and successfully mount attacks.
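As an added example (not part of the original post and not an Attivo tool), the POSIX shell script below reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/, so a defender can inventory which hosts still report Meltdown or Spectre as Vulnerable after patching; the sample directory it can build is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the Meltdown/Spectre
# mitigation status Linux 4.15+ exposes under /sys/devices/system/cpu/vulnerabilities/
# (one file per issue, holding "Not affected", "Vulnerable" or "Mitigation: ...").
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
# classify_status LINE -> ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        Mitigation:*)    echo ok ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}
# report_vulns DIR -> one "name<TAB>class<TAB>raw" line per file;
# returns 1 if anything is still Vulnerable, 2 if DIR is missing, else 0
report_vulns() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "no $dir (kernel too old or not Linux)" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(cat "$f")
        cls=$(classify_status "$line")
        if [ "$cls" = vulnerable ]; then rc=1; fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$cls" "$line"
    done
    return "$rc"
}
# count_vulnerable DIR -> number of entries still reported as Vulnerable
count_vulnerable() {
    report_vulns "$1" 2>/dev/null | awk -F'\t' '$2 == "vulnerable"' | wc -l | tr -d ' '
}
# Constructed sample tree (meltdown patched, spectre_v2 not) for hosts without
# the sysfs interface; prints the directory it created
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}
# Run on the live host, or on the constructed sample when given "--sample"
[ "${1:-}" = "--sample" ] && VULN_DIR=$(make_sample_dir)
if [ -d "$VULN_DIR" ]; then
    status=0; report_vulns "$VULN_DIR" || status=$?
    echo "status $status (0 = no Vulnerable entries)"
fi
```

Run it as `sh check_vulns.sh` on a patched host, or with `--sample` to see the output format; a non-zero status from report_vulns flags a host that still needs attention.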
As it relates to this and other recent vulnerabilities, the Attivo Networks Deception Platform consists of deception decoys, endpoint credentials, and other lures that will entice the attacker into engaging, in the event they have gained access to the network.
Many believe that catching the attacker at the endpoint is the preferred approach to detection. However, this often comes with an agent-based performance tax. Attivo believes that both strong endpoint detection and the ability to detect in-network lateral movement create the ideal scenario to detect threats. The Attivo ThreatStrike™ Suite provides agentless endpoint deception that is designed to lure an attacker into using deception credentials. Then, the attacker is directed back to an engagement server where their tactics, techniques, procedures and full indicators of compromise can be captured and recorded.
This new set of hardware bugs is widespread, patching Spectre is complex, and the patches for Meltdown carry performance hits, so there may be situations where risks are taken to preserve performance and user experience. In general, and for these situations in particular, adding deception can play a critical role in the early detection and discovery of attackers attempting to exploit these vulnerabilities. Contact Attivo now to hear how we are helping our customers navigate the risk of these and other security threats.
* Attivo Networks is committed to the highest levels of quality and customer experience and is actively working to make patches available for affected Attivo Networks solutions. Please email the support team for information on how to patch installed systems or if you have any further questions.