Introducing LAVA:
When I say LAVA I mean the Live Attack Visualization & Analysis automated framework that Gaurav and Simon mentioned in their recent vSentry announcement blogs. The intent of this blog is to introduce, at a high level, the new enhancements we’ve made to the Bromium Microvisor for enterprise security SOC teams; in future blogs I will dive deeper into technical specifics. LAVA was built after we received great feedback from our initial customers about the challenges they face in large, complex enterprise environments, and about how they currently deal with false positives, false negatives and remediation of endpoints. The current industry practice seems far from efficient, and we want to address this by leveraging the advantages of micro-virtualization technology.
Today, analyzing and confirming attacks on the endpoint is very complex and time consuming. Most of the time it takes days or even months before the attack is identified. Confirmation and remediation of endpoint compromise is yet another painful process for large enterprises. Below is a representation of the typical ‘data theft cycle’ in an enterprise that the adversary takes advantage of.
LAVA was built with the following goals: to provide visibility into the actual point of attack, and to present *relevant* information in an actionable manner. We built an engine that provides relational, temporal and functional {R,T,F} evidence as the attack occurs. Micro-virtualization technology provides unique advantages in analyzing advanced malware targeting endpoints.
Each threat vector, such as rendering a particular website or opening a particular document, is isolated at the hardware layer in its own container (a micro-VM), separated from the underlying system, the network and every other open website and document (for more information, see the vSentry whitepaper). Because hardware-level virtualization technologies (VT and EPT) are used, all CPU, memory, disk and network activity related to the threat vector passes through the Microvisor, giving it perfect visibility of the attack. Unlike traditional detection engines that run within the compromised system, micro-virtualization uses micro-VM introspection to provide “outside-in” detection of even advanced threats such as bootkits.
Another benefit of this architecture is the ability to analyze the post-exploitation behavior of an attack. Conventional detection technologies, such as anti-virus, have to stop an attack at the earliest possible stage to prevent infection of the system. Micro-virtualization provides the luxury of allowing an attack to execute safely, as it has already been isolated from the system. This gives a view into the typical kill chain of the attack: exploit -> execute -> escalate -> persist -> propagate. This helps dramatically reduce the attack response cycle for the enterprise.
Our ultimate goal is to make security operations more streamlined, automated and cost effective.
Let’s take the example of a simple drive-by download attack leveraging a Java exploit which then drops and executes the infamous Win7 x64 bootkit, Xpaj, from a publicly available sample. There are already enough technical details available from our friends in the security community on this bootkit. Xpaj was taken just as an example to illustrate one of the capabilities of VM introspection and taint analysis post exploitation; this can be reproduced with any other real-world (root|boot)kit.
Here is how this attack plays out:
Internet Explorer 9 (latest SP) -> Java JVM exploited (CVE-2012-4681) -> XPAJ executed post exploitation.
The malicious changes made post exploitation by Java are tagged by the taint analysis graph inside the micro-VM, and the Java exploit initialization phase is highlighted in the graph. XPAJ (like many others in this category) tries to bypass PatchGuard on Windows 7 x64 by performing an MBR overwrite as its ASEP (Auto Start Extensibility Point). The Microvisor intercepts this clearly unexpected event inside the micro-VM and offers several response actions, such as Auto Remediate, DENY or ALLOW, which can be configured based on user-defined policies. In this example LAVA also highlights an ‘Immutable memory’ event that results from in-guest kernel memory introspection (we’ll address this capability in depth in future blogs).
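To make the {R,T,F} idea concrete, here is a toy reconstruction of how an attack trace of the kind described above can be derived from a micro-VM event stream: taint starts at the exploit event, propagates through the process tree (relational), is replayed in time order (temporal), and records what each tainted process changed (functional), with ASEP writes mapped to a policy action. This is an added example, not Bromium code; the event log, process names, paths and policy table are all constructed.

```python
"""Toy LAVA-style {R,T,F} attack trace. Added example, not Bromium code:
events, process names, paths and the policy table are constructed to mirror
the Java -> Xpaj chain described in the post."""
from collections import namedtuple

Event = namedtuple("Event", "t pid ppid proc op target")

# Constructed micro-VM event stream (t = order, pid/ppid = relations, op = function).
EVENTS = [
    Event(1, 100, 1,   "iexplore.exe", "exec",       "java.exe"),
    Event(2, 200, 100, "java.exe",     "exploit",    "CVE-2012-4681"),   # taint source
    Event(3, 200, 100, "java.exe",     "file_write", r"C:\Temp\payload.exe"),
    Event(4, 200, 100, "java.exe",     "exec",       r"C:\Temp\payload.exe"),
    Event(5, 300, 200, "payload.exe",  "reg_write",  r"HKLM\...\Run\payload"),
    Event(6, 300, 200, "payload.exe",  "raw_write",  r"\\.\PhysicalDrive0 sector 0"),  # MBR ASEP
    Event(7, 400, 1,   "explorer.exe", "file_write", r"C:\Users\x\notes.txt"),  # untainted
]

# Constructed policy: response when a *tainted* process touches an ASEP.
ASEP_POLICY = {"raw_write": "AUTO_REMEDIATE", "reg_write": "DENY"}


def build_trace(events, policy=ASEP_POLICY):
    """Propagate taint from the exploit event through the process tree.
    Returns (tainted events in time order, list of (event, action) ASEP alerts)."""
    tainted, trace, alerts = set(), [], []
    for ev in sorted(events, key=lambda e: e.t):              # temporal
        if ev.op == "exploit" or ev.pid in tainted or ev.ppid in tainted:
            tainted.add(ev.pid)                                 # relational: children inherit
            trace.append(ev)                                    # functional: what it did
            if ev.op in policy:
                alerts.append((ev, policy[ev.op]))
    return trace, alerts


def summarize(trace):
    """Artifacts worth exporting for the SOC: files dropped, registry and raw-disk writes."""
    kinds = {"file_write": "files", "reg_write": "registry", "raw_write": "disk"}
    out = {name: [] for name in kinds.values()}
    for ev in trace:
        if ev.op in kinds:
            out[kinds[ev.op]].append(ev.target)
    return out


if __name__ == "__main__":
    trace, alerts = build_trace(EVENTS)
    for ev in trace:
        print(f"t={ev.t} {ev.proc}[{ev.pid}] {ev.op} {ev.target}")
    for ev, action in alerts:
        print(f"ALERT t={ev.t}: {ev.op} on {ev.target} -> {action}")
```

Note that the untainted explorer.exe write and the pre-exploit browser activity are excluded, which is what keeps the resulting graph small enough to read at a glance.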
Below is a screenshot of a simplified attack trace generated by the LAVA taint analysis engine, which shows the SOC analyst at a glance that a malicious event occurred.
Remember, since we’re in a micro-VM container which ensures the system is protected, we can choose to allow the attack to fully play out and gather all the live forensic information, such as changes to the Registry, CPU registers, file system, network, processes, memory and API invocations, and provide this to the SOC analyst(s) for detailed investigation. All of this can be enabled via policies from our threat management console.
Full forensic information can be exported along with the graph as evidence for SOC teams to update their enterprise security infrastructure and take remediation measures enterprise-wide.
LAVA is a vSentry feature currently in beta, and we look forward to your feedback!