Advice on reflective memory injections from Lumension

Alan Bentley is SVP Worldwide at security company Lumension. He talks to us about their new Endpoint Management and Security Suite built to tackle malware like 'Reflective Memory Injections' in particular and address issues around cross-platform encryption.

For more related podcasts click here.

To subscribe to receive new podcast episodes for free click here.

Alan, firstly a quick trawl through your website will reveal advice around ‘Reflective Memory Injections’ – cited as one of the most serious malware threats affecting businesses today. Explain what these are and what they do?

It is quite technical so unfortunately a bit of technical depth is required to fully understand what reflective memory injections are. They come from buffer overflows and remote dealer reflections around buffer overflow which a lot of people will have heard of. What that basically means is that any application that is effectively loading has allocatable memory and it has hooks into the operating system to make that application have allocatable memory and strings to make it work. What a memory injection does is, exploits a vulnerability in the application that can be exploited by a hacker to make the memory overflow so memory is allocated to make the application work correctly, a buffer overflow effectively moves the memory into a different memory space where the hacker will have some kind of shell code to inject something into the application to make it do something it wasn’t expecting to happen. The shell code itself is normally relatively small but certainly can do denial service or distributed denial services and also then make calls for the application to go and find other pieces of malware codes to inject into it. That is not new it has been around for a while but buffer overflows are always listed as critical vulnerability because of their nature and they are very invasive and hackers can then write things to disc and then pick up other bits and pieces in terms of trying to get local privileges etc etc.

Traditional technologies like antivirus and application control white listing are really looking at hashed executables to ensure that only the right DLL’s etc are using the right calls to the operating system to make it work. With reflective memory injection the real clever thing about reflective memory injection is that it doesn’t use any local OS load functions. What that means is that ultimately your traditional security technology is looking for any changes in patterns within the local OS or what is written to the disc so reflective memory injection is basically creating a malicious DLL in memory without relying on any local OS load functions. It is really difficult to even know it is happening let alone stop it unless you have very good clear forensic process and analysis on a particular machine to look for anomalies in the way that executable libraries are occurring. But the reality is that it is almost impossible to do across multiple machines so you have to have a particular technology that can look for that particular type of attack. The reality of the way we operate in the world now is that, as we have to move into identifying advanced persistent threats and sophisticated forms of attack buffer overflow or memory injections. These are the types of vectors that criminals or organised people in the hacking environment use to be able to gain access to a machine. They look for vulnerability in the application itself and they then try and execute a memory injection within the application. They now know that reflective memory injection is a very difficult thing to protect against so the sophistication is there for them to be a be really able to move into using these types of attacks against people.

What sorts of organisations do these types of threats affect the worst, already we know governments and banks are particularly vulnerable don’t we?

Absolutely, especially the types of attacks that are occurring against critical infrastructure like governments and banks. We have seen the US banks being under constant attack over the last 12 months, it is almost like a cyber war against those. The UK government is seeing thousands of attacks hourly. There is nation against nation stuff going on but there is also a lot of cyber terrorism hacking and anonymous political people with statements to make, so we are all having to think about the way we protect ourselves these days as the world that we operate in has changed completely. I would like to say that it is not just government and banks and the nature of types of attacks we are trying to protect ourselves against. In today’s modern environment are much more obvious than they have ever been, what I mean by that is that the name of the game is to get in get what you want and get out before anybody realises that it has happened and therefore certainly something like reflective memory injection is totally in a stealth mode in terms of wanting to do something for anybody who picks it up. That is why you would use a reflective memory injection because you know that the majority of people are not even going to know that you have gone before anybody realises that it has happened. That is a threat for all organisations not just for government and banks I would say.

Behind every attack is a human being with criminal intent isn’t there and we perhaps might not appreciate how dangerous these kinds of cyber attacks are around the world from those that wish to do nations harm?

I agree with it and I think we are seeing a lot more of it in the mainstream press. Certainly China were slated as being the people that were attacking Google and we are definitely starting to see a little bit more understanding that cyber warfare is without doubt the pre-cursor for any type of warfare. We have seen with other examples the Iranian chemical plants how it was never said who actually did it but it was certainly a nation against nation in terms of injection code that somebody had a remote capability to control their nuclear plant and effectively slowed it down by six months. I think we would be naive to think that there wasn’t already some kind of espionage cyber capability in North Korea; I wouldn’t say it definitely is but I would be surprised if it wasn’t. Nations against Nations have been conducting espionage way before computers were invented but I ultimately all of our critical infrastructure and all of our individual work is done operationally from an infrastructure point of view that is totally reliant on computers. All the stuff we are doing right now without computers we wouldn’t be doing this podcast.

And as threats go it’s probably the cheapest and most covert there is?

To a certain extent I would agree with you. The other side that has been going on for years and years and I think governments have a pretty good handle on Nation against Nation because they are all doing it against each other and ultimately there are kind of rules of engagement and one should not cross the boundary unless or is a diplomatic incident. I think the real challenge is around organisations that have intent but not necessarily the monetary backing and then there is also cyber criminality which is a huge business. Cyber criminality makes more money than drugs and the drug problem worldwide is huge. This is also for hire and you can buy programmes that will bring your competitors website for 50 bucks an hour. These are all over the Internet and you can buy these malwares as a service. It is already out there and you get it and purchase it and put it against somebody you have a grudge against or a company that you want to put out of business and it is 99% anonymous.

As part of the industry working to guard organisations against attacks like these, tell us the measures and technologies that you are developing to address issues especially around Endpoint Management?

Looking at security as whole I would say that there is not one technology that can do everything you need. There is no silver bullet unfortunately or fortunately whichever way you would like to look at it. We focus on one particular area of security which is Endpoint management and managing the Endpoint in terms of being proactive about controlling access and whether or not there are vulnerabilities within applications that you are running and whether those applications are authorised to run. We have been in that business for a pretty long time and as I said at the beginning, the key thing with buffer overflows is that 99% of the time, they are exploiting a known vulnerability within the application itself. Patch management has been around since the beginning of time but it is still an absolute critical security posture to take care of because if you mitigate known vulnerabilities, you are doing a very good job of protecting yourself. We do patch management and security control and device control and antivirus all on the same platform. The application control is where the reflective memory injection comes into play because with our application control we are putting a trust mechanism into applications that allow to execute within your environment within a business environment so you are effectively white listing applications saying I trusted this application, I have hash coded every line of code within it so it can only execute that which I have approved to use and there are a lot of organisations around the world that are starting to recognise that defence in depth strategy is better than just relying on one or two technologies and application control is being seen as a very important component of the first line of defence against malware because there is so much of it, there are so many people developing it and just trying to keep up with signatures is becoming incredibly difficult.

So with our application, control reflective memory is all part of that application control module because with application module control we are looking at local OS load functions, we are looking at the DLLs that allow to execute. We are basically looking at all of that to the files that save to disc and if you are injecting malware into memory on an application that is authorised to run so that is another component so we have built that reflective memory injection into at that high level of security to cover people that are trying to just do memory injections which without technology to help you do that it would be a very very manual process to try and check all of your machines for reflective memory injections.

Also I notice you have been working quite extensively on covering mobile devices, tell us about your work there?

Yes we have. We have a broad spectrum of customers around the world and although we are a US based company we are very global we have offices Galway, Luxemburg, UK. A lot of our customers because we are talking about security around the Endpoint a lot of our customers have said to us mobility is the thing they are having to deal with BYOD people’s expectations to be able to use different mobile devices and tablets and bring those to work. It is almost like that is the business driver has come before the security conversation. The reality of your tablet, your phone, you’re smart phones etc they are just an extension, just another Endpoint so it made absolute sense to us to move into that market place. We give our customers an enforcement, visibility and protection so without visibility you can’t understand what the risk is associated to the business and you can say to people yes, you can bring what you like but unless you know what they are bringing and what they are connecting to in your corporate environments you have no concept of the risk associated with that so you can actually see what is happening so bringing visibility on a corporate level and giving you the ability to enforce policy whether it is a corporate owned device or whether it is owned by the user themselves because obviously there will be different types of policies based on whether it is owned by the employee or the corporation. Then the ability to protect yourselves from loss of data, theft, IP and certainly customer data which is important to a lot of organisations that are governed by compliance.

The rapid adoption of Enterprise Mobility has caused some real challenges for the security industry hasn’t it?

I think it the security organisations around the world are probably screaming no it is not an after though but the employees and the board members are saying yes I want my iPad, I want to be able to use this Smartphone and so on, etc. So, for the security industry certainly organisations are playing catch up to try and figure out how they can best protect their corporate environment. That is ultimately the name of the game when it comes to security when you are talking about business as a whole it is a complete risk management environment. I have to have the best for my business and make the maximum efficiency and effectiveness and I have to match that against the risk associated with doing it. The most secure environments are the ones where you are not allowed to do anything but obviously if you can’t do anything you would not be in business very long. That is the whole crux of the problem for security mangers around the world today it is trying to balance the requirements if the business which smart phones, tablets ipads are an absolute requirement and they are only going to get more and more. You only have to look at the Intel report that came out showing the massive decline in PC sales and an organisation that size and the big increase of sales of tablets and most people today are not going out and buying a big old chunky laptop let alone a box that sits under their desk at home they can get everything they need by using ipads and tablets and smart phones.

Office environments are not straightforward are they in terms of platforms and just like ourselves here at ITProPortal many offices have bother Mac and Windows systems running and you have managed to design a system that encrypts across these different platforms and languages haven’t you?

We work on the Linux, Linux Mac on the patch management side. So we give our customers the ability to patch across platforms and also what we have released through 7.3 is the ability to decrypt on a Mac from an encrypted device that has been corporately encrypted on your machine at work that may be a Windows device. So we have got read write decrypt on a Mac using our inbuilt system. This is an inbuilt encrypted capability in the device itself so we have added that because you are absolutely right as we don’t just want to decrypt the USB onto a Windows and I want to go home and I have got a Mac book at home and I want to work on my work when I am at home so I want to decrypt it and then encrypt it back on a stick when I get back to work.

Alan looking into the future and the developing patterns of threats, what do you see as the security issues that will be concerning us in the next couple of years?

I think it is more of the same right now I see in the terms of the nature of attacks that we have to defend ourselves from external and let us not forget the internal as well engineering issues as well. I think organisations really have to get more proactive about how they manage their environments from a people process and technology point of view. It is going to be more of the same and it is going to be a continuous battle and the goal posts will continue to move and so if we look at the way we are trying to defend ourselves in a reactive way we will never get ahead of the game. For me certainly the mobility side will certainly increase so we will have to manage people’s capabilities from a mobility point of view, but we need to be putting ourselves in a trust mechanism rather than a threat mechanism because if we just try and guess what the next threat is going to be by the time we have guessed what it is it is already executed. For me it is about making sure we understand what the risk is to our businesses and we put ourselves at a point of educating our people in terms of how they should behave when accessing the internet or using corporate defined machines as well as their own and making sure that we have got technology that can support those policies. I think from an external hacking perspective, they will continue to utilise technologies that work until organisations get a better handle on protecting themselves from those techniques and then we will start to see some changes in the way those techniques are used. Right now a lot of the techniques are still working as they were working 2 or 3 years ago.