At 11:08 a.m. on August 15, 2012, every security professional’s nightmare came true for Saudi Aramco, the world’s largest oil company. A piece of malware known as W32.Disttrack, or, more familiarly, Shamoon, crippled more than 35,000 of its PCs and servers, replacing the files they stored with an image of a burning American flag.
Shamoon was engineered to spread undetected through a network, infect as many computers as possible, and, upon command, overwrite their master boot records, destroying the computers’ information and leaving them incapable of being restarted.
In order to contain the malware, Saudi Aramco resorted to ripping computers and networking gear out of the wall. Its internal communications network was largely offline for weeks.
As a final injury, the day after the attack, a file was uploaded to Pastebin, a website for storing text, that included router names, administrative passwords, and an email address and password that appeared to belong to Saudi Aramco’s then CEO.
In their Bristol, U.K., offices, researchers at Hewlett Packard Labs re-create attacks like the one that hit Saudi Aramco in a purpose-built computing environment with an isolated network where they can run the world’s most dangerous code without allowing it to spread.
“You think your system is OK, but actually, there’s malware on there.”Richard Brown, Hewlett Packard Labs
The Labs team is taking a different approach to information security—one that’s part of a broader effort to fundamentally change how security works.
Security products are typically created as a reaction to new kinds of attacks. This forces businesses to plug in an ever-growing number of products, each addressing specific exploits or areas of vulnerability—networks, applications, Web browsers, and so on. This mix is challenging to manage: The products don’t always work well together, and gaps still exist between them.
“Usually, security is bolted on after the design work is done,” says Bill Horne, director of security research at Hewlett Packard Labs. His team’s work involves new computer architectures that incorporate security from the ground up, at every level of the stack.
Labs researchers are developing ways to separate the part of a computer responsible for security from the main operating environment so it can monitor for signs of an intrusion. They’re also coming up with technologies for detecting anomalous behavior on the network, rapidly encrypting data even while it’s in use, and authenticating not just users and applications but also discrete processes.
Taken together, these capabilities will improve an organization’s ability to prevent intrusions, as well as detect, respond to, and recover from attacks that slip through. Providing this type of comprehensive security is a massive challenge that has eluded the security industry for years.
“These are very ambitious, multiyear programs,” Horne says.
How to Fight Malware with Hardware
A needed reboot
Over the past decade or so, security software has evolved from antivirus programs that blacklisted known bad code to advanced threat detection programs that search for rogue file transfers. But the underlying approach has remained consistent: The software has worked under the direction of the operating system.
This approach—and not necessarily the software programs themselves—is problematic, says Richard Brown, who oversees security research at Hewlett Packard Labs in Bristol.
Modern malware has become increasingly sophisticated. It doesn’t just gain unauthorized access; it alters a computer’s operating system and hides itself with techniques such as process hollowing, DLL injection, and API hooking.
Using methods like these, malware finds a legitimate program or process already running in the computer’s memory, creates a new copy that includes a malicious function, and then replaces the legitimate copy with the malicious one.
For example, malware might start up an instance of Windows Explorer in suspend mode, copy itself into the memory of the suspended process, overwrite the existing in-memory executable, and then resume execution. While this is happening, the user might just see Explorer.exe running.
“You think your system is OK, but actually, there’s malware on there,” Brown says.
As a testament to how well malware can hide itself, the average breach isn’t detected for 205 days, according to security company FireEye.
Excellus Blue Cross and Blue Shield of New York, for example, discovered in September 2015 that it had been breached in December 2013. During that time, hackers had stolen data pertaining to as many as 10.5 million patients, including Social Security numbers, financial records, and clinical records.
Another campaign used malware called Flame—which could steal files from infected computers, take screenshots, and use a computer’s microphone to record conversations—to compromise hundreds of government and research institutions in almost 70 countries over five years.
Organizations spent more than $75 billion on information security in 2015, according to research firm Gartner. Yet the number and severity of hacking attacks continues to grow.
Last year, U.S. organizations publicly disclosed 296 data breaches attributed to hacking, according to the nonprofit Identity Theft Resource Center, more than double the number reported in 2012. A 2015 Ponemon Institute study found that each cybercrime attack cost victim organizations an average of $7.7 million.
Sources: “ITRC Breach Statistics 2005 - 2015,” “HPE Security Research: Cyber Risk Report 2016,” “2015 Cost of Cyber Crime Study: Global (October 2015).”
And the attacks are getting broader. While hackers still mainly target computers running the Windows operating system, 2015 saw a spike in attacks on computers running Linux, Android, OS X, and iOS operating systems, according to HPE’s 2016 Cyber Risk Report.
A needed reboot
One of the Labs team’s guiding principles is that software meant to detect compromises to an operating system shouldn’t run on that operating system. About three years ago, computer chip manufacturers such as ARM (with TrustZone) and Intel (with Trusted Execution Technology) started adding separate “execution environments” to their products, designed specifically to address security.
The Labs team wrote software for these secure execution environments that can monitor the operating system, which runs as usual in the normal environment. The connection is only one way: the normal environment can’t access the secure one, preventing any malware on the operating system from compromising the monitoring code Labs developed.
When the computer first boots up, the software in the Labs-designed secure environment gathers around 1,000 pieces of information on how the operating system is performing. It stores these measurements and uses them as the baseline for a safe state. Each time the software detects a change from the baseline in a new measurement, it raises an alarm.
In addition to these boot-time measurements, Labs is incorporating a technique called Midasu (Japanese for “to find out”). Midasu exploits malware’s need to modify the parts of the computer’s memory that execute commands in order to hide itself. The Labs code scans this executable memory, using an efficient algorithm known as a “rolling hash” to create a digital fingerprint of the operating system. It then uses statistical analysis to compare the fingerprint with past results, looking for an unusual amount of variation.
Labs recently ran a test in which it infected 36 computers with 16 variants of malware, including Zeus, a Trojan horse malware package that was used to steal data from Bank of America and the U.S. Department of Transportation, among others. It used Midasu to examine those computers, as well as 25 that hadn’t been infected.
Midasu turned up dozens of suspicious behaviors on the infected computers—hundreds in some cases—while the uninfected computers turned up just a few.
“We’ve been able to show that there’s a reliable difference between uninfected systems and those that have the malware,” Brown says. The approach also provides more intelligent and robust recovery capabilities, should a system ultimately become compromised.
The secure environment takes and stores regular snapshots of the operating system. If the operating system is compromised, the secure environment can perform memory forensics to determine the root cause of the problem and determine how to repair the system quickly. This makes the computer operational again and helps prevent the malware from spreading.
Labs is winning support from independent observers. “This approach looks more solid,” says Lorenzo Cavallaro, senior lecturer at the Information Security Group of Royal Holloway University in London. “Having hardware-backed solutions could be the way forward.”
Using big data
Much higher up the computing stack, there’s promise in using big-data analytics to identify when a compromise has occurred.
Like ripples that appear after someone throws a pebble into a pond, malware leaves traces on the machines it infects. These traces are often lost amid all the other waves and ripples created every minute on a corporate computer network. There is simply too much data—too many “events,” in security speak—for most systems to sort through.
Two issues compound the challenge: Sophisticated attacks, while happening more frequently, are still relatively rare. And because malware is constantly evolving, the signs of an attack aren’t always clear.
Most companies today log network activity, says Marco Casassa Mont, a Labs principal research scientist in Bristol. But few have the computational horsepower and analytical expertise to find patterns in the data that might suggest a stealthy attack.
One example is security analysis of Domain Name System queries, or events where a computer looks for the IP address of another device on the Web. In a 2015 pilot project that examined network traffic from HPE data centers, Labs researchers counted 16 billion packets per day from DNS queries, which outnumber related data types such as user access logs by an order of magnitude.
The detonation of the virus Sirefef in the malware lab
Sorting through this data can block users from accidentally connecting to malicious sites, or identify a hacked system by its attempts to send stolen data over the Internet. Labs helped develop an approach called Threat Insight that uses statistical models and adaptive rules to quickly and safely discard the 99 percent of DNS log entries that are likely to be safe events. The remaining entries, which are clearly bad or are of an unknown nature, are then analyzed to detect potential attacks.
That’s still a lot of data—160 million packets a day in the HPE case. But modern security event management platforms can handle it comfortably. This method has now been built into Micro Focus’ ArcSight DNS Malware Analytics* product. As analytics algorithms, computer memory, and processing power improve, the data-sorting approach will become increasingly viable.
The upshot: “With a high degree of confidence, we can detect the threat in a matter of minutes and hours rather than in days,” says Casassa Mont.
Computing beyond Moore’s Law
Security professionals must also reckon with the fact that data volumes are growing exponentially. Yet the processing power of today’s computers—which has roughly doubled every two years since the 1960s in accordance with Moore’s Law—is straining to maintain its historic pace. This challenge will only become more acute as more devices connect via the Internet of Things. Handling this coming data deluge securely will require a great leap forward in processing power.
“With a high degree of confidence, we can detect the threat in a matter of minutes and hours rather than in days.”Marco Casassa Mont, Hewlett Packard Labs
To meet this challenge, Labs is currently developing The Machine, a radically new computing architecture that processes data far more quickly and efficiently than traditional computers. The Machine presents an opportunity to build security into the computer’s design. And its raw power gives the security team a chance to find patterns and imagine defense techniques that aren’t possible on today’s computers.
Among its features, The Machine replaces traditional RAM and disk-based storage with vast amounts of fast access, nonvolatile memory that retains data even when the computer is powered off. This design is much more computationally efficient. For example, today’s corporate computer systems can typically analyze about 50,000 DNS events per second and store five minutes’ worth of data, according to Labs research. By contrast, The Machine will be able to process 10 million DNS events per second and store 14 days’ worth of DNS queries.
This quantum performance leap promises to strengthen threat detection and responses, and significantly reduce damage from attacks.
Most computers these days encrypt data “at rest” in storage and data “in transit” to another computer. They don’t typically encrypt data in a third state, when it’s “in use” by a computer, sitting in active memory. Encryption and decryption take more time than is practical for data someone is actively manipulating or analyzing. The performance hit is unacceptable for almost all modern workloads and use cases.
Over the years, hackers have learned how to steal in-use data from memory. For example, the 2013 breach that exposed data from 70 million customer accounts at retailer Target was accomplished via RAM scraping tools that stole data from random-access memory in point-of-sale systems.
The challenge of protecting data in use becomes even more imperative in a computing architecture like that of The Machine, where data is almost always in use. Labs is pursuing several solutions to this problem.
In one technique, Memory Speed Encryption, a unique encryption key protects each part of a computer’s memory. Here again, Labs deploys an execution environment separate from the main computer.
As data is written to a particular node, this separate environment generates a unique cryptographic “seed” that it sends to the node via a secure communications channel. In each node, a memory control unit uses this seed to generate an encryption key.
As a result, the system can encrypt the data as it’s being written. The key is then stored in a separate but associated segment of secure volatile memory, and erased from the control unit.
The Machine’s fast-access nonvolatile memory, coupled with a hardware-based encryption approach, dramatically increases performance, making rapid encryption and decryption of in-use data practical. As a result, if a hacker were able to access the memory—whether by RAM scraping or even by physically stealing the unit on which it’s stored—he would be unable to read the data.
“People have tried doing this before, but nobody has done this at the scale and the speed that we’re trying to do it at,” says Fraser Dickin, a senior researcher at Labs.
Labs is exploring other ways to secure computers, including firewall programming technologies and techniques to ensure the integrity of messaging between system components. These defenses provide security at every level of the stack and promise to keep hackers at bay.
*ArcSight is a trademark that is owned by Micro Focus International PLC or one of its affiliates. All third-party marks are property of their respective owners