One Exploit Should Not Ruin Your Day

Now that the media excitement of the aftermath of Operation Aurora has calmed down and we are all soothing ourselves to sleep by the sound of promptly applying Windows Updates, it is a good time to take a look back and try and figure out what the changing threat landscape means for real-world information security (besides Selling! More! Security! Products!) and what lessons can be learned from it.

First off, the threat landscape has not changed at all, only the perception of it.  If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years.  Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector.  What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack.  And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.

For the last decade of the information security industry, almost all of the products and solutions have been designed to stop casual opportunistic attackers and mass Internet-scale attacks.  Moreover, these products are absolutely worthless in protecting you from an Aurora-style attack.  Your software vendor doesn’t have a patch for the vulnerability, your anti-virus and/or network intrusion prevention systems don’t have signatures for the exploit or agent it installs, and the 3rd-party software that your business needs to run prevents you from upgrading your desktops to the latest and greatest operating system and/or browser with the most complete exploit mitigations due to a lack of compatibility.  How many of these large security product vendors employ even one full-time person to play the role of a dedicated attacker attempting to bypass or defeat their defensive systems?  Or have even hired one attack-oriented consultant on a contract for an independent assessment of the efficacy of their product or solution?  Don’t let the same product vendors who failed to protect the victims of Operation Aurora turn right around and sell you those same products as a solution to “the APT threat.”

Second, Operation Aurora has no bearing on the vulnerability disclosure debate.  This particular vulnerability was apparently reported to Microsoft in August and scheduled to be patched in February.  Some are arguing that had this vulnerability been reported via full-disclosure to everyone all at once, it would not have been used in these attacks.  They are right.  The reality, however, is that another vulnerability would have been used instead.  These attacks show that the vulnerability disclosure debate and responsible disclosure process is simply a distraction that prevents us from actually improving security.  Remember, a vulnerability never owned anyone — an exploit did.  I am not arguing that vulnerabilities should not be fixed, simply that it is impossible to find and fix every security vulnerability so we should not let that obsession monopolize our efforts and prevent us from implementing more secure application and network designs.

Finally, the larger problem is that it only took one exploit to compromise these organizations.  One exploit should never ruin your day.  Isn’t that why we build DMZ networks with firewalls in front and behind them?  The point of doing that is so that it requires more than one server-side exploit to get into your organization.  Thanks to rich Internet client applications, it now only requires one client-side exploit to get into your organization.  Ideally, it should require around three or four: a remote code execution exploit, a sandbox escape or integrity level escalation exploit, and finally a local privilege escalation exploit in order to be able to install and hide a remote access backdoor on the system.  Also, workstations that receive e-mail and instant messages from strangers, visit random web sites, and download/install whatever software from the Internet should probably not be on the same network as something like your lawful intercept system.

Take this time to review which exploit mitigations such as DEP and ASLR are enabled in your web browser based on your operating system, browser release, and web plugins.  Take ‘/NoExecute=AlwaysOn’ for a spin in your boot.ini and see what (if anything) breaks.  Use this opportunity to get buy-in for placing users’ Internet-enabled workstations onto DMZ-like subnets where you can closely monitor data going in and out.  Give developers remote desktop access to VMs on a separate development network for working on your products (they will be happy as long as you give the VMs more RAM than their workstations so their builds are quicker).  Give everyone access to an external Wi-Fi network to use with their personal Internet-enabled devices.  Get started implementing some internal network segmentation.  Never let a good crisis go to waste.


  1. daniel palacio says:

    Nice to see someone who does not recommend patching as a solution. Truth is patching in this case is useless, the bug is no longer a 0day which means this kind of attacker won’t use it again, they will just use another 0day. So even if you don’t patch, upgrading to IE 8 will actually improve your security, patching won’t.
    One issue though, what to do with Adobe Reader ? With browser’s you’ve got pretty good options as far as defense in depth goes, but is there a PDF reader out there that has a sandbox ?

  2. Hey,

    Lovely article. Though I didn’t understand “Give everyone access to an external Wi-Fi network to use with their personal Internet-enabled devices.”

    Won’t this lead to breach of policy violations on the corporate network??

    • The idea is that you should create a wireless network that is completely separate from the corporate network, even so far as making its outbound link a residential cable modem or DSL connection. This external-Internet only network is good for vendors and sales people who need Internet access to demo products, etc. Employees may be given access to it as well for their smart phones, tablets, and so on. The idea is to keep all mobile (and especially devices not managed by IT) devices off the internal network with no exceptions. Giving more freedom on this network allows IT to apply more stringent controls on the corporate network.

  3. Dominique Brezinski says:

    Great post Dino, and right on with your suggestions. Having actually been on the security engineering team of a large corporation that contemplated these exact targeted, persistent threats back in 2003, many of our remediation techniques are very similar to what you mention. Though we worked to improve the timeliness of our patch cycle, patching was never the primary remediation. We focused on things that would work to reduce the scope of compromise assuming that user’s workstations, and their common authentication credentials, were getting compromised. If you don’t operate under that assumption, your entire security program is an utter failure and wasted money. The only thing Aurora has done is shown that you and I (and our like-minded security brethren) no longer need to really argue that point with everyone else.

  4. Hey Dino,

    Great article.

    Indeed, working with Israeli banks I’ve noticed that their approach to infosec is quite different than what we see on most places. Over there, instead of having users browsing from their business desktops, those allowed to browse the Internet had a secondary CPU, connected to an separate internal network that is connected to the Internet. by doing that, the banks limit the consequences of client side exploits.

    While this approach can be too costly to be widely used by larger organisations, virtualisation and other technologies can present an alternative approach.

    ironically, all of this remind me of an old article about moving to a compartmentalised network, where instead of firewalls, segregation would be conducted by dual home application servers dedicated to certain functions.

  5. Hi Dino,
    Thanks for sharing your knowledge. I have a question about the whole Aurora affair. In your post you focus on the *purely* technical tactics while only mentioning once “targeted social engineering”, from what I’ve read it seems that Google China HQ was physically infiltrated and my modest understanding is that attacker gaining physical access means game over for the defense.
    After the Twitter crack due to bad user policy it seems to me that all the secure designs of the world won’t solve the apparent and general lack of security awareness.
    I understand that (if not in practice at least in theory) we can code applications, design networks that can minimize social engineering casualties but I’m curious about your analysis on the Google China part of the Aurora Attack.

    • Hi Jaime,

      I focused on the technical tactics because those were the aspects of the attack that have been widely publicized. Until other aspects of the attack are made public (hopefully some more light is shed on this eventually), it is difficult to infer what steps firms can reasonably take to protect themselves from similar attacks. A holistic view of security including technological as well as operational measures is surely key to success.


  6. Anton is great🙂

    I wish you would have discussed the details of the ie 7 or 8 flaw in more detail, since i already looked over the code for 6(blah)…. I am just curious what the flaw was there. Maybe you can post it anonymously on milw0rm for me🙂

    Good article, and i like the idea for wireless

    • The exploit for IE7/IE8 is very similar, it just required a few tricks to deterministically trigger the vulnerability, properly craft the replacement heap block, and reliably replace the freed object. I will be releasing more details on it but not for another month or so while I am keeping it under my self-imposed embargo.

  7. “How many of these large security product vendors employ even one full-time person to play the role of a dedicated attacker attempting to bypass or defeat their defensive systems?”

    … and how many companies even listen to that one full-time person after they hire them?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: