One of today’s most widespread cybersecurity principles seems prudent on the surface but has made the enterprise cyber program a bloated, lumbering beast of burden. Defense in depth is simple to intuit; it is as obvious as two heads being better than one. Reality demands, however, that the enterprise optimize. How many layers are too many? Which combination is best? Clearly, finding that sweet spot depends on more than just what mitigates the spectrum of prioritized risks. The following anonymous customer story exposes at least two other major dimensions that matter. These other two are the difference between excellence and mediocrity.
The Customer: a Microcosm of Enterprises with Many Sophisticated Adversaries
Throughout this story, we’ll refer to the customer as Acme. Like many AppGuard customers, anonymity is more than merely preferred.
Acme’s history is like that of many others. Their adversaries have sought what Acme possesses, which has attracted sophisticated actors using above-average attack methods and practices. Their Internet infrastructure and servers had been fairly well secured. Going back over a decade, the vast majority of their cyber incidents traced back to endpoint compromises. The chronic failures caused them to lose faith in traditional host-based endpoint protection, so they added one layer after another...for over a decade. The most relevant layers are cited in this story.
Acme learned more than what tools block what. They learned an even more valuable lesson paraphrased from Miles Davis, a very influential jazz music figure: ‘listen for what to leave out’. Bear in mind, no cyber program has only one ‘instrument’. Also, the threat changes every year. So, each year, the cyber program is a new song.
Fast-forwarding from the beginning to a weaponized PDF attack, we find that Acme has the following layers of protection:
- Next-Gen Antivirus with Machine Learning
- Breach Detection System (BDS)
- Intrusion detection
- Network sandbox
- Application Whitelisting
- Endpoint Detection & Response (EDR)
Target Acme, Weaponized PDF Attack
The adversary in this attack targeted a number of Acme’s employees with spear phishing emails containing a malicious HTTPS link to a compromised web server. All of the employees that clicked on the link did so via Microsoft Outlook. Mozilla Firefox was the default web browser. The compromised website served weaponized PDFs to the employee endpoints. For the most part, the adversary used in-memory tactics. No artifacts ever landed on the endpoints’ hard drives.
The Adversary’s Tactics Aimed for the Weaknesses of Most ‘Detect & React’ Tools
Generally, the endpoint attack lifecycle spans a three dimensional battlespace: file system, in-memory, and in-utility. The last one refers to non-malware attacks using the legitimate utilities already on endpoints to do harmful actions. Most host-based tools are astonishingly limited to the file system. This is why over half of targeted enterprise attacks employ in-memory and non-malware vectors.
The use of an HTTPS link ensured that all communications between the endpoints and the website were encrypted, reducing what network-based tools might analyze.
The BDS Detected Nothing, Despite its Operational Cost
Encrypted communications between the website and the endpoints effectively blinded the intrusion detection component of the BDS. The use of a legitimate website eluded the BDS’s URL/domain blacklists. Proxy configurations were correct, but the sandbox detected nothing because the weaponized PDF was “context-aware”. This means that the malware either behaves differently when it detects a sandbox or simply goes dormant to wait out the sandbox. The vendor did not explain why their sandbox failed. We believe rare events get explained but common ones do not.
During the month of the attack, IT/Sec-Ops personnel had to administer the BDS with maintenance tasks, policy tweaks, and indicator of compromise (IOC) updates. They also had personnel analyzing alerts, checking for and investigating anything suspicious.
The Next-Gen Antivirus with Machine Learning Detected Nothing, Despite its Operational Cost
No file ever landed on the hard drive for this tool to analyze. If it had any means to ‘look’ inside the memory of applications, it was not enabled. Such mechanisms can destabilize applications. You might be interested to know that Google announced changes to Chrome because of this.
This tool’s only contribution during the attack was requiring IT/Sec-Ops personnel to conduct maintenance tasks, policy tweaks, and support model updates as well as have personnel triage, investigate, and react to alerts, including false positives.
The Application Whitelisting Detected Nothing, Despite its Operational Cost
Microsoft Outlook and its many executables were whitelisted, as was the default web browser Mozilla Firefox, which was configured to use Adobe Acrobat, also whitelisted, to render PDFs found by Firefox. No executable landed on the hard drive for the whitelist to snuff out.
Regardless, IT/Sec-Ops had to keep the whitelist updated to adapt to the many different endpoint changes that resulted from application updates, security patches, and more. Worse, IT/Sec-Ops personnel had to investigate many false positives due to an imperfect whitelist and other factors.
Even the EDR Detected Nothing, Despite its Operational Cost
EDR is effectively ‘the towel’ that the enterprise has thrown in regarding host-based endpoint protection. It is intended to ‘detect’ what is not blocked and has become a prominent component of the pervasive and costly ‘detect and react’ posture. It detected nothing of this attack.
Acme was very upset and demanded a response from the vendor. The vendor stated that AppGuard had prevented the changes (the IOCs) that the malware had attempted, eliminating any IOC for their EDR to detect and report.
As with the other tools, the IT/Sec-Ops personnel had performed routine administration on the EDR as well as the required triage and analysis of all EDR alerts. In addition to the obvious observation that the EDR detected nothing of this attack despite its operational workload, Acme inferred that AppGuard reduces their EDR workload. Some other customers see the same, whereas others have ripped out their EDR or never deployed EDR, because of AppGuard.
AppGuard Blocked the Attacks, at No Operational Cost
Microsoft Outlook is ‘guarded’ by default by AppGuard. So, too, are Mozilla Firefox and Adobe Acrobat. However, even if the latter two had not been, given the way AppGuard works, the results would have been the same. In short, whatever process results from running Outlook becomes a ‘guarded’ process, including whatever Acrobat might have spawned, even if it had not been ‘guarded’ per policy.
So when the employees clicked on the malicious links, Outlook spawned Firefox. As Firefox rendered the malicious web page, it found an embedded PDF, which, due to how Firefox was configured, loaded directly into the memory of Acrobat. Acrobat was effectively hijacked by the adversary moments after it processed the weaponized PDF, causing Acrobat to attempt harmful actions, including creating a trigger so the malware would restart whenever the host booted up, as well as other changes. AppGuard blocked them. Following these blocked actions, the attack next spawned a fileless process to carry out the harmful actions. AppGuard does not guess whether a new process spawned by Acrobat or any other legitimate application is ‘good or bad’. Instead, AppGuard blocks any harmful actions by that process. Overall, AppGuard blocked the attacks on all of the targeted employee endpoints.
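The inheritance rule described above, as an added illustrative model (not AppGuard’s code): a process descending from a guarded root inherits guarded status, and a guarded process is denied a fixed class of harmful actions even when its own name appears nowhere in policy. The process tree, action names and the ‘guarded roots’ list are constructed for the example; only Outlook is listed as guarded so that inheritance does the work for Firefox, Acrobat and the spawned child.

```python
"""Illustrative model of inheritance-based process guarding (added example).

Not AppGuard's code. A guarded root passes its status to every descendant,
and a guarded process is denied a fixed set of harmful actions."""
from dataclasses import dataclass
from typing import Optional

GUARDED_ROOTS = {"outlook.exe"}  # assumption: only Outlook listed, to show inheritance

# Illustrative action classes a guarded process may never perform.
HARMFUL_ACTIONS = {"write_registry_run_key", "write_system_dir", "write_startup_folder"}

@dataclass
class Process:
    pid: int
    name: str
    ppid: Optional[int] = None

class GuardModel:
    def __init__(self, processes):
        self.by_pid = {p.pid: p for p in processes}

    def is_guarded(self, pid: int) -> bool:
        # Walk up the parent chain; guarded status is inherited, never dropped.
        p = self.by_pid.get(pid)
        while p is not None:
            if p.name.lower() in GUARDED_ROOTS:
                return True
            p = self.by_pid.get(p.ppid)
        return False

    def decide(self, pid: int, action: str) -> str:
        return "BLOCK" if action in HARMFUL_ACTIONS and self.is_guarded(pid) else "ALLOW"

# Constructed tree mirroring the story: Outlook -> Firefox -> Acrobat -> fileless child.
TREE = [
    Process(200, "outlook.exe"),
    Process(300, "firefox.exe", 200),
    Process(400, "acrobat.exe", 300),
    Process(500, "fileless_child.exe", 400),  # constructed name for the spawned process
    Process(600, "notepad.exe"),              # unrelated process, not under a guarded root
]

def evaluate(tree=TREE) -> dict:
    m = GuardModel(tree)
    return {
        "acrobat_run_key": m.decide(400, "write_registry_run_key"),   # BLOCK
        "child_system_dir": m.decide(500, "write_system_dir"),        # BLOCK
        "acrobat_read_doc": m.decide(400, "read_user_document"),      # ALLOW
        "notepad_run_key": m.decide(600, "write_registry_run_key"),   # ALLOW
    }
```

Note that the unrelated process is allowed the same action that is blocked for Acrobat: the model restricts what guarded lineages may do rather than judging whether a given process is ‘good or bad’.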
No IT/Sec-Ops personnel had to deal with any alerts from AppGuard that month. Generally, AppGuard’s reporting is historical in nature, providing a record of what was blocked. Further, no IT/Sec-Ops personnel had to do any kind of maintenance, administration, or policy tweaking to anything pertaining to AppGuard during the month of that attack. Again, AppGuard typically runs for months to years autonomously. This illustrates why Acme and others regard AppGuard as close to ‘set and forget’ as one can hope to see in a real, ever-changing enterprise landscape.
Maximizing Protection is Great; Doing ‘More with Less’ is Far Better
Of all the different layers of protection, only AppGuard made a tangible contribution to Acme’s defense against this sophisticated weaponized PDF attack. Of all these layers, only AppGuard did NOT require administration, maintenance, policy or signature updates, or anything else. Of all these layers, only AppGuard did not require hard-to-find, highly paid specialists to sift through alerts and react to them.
Eventually, without AppGuard, Acme’s many layers would have detected and reacted to this attack. Many sophisticated organizations do so every week. But the labor cost of each [other] tool is great. The labor cost of failure is great. The labor cost of cyber hygiene is great. And, the labor cost of executing multiple layers that generate organizational entropy is not just great but it’s extremely difficult to quantify. These many ‘detect and react’ layers represent a huge tax to the enterprise. How might that tax be otherwise spent; how might those personnel be better utilized? Clearly, doing ‘more with less’ is far better than ‘security at any cost’.
We are NOT asserting that AppGuard poses no IT/Sec-Ops costs ever. We ARE saying that they are radically less than alternatives. The IT/Sec-Ops comparisons are for that month of the attack. Acme did not share any labor hours actuals with us, only qualitative observations. This is not unusual. Very few organizations systematically track their cyber program via a labor breakdown structure (LBS) to quantify the actuals of their different layers as well as to find correlations among different elements (i.e., cause and effect). Sadly, doing so might be the single most important process an enterprise might add to its cyber program to achieve meaningful transformations.
The ultimate value proposition of AppGuard is not simply that it blocks all forms of malware attacks at the endpoint. It’s that AppGuard enables the enterprise to ‘listen for what to leave out’ and to avoid chasing those ‘shiny objects’ vendors claim will end world hunger. By blocking malware attacks at the endpoint in real time without assistance from IT/Sec-Ops personnel, the ‘reactive’ can become ‘proactive’; the ‘impossible’ can become ‘practical’.
What Did Acme Choose to ‘Leave Out’ after the Attack?
Acme shares information with us on a ‘need to know’ basis. They still have EDR because of a mandate for ‘monitoring’. We have inferred that their other choices mirror other AppGuard customers that have phased out their BDS, replaced their machine learning antivirus with a generic one (regulatory mandates for scanning periodically), and burned their application whitelisting software license before it expired.