Abatis HDF and Control Management Console Providing Proactive & Efficient Protection from Advanced Cyber Threats


Zero Day Malware attacks - Introduction

The aim of the attack is to covertly set up a Command & Control (C&C) channel and then to exfiltrate data out of the target system(s) over a period of time. This is normally achieved by the user opening an email attachment or visiting a website that is able to deposit a malware payload (a so-called drive-by website). To evade detection, the malware needs to be previously unknown.

Methodology

1. The attacker performs some kind of reconnaissance to gain an understanding of the organisation.

2. The target (user) is tricked into opening an attachment which contains the payload malware.

3. The malware remains dormant until some point in time when it communicates through the C&C channel to the attacker.

4. The malware also traverses the target network to infect other machines.

5. Data can exfiltrate out of the network under the C&C channel.

Countermeasure techniques

Network level

Network appliances that inspect every port entering the network. They can drill down into every file, inspecting attachments for embedded code, e.g. an attached PowerPoint slide in PDF format where the PowerPoint contains JavaScript.

These appliances are expensive. They need to be updated with cyber-security feeds because they rely on some form of white/grey/black listing. They require IT security staff to set the security policy, and the professional services needed to implement them are expensive.

End user level

Traditional anti-virus is a good example of end user level security: an established and accepted method. It needs client software running on the end point, is low cost and easy to deploy, but needs constant signature updating.

Host integrity technology

A technique for keeping an end user client in compliance with the organisation's security policy. It needs client software running on the end point, and is low cost and easy to deploy.

Introduction – Abatis HDF

Abatis HDF is a unique and time-proven effective security tool to help enforce computer and file integrity on Microsoft Windows platforms from Windows 2000 to the latest Windows 7 versions (32 and 64 bit).

Abatis HDF is deployed on all end point workstations and servers and is managed by a Central Management Console, CMC, which enforces corporate security policy and provides detailed analysis and audit information. The Abatis HDF features provide advantages to the organisation such as:

• Defeats zero-day malware, rootkits, Trojans, APTs and viruses/worms

• Protects legacy and new operating systems from Windows NT4 to Windows 7

• Small software footprint that requires no ongoing updates

• Extremely fast in operation

• Prevents exploitation of Alternate Data Streams (ADS)

• Prevents exploitation by CryptoLocker ransomware

• Protects all permanent storage on the device, thereby ensuring no threats can penetrate

• Non-signature-based software protection for Windows and Linux

• Provides anti-malware and anti-hacker protection

This is how Abatis HDF helps users!

The situation

• Hacking is now the biggest value crime in the world. No one is safe – targets are individuals, corporates and governments

• Traditional anti-virus is no longer effective protection; it does not work for zero-day APT attacks.

How Abatis HDF helps users

• Abatis stops 99% of all viruses (according to Symantec 2010 report)

• Very small footprint, imperceptible performance loss, ideal for low power & smartphones

• No more patches on legacy systems and no AV available for SCADA systems

• Abatis can support NT4 through to Win7 and is deterministic – perfect for SCADA

• True/near-forensic logging and CMC make management simple and cost effective

• Potential performance gains, battery life enhancement and data centre energy savings (GREEN AGENDA)

• The only APT Hunter-Killer on the market?

Abatis Hard Disk Firewall

HDF is a kernel level filter driver of less than 100 KB

Prevents malware from becoming persistent on a Windows or Linux device

Blocks the writing of binary executable files to permanent storage

Policy driven so can be configured to allow or block any file type

Granular policy allows safe, automatic updating of selected files as required

Log files stored locally in delimited or syslog form for transfer to SIEM/CMC

HDF is a proactive, non-signature based technology to help enforce system and file integrity protection. By definition, there can be no malware infection or hacking compromise when system integrity is robustly maintained. It is useful to note HDF is not a conventional anti-virus program but a robust technical tool to help system administrators maintain system integrity without complex management overheads.

A Patented technology

Abatis – Technical Features

The following is a list of HDF's unique technical features:

• Integrates seamlessly into the operating system as a kernel module. Microsoft-documented implementation, with no backdoor and no rootkit approach.

• Resists attempts to shut down its operation, e.g. by hostile malware or user mistakes.

• Small application footprint (30 KBytes for Standard, 60 KBytes for Advanced), no system performance degradation.

• Identifies and blocks executable files with a generic approach, without signature-based pattern matching.

• Operates autonomously, irrespective of the system privileges of the logged-on user and system processes.

• Totally transparent to users and applications. No user interaction, and all applications run as normal without modification.

• Supports local and networked drives, plug-and-play mounted devices and removable storage devices, e.g. USB drives.

• Audit logs HDF operations, e.g. blocking or non-blocking actions are logged for audit trail purposes.

• Compatible with antivirus programs, personal firewalls and file encryption tools.

• No day-to-day user maintenance and reliable operation.

HDF has three modes of operation:

• Normal (or Protect) – unwanted executables are blocked from being written to the disk

• Learn – records the unwanted executables that would have been blocked if HDF had been in Protect mode

• Audit – records all write I/O activity

Abatis HDF's main security features (1)

Control of a system's write I/O: detects and stops all unauthorised software executables from being stored on a protected computer (while not affecting existing applications' ability to run).

A proactive security solution to:

• Block zero-day, unknown and known malware binaries such as keyloggers, Trojans and spyware persisting on the system

• Block rootkits – kernel and user mode variants

• Defeat zero-day and targeted APT attacks

• Protect against drive-by attacks and hacking

Abatis HDF's main security features (2)

• Blocks unauthorised system and file modification

• Prevents web defacement attacks (Advanced version only)

• Protects any files defined by the user from unauthorised modification

• Prevents protected files from being overwritten

The HDF application is resilient against hostile attacks on:

• the HDF kernel binary, e.g. HDF.sys

• unauthorised shutdown and attempts to disable it

• HDF start-up and configuration settings maintained in the Windows Registry (Advanced version only)

Abatis HDF's main security features (3)

Maintains system integrity and operational efficiency:

• Removes the urgency for system security patches, e.g. Microsoft critical patches, reducing vulnerability windows during patch testing time (in environments where software patching is a governance requirement)

• Functions transparently to applications and the user – no user interaction

• No perceptible performance degradation

• Reduces system downtime otherwise caused by patching and virus cleaning

• Stops the installation of unwanted or illegal/unapproved software

• Protects against accidental and malicious virus/malware insertion

Abatis video demonstrations

SDBOT with Abatis HDF turned off – 4 mins
https://www.youtube.com/watch?v=b391BcO4w1Y

SDBOT with Abatis HDF turned on – 4 mins
https://www.youtube.com/watch?v=Lu6iuYubHmQ

CryptoLocker defeated by Abatis HDF – 7 mins
https://www.youtube.com/watch?v=MX3e2wc63as

Alternative Data Stream file injection – 7 mins
https://www.youtube.com/watch?v=PKGdXHc4yLA

UPX open source packer – 6 mins
https://www.youtube.com/watch?v=g0RmclTe7Lo

The videos above show conclusively how Abatis HDF prevents any program that is not in the security policy, examplefile.exe for instance, from executing. It is effectively blocked and recorded in the log file for remediation.

Software Distribution/System Patching

Central software deployment

HDF is delivered in a standard Microsoft Installation Package (msi file) and supports silent unattended install. It fully supports Windows Installer and other software distribution tools such as Microsoft's SMS, IBM's Tivoli Configuration Manager, Symantec's On iCommand/LiveState etc.

• Distribute by Microsoft Active Directory

• Deployment via Central Management Console (CMC)

• HDF can also be deployed in components to support customised and in-house software distribution processes.

Software/System patching

HDF supports automated software and system patching. HDF blocking can be controlled by:

• Command line tool used by scripts or batch files

• Static and runtime policy rules (based on process name, target path and filename and/or system/user accounts)

• CMC browser interface

• API library
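As an added illustration (my own code, not Abatis's), the following models the three HDF modes described earlier (Protect, Learn, Audit) together with the process/path/user policy rules listed above, deciding each write by the file's header rather than its extension and emitting a delimited log record of the kind handed to a SIEM or the CMC. The policy, the write events and the log layout are constructed assumptions, not HDF's real format.

```python
from fnmatch import fnmatchcase

# Executable detection by file header (MZ for Windows PE, ELF for Linux) rather
# than by extension, so the check is generic and needs no signature database.
EXEC_MAGICS = (b"MZ", b"\x7fELF")

# Constructed policy (assumption): each rule is a set of globs that must all
# match for an executable write to be allowed; here only a packaged installer
# may write executables under Program Files.
POLICY = [{"process": "msiexec.exe", "path": "c:\\program files\\*"}]

# Constructed write-I/O events as a filter driver would see them.
DROPPER = {"user": "alice", "process": "winword.exe",
           "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.tmp",
           "head": b"MZ\x90\x00\x03"}          # PE payload under a harmless name
INSTALLER = {"user": "SYSTEM", "process": "msiexec.exe",
             "path": "C:\\Program Files\\App\\app.exe", "head": b"MZ\x90\x00\x03"}
DOCUMENT = {"user": "alice", "process": "winword.exe",
            "path": "C:\\Users\\alice\\report.docx", "head": b"PK\x03\x04"}

def is_executable(head: bytes) -> bool:
    return head.startswith(EXEC_MAGICS)

def allowed_by_policy(event: dict, policy: list) -> bool:
    """A rule matches when every field it names matches the event (case-insensitive glob)."""
    return any(all(fnmatchcase(event[k].lower(), v.lower()) for k, v in rule.items())
               for rule in policy)

def filter_write(event: dict, policy: list, mode: str) -> tuple:
    """Decide one write in protect/learn/audit mode; return (decision, log line).
    Protect blocks unauthorised executables, Learn only records what Protect would
    have blocked, Audit records every write.  Executable writes are always logged
    (blocking and non-blocking actions alike); plain data writes only in Audit mode."""
    exe = is_executable(event["head"])
    unwanted = exe and not allowed_by_policy(event, policy)
    if mode == "protect":
        decision = "BLOCK" if unwanted else "ALLOW"
    elif mode == "learn":
        decision = "WOULD_BLOCK" if unwanted else "ALLOW"
    elif mode == "audit":
        decision = "AUDIT"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if not exe and mode != "audit":
        return decision, ""
    # Delimited record of the kind the page says is handed to a SIEM or the CMC.
    log = "|".join([mode, decision, event["user"], event["process"],
                    event["path"], "exe" if exe else "data"])
    return decision, log
```

Running filter_write(DROPPER, POLICY, "protect") blocks the renamed PE dropped by the document viewer, while the same event in "learn" mode is only recorded, which is how a policy can be built up before enforcement.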

Legacy Windows™ Systems – End of Support Period

Windows Version          | Mainstream Support Ends | Extended Support Ends | Market Share %
Windows NT4              | Ended 2001              | Ended 2004            | 0.05
Windows 2000             | Ended 2005              | Ended 2010            | 0.06
Windows XP               | Ended 2009              | Ends April 2014       | 39.51
Windows XP Embedded      | Ended 2011              | Ends January 2016     | Included above
Windows Vista            | Ended 2012              | Ends April 2017       | 5.24
Windows 7                | Ends January 2015       | Ends January 2020     | 44.48 **
Windows 2003 Server      | Ended 2010              | Ends July 2015        | 47.9 *
Windows 2008 Web Server  | Ended July 2013         | Ends January 2020     | Included above
Windows 2008 Server      | Ends January 2015       | Ends July 2018        | Included above

Abatis protects all of these legacy and obsolete operating systems

Microsoft has over 80% of the desktop operating system market and nearly half of the server market, yet around 40% of both are running obsolete/unsupported operating systems.

Abatis CMC

Central Management Console that provides facilities to:

• Install HDF on an estate

• Retrieve and analyse logs

• Push policy updates to HDF individually, in groups or globally as required

Web based application providing a SIEM-like dashboard

Simple, clean, easy to use, SQL database back end

Search for identified ‘rogue’ files such as blocked APT updates

Experience shows ‘clean-up’ of an infection reduced from 3 days to 2 hours

The HDF Central Management Console is a tool specifically designed to monitor all HDF-protected computers for real-time HDF logging, status of HDF clients, security trends and security alarms, and to interrogate the HDF operating parameters as well as system and hardware information. Through the CMC, an IT administrator can send runtime commands to the HDF clients, such as turning protect mode on/off, setting the allowed processes, etc.

Central Management Console (CMC)

Cost Benefits in deploying Abatis HDF

• Saves money by reducing/eliminating the incidence of malware infection and associated fix/clean-up costs

• Low cost, virtually fit-and-forget solution (in certain environments) and, importantly, does not require expensive updates and maintenance contracts

• Mitigates the risk of losing sensitive data that could attract major fines from the ICO and/or regulators

• Prevents the loss of business through downtime of IT systems

• Single software product can be rolled out across the estate from servers to desktops to routers to SCADA, which dramatically reduces operational overhead costs

• Potential performance enhancement, savings through reduced power consumption and battery life improvement – improved GREEN credentials

In today's businesses IT costs are constantly being driven down, and cyber security, even though it is seen as a major requirement, is still subject to severe cost scrutiny. This is more so for the often hidden operational and maintenance costs of many cyber security solutions.

Technical Benefits in deploying Abatis HDF

Single software product can be rolled-out across the estate from Windows and Linux servers to desktops to routers which prevents malware and APT attacks and dramatically improves security.

• Improves management oversight and control of the estate (including enforcing the security policy)

• Can be installed alongside existing security controls – does not 'fight' with existing known AV, IPS, etc.

• Provides protection for mis-configured and incorrectly patched systems

• Provides protection for legacy equipment for which patches and AV may no longer be available

• Near zero performance hit (potential improvement….)

• Provides some IP theft protection and good control over external devices such as USB, DVD, etc.

• A credible technical defence for real-time and safety-critical systems and SCADA environments

• Small, efficient code allows possibility of use in mobile platforms, low power devices and the Internet of Things (incl. Smart Meters)

In today's cyber threat environments, it is essential that a product or system will actually prevent and withstand an attack from these varying threat vectors, does not impede users in their work, and does what it says on the "Tin".

Abatis Technology Roadmap

Available now

• Windows HDF Standard

• Windows HDF Advanced

Both available in 32-bit and 64-bit versions, covering NT4 to Win 7, incl. server and embedded

• Linux (Red Hat)

• Central Management Console (CMC)

Future products

• Smart-phones and tablets: Android, Windows Phone, Kindle?

• Further IP protection, formal evaluation/certification and ease of use product improvements

• Automatic policy generation, device discovery and AV invocation to clean up existing APTs

• Evaluation under CESG CPA Scheme

• Certification on various SCADA manufacturers' equipment

• Establish community of interest (COI) for policy generation and standardisation

Overall Summary

• Traditional anti-virus is no longer effective protection

• Hacking now biggest value crime in the world

• No one is safe – targets are individuals, corporates and governments

• 4.2 billion people have a toothbrush: 5.1 billion have a mobile phone; 4 billion smartphones with no effective anti virus

• Abatis stops 99% of all viruses (according to Symantec 2010 report)

• Very small footprint, imperceptible performance loss, ideal for low power & smartphones

• No more patches on legacy systems and no AV available for SCADA systems

• Abatis can support NT4 through to Win7 and is deterministic – perfect for SCADA

• True/near-forensic logging and CMC make management simple and cost effective

• Potential performance gains, battery life enhancement and data centre energy savings (GREEN AGENDA)

• The only APT Hunter-Killer on the market?

Simple & proven
Efficient & economical
Performance enhancing
Minuscule footprint

HighQuest Solutions Ltd
145-147 St. John Street
London
EC1V 4PW

Tel: +44 (0) 207 078 4332
www.highquestsolutions.com

Ian Wells – Director