Could Virtualization & HVI Prevent Breaches, Including the Recent DNC Hack? Yes.
The DNC hacking analysis by CrowdStrike reports that two different sophisticated attacks were found to be at play in their network – APT28/APT29 (also known by the ‘friendly’ names of ‘CozyBear’ and ‘FancyBear’).
No matter how intelligent, sophisticated or advanced an attack may be, it still needs a way to get in – an intrusion method. It is via this entry point that an attacker can subsequently drop and execute malicious code on the target systems. There are actually only a handful of reliable methods attackers can use, the most common of which are:
- Spearphishing – An attacker crafts emails to victims on the target network that appear to come from a trusted source, with the hope that the user opens a malicious attachment, or clicks a malicious link. In some cases to make this ‘more realistic’, the attacker may well register similar domains to a trusted one, giving even more credibility to the format of the inbound email.
- Infected webpages – Sometimes used in combination with spearphising, if an attacker has found a zero-day vulnerability in a web browser or browser plugin (such as Adobe Flash), then they may compromise websites known to be visited by their target victims (e.g. a malicious banner advertisement). When the victim next visits this page, the malicious code exploits the vulnerability and runs its malware payload without the user realizing.
Once an attacker has made successful use of an intrusion method, they are then free to progress to the second stage of the attack – downloading further malicious tools – in this case, with the goal of exfiltration data from the target systems.
At this second stage, the tools and approaches used by different attacks will vary a lot, in an attempt to make it extremely difficult to detect, or in fact block. In some cases, the malicious code is assembled from multiple remote sources, then combined to make the final ‘weaponized’ payload.
Could virtualization have helped defend against these attacks?
Security software in the market today generally focuses on detecting and stopping the second stage of such an attack, looking for traces of malware presence and activity. The problem, however, is that because attackers can use lots of different tools, each which behave very differently – identifying common characteristics of such attacks is difficult.
In particular, APT28/APT29 are known to be highly configurable, and also sophisticated enough to adapt depending on the target environment – to a Security Ops team, this can be the equivalent of looking for a needle in a haystack.
So, might it be better to focus on blocking the first stage of the attack?
Unequivocally, yes! This becomes possible because Citrix has something that sits beneath the operating system (in the VM) and securely governs how the hardware can be used. This opens the door to some very interesting technologies that can help bolster the security posture.
Specifically, with the introduction of XenServer 7, Citrix introduced the ‘Direct Inspect APIs’ – a set of APIs to allow security vendors to securely protect each VMs virtual memory.
Using these APIs, Bitdefender have built a solution (currently in tech preview) called ‘HVI’ (HyperVisor Introspection) which is specifically designed to combat advanced attacks such as APT28/APT29 – and it does this by protecting the VM from stage 1 of such attacks.
How does it work?
When the user (inevitably!) clicks on the malicious attachment, or visits the malicious web page, a series of things will happen.
Let’s look at the malicious web page example.
When the user visits the web page, the browser will load the malicious Adobe Flash plugin (perhaps a banner advertisement that the user doesn’t even notice). This banner advertisement will have been crafted to interact with Adobe Flash in a way that causes the flash application to inadvertently execute something the attacker wants it to execute.
Generally there are a handful of techniques that could be used, but all of them rely on manipulating memory in a way it was not planned to do so – whether that be writing to parts of memory that shouldn’t be allowed, or executing parts of memory that were never intended.
If the target (exposed) system has HVI protecting the virtual machines, because it is using the XenServer Direct Inspect APIs, it is able to enforce how memory inside the guest should be used and can therefore detect when an attempt is made to execute something that shouldn’t be allowed.
When this happens, it can stop the application in question and report the administrator of the attack, providing some initial forensic detail around which actions the malware was intending to perform.
In the case of the DNC, this countermeasure would have stopped the APT attack in its tracks, before it had ever landed on the DNC’s systems. Not only that, it would have also alerted them of the presence of an attacker attempting to target their employees.
Check here for more information on the Citrix XenServer & Bitdefender HVI announcement.