How to mitigate 85% of threats with only four strategies

https://securelist.com/blog/software/69887/how-to-mitigate-85-of-threats-with-only-four-strategies/

 

My strategy:

1 Use white-listing (anti-executable)
2 Use a HIPS (behavior blocker)
3 Use a firewall
4 Use a sandbox (isolation)
5 Use anti-exploit
6 Use your brain (be paranoid)

 

I agree with the four basic strategies but you don't even have to use specialized solutions from Kaspersky Lab tech...

1. Employ exploit mitigation features for both OS and apps
- DEP/ASLR are available in Windows Vista and above
- EMET

2. Keep them patched (because exploit mitigation is not replacement for fixing vulnerabilities)
- Windows Update (or use portable offline update tools available)
- Secunia PSI, SUMo, Ninite, etc etc

3. Adopt principle of least privilege
- account with reduced rights (do not disable UAC on Windows)
- browser with it's own native sandbox

4. Application Whitelisting
- SRP/Applocker
- Bouncer, Software Policy, NVT ERP, etc

 

Interesting that they ranked Application white-listing as Rank 1, while HIDS/HIPS as Rank 8.

Where does the other 15% come from if 85% is mitigated by these protocols?

 

And signature based AVs came dead last, #30 on the list. Whitelisting both software and domains and limiting privilege are much more effective. It is much better to use what the OS has to offer first.

 

I find that being careful about what executables you launch, and keeping up with Windows Updates, is all you need to keep you cour computer malware free, about 99.9% of the time.

 

Well agree to that, would running vulnarable aps using windows build-in virtualisation help? IE does enables this by default, but runasinvoker could also pose a risk. Ideas?

 

I like the top four strategies, as well as the #5 strategy. I'm still rather selective about the patches available for Windows O/S, but I always make sure to apply the critical ones.

 

I like how the chart shows the Ranking comparison of 2014 and 2012 to see what has changed for effective strategies and what has not changed. The Top 4 have remained the same. Operating system generic exploit mitigation (DEP, ASLR, EMET, etc.) has gone up significantly from 21st to 7th. There's a lot of interesting strategies in there and I would say that this chart is quite valuable information for anybody new and interested in computer security.

 

Kaspersky merchandising, no more, no less. dropped that nonsense.

reducing users rights on windows system will catch nearly same amount of attack. now 85% of 15% is how much?

dont forget some alu helmets.

 

As far as I know intrusion based on exploits always uses the following elements (in

a) rich content (script) running in browser/pdfreader/flashplayer/office app.
b) exploit changes flow of events/program logic
c) run arbitrary code in memory
e) shell access/run script
d) pull-in/drop additional arbitrary code
f) elevation/survive reboot

Without anti-exploit software there a dozen counter measures you can implement.
1. maximize OS-features (set DEP to permanent, SEHOP for all programs, use only ASLR enabled software)
2. disable risk-ware like remote access/assistance/sharing by disabling services and using registry tweaks
3. use ACL (deny execute) for internet/mail/media folders (the obvious landing/drive by folders)
4. disable plug-ins/add-ons/macro's in office software
5. crank up internet zone security (so outlook and media player which use internet zone are hardened) and don't use IE
6. use Chrome with build in sandbox (no exploit in the wild for years) and build in flash/pdf reader
7. use PDF reader which does not facilitate javascript etc.
8. use Permission to lock user autoruns in registry/startup/tasks
9. run as limited user
10. use the 1806 block download of executables/block execution of programs downloaded from the internet
11. install freebie to enforce default deny in user space (bouncer/securefolders/simple SRP)
12. Add a script blocker to your browser

 

1 I prefer third party apps like MBAE and HMPA, because they are faster, more user friendly, and can stop more attacks than EMET.
2 Patching is important, but you can stay safe even without it, if you use HIPS and practice safe HEX.
3 It's also not really needed, if you know what you're doing (HIPS/sandboxing), UAC is too annoying.

 

We had that conversation at large. A HIPS or Sandbox complicates the chain of events of an intrusion (it provides more thresholds), which might stop the attack, but when the foundation (OS) is exploited those extra walls/thresholds (HIPS or Sandbox) might as well go down also.

 

Correct, I can't really argue with that, everyone should patch their system. I just wanted to point out that in theory, security tools can still keep you safe, especially when the OS itself is not attacked, which is the case most of the time. So with HIPS/sandboxing/anti-exploit it's easy to protect vulnerable apps. I didn't even patch my old Win XP for the last 4 years, mainly because I was afraid it would break stuff, like my security tools.

 

you forgot one to mention - security apps can only protect something they are aware of. why should they still fix a png or jpg flaw which is handled by system? or dns flaw on port 53? many software rely on system routines. its all about patches and i totally disagree with your opinion.

 

@ Brummelchen

I must admit, I didn't really understand the examples that you gave. What I'm saying is that security tools can protect against hackers who try to exploit application flaws. They can not (or not often) protect against OS bugs. So a hacker might try to exploit some bug in the OS, in order to break out of a sandbox or to bypass a HIPS for example. But I don't believe this happens very often.

 

you should believe in a church - the png flaw was used pretty often. not sure, if 3rd-party software contain that flaw too, but windows was pretty vulnerable to it and lot of user are using internet explorer, paint or windows viewer. some programs rely on components which are also used by internet explorer - in general the whole windows system is based on its engine.

ok, the png vulnerability seems to have a new height
https://technet.microsoft.com/en-us/library/security/ms15-024.aspx
http://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html

several serious issues ins the past
http://www.pcworld.com/article/2041...ities-and-actively-exploited-office-flaw.html

judge yourself if your security would have covered all - i wont bet on that...

cheers

 

Png flaw was based on a bug in the meta data of the picture format PNG. Meta data describes and contains information of the picture (e.g. size). In a lot of file formats some code is allowed in meta data section. All this behind the scene processing of code (e.g. javascript in a PDF) or rich content is done for ease of use or facilitate central/remote management or digital rights/IP management.

Where there is code there is an opportunity to exploit code (even as little as the meta data section in a file header). You can enjoy rich content or use third party software which excludes these features (e.g. flash or javascript), like SumatraPDF or the safest browser in the world (not Chrome)

When one does not uses IE, set the internet security settings in the control panel to maximum for all internet zones. With this easy tweak one also hardens Windows Media Player and Outlook for example.

 

I'm sorry, but I did not see anything that could bypass security tools like sandboxes and HIPS. The thing that I was talking about is advanced exploits like the ones developed by Bromium, who try to break out of the sandbox. The question is, how many exploit writers are willing to spend time on writing these advanced exploits.

 

Whitelisting does seem the way to go. Are there any good FREE programs that employ whitelisting?

 

SecureAplus (freemium first year),
VoodooShield (freeware with weekly remind screen)
No Virus Thanks ERP (next version donationware, now in Beta)

NVT-ERP in combination with SecureFolders (also for MSI's and DLL's etc) is a strong and easy combo, see below:

NVT-ERP
Whitelist system processes and your trusted publishers from signed exe's, remove other (non-used publishers) and allow unsigned based on hash will provide a maintenance free whitelist layer. You set it on ask user/alert when you have first installed it, after some time you can lock it because trusted publishers are allowed to update.

SecureFolders
No execution of AppData and Users folders (plus all other data partitions) is an easy to maintain default deny for users folders. When updating trusted programs, just disable SecureFolders protection temporarely.

Add MBAE-free to the mix and you have a pretty solid easy to use defense

 

Oh wow, when did that become free? What is the reminder screen?

 

Here's my 4 ways:

1. Emsisoft Anti-Malware - Behavior blocker plus web shield by blacklisting.
2. Eset Smart Security - Firewall w/IDS and IPS, HIPS w/custom registry and MBR and host file access rules, exploit protection, web shield w/ active browser scanning and custom IP blocking list
3. EMET - with custom app rules plus certificate pinning enabled
4. Use your brain ....................

 

How do you protect MBR with ESS HIPS rules?