How to mitigate 85% of threats with only four strategies

Discussion in 'other anti-malware software' started by Minimalist, May 12, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    333
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    My strategy:

    1 Use white-listing (anti-executable)
    2 Use a HIPS (behavior blocker)
    3 Use a firewall
    4 Use a sandbox (isolation)
    5 Use anti-exploit
    6 Use your brain (be paranoid)
     
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    I agree with the four basic strategies but you don't even have to use specialized solutions from Kaspersky Lab tech...

    1. Employ exploit mitigation features for both OS and apps
    - DEP/ASLR are available in Windows Vista and above
    - EMET

    2. Keep them patched (because exploit mitigation is not a replacement for fixing vulnerabilities)
    - Windows Update (or use portable offline update tools available)
    - Secunia PSI, SUMo, Ninite, etc etc

    3. Adopt principle of least privilege
    - account with reduced rights (do not disable UAC on Windows)
    - browser with its own native sandbox

    4. Application Whitelisting
    - SRP/Applocker
    - Bouncer, Software Policy, NVT ERP, etc
     
  5. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    Interesting that they ranked Application white-listing as Rank 1, while HIDS/HIPS as Rank 8.

    Where does the other 15% come from if 85% is mitigated by these protocols?
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    And signature based AVs came dead last, #30 on the list. Whitelisting both software and domains and limiting privilege are much more effective. It is much better to use what the OS has to offer first.
     
  7. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,247
    I find that being careful about what executables you launch, and keeping up with Windows Updates, is all you need to keep your computer malware free, about 99.9% of the time.
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Well agree to that, would running vulnerable apps using Windows built-in virtualisation help? IE does enable this by default, but runasinvoker could also pose a risk. Ideas?
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    I like the top four strategies, as well as the #5 strategy. I'm still rather selective about the patches available for Windows O/S, but I always make sure to apply the critical ones.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    I like how the chart shows the Ranking comparison of 2014 and 2012 to see what has changed for effective strategies and what has not changed. The Top 4 have remained the same. Operating system generic exploit mitigation (DEP, ASLR, EMET, etc.) has gone up significantly from 21st to 7th. There's a lot of interesting strategies in there and I would say that this chart is quite valuable information for anybody new and interested in computer security.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    Kaspersky merchandising, no more, no less. dropped that nonsense.

    reducing users rights on windows system will catch nearly same amount of attack. now 85% of 15% is how much?

    don't forget some alu helmets.
     
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    As far as I know intrusion based on exploits always uses the following elements (in

    a) rich content (script) running in browser/pdfreader/flashplayer/office app.
    b) exploit changes flow of events/program logic
    c) run arbitrary code in memory
    e) shell access/run script
    d) pull-in/drop additional arbitrary code
    f) elevation/survive reboot

    Without anti-exploit software there are a dozen countermeasures you can implement.
    1. maximize OS-features (set DEP to permanent, SEHOP for all programs, use only ASLR enabled software)
    2. disable risk-ware like remote access/assistance/sharing by disabling services and using registry tweaks
    3. use ACL (deny execute) for internet/mail/media folders (the obvious landing/drive by folders)
    4. disable plug-ins/add-ons/macros in office software
    5. crank up internet zone security (so outlook and media player which use internet zone are hardened) and don't use IE
    6. use Chrome with built-in sandbox (no exploit in the wild for years) and built-in flash/pdf reader
    7. use PDF reader which does not facilitate javascript etc.
    8. use Permission to lock user autoruns in registry/startup/tasks
    9. run as limited user
    10. use the 1806 block download of executables/block execution of programs downloaded from the internet
    11. install freebie to enforce default deny in user space (bouncer/securefolders/simple SRP)
    12. Add a script blocker to your browser
     
    Last edited: May 14, 2015
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    1 I prefer third party apps like MBAE and HMPA, because they are faster, more user friendly, and can stop more attacks than EMET.
    2 Patching is important, but you can stay safe even without it, if you use HIPS and practice safe HEX.
    3 It's also not really needed, if you know what you're doing (HIPS/sandboxing), UAC is too annoying.
     
  14. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    We had that conversation at large. A HIPS or Sandbox complicates the chain of events of an intrusion (it provides more thresholds), which might stop the attack, but when the foundation (OS) is exploited those extra walls/thresholds (HIPS or Sandbox) might as well go down also.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Correct, I can't really argue with that, everyone should patch their system. I just wanted to point out that in theory, security tools can still keep you safe, especially when the OS itself is not attacked, which is the case most of the time. So with HIPS/sandboxing/anti-exploit it's easy to protect vulnerable apps. I didn't even patch my old Win XP for the last 4 years, mainly because I was afraid it would break stuff, like my security tools.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    you forgot to mention one - security apps can only protect something they are aware of. why should they still fix a png or jpg flaw which is handled by system? or dns flaw on port 53? many software rely on system routines. it's all about patches and i totally disagree with your opinion.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    @ Brummelchen

    I must admit, I didn't really understand the examples that you gave. What I'm saying is that security tools can protect against hackers who try to exploit application flaws. They can not (or not often) protect against OS bugs. So a hacker might try to exploit some bug in the OS, in order to break out of a sandbox or to bypass a HIPS for example. But I don't believe this happens very often.
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    you should believe in a church :D - the png flaw was used pretty often. not sure, if 3rd-party software contain that flaw too, but windows was pretty vulnerable to it and a lot of users are using internet explorer, paint or windows viewer. some programs rely on components which are also used by internet explorer - in general the whole windows system is based on its engine.

    ok, the png vulnerability seems to have a new height
    https://technet.microsoft.com/en-us/library/security/ms15-024.aspx
    http://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html

    several serious issues in the past
    http://www.pcworld.com/article/2041...ities-and-actively-exploited-office-flaw.html

    judge yourself if your security would have covered all - i won't bet on that...

    cheers
     
  19. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Png flaw was based on a bug in the meta data of the picture format PNG. Meta data describes and contains information of the picture (e.g. size). In a lot of file formats some code is allowed in meta data section. All this behind the scene processing of code (e.g. javascript in a PDF) or rich content is done for ease of use or facilitate central/remote management or digital rights/IP management.

    Where there is code there is an opportunity to exploit code (even as little as the meta data section in a file header). You can enjoy rich content or use third party software which excludes these features (e.g. flash or javascript), like SumatraPDF or the safest browser in the world (not Chrome)

    When one does not use IE, set the internet security settings in the control panel to maximum for all internet zones. With this easy tweak one also hardens Windows Media Player and Outlook for example.
     
    Last edited: May 17, 2015
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    I'm sorry, but I did not see anything that could bypass security tools like sandboxes and HIPS. The thing that I was talking about is advanced exploits like the ones developed by Bromium, who try to break out of the sandbox. The question is, how many exploit writers are willing to spend time on writing these advanced exploits.
     
  21. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Whitelisting does seem the way to go. Are there any good FREE programs that employ whitelisting?
     
  22. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    SecureAPlus (freemium first year),
    VoodooShield (freeware with weekly remind screen)
    No Virus Thanks ERP (next version donationware, now in Beta)

    NVT-ERP in combination with SecureFolders (also for MSI's and DLL's etc) is a strong and easy combo, see below:

    NVT-ERP
    Whitelist system processes and your trusted publishers from signed exe's, remove other (non-used publishers) and allow unsigned based on hash will provide a maintenance free whitelist layer. You set it on ask user/alert when you have first installed it, after some time you can lock it because trusted publishers are allowed to update.

    SecureFolders
    No execution of AppData and Users folders (plus all other data partitions) is an easy to maintain default deny for users folders. When updating trusted programs, just disable SecureFolders protection temporarily.

    Add MBAE-free to the mix and you have a pretty solid easy to use defense
     
    Last edited: May 20, 2015
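
Added example, not part of the original thread and not the actual logic of NVT ERP or SecureFolders: a Python model of the layered default-deny decision described in post 22 (no execution from user folders, then trusted publisher, then hash for unsigned files). All names, roots, publishers and hashes are constructed assumptions.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional

# Constructed policy values, for illustration only.
DENY_ROOTS = [r"C:\Users", r"D:\Data"]           # user-writable locations
TRUSTED_PUBLISHERS = {"Example Trusted Publisher Ltd"}
ALLOWED_HASHES = {hashlib.sha256(b"constructed unsigned tool").hexdigest()}


@dataclass
class Launch:
    path: str
    content: bytes
    publisher: Optional[str] = None   # None means the file is unsigned
    signature_valid: bool = False


def canon(path: str) -> str:
    """Collapse '..', unify slashes and lowercase, as Windows path matching needs."""
    return ntpath.normcase(ntpath.normpath(path))


def under_denied_root(path: str) -> bool:
    p = canon(path)
    for root in DENY_ROOTS:
        r = canon(root).rstrip("\\")
        # Compare whole components so C:\UsersBackup does not match C:\Users.
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def decide(launch: Launch, folder_guard: bool = True):
    # Layer 1: no execution from user folders, whoever signed the file.
    if folder_guard and under_denied_root(launch.path):
        return ("deny", "user-writable folder")
    # Layer 2a: valid signature from an allowlisted publisher.
    if launch.signature_valid and launch.publisher in TRUSTED_PUBLISHERS:
        return ("allow", "trusted publisher")
    # Layer 2b: unsigned (or untrusted) files only by exact hash.
    if hashlib.sha256(launch.content).hexdigest() in ALLOWED_HASHES:
        return ("allow", "hash allowlisted")
    return ("deny", "default deny")
```

String normalization does not resolve junctions, symlinks or 8.3 short names, so an enforcing tool has to match on the path the OS actually resolves.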
  23. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Oh wow, when did that become free? What is the reminder screen?
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's my 4 ways:

    1. Emsisoft Anti-Malware - Behavior blocker plus web shield by blacklisting.
    2. Eset Smart Security - Firewall w/IDS and IPS, HIPS w/custom registry and MBR and host file access rules, exploit protection, web shield w/ active browser scanning and custom IP blocking list
    3. EMET - with custom app rules plus certificate pinning enabled
    4. Use your brain ....................
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    How do you protect MBR with ESS HIPS rules?
     