One of the main reasons cyber risk continues to increase exponentially is due to the rapid expansion of attack surfaces – the places where software programs are vulnerable to attack or probe by an adversary. Attack surfaces, according to the SANS Institute, can include any part of a company’s infrastructure that exposes its networks and systems to the outside, from servers and open ports to SQLs, email authentication and even employees with “access to sensitive information.” It can also include user input via keyboard or mouse, network traffic and external hardware that is not protected by cyberhardening technology.
It would be easy to blame the Internet of Things (IoT) for the expanding attack surfaces, as Intel projects two billion smart devices worldwide by 2020. But in reality, the IoT is only part of the attack surface epidemic.
According to Cybersecurity Ventures, there are now 111 billion new lines of code written each year, introducing vulnerabilities both known and unknown. Not to be overlooked as a flourishing attack vector are humans, which some argue are both the most important, but also the weakest link in the cyberattack kill chain. In fact, in many cybersecurity circles there is a passionate and ongoing debate regarding just how much burden businesses should put on employees to prevent and detect cyber threats. What is not up for debate, however, is just how vulnerable humans are to intentionally or unintentionally opening the digital door for threat actors to walk in. This is most evident by the fact that 9 out of 10 cyberattacks begin with some form of email phishing targeting workers with mixed levels of cybersecurity training and awareness.
Critical Infrastructure Protection Remains a Challenge
Critical infrastructure, often powered by SCADA systems and equipment now identified as part of the Industrial Internet of Things (IIoT) is also a major contributor to attack surface expansion. Major attacks targeting these organizations occur more from memory corruption errors and buffer overflows exploits than from spear-phishing or email spoofing and tend to be the motive of nation states and cyber terrorists more so than generic hackers.
“Industrial devices are designed to have a long-life span, but that means most legacy equipment still in use was not originally built to achieve automation and connectivity.” The IIoT does provide many efficiencies and cost-savings benefits to companies in which operational integrity, confidentiality and availability are of the utmost importance, but the introduction of technology into heavy machinery and equipment that wasn’t built to communicate outside of a facility has proven challenging. The concept of IT/OT integration, which is meant to merge the physical and digital security of corporations and facilities, has failed to reduce vulnerabilities in a way that significantly reduces risk. As a result, attacks seeking to exploit critical infrastructure vulnerabilities, such as WannaCry, have become the rule and not the exception.
To date cyber criminals are winning?
To date, critical infrastructure cybersecurity has relied too much upon network monitoring and anomaly detection in an attempt to detect suspicious traffic before it turns problematic. The challenge with this approach is that it is reactionary and only effective after an adversary has breached some level of defenses.
We take an entirely different approach, focusing on prevention by denying malware the uniformity it needs to propagate. To do this, we use a binary randomization technique that shuffles the basic constructs of a program, known as basic blocks, to produce code that is functionally identical, but logically unique. When an attacker develops an exploit for a known vulnerability in a program, it is helpful to know where all the code is located so that they can repurpose it to do their bidding. Binary randomization renders that prior knowledge useless, as each instance of a program has code in different locations.
One way to visualize the concept of binary randomization is to picture the Star Wars universe at the time when Luke Skywalker and the Rebel Alliance set off to destroy the Death Star. The Rebel Alliance had the blueprints to the Death Star and used those blueprints to find its only weakness. Luke set off in his X-Wing and delivered a proton torpedo directly to the weak spot in the Death Star, destroying it. In this scenario, the Death Star is a vulnerable computer program, and Luke is an adversary trying to exploit said computer program.
Now imagine that the Galactic Empire built 100 Death Stars, each protected by RunSafe’s new Death Star Weakness Randomization. This protection moves the weakness to a different place on each Death Star. Now imagine you are Luke, flying full speed toward the weakness in the Death Star, chased by TIE fighters, only to find that the weakness is not where the blueprint showed. The Rebel attack fails, and the Galactic Empire celebrates by destroying another planet. Similar to the Death Star scenario above, code protected with binary randomization will still contain vulnerabilities, but an attacker’s ability to successfully exploit that vulnerability on multiple targets becomes much more difficult.