Chuck Leaver – Ziften Can Assist With Meltdown And Spectre

Written By Josh Harriman And Presented By Chuck Leaver

 

Ziften is aware of the latest exploits impacting practically everyone who deals with a computer system or digital device. While this is a very large statement, we at Ziften are working diligently assisting our clients find susceptible assets, repairing those vulnerable systems, and keeping an eye on systems after the repair for prospective performance concerns.

This is an ongoing investigation by our group in Ziften Labs, where we keep up to date on the most recent harmful attacks as they develop. Today, the majority of the conversations are around PoC code (Proof of Concept) and exactly what can in theory take place. This will quickly change as hackers benefit from these opportunities. The exploits I’m speaking, of course, are Meltdown and Spectre.

Much has actually been written about how these exploits were found and exactly what is being done by the market to discover workarounds to these hardware concerns. To get more information, I feel it’s appropriate to go right to the source here (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Help?

A key area that Ziften helps with in case of an attack by either method is keeping track of for data exfiltration. Given that these attacks are essentially taking data they should not have access to, our company believe the first and simplest techniques to protect yourself is to take this confidential data and remove it from these systems. This data might be passwords, login qualifications or perhaps security keys for SSH or VPN access.

Ziften checks and alerts when processes that typically do not make network connections begin showing this uncommon behavior. From these notifications, users can quarantine systems from the network and / or eliminate procedures connected with these circumstances. Ziften Labs is keeping an eye on the development of the attacks that are likely to become readily available in the real world related to these vulnerabilities, so we can better safeguard our consumers.

Discover – How am I Susceptible?

Let’s look at areas we can monitor for susceptible systems. Zenith, Ziften’s flagship product, can easily and quickly find Operating Systems that need to be patched. Although these exploits remain in the CPU chips themselves (Intel, AMD and ARM), the repairs that will be available will be upgraded to the Operating System, and in other cases, the web browser you use as well.

In Figure 1 below, you can see one example of how we report on the readily available patches by name, and what systems have actually successfully installed each patch, and which have yet to set up. We can also track patch installs that stopped working. The example shown below is not for Meltdown or Spectre, however the KB and / or patch number for the environment could be populated on this report to reveal the vulnerable systems.

The same is true for browser updates. Zenith keeps an eye out for software application variations running in the environment. That data can be utilized to comprehend if all browsers are up to date once the fixes appear.

Speaking of internet browsers, one area that has actually already picked up steam in the attack scenarios is utilizing Javascript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like Edge browsers do not use Javascript any longer and mitigations are readily available for other web browsers. Firefox has a fix offered here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out soon.

Fix – Exactly What Can I Do Now?

Once you have actually recognized susceptible systems in your environment you certainly want to patch and repair them as soon as possible. Some safeguards you have to take into consideration are reports of specific Anti-Virus products causing stability issues when the patches are applied. Details about these problems are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that require patches, and direct our solution to apply those patches for you and then report success / failure and the status of those still requiring patching.

Considering that the Zenith backend is cloud-based, we can even track your endpoint systems and use the needed patches when and if they are not linked to your business network.

Track – How is it all Running?

Last but not least, there could be some systems that exhibit performance degradation after the OS repairs are applied. These problems seem to be restricted to high load (IO and network) systems. The Zenith platform assists both security and operational groups within your environment. What we want to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help reveal issues such as hangs or crashes of applications, and system crashes. Plus, we monitor system usage for Memory and CPU gradually. This data can be utilized to monitor and notify on systems that start to exhibit high usage compared with the period prior to the patch was used. An example of this tracking is shown in Figure 2 below (system names deliberately removed).

These ‘defects’ are still new to the public, and far more will be gone over and discovered for days / weeks / months to come. Here at Ziften, we continue to monitor the circumstance and how we can best educate and secure our clients and partners.

~leaverchuck1


No Responses Yet to “Chuck Leaver – Ziften Can Assist With Meltdown And Spectre”

Leave a Reply