Charles Leaver – Understand About Meltdown And Spectre And How Ziften Can Assist You

Written By Josh Harriman And Presented By Charles Leaver

 

Ziften is aware of the current exploits affecting almost everyone who works on a computer or digital device. While that is a very broad statement, we at Ziften are working diligently to help our customers discover vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for possible performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they develop. Right now, most of the conversation is around Proof of Concept (PoC) code and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what the industry is doing to find workarounds for these hardware issues. To learn more, I think it’s best to go straight to the source (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Assist?

A crucial area that Ziften helps with in the event of an attack by either method is monitoring for data exfiltration. Since these attacks essentially read data they should not have access to, we believe the first and easiest way to protect yourself is to take sensitive data off these systems. This data might be passwords, login credentials, or even security secrets for SSH or VPN access.

Ziften checks for, and alerts on, processes that normally do not make network connections but begin exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and / or kill the processes associated with these events. Ziften Labs is monitoring the development of the attacks that are likely to become available in the wild for these vulnerabilities, so we can better protect our customers.
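The detection described above (a process that has never been seen making a network connection suddenly does) can be expressed as a baseline-deviation check over endpoint telemetry. The following is an added example written for this post, not Ziften or Zenith code; the event records, host names, process names, remote endpoints, and the one-week baseline window are all constructed for illustration. It builds a per-host, per-process baseline from a historical window and then flags connections outside that window from processes that ran during the baseline without ever connecting, while keeping processes with no baseline at all in a separate bucket so they are not confused with confirmed deviations.

```python
"""Baseline-deviation check: flag processes that historically made no
network connections but now do.

Added example, not Ziften/Zenith code. All telemetry below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, host, process image, remote endpoint or None)
# A None remote means the process ran but made no network connection.
EVENTS = [
    ("2018-01-02T09:00:00", "ws-01", "chrome.exe",  "93.184.216.34:443"),
    ("2018-01-02T09:05:00", "ws-01", "outlook.exe", "10.0.0.5:443"),
    ("2018-01-02T09:10:00", "ws-01", "calc.exe",    None),
    ("2018-01-03T10:00:00", "ws-01", "chrome.exe",  "93.184.216.34:443"),
    ("2018-01-03T10:20:00", "ws-01", "notepad.exe", None),
    ("2018-01-04T14:00:00", "ws-01", "calc.exe",    None),
    # Post-baseline activity, including one deviation and one host with no history.
    ("2018-01-09T11:00:00", "ws-01", "calc.exe",    "198.51.100.7:4444"),
    ("2018-01-09T11:01:00", "ws-01", "chrome.exe",  "93.184.216.34:443"),
    ("2018-01-09T11:02:00", "ws-02", "calc.exe",    "198.51.100.7:4444"),
]

# Constructed baseline window (hypothetical): one week of normal activity.
BASELINE_START = datetime(2018, 1, 1)
BASELINE_END = datetime(2018, 1, 8)


def build_baseline(events, start, end):
    """Return {(host, process): (run_count, net_count)} for events in [start, end).

    run_count is how often the process was observed; net_count is how many of
    those observations included a network connection.
    """
    seen = defaultdict(lambda: [0, 0])
    for ts, host, proc, remote in events:
        t = datetime.fromisoformat(ts)
        if start <= t < end:
            entry = seen[(host, proc)]
            entry[0] += 1
            if remote is not None:
                entry[1] += 1
    return {key: tuple(val) for key, val in seen.items()}


def find_anomalous_connections(events, baseline, start, min_runs=2):
    """Check connections at or after `start` against the baseline.

    Returns (alerts, no_baseline):
      alerts      - connections by processes seen at least `min_runs` times in
                    the baseline that never connected during it (a deviation).
      no_baseline - (host, process) pairs that connected but have no baseline
                    history at all; these need a human look, not an automatic alert.
    """
    alerts = []
    no_baseline = []
    for ts, host, proc, remote in events:
        t = datetime.fromisoformat(ts)
        if t < start or remote is None:
            continue
        runs, net = baseline.get((host, proc), (0, 0))
        if runs == 0:
            if (host, proc) not in no_baseline:
                no_baseline.append((host, proc))
        elif runs >= min_runs and net == 0:
            alerts.append({"time": ts, "host": host, "process": proc,
                           "remote": remote, "baseline_runs": runs})
    return alerts, no_baseline


if __name__ == "__main__":
    baseline = build_baseline(EVENTS, BASELINE_START, BASELINE_END)
    alerts, unknown = find_anomalous_connections(EVENTS, baseline, BASELINE_END)
    for alert in alerts:
        print("ALERT: %(host)s %(process)s -> %(remote)s at %(time)s "
              "(seen %(baseline_runs)d times without network activity)" % alert)
    for host, proc in unknown:
        print("REVIEW: %s %s connected but has no baseline history" % (host, proc))
```

The `min_runs` threshold keeps a process that ran once during the baseline from producing a confident alert, and the separate `no_baseline` list is where a host that was just imaged or a newly installed application will land; both are design choices worth tuning against your own telemetry volume before wiring the alerts to an automatic quarantine action.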

Find – How am I Vulnerable?

Let’s look at areas we can examine for vulnerable systems. Zenith, Ziften’s flagship product, can easily and quickly find operating systems that need to be patched. Even though these vulnerabilities are in the CPUs themselves (Intel, AMD and ARM), the fixes that become available will be delivered as OS updates and, in other cases, as updates to the web browser you use as well.

In Figure 1 below, you can see one example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track patch installs that failed. The example shown below is not for Meltdown or Spectre, but the KB and / or patch number for your environment could be entered into this report to reveal the vulnerable systems.

The same is true for browser updates. Zenith keeps track of the software versions running in the environment. That data can be used to confirm that all browsers are on the current version once the fixes appear.

Speaking of browsers, one area that has already picked up steam in the attack scenarios is the use of JavaScript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like the Edge browser do not use JavaScript any longer, and mitigations are available for other web browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out this week.

Fix – What Can I Do Now?

Once you have identified vulnerable systems in your environment, you definitely need to patch and fix them very quickly. One precaution to take into consideration: there are reports of certain anti-virus products causing stability issues when the patches are applied. Information about these issues is here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that require patches, direct our solution to apply those patches for you, and then report success / failure and the status of those still needing patching.

Since the Zenith backend is cloud based, we can even monitor your endpoint systems and apply the needed patches when they are not connected to your business network.

Monitor – How is it all Running?

Lastly, there may be some systems that display performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform assists both security and operational teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help discover issues such as application hangs or crashes, and system crashes. Plus, we monitor system Memory and CPU usage over time. This data can be used to monitor and alert on systems that begin to display high usage compared to the period before the patch was applied. An example of this monitoring is displayed in Figure 2 below (system names purposely removed).
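The comparison described above (usage after the patch against the same host’s usage before it) is simple to reason about once the samples are split at each host’s patch time. The following is an added example written for this post, not Ziften or Zenith code; the hourly CPU and memory samples, host names, per-host patch times and the alert thresholds are all constructed. It compares each host’s post-patch median against its own pre-patch median, so a busy database server is judged against its own normal load rather than against a fleet-wide number, and it refuses to make a call when either window has too few samples.

```python
"""Post-patch performance regression check: compare each host's CPU and memory
usage after a patch against its own pre-patch baseline and flag large increases.

Added example, not Ziften/Zenith code. Samples and thresholds are constructed.
"""
from datetime import datetime
from statistics import median

# Constructed hourly samples: (timestamp, host, cpu_percent, mem_percent)
SAMPLES = [
    ("2018-01-05T10:00:00", "db-01", 40, 60),
    ("2018-01-05T11:00:00", "db-01", 42, 62),
    ("2018-01-05T12:00:00", "db-01", 38, 61),
    ("2018-01-05T13:00:00", "db-01", 45, 60),
    ("2018-01-05T19:00:00", "db-01", 70, 63),   # CPU clearly higher after the patch
    ("2018-01-05T20:00:00", "db-01", 75, 61),
    ("2018-01-05T21:00:00", "db-01", 68, 62),
    ("2018-01-05T10:00:00", "ws-01", 5, 30),
    ("2018-01-05T11:00:00", "ws-01", 8, 31),
    ("2018-01-05T12:00:00", "ws-01", 6, 30),
    ("2018-01-05T19:00:00", "ws-01", 7, 30),    # small change, within noise
    ("2018-01-05T20:00:00", "ws-01", 9, 32),
    ("2018-01-05T21:00:00", "ws-01", 6, 31),
    ("2018-01-05T10:00:00", "fs-01", 20, 40),
    ("2018-01-05T11:00:00", "fs-01", 22, 41),
    ("2018-01-05T12:00:00", "fs-01", 21, 40),
    ("2018-01-05T19:00:00", "fs-01", 60, 40),   # only one post-patch sample so far
]

# Constructed per-host patch times (hypothetical); a real system would take
# these from the patch-status report.
PATCH_APPLIED = {
    "db-01": datetime(2018, 1, 5, 18, 0),
    "ws-01": datetime(2018, 1, 5, 18, 0),
    "fs-01": datetime(2018, 1, 5, 18, 0),
}


def split_windows(samples, patch_applied):
    """Group samples per host into (pre_patch, post_patch) lists of (cpu, mem)."""
    windows = {}
    for ts, host, cpu, mem in samples:
        t = datetime.fromisoformat(ts)
        pre, post = windows.setdefault(host, ([], []))
        (pre if t < patch_applied[host] else post).append((cpu, mem))
    return windows


def regression_report(samples, patch_applied, min_samples=3, ratio=1.5, min_delta=10.0):
    """Return {host: {"status": ..., "cpu": (pre, post, flagged), "mem": (...)}}.

    A metric is flagged when the post-patch median is at least `ratio` times the
    pre-patch median AND at least `min_delta` percentage points higher, so an
    idle host going from 1% to 2% CPU does not raise an alert. Hosts with fewer
    than `min_samples` samples on either side are reported as insufficient_data.
    """
    report = {}
    for host, (pre, post) in split_windows(samples, patch_applied).items():
        if len(pre) < min_samples or len(post) < min_samples:
            report[host] = {"status": "insufficient_data"}
            continue
        entry = {"status": "ok"}
        for idx, name in ((0, "cpu"), (1, "mem")):
            before = median(s[idx] for s in pre)
            after = median(s[idx] for s in post)
            flagged = after >= before * ratio and after - before >= min_delta
            entry[name] = (before, after, flagged)
            if flagged:
                entry["status"] = "regressed"
        report[host] = entry
    return report


if __name__ == "__main__":
    for host, entry in sorted(regression_report(SAMPLES, PATCH_APPLIED).items()):
        if entry["status"] == "insufficient_data":
            print("%s: not enough samples yet" % host)
            continue
        for metric in ("cpu", "mem"):
            before, after, flagged = entry[metric]
            print("%s %s: median %.1f%% -> %.1f%% %s"
                  % (host, metric, before, after, "REGRESSED" if flagged else "ok"))
```

Using the median rather than the mean keeps a single spike from dominating either window, and requiring both a ratio and an absolute delta is what separates "this host is now doing real extra work" from rounding noise on an idle machine. The thresholds here are constructed starting points; tune them per workload class, since the high-IO and network-heavy systems mentioned above are exactly the ones where a genuine post-patch increase is expected.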

These ‘flaws’ are still new to the public, and much more will be discussed and discovered in the days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and protect our customers and partners.
