By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector
In the second post in our series, Meltdown and Spectre: How They Could Be Targeted, we discussed ways in which cyber adversaries could leverage the Meltdown and Spectre vulnerabilities. Now we switch focus to what organizations and security operations teams should be doing to mitigate the risks associated with these vulnerabilities.
There are two first steps an organization should take to assess the potential impact of the vulnerabilities. First, gain a full understanding of what types of systems are affected by Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). Then determine which systems in your network are susceptible to them. In this case, the scale and scope of affected systems is much larger than in a typical vulnerability advisory: these vulnerabilities affect CPUs in systems built over the last 20 years and may include mobile devices, servers, desktops, laptops, cloud services and network devices. It’s important to research and keep current on advisories from your vendors and service providers so that patches can be deployed rapidly as they become available. Then deploy (or test and deploy, depending on your organizational processes) those patches as fast as your organization can. When planning mitigation, account for the potential performance impact once a patch has been applied.
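One way to answer the “which systems are susceptible” question on a Linux fleet is to read the per-issue status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example written for this post, not code from the original article or from BluVector; it assumes a kernel new enough to populate that directory, treats a missing file as “unknown” (and therefore as needing attention), and builds a constructed sample directory so it can be exercised without a real host.

```python
import os
import tempfile

# Kernels carrying the Meltdown/Spectre fixes expose one status file per issue here.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = {                      # sysfs name -> CVE named in the post
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(status):
    """Map one sysfs status line to a triage verdict."""
    if status is None:          # file absent: kernel predates the reporting interface
        return "unknown"
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(base_dir, issue):
    """Return the raw sysfs text for an issue, or None if the file is absent."""
    try:
        with open(os.path.join(base_dir, issue)) as f:
            return f.read()
    except OSError:
        return None

def triage(base_dir=SYSFS_VULN_DIR):
    """Return ({issue: (cve, verdict)}, needs_attention); 'unknown' counts as exposed."""
    report = {issue: (cve, classify(read_status(base_dir, issue)))
              for issue, cve in ISSUES.items()}
    needs_attention = any(v in ("vulnerable", "unknown") for _, v in report.values())
    return report, needs_attention

def demo_dir():
    """Constructed sample host: PTI on, Spectre v1 unmitigated, no spectre_v2 file."""
    d = tempfile.mkdtemp()
    for name, text in (("meltdown", "Mitigation: PTI\n"), ("spectre_v1", "Vulnerable\n")):
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return d

if __name__ == "__main__":
    for issue, (cve, verdict) in triage()[0].items():
        print(f"{issue:<10} {cve}  {verdict}")
```

Run it on each host through your configuration management or inventory tooling and collect the `needs_attention` flag to build the list of systems still waiting on a patch.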
Next, identify where sensitive customer or business information resides across your enterprise (on- and off-premises) and validate or implement strong isolation and physical separation of critical data and systems from the more public-facing systems that aren’t business critical (including client systems used for web browsing and email). If business-critical information is found on systems where it shouldn’t be, deleting the information and then rebooting the system to clear system memory is the best strategy for limiting exposure.
Lastly, security teams should enhance monitoring of the avenues of attack we discussed previously. A few examples follow; each organization will need to prioritize its own focus areas:
A New Breach – Spear phishing and web-based attacks that leverage fileless or polymorphic malware are the key ways an adversary gains access to systems and begins to leverage these vulnerabilities to reach sensitive data, credentials, etc. Heightened awareness and monitoring of malicious content entering your enterprise are critical, as this will likely be the initial vector for exploiting the vulnerabilities. Organizations should explore technologies designed to rapidly detect unknown malicious content, both fileless and file-based. Being able to detect the various stages of a new breach greatly increases your ability to respond quickly and limit impact. Leveraging technologies, like BluVector, that can detect unknown threats (file and fileless) is key to mitigating attacks that target unpatched systems, or systems where a hardware refresh doesn’t mitigate the vulnerability.
Expanding a Breach – This scenario is more problematic because it means an adversary already has access to your enterprise but, until the announcement of these vulnerabilities, hasn’t been able to expand their reach or visibility. By adding code that uses the vulnerabilities, the adversary could significantly increase their access. One example of focused monitoring is to look for updates that an adversary pushes to their Remote Access Toolkits (RATs) to enable them to leverage Meltdown and Spectre. This is just one example of where enhanced monitoring can aid in detecting and mitigating these risks.
Credential Monitoring – These vulnerabilities directly undermine the confidentiality of affected systems and so increase the likelihood of credential theft. If Spectre were exploited in your cloud provider’s environment, your information could be exposed even though the attack never touches your network. In that case, credential and user behavior monitoring would be the only way to detect it.
Consumers – The Meltdown and Spectre vulnerabilities also affect the consumer market and require vigilance in patching personal devices. It’s imperative that you (and your household) apply patches and follow sound web browsing and email practices in your routine activities.
Vulnerabilities rooted in the combined complexity of hardware, operating systems, applications and the cloud require a comprehensive approach to confirm and mitigate them. The threat landscape is ever evolving, and there is a real fear of the unknown. BluVector’s technology was purpose-built to address that fear of the unknown and help organizations defend against cyber threats that haven’t yet been seen in the wild.