How Ziften Will Help You With Spectre And Meltdown – Chuck Leaver

Written By Josh Harriman And Presented By Chuck Leaver

 

Ziften knows the most recent exploits impacting virtually everybody who works on a computer system or digital device. While this is a very large statement, we at Ziften are hard at work helping our customers find vulnerable assets, fixing those susceptible systems, and keeping track of systems after the repair for possible efficiency issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up-to-date on the latest harmful attacks as they progress. Today, most of the discussions are around PoC code (Proof of Concept) and what can theoretically take place. This will quickly alter as attackers benefit from these chances. The exploits I’m speaking, naturally, are Meltdown and Spectre.

Much has been written about how these exploits were found and what is being done by the industry to find workarounds to these hardware issues. To read more, I feel it’s best to go right to the source here (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Help?

An essential area that Ziften assists with in case of an attack by either approach is keeping track of for data exfiltration. Given that these attacks are generally taking data they shouldn’t have access to, we believe the first and easiest techniques to protect yourself is to take this personal data off these systems. This data might be passwords, login credentials or even security keys for SSH or VPN access.

Ziften monitors and informs when processes that normally do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and / or kill processes related to these situations. Ziften Labs is keeping an eye on the evolution of the attacks that are most likely to become readily available in the wild related to these vulnerabilities, so we can much better secure our clients.

Find – How am I Vulnerable?

Let’s take a look at areas we can check for vulnerable systems. Zenith, Ziften’s flagship item, can simply and rapidly find OS’s that have to be patched. Despite the fact that these exploits remain in the CPU chips themselves (Intel, AMD and ARM), the repairs that will be readily available will be updated to the OS, and in other cases, the browser you use also.

In Figure 1 shown below, you can see one example of how we report on the readily available patches by name, and exactly what systems have successfully set up each patch, and which have yet to set up. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and / or patch number for the environment could be occupied on this report to show the susceptible systems.

The same applies for web browser updates. Zenith keeps an eye out for software application versions running in the environment. That data can be used to comprehend if all browsers are up to date once the repairs become available.

Mentioning internet browsers, one area that has currently gained momentum in the attack situations is making use of Javascript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like Edge web browsers do not use Javascript any longer and mitigations are available for other browsers. Firefox has a fix offered here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome repair is coming out this week.

Repair – What Can I Do Now?

Once you have recognized susceptible systems in your environment you certainly want to patch and fix them very quickly. Some safeguards you have to think about are reports of specific Anti Virus products triggering stability problems when the patches are applied. Details about these concerns are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the capability to help patch systems. We can monitor for systems that need patches, and direct our product to use those patches for you and after that report success / failure and the status of those still needing patching.

Because the Zenith backend is cloud based, we can even track your endpoint systems and use the required patches when and if they are not linked to your corporate network.

Monitor – How is it all Running?

Finally, there may be some systems that show performance deterioration after the OS fixes are used. These issues seem to be limited to high load (IO and network) systems. The Zenith platform assists both security and operational teams within your environment. Exactly what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help uncover concerns such as hangs or crashes of applications, and system crashes. Plus, we monitor system usage for Memory and CPU gradually. This data can be used to monitor and signal on systems that begin to exhibit high utilization compared with the period prior to the patch was used. An example of this tracking is shown in Figure 2 below (system names deliberately removed).

These ‘flaws’ are still brand-new to the public, and much more will be gone over and discovered for days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and secure our consumers and partners.

Leave a Reply

Your email address will not be published. Required fields are marked *