We have seen a steady stream of attacks over the last few years, many of which resulted in monumental losses of data and embarrassment for organizations. But not every breach is attributable to an organizational mistake. Take for example the recent announcement of the glibc vulnerability (CVE-2015-7547). It was discovered in February 2016 almost simultaneously, albeit separately, by Red Hat and Google engineers. And although only recently discovered, this application-layer vulnerability has actually been present since 2008.
The glibc vulnerability is particularly troubling because it impacts almost all Linux systems deployed worldwide. A patch has been made available, but the full scope and reach of the vulnerability are still being discovered. It sits in the widely used glibc library, which is leveraged by countless applications and programming languages. The vulnerability can be exploited through a DNS query to an attacker-controlled domain or through a man-in-the-middle attack on DNS.
Attackers can take advantage of this wide-reaching vulnerability to target organizations with custom-crafted threats. Exploiting it over the Internet would take a sophisticated attacker. But within a data center where an attacker has already gained control of a host, it becomes much easier to establish a man-in-the-middle foothold. By spoofing DHCP and DNS and answering DNS requests, the attacker can place themselves in the middle of sensitive data center traffic flows.
There are many vulnerability-related statistics that show the frequency of cyber attacks, the time to remediation, the cost, and the resulting data loss. On average, an attacker is inside the data center for 146 days before being discovered, and it takes 30 additional days to remediate once the breach has been discovered. In this blog, we will cover how vArmour can help you quickly and effectively detect exploitation of vulnerabilities like this one. Gaining monitoring across your data center and cloud, limiting the reach of an attacker and the damage they can inflict, and reducing the mean time to remediation are all key elements of becoming a positive statistic in the face of a cyber attack.
Get continuous monitoring for free. Request a 60-day trial of vArmour DSS today.
vArmour Insights identifies out-of-the-ordinary events for investigation, including DNS anomalies
DNS Exploit Discovery with vArmour Analytics
vArmour DSS provides application-aware micro-segmentation for all workloads and continuous monitoring of all network, application, and user flows, not just a sampled dataset or a group of consolidated syslogs. Combined with powerful security analytics, this lets you see immediate indicators of compromise for attempted exploits inside the data center and cloud. Full application-layer visibility allows vArmour to assess the format of a DNS response, which is the typical means of exploitation in the case of the glibc vulnerability. The exploit attempt may occur within a VLAN or between VLANs, either of which could prove difficult to identify without the right tools.
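One concrete form of the response check described above, written here as an added example rather than vArmour's own code: CVE-2015-7547 is triggered when glibc's getaddrinfo() receives a DNS response larger than the 2048-byte stack buffer it reserves for the answer (a detail of the bug itself, not something this post states). A monitor that parses the header of every DNS response on the wire and flags any whose total length exceeds that buffer surfaces exploitation attempts whether they happen within a VLAN or across VLANs. The flow records, hostnames and addresses below are constructed; the 2048-byte threshold is the only value taken from outside the post.

```python
import struct

# Size of the stack buffer getaddrinfo() uses for a DNS answer in affected
# glibc versions (known detail of CVE-2015-7547, not from this post).
GLIBC_STACK_BUFFER = 2048


def parse_dns_header(msg):
    """Decode the fixed 12-byte DNS header; raise ValueError if too short."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),  # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name):
    """Encode a dotted hostname in DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(ident, qname, a_records):
    """Build a constructed A-record response used only as sample input."""
    # flags 0x8180: QR=1, RD=1, RA=1, NOERROR
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


def flag_oversized_responses(flows, limit=GLIBC_STACK_BUFFER):
    """Return one alert per DNS response whose wire length exceeds `limit`.

    flows: iterable of (src_ip, dst_ip, payload) tuples captured from DNS
    traffic. Non-DNS or truncated payloads are skipped rather than raising.
    """
    alerts = []
    for src, dst, payload in flows:
        try:
            hdr = parse_dns_header(payload)
        except ValueError:
            continue
        if hdr["is_response"] and len(payload) > limit:
            alerts.append({
                "src": src, "dst": dst, "id": hdr["id"],
                "length": len(payload), "ancount": hdr["ancount"],
            })
    return alerts


# Constructed sample flows: one ordinary answer, one answer padded with 200
# A records (well past the 2048-byte buffer), and one non-DNS fragment.
SAMPLE_FLOWS = [
    ("10.0.0.53", "10.0.0.20",
     build_response(0x1A2B, "www.example.com", ["93.184.216.34"])),
    ("10.0.0.99", "10.0.0.20",
     build_response(0x1A2C, "www.example.com",
                    ["10.1.0.%d" % i for i in range(200)])),
    ("10.0.0.20", "10.0.0.53", b"\x00\x01"),
]

if __name__ == "__main__":
    for alert in flag_oversized_responses(SAMPLE_FLOWS):
        print("oversized DNS response", alert)
```

The length check is a triage signal, not a verdict: large legitimate answers (DNSSEC-signed zones, responses carried over TCP) can also exceed 2048 bytes, so an alert should pivot to the source address and the querying workload rather than block on its own. The parsed `truncated` and `rcode` fields are returned so the same records can feed further analysis.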
NetFlow, for example, can be a very useful tool in certain use cases. But looking at sampled NetFlow for IP and Layer 4 port information will not identify advanced, application-layer exploits like the glibc DNS one. To be effective, you need to see all traffic between data center workloads. Unsampled NetFlow requires specific hardware and gives you more complete IP and Layer 4 port information, but it still does not give you full visibility into data center application flows.
Perimeter hardware-based firewalls will not help either. With these, you only see a subset of north-south traffic: all north-south traffic using common ports and protocols such as HTTP, HTTPS, and SSH is allowed to traverse these firewalls. In addition, the internal east-west flows go completely unseen. For example, suppose an exploit occurs on an internal data center workload, and the attacker moves laterally, staging for data exfiltration. When the attacker exfiltrates data over a well-known port such as SSL (443), the data is allowed to leave the network because the perimeter firewalls see it as valid.
Simply put, without having full visibility into the specific application-layer traffic traversing your network, you are unable to detect and defend against the myriad of exploits that exclusively target these higher-level protocols.
The ability of vArmour DSS to see all intra- and inter-hypervisor workload application flows gives you a security tool set not previously available. An analyst is able to see threats at a layer they never could before, in a matter of seconds rather than days or weeks. Gaining this kind of insight would normally require a team of SOC analysts to comb through raw logs on disparate systems, all of which takes a great deal of time. This not only increases the time it takes to identify the threat, but also the time to remediate it after the fact, giving the attacker more time to accomplish their goal and attempt to cover their tracks.
vArmour Affinity finds and visualizes attacker touchpoints and patient zero
How can vArmour help protect you against application-layer security vulnerabilities?
To prevent sophisticated threats from vulnerabilities like glibc, you must first be able to identify them. Identification starts with continuous monitoring of all networks, applications, and users: you can’t stop what you can’t see! vArmour provides micro-segmentation to isolate each individual workload as well as visibility into all data center and cloud application flows, allowing you to quickly identify suspicious behavior, isolate the source, limit any damage, and perform remediation. In the example of the glibc vulnerability, vArmour provides a detailed view of DNS request and response traffic across multiple systems. Assembling this view previously would have meant hours of effort from multiple analysts across multiple systems. Having this visibility means seconds, not hours, to identify malicious behavior, which shortens your organization’s response time and limits the potential damage from the attacker. As we all know, you can’t always keep sophisticated threats out of your network, but you can have the right tools to quickly identify and stop them.