Microsoft EMET: an UPDATED view from the trenches
Branden Carter
May 14, 2015

Intro: A little about ITD...
Our Mission: Your Safety, Your Mobility, Your Economic Opportunity
For more information: http://itd.idaho.gov

Intro: ITD's Computing Environment
Approximately:
• 1600 employees
• 2000 PCs
• Over 100 locations across Idaho

Intro: What is EMET?
Enhanced Mitigation Experience Toolkit
EMET anticipates the most common attack techniques attackers might use to exploit vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques.*
* Quoted from the EMET 5.1 User's Guide

Intro: Why did ITD start looking at EMET?
1. ITD had a very specific, high-caffeine program that was being hammered with zero-day exploits that weren't getting patched by the vendor. (Hint: an oracle couldn't even tell us when patches were going to be released.)
2. 'Cause a few people who some might consider knowledgeable said it was a good idea for stopping exploits.

Exploits and Mitigations: What is an exploit?
"An exploit is a piece of code that uses software vulnerabilities to access information on a computer or install malware. Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on a computer."
– Microsoft Security Intelligence Report, Volume 17

Exploits and Mitigations: What has been done to stop exploits?
Nerdy moms choose...
• DEP – since XP SP2
• ASLR – 64 bits of random goodness, since Vista SP1
• And even better together!*
* Caveat: unless you have peanut allergies.

Exploits and Mitigations: Are exploits that big of a problem?
[Three slides of figures, taken from the Microsoft Security Intelligence Report, Volume 17 (2014); the Cisco 2015 Annual Security Report; and the 2014 Verizon DBIR]

Do existing tools offer protection?
Exploits and Mitigations: Do existing tools offer protection?
• Network protection (IDS/IPS, web filter, NGFW)
  – Offer some protection but may be limited by encryption
  – Someone has to take a hit for the team
• Endpoint protection
  – Patching is most effective, but what about 0-day or patch lag?
  – AV, although many AV products traditionally focus on just detecting exploit payloads
  – Tools directly targeting exploit mitigation:
    • App segregation/virtualization – Bromium, Invincea
    • Anti-exploit – Malwarebytes Anti-Exploit, Microsoft EMET, Palo Alto Traps
    • Host intrusion prevention software
* Products listed are just examples - not an endorsement or recommendation on my part

Exploits and Mitigations
"With a few notable exceptions, endpoint [AV] products are not providing adequate protection from exploits."
– NSS Labs Corporate AV/EPP Comparative Analysis – Exploit Protection 2013

Exploits and Mitigations: Where does EMET fit?
• EMET:
  – uses in-memory application behavior to stop memory-based exploits BEFORE a PC is infected
  – is geared towards disrupting 0-day exploits in applications
  – makes it easier to manage built-in mitigations like DEP, ASLR, and SEHOP
  – provides new mitigations for exploits that bypass DEP/ASLR
• EMET is not:
  – anti-malware/AV/HIPS (signature based)
  – capable of detecting pre-installed malware
  – a program that will prevent a local admin from installing malware
  – attachments in emails (.scr files anyone?)

Exploits and Mitigations: How does EMET stop exploits?
System mitigations (EMET aids in configuration):
  – Data Execution Prevention
  – SEHOP
  – ASLR
  – Certificate Trust (Pinning)
Application-specific mitigations (EMET's unique protections):
  – DEP, SEHOP, Null Page, HeapSpray, EAF, EAF+, Mandatory ASLR, BottomUp ASLR, LoadLib (ROP), MemProt (ROP), Caller (ROP – 32-bit), SimExecFlow (ROP – 32-bit), StackPivot (ROP), ASR
Other application settings:
  – Stop on Exploit / Audit Only
  – Deep Hooks (ROP), Anti Detours (ROP), Banned Functions (ROP)

How is EMET deployed?
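The mitigation list above separates what the OS already provides (DEP, ASLR) from what EMET forces on applications that never opted in (DEP, Mandatory ASLR, BottomUp ASLR). Which of your applications fall into that second group is visible in the PE header: the DllCharacteristics word records the /NXCOMPAT and /DYNAMICBASE opt-ins. The following Python script is an added example, not part of the deck and not Microsoft's tooling; it parses that header directly so it runs on any platform, and the sample images it checks are constructed header-only stubs rather than real binaries. The flag values and header offsets are from the PE/COFF specification.

```python
"""Check whether a Windows PE image opted in to DEP and ASLR.

Added example, not from the deck or from Microsoft. It reads the PE optional
header directly (no Windows APIs), so it runs anywhere; the sample images are
constructed header-only stubs, not real binaries.
"""
import struct

# DllCharacteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image may be relocated: ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100        # image is DEP compatible (/NXCOMPAT)
HIGH_ENTROPY_VA = 0x0020  # 64-bit images only: full 64-bit ASLR (/HIGHENTROPYVA)
NO_SEH = 0x0400           # image uses no structured exception handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
OPT_HEADER_DLLCHARS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def read_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_offset + 4 + 20          # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + OPT_HEADER_DLLCHARS_OFFSET)
    return dll_chars


def assess(data: bytes) -> dict:
    """Summarise which mitigations the image opts in to.

    An image without NX_COMPAT/DYNAMIC_BASE is the case EMET's application
    settings (DEP, Mandatory ASLR, BottomUp ASLR) exist to cover: by default
    the OS applies those mitigations only to images that opt in."""
    flags = read_dll_characteristics(data)
    return {
        "dep_nx_compat": bool(flags & NX_COMPAT),
        "aslr_dynamic_base": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "no_seh": bool(flags & NO_SEH),
    }


def assess_file(path: str) -> dict:
    """Run assess() over an on-disk image (what an auditor would call)."""
    with open(path, "rb") as fh:
        return assess(fh.read())


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE stub for demonstration; it cannot execute."""
    pe_offset = 0x80
    img = bytearray(pe_offset + 4 + 20 + 112)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_offset)
    img[pe_offset:pe_offset + 4] = b"PE\0\0"
    opt = pe_offset + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", img, opt + OPT_HEADER_DLLCHARS_OFFSET, dll_characteristics)
    return bytes(img)


if __name__ == "__main__":
    legacy = build_sample_pe(0)                       # old 32-bit app, no opt-ins
    modern = build_sample_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True)
    print("legacy (constructed):", assess(legacy))
    print("modern (constructed):", assess(modern))
```

Running `assess_file` over the executables of an application you plan to protect tells you whether the OS would already randomize and NX-protect it; an image reporting `aslr_dynamic_base: False` is exactly the one that needs Mandatory ASLR in its EMET application profile, and the one most likely to need the "Testing! Testing! Testing!" the deck recommends.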
Managing EMET: How is EMET deployed?
• Deployed like any other enterprise software
  – Test first (check out my demo later for some tips!)
  – Rollout is well covered - step by step for Microsoft SCCM and GPO deployments
  – Configuration can be managed through GPO add-ons or .xml file pushes and scripts
  – Strongly recommend configuring reporting services BEFORE deployment
  – Plan on updating at least once a year

Managing EMET: What has it done at ITD?
• EMET impacts approx. 10-20% of ITD PCs in a given month. Most mitigations are not seen by end users.
• On-again, off-again love/hate with the metrics:
  – Indicators of malicious activity
  – Indicators of user interference (false positives)
  – What do the numbers mean?
[Charts: Total EMET Hits (y-axis 0 to 45,000); Unique Machines Reporting EMET Events (y-axis 0 to 1,000)]

Managing EMET: Any negative experiences?
• Can crash legitimate applications (DEP, ASR)
  – Testing! Testing! Testing!
• Technician acceptance
• Configuration drift
• Something happened with IE starting April 22 that SimExec doesn't like

Managing EMET: Any negative experiences?
• No central administration console! (rumored to change soon)
  – Configuration tweaks are a challenge
  – Challenges with metrics...
  – ...but a federal TLA has made getting them much easier!
    • https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
    • I can't say enough about the value of this document – write the URL down!!!!

Looking Forward: What excites me about EMET?
• Interesting opportunities for ASR customizations (Ever tried to disable Java in IE? Die, old Java, DIE!)
• Cert pinning for internal servers annoys the pen testers (SSL/TLS MiTM no more workey)
• EMET can protect server processes (IIS, SMB, RDP) from memory-based exploits too
• Keeping the watcher web filter/IDS honest

Should I install EMET?
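The metrics slides above track two numbers, total EMET hits and unique machines reporting per month, and ask what they mean: a mitigation firing in one app on one PC reads very differently from the same mitigation firing in IE across the fleet after April 22. The Python below is an added example, not the deck's own tooling and not Microsoft's; it assumes EMET events have already been forwarded and collected (as the NSA event-log guide describes) and works on constructed sample records, so the field names and the "widespread pair = compatibility problem" heuristic are this example's assumptions, not EMET's schema.

```python
"""Compute the two EMET metrics from the deck (total hits and unique machines
per month) and separate fleet-wide compatibility noise from isolated hits.

Added example, not from the deck or from Microsoft. The event records are
constructed to resemble what a collector would pull from forwarded EMET
Application-log events; the field names are assumptions, not EMET's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class EmetEvent:
    when: datetime
    machine: str       # reporting computer name
    process: str       # image name EMET reported
    mitigation: str    # e.g. "DEP", "SimExecFlow", "EAF"
    blocked: bool      # False means the mitigation ran in Audit Only mode


# Constructed sample: a burst of IE/SimExecFlow hits across several PCs
# (compatibility problem) plus two isolated hits on an old line-of-business
# app (placeholder name "legacyapp.exe").
SAMPLE_EVENTS = [
    EmetEvent(datetime(2015, 4, 22, 9, 5), "PC-101", "iexplore.exe", "SimExecFlow", True),
    EmetEvent(datetime(2015, 4, 23, 10, 12), "PC-102", "iexplore.exe", "SimExecFlow", True),
    EmetEvent(datetime(2015, 4, 23, 14, 40), "PC-103", "iexplore.exe", "SimExecFlow", True),
    EmetEvent(datetime(2015, 4, 24, 8, 3), "pc-101", "IEXPLORE.EXE", "SimExecFlow", True),
    EmetEvent(datetime(2015, 4, 28, 16, 20), "PC-207", "legacyapp.exe", "EAF", True),
    EmetEvent(datetime(2015, 5, 4, 11, 30), "PC-102", "iexplore.exe", "SimExecFlow", True),
    EmetEvent(datetime(2015, 5, 6, 13, 15), "PC-310", "legacyapp.exe", "HeapSpray", False),
    EmetEvent(datetime(2015, 5, 11, 9, 45), "PC-104", "iexplore.exe", "SimExecFlow", True),
]


def monthly_metrics(events):
    """Return {"YYYY-MM": {"hits": n, "unique_machines": m}} per month seen.
    Machine names are case-folded so "pc-101" and "PC-101" count once."""
    hits = defaultdict(int)
    machines = defaultdict(set)
    for ev in events:
        month = ev.when.strftime("%Y-%m")
        hits[month] += 1
        machines[month].add(ev.machine.lower())
    return {m: {"hits": hits[m], "unique_machines": len(machines[m])}
            for m in sorted(hits)}


def widespread_pairs(events, min_machines=3):
    """Process/mitigation pairs firing on at least min_machines distinct PCs.
    Heuristic (an assumption of this example): the same mitigation tripping
    in the same application fleet-wide usually means an application
    compatibility problem to test and tune, not a targeted attack.
    Returns [(process, mitigation, machine_count)], most widespread first."""
    by_pair = defaultdict(set)
    for ev in events:
        by_pair[(ev.process.lower(), ev.mitigation)].add(ev.machine.lower())
    found = [(p, m, len(s)) for (p, m), s in by_pair.items() if len(s) >= min_machines]
    return sorted(found, key=lambda t: (-t[2], t[0], t[1]))


def isolated_hits(events):
    """Process/mitigation pairs seen on exactly one machine: the events worth
    a human look first, since a lone hit is where a real exploit attempt
    would show up. Returns [(process, mitigation, machine, blocked)]."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.process.lower(), ev.mitigation)].append(ev)
    out = []
    for (p, m), evs in by_pair.items():
        if len({e.machine.lower() for e in evs}) == 1:
            out.extend((p, m, e.machine.lower(), e.blocked) for e in evs)
    return sorted(out)


if __name__ == "__main__":
    for month, stats in monthly_metrics(SAMPLE_EVENTS).items():
        print(month, stats)
    print("likely compatibility issues:", widespread_pairs(SAMPLE_EVENTS))
    print("triage first:", isolated_hits(SAMPLE_EVENTS))
```

The split matters for the "what do the numbers mean?" question: a month's hit count can be dominated by one misbehaving application (the IE/SimExecFlow pattern above), and raw totals then say more about configuration drift than about attackers. Reporting the widespread pairs and the isolated hits side by side, rather than one total, is what makes the chart actionable for both the technicians tuning profiles and the people watching for malicious activity.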
Looking Forward: Should I install EMET?
• Out of the box, EMET seems like a no-brainer for:
  – Home computers
  – Smaller organizations with minimal signature-based protection tools and/or budget
  – Computers with old OS and/or software vulnerable to memory exploits
• With lots of testing, EMET may be good for:
  – Medium or large organizations with limited budget and enough time and staff to provide care, feeding, and reporting on EMET activity

Looking Forward: Final Words
• Focus on things like NIST 800-53 or SANS Top 20 controls – EMET isn't a cure-all.
• That new 0-day just announced – you just might already be protected.
• If you have a specific piece of old software that you think/know is vulnerable – EMET can help. Mitigations aren't limited to defaults.
• Realize that EMET takes time and management overhead. If you don't have lots of time, a more enterprise-focused anti-exploit solution might be a better option for you.

There are 10 types of people in this world... Those who understand binary and those who do not.

Resources and Credits
- Brian Krebs, EMET overview: http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/
- Cisco 2015 Annual Security Report
- Microsoft EMET Mitigations and Guidelines: http://support.microsoft.com/kb/2909257
- Microsoft EMET User's Guide (Program Files directory)
- Microsoft Security Intelligence Report, Volume 17, 2014
- NSA on Windows Event Log Analysis and Reporting: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
- NSS Labs Corporate AV/EPP Comparative Analysis – Exploit Protection, 2013
- Verizon Data Breach Investigations Report, 2014
And thanks to en.wikipedia.org and Microsoft TechNet for data on several of the specific mitigations!

Have questions for me? brandenm at gmail dot com
Chuck Norris can get meaningful data from /dev/null
Questions?