Batten down the hatches

Four core questions that every security team must ask itself to develop its strategy in dealing with attacks.

Massive software vulnerabilities have been surfacing with increasingly high visibility, and the world’s computer administrators are repeatedly thrust into the cycle of confusion, anxiety, patching and waiting for the Next Big One. The list of high profile vulnerabilities in widely used software packages and platforms continues to rise. A recent phenomenon has researchers borrowing from the National Hurricane Center’s tradition, to introduce a vulnerability with a formal name. Similar to hurricanes and weather scientists, security researchers, analysts, and practitioners observe and track vulnerabilities as more details unfold and the true extent of the risk (and subsequent damage) is known.

Take for example the Android vulnerability released at the beginning of August, 2015. This vulnerability, named “Stagefright” after the application of the same name, can lead to remote code execution (RCE) through several vectors including MMS, email, HTTP, media applications, Bluetooth, and more. These factors, coupled with the fact that at its release there were no approved patches available for upwards of 95% of the world’s mobile Android footprint, mean the vulnerability is serious — especially to any organization with a significant Android population.

Many issues demand attention when a new high-severity vulnerability has been released. Assuming you are aware of an impending vulnerability, you need to have a well-vetted plan in place to protect your organization. This is even more important when you have no advance knowledge of a vulnerability, such as with a zero-day or an abrupt and unexpected disclosure. As detailed in our book, Crafting the Infosec Playbook, there are four core questions that every security team must ask itself to develop its strategy in dealing with attacks:

  • What are we trying to protect?
  • What are the threats?
  • How do we detect them?
  • How do we respond?

To prepare for the vulnerability we need to start by understanding how it works and what platforms it affects. With that information, we can take a closer look at our environment to determine the risk. The working formula is that threat multiplied by exposure equals total risk. With Stagefright, to determine what we need to protect we can ask ourselves several more questions. How many Android devices are on the network? How many are running a vulnerable version of the software? Do we have ownership or contact details for all devices? Are there any devices internally running embedded versions of Android? How many Android devices are protected with our host-based controls, and how many are not?
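The exposure questions above turn into a simple tally once there is a device inventory to run them against. The script below is an added example, not code from the post or from Crafting the Infosec Playbook. It assumes an inventory export with one record per device (constructed here) and a placeholder “fixed” security patch level; the real cut-off comes from the vendor advisory, not from this script. A device whose patch level is unknown is counted as vulnerable so that gaps in the inventory show up as exposure rather than disappearing.

```python
"""Exposure tally for a newly announced vulnerability.

Added example; not from the original post or the book. Assumptions:
  - an asset inventory export with one record per device (constructed below),
  - FIXED_PATCH_LEVEL is a placeholder; take the real cut-off from the advisory.
"""
from dataclasses import dataclass

# Placeholder cut-off (assumption): devices at or above this patch level are fixed.
FIXED_PATCH_LEVEL = "2015-09-01"


@dataclass
class Device:
    device_id: str
    platform: str          # "android", "ios", ...
    patch_level: str       # vendor security patch level as YYYY-MM-DD, "" if unknown
    owner: str             # contact on record, "" if none
    agent_installed: bool  # host-based control present?
    embedded: bool         # embedded/appliance build rather than a handset


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("d1", "android", "2015-08-01", "alice@example.com", True, False),
    Device("d2", "android", "2015-09-01", "bob@example.com", True, False),
    Device("d3", "android", "", "", False, True),
    Device("d4", "ios", "2015-08-13", "carol@example.com", True, False),
    Device("d5", "android", "2015-07-01", "", False, False),
]


def is_vulnerable(d: Device) -> bool:
    """Android below the fixed patch level, or with no patch level on record."""
    if d.platform != "android":
        return False
    # ISO dates compare correctly as strings; "" (unknown) fails closed.
    return d.patch_level == "" or d.patch_level < FIXED_PATCH_LEVEL


def exposure_report(devices) -> dict:
    """Answer the inventory questions: how many, how many vulnerable, and
    how many of those we cannot contact, cannot see, or cannot patch."""
    android = [d for d in devices if d.platform == "android"]
    vuln = [d for d in android if is_vulnerable(d)]
    return {
        "android_total": len(android),
        "vulnerable": len(vuln),
        "vulnerable_no_owner": sum(1 for d in vuln if not d.owner),
        "vulnerable_no_agent": sum(1 for d in vuln if not d.agent_installed),
        "vulnerable_embedded": sum(1 for d in vuln if d.embedded),
        "vulnerable_ids": sorted(d.device_id for d in vuln),
    }


if __name__ == "__main__":
    for key, value in exposure_report(INVENTORY).items():
        print(f"{key}: {value}")
```

The "no owner" and "no agent" counts are the ones that drive the response plan: a vulnerable device with no contact on record cannot be notified of a workaround, and one without a host-based agent leaves only the network controls for detection.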

Once we have an idea about our exposure, we look in closer detail at the threat itself. We know from researching the threat and reading all available material that the vectors for a successful attack require the delivery and execution of a corrupt MP4 file. We know that MMS-delivered exploits can occur with zero user interaction. We know that MP4 video files can be shared in a number of ways, and in fact, if properly developed, this set of vulnerabilities could evolve into a highly damaging worm that spreads to millions of unpatched Android devices. We know that the threats to our organization from successful exploitation of this vulnerability could be data loss, data exposure, surveillance, ransomware, or even more sinister operations like impersonation or fraud. We know that we have visibility and control into some of these vectors, but not all.

Now that we understand both the threat and the exposure, we can start to figure out how to detect when an Android device is attacked or when an Android device already appears to be compromised. We know that mobile devices can use wifi networks or mobile carrier networks — each a potential infection vector — but since we control our wifi networks, they offer finer control over our detection and response capabilities. We can develop custom IDS signatures that match details we uncovered by reversing or observing any exploit behaviors. We can develop custom rules or checks to look for malicious files on managed security agents for all participating Android clients. We can detect and block malware targeted towards Android devices on our external web security gateways. We can also search our data sources for threat-intelligence-sourced indicators (discovered either internally or externally) to determine if any of our Android devices have fallen victim to exploitation.
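The last step above, sweeping our own data sources for indicators, is the part that does not depend on having an agent on the device, so it is worth showing concretely. The script below is an added example, not code from the post or the book. It assumes a threat-intel feed expressed as sets of indicator values (file hashes, domains, MMS senders; every value here is a constructed placeholder), web gateway logs with the fields `timestamp device_id host sha256 content_type`, and MMS gateway records with `timestamp device_id sender sha256`. Hits are grouped per device and ranked higher when the device is on the list of vulnerable devices from the exposure tally, so the analyst triages the exposed population first.

```python
"""Sweep constructed gateway logs for threat-intel indicators.

Added example; not from the original post or the book. Assumptions:
  - INDICATORS mirrors a threat-intel feed; all values below are constructed,
  - web gateway log fields: ts device_id host sha256 content_type,
  - MMS gateway record fields: ts device_id sender sha256,
  - vulnerable_ids comes from a separate inventory check (here a constructed set).
"""

INDICATORS = {
    "sha256": {"a" * 64},            # constructed placeholder file hash
    "domain": {"bad.example.net"},   # constructed placeholder domain
    "sender": {"+15550001111"},      # constructed placeholder MMS sender
}

# Constructed sample log lines (not real traffic).
WEB_LOGS = [
    "2015-08-05T10:01:02Z d1 cdn.example.com " + "b" * 64 + " video/mp4",
    "2015-08-05T10:03:11Z d5 bad.example.net " + "a" * 64 + " video/mp4",
    "2015-08-05T10:04:40Z d4 www.example.com " + "c" * 64 + " text/html",
]
MMS_LOGS = [
    "2015-08-05T10:05:00Z d3 +15550001111 " + "d" * 64,
    "2015-08-05T10:06:00Z d1 +15559990000 " + "e" * 64,
]


def scan_web(lines, indicators=INDICATORS):
    """Yield (device_id, reason) for every web gateway line matching an indicator."""
    for line in lines:
        _ts, device, host, sha, _ctype = line.split()
        if host in indicators["domain"]:
            yield device, "domain"
        if sha in indicators["sha256"]:
            yield device, "sha256"


def scan_mms(lines, indicators=INDICATORS):
    """Yield (device_id, reason) for every MMS record matching an indicator."""
    for line in lines:
        _ts, device, sender, sha = line.split()
        if sender in indicators["sender"]:
            yield device, "sender"
        if sha in indicators["sha256"]:
            yield device, "sha256"


def sweep(web_lines, mms_lines, vulnerable_ids=frozenset()) -> dict:
    """Group indicator hits per device; priority is 'high' when the device is
    known-vulnerable from the inventory check, otherwise 'review'."""
    hits = {}
    for device, reason in list(scan_web(web_lines)) + list(scan_mms(mms_lines)):
        hits.setdefault(device, set()).add(reason)
    return {
        device: {
            "reasons": sorted(reasons),
            "priority": "high" if device in vulnerable_ids else "review",
        }
        for device, reasons in sorted(hits.items())
    }


if __name__ == "__main__":
    # Constructed: ids the exposure tally flagged as vulnerable.
    for device, detail in sweep(WEB_LOGS, MMS_LOGS, {"d1", "d3", "d5"}).items():
        print(device, detail)
```

Each scanner is a generator over one log source, so adding a third source (IDS alerts, agent file-scan results) means adding one more small function and feeding it into `sweep`; the grouping and prioritisation stay the same.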

Between the vulnerability announcement and exploitation phases, our response process involves notifying our clients of workarounds and patch availability, potentially even deploying patches directly ourselves. Response also entails ensuring there’s a system in place to isolate and remediate devices that become infected and/or start attacking other hosts and resources. We’ll work with IT and mobility subject matter experts to determine our capabilities to block remote and corporate wifi access and limit the amount of potentially sensitive device-resident data like email or documents.

Response also includes elements of communication. Who needs to be made aware of this vulnerability and how it can potentially affect our business? IT and support staff responsible for remediating the devices require a different understanding of the threat than business leaders tasked with prioritizing business functions against security needs. A solid communication plan must be in place to notify as many vulnerable clients as possible.

The idea behind the four questions approach is that it’s easily repeatable. Stagefright is only the vulnerability du jour. Tomorrow may bring another (or multiple) new threats that we as an Incident Response team must consider. Having an emergency response plan in place that allows us to scale laterally as new threats emerge enables us to defend ourselves and quickly recover when we become compromised. We call a large part of that plan the playbook as it describes in prescriptive detail how to detect and respond to particular threats. In Crafting the Infosec Playbook we dive into much greater detail on the many ways to answer the four questions. The Android Stagefright vulnerability is a great example to show how an organization might scramble its defenses in preparation for an attack, and how the playbook strategy applies in almost every manifestation of a security threat. When the next major vulnerability is released, will your organization be ready?
