Browser Attacks...
The new trend seems to be growing and growing. Browser attacks are a major threat, and mitigation of this enormous risk is a daunting task. It seems not a month goes by without a new 0-day browser attack, and more specifically Internet Explorer (WMF, SWF, VML, WebFolderView Icon) vulnerabilities.
So what can a Security Operations team do? Do you depend on your Intrusion Detection Signatures? What about all the unpublished 0-day vulnerabilities for IE? How do you detect those? Obviously no corporate infrastructure is going to support the disabling of web browsing (even for personnel who have no business use for it). Proxying and blocking blacklisted sites helps, but too many new sites are being created to keep up with. What is the solution to mitigating the threat from this attack vector?
Correlation, Correlation, Correlation... It is essential these days for major corporate environments to be using Event Correlation tools to detect attacks. The ability to correlate F/W, Syslog, Proxy Logs, IDS logs and even desktop A/V events provides amazing visibility into the activities of your users. Ensure you have visibility into your desktop environment (i.e. NIDS or HIDS). If you don't see the initial attack and you have no visibility into your desktop environment, the attacker will make short work of your PCs.
If you're not doing, or even considering doing, some of these things... then you are just baking a Security Cake and you are ripe for the picking. Attackers are going to waltz through your network via your users' IE sessions and say "Have another pancake...."
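To make the correlation idea concrete, here is a small added example (not code from the original post, and not any particular product's logic) of the kind of rule a SOC would run: it pivots on each IDS alert for a host and looks for a proxy fetch by that same host shortly before the alert and a desktop A/V event shortly after. Three sources agreeing is treated as a confirmed browser-exploit chain, IDS plus proxy as probable, IDS alone as unconfirmed. The log lines, IP addresses, URLs and the five-minute window are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Format: source|timestamp|host_ip|detail
SAMPLE_EVENTS = """\
proxy|2006-09-20 09:01:05|10.1.2.33|GET http://intranet.example/news.html 200
proxy|2006-09-20 09:03:12|10.1.2.33|GET http://ads.example.net/banner.vml 200
ids|2006-09-20 09:03:14|10.1.2.33|WEB-CLIENT suspicious VML fill method
av|2006-09-20 09:03:40|10.1.2.33|Quarantined dropped file c:\\temp\\svc.exe
proxy|2006-09-20 09:10:00|10.1.2.44|GET http://intranet.example/news.html 200
ids|2006-09-20 11:30:00|10.1.2.44|WEB-CLIENT suspicious VML fill method
proxy|2006-09-20 09:20:00|10.1.2.55|GET http://ads.example.net/banner.vml 200
"""


def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, ts, host, detail = line.split("|", 3)
        events.append({
            "source": source,
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "detail": detail,
        })
    return events


def correlate(events, window=timedelta(minutes=5)):
    """Return one incident per IDS alert, rated by how many other sources corroborate it.

    A proxy request from the same host within `window` before the alert and an
    A/V event within `window` after it are the corroborating signals.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        for alert in (e for e in evs if e["source"] == "ids"):
            before = [e for e in evs if e["source"] == "proxy"
                      and alert["time"] - window <= e["time"] <= alert["time"]]
            after = [e for e in evs if e["source"] == "av"
                     and alert["time"] <= e["time"] <= alert["time"] + window]
            sources = {"ids"}
            if before:
                sources.add("proxy")
            if after:
                sources.add("av")
            if sources == {"ids", "proxy", "av"}:
                verdict = "confirmed"
            elif "proxy" in sources:
                verdict = "probable"
            else:
                verdict = "unconfirmed"
            incidents.append({
                "host": host,
                "time": alert["time"],
                "verdict": verdict,
                "sources": sorted(sources),
                "urls": [e["detail"] for e in before],  # what the browser fetched just before
            })
    # Deterministic order for reporting and testing.
    incidents.sort(key=lambda i: i["time"])
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_events(SAMPLE_EVENTS)):
        print(inc["time"], inc["host"], inc["verdict"], inc["sources"], inc["urls"])
```

Note that the host at 10.1.2.55 fetched the same suspicious URL but produced no IDS or A/V event, so it never surfaces here; that is exactly the blind spot the post warns about, and why the proxy log alone is not enough without desktop visibility.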
