Improve Your Readiness To Defeat Meltdown & Spectre

January 11, 2018 | Sacha Dawes

You were just getting back into the swing of things after bringing in the New Year, and it happened. Like a huge firework exploding with a thump that you can feel through your body, the news of Meltdown and Spectre hit the media on January 3, 2018.

Since the official disclosure of Meltdown and Spectre, there has been a flurry of news articles, as well as activity by the major processor and operating system vendors, and the community at large, to address these significant flaws. But, just what are these flaws, how are you impacted, and what should you do about them?

About Spectre and Meltdown

Discovered by researchers including Google Project Zero, several academic institutions, and some private companies, Spectre and Meltdown exploit design flaws present in nearly all processors manufactured since 1995 that enable exfiltration of data from the CPU cache. Without getting into too much detail:

  • Meltdown (outlined in CVE-2017-5754) impacts Intel and Apple processors, and exploits the Intel Privilege Escalation and Speculative Escalation processor functions to read any memory on the system and execute code on the system.
  • Spectre (outlined in CVE-2017-5715 and CVE-2017-5753) affects chips manufactured by Intel, Apple, ARM and AMD, and exploits the Branch Prediction and Speculative Execution processor functions to allow access to another user’s data within the same application, or even data from another application.

But, “What is speculative execution and branch prediction?” I hear you ask. The quick explanation is that these are functions that were designed to increase the performance of the chip by predicting what the application or system needs next. If it predicts correctly, then the processed information becomes immediately available. It’s similar in concept to a fast food restaurant that prepares your food before you arrive, so that you don’t have to wait in line while they cook it. Of course, if you want a deeper explanation of the technology and the exploits, you can read the technical papers published on Meltdown and Spectre.

A quick summary of the attacks can be seen in the following table, based on information from Daniel Miessler.

Am I At Risk?

More than likely you are at risk, given that the flaws affect nearly every processor manufactured from 1995 through to today. However, both exploits require that code be executed directly on the system, requiring access as a local administrator or user. This typically makes these vulnerabilities difficult to exploit, although the Spectre flaw could be exploited through a JavaScript-based attack via unpatched browsers (noting that patches for many popular browsers have already been issued, so be sure to update them!).

Are There Any Known Attacks That Use Meltdown or Spectre?

So far, Meltdown and Spectre are not known to have been used to steal data. That said, compromise can be difficult to detect. The AlienVault Labs Security Research Team has seen samples of malware attempting to exploit the vulnerabilities, though most are variants of the samples provided by the research teams who discovered Meltdown and Spectre. Chris Doman, one of our lead security researchers, has been updating information within the AlienVault Open Threat Exchange (OTX) on different samples he has discovered, such as the ones on Spectre that he has published on OTX.

Are There Fixes Available?

Yes and no.

Typically, whenever reputable researchers report vulnerabilities to technology manufacturers, there is a window of time before the researchers will go public with their findings. With Meltdown and Spectre, updates were released for some variants of Linux and Apple operating systems towards the end of 2017 that started to address the processor flaws. Inquisitive minds questioned the ‘why’ behind those updates, and after mounting pressure, the researchers felt compelled to publish their findings earlier than expected.

The chip manufacturers and vendors of popular operating systems have been hard at work issuing patches for customers to deploy. Public cloud environments, including AWS, Google, and Microsoft Azure, report that they have patched their systems. That said, while a number of patches are available, many are still in development. Even for those that have been released there is still room for optimization, since many who have applied the patches – to both hardware and operating systems – have seen a slowing in system performance, and in some cases even crashing of their system!

What Should I Do About It?

There are a number of steps that you can, and should, put in place to protect yourself against Meltdown and Spectre:

  • Identify systems that are vulnerable. A private project on GitHub has been set up that is currently tracking some of the available patches for Meltdown and Spectre, but you should check with processor and operating system vendors for the latest information on detecting and patching the vulnerabilities on your systems.
  • Evaluate and fully test the available patches for your different systems. While the general recommendation is to apply patches as soon as they become available, check for any potential side effects and weigh them against your business needs. When it makes sense, apply those patches where possible.
  • Implement the same protections for any malware or ransomware. While we are not aware of any attacks that have leveraged the Meltdown and Spectre exploits, there are no guarantees on if or when an attack may surface. As such, follow best practices to defend against any malware attack, including:
    • Evaluate the need for services (e.g. SMB), and disable those that are not required
    • Architect your environment to include network segmentation, and a least-privilege model, to limit ability for any ransomware to traverse the network
    • Train your organization on how to watch for phishing attempts, and how to report and protect your organization if they think they’ve become infected
    • Implement a backup plan with offline backups
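For the first step above, identifying which systems are still exposed, the following is an added example (not part of the original post or an AlienVault tool) that reads the mitigation status a Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/, the Linux counterpart to the Microsoft PowerShell script mentioned later; it assumes a kernel recent enough to publish that interface, and treats a missing interface as unpatched.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux host by
# reading the kernel's sysfs vulnerability files (one file per issue, e.g.
# meltdown, spectre_v1, spectre_v2). The directory is a parameter so the same
# check can run against a copied snapshot or constructed test data.

# classify_status STATUS_LINE -> prints one of:
#   not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vuln_dir [DIR] -> prints "<issue> <class> <raw status>" per file.
# Returns 1 if any issue is still vulnerable, 2 if the directory is missing
# (kernel too old to report, so assume unpatched), 0 otherwise.
check_vuln_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no sysfs report at $dir: assume unpatched" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-12s %-13s %s\n' "$issue" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# Run against the live host only when explicitly asked, e.g.
#   RUN_LIVE=1 sh spectre_check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_vuln_dir "${1:-}"
    exit $?
fi
```

A non-zero exit code makes the script usable from inventory or configuration-management jobs that flag hosts still needing the patch step that follows.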

Use AlienVault USM to Detect Systems Vulnerable to Meltdown and Spectre, and Attacks That May Use Their Exploits

AlienVault USM Anywhere unifies the power of asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, SIEM, and log management in one console, giving you complete and centralized security visibility of your on-premises, cloud, and hybrid environments. Specifically as it relates to Meltdown and Spectre, AlienVault USM can help you:

  • Detect new assets that may have been added to your environment, so that you can determine if they are vulnerable to attack.
  • Identify vulnerable systems, automatically scanning and identifying assets that are vulnerable to Meltdown, Spectre, and other discovered vulnerabilities. You can also easily run the PowerShell script provided by Microsoft across your Windows assets directly within the USM platform using the Forensics and Response App, all from within the AlienVault USM console.
  • Detect intrusions and attacks from malware that is exploiting Meltdown or Spectre on unpatched systems, as well as detect activities that could indicate malware, such as network traffic to a known malicious IP address.

In addition, integrated Threat Intelligence makes sure that the USM platform stays up to date with the knowledge to detect the latest vulnerabilities and detect the latest threats. Already AlienVault USM customers have the ability to detect vulnerabilities related to Meltdown and Spectre, and detect attacks using the samples provided by Google Project Zero and other researchers. As we look ahead, this will also ensure that should new vulnerabilities or attacks hit the wild, AlienVault USM customers will receive the latest intelligence from AlienVault Labs or from contributors within the over 65,000 participants of the Open Threat Exchange (OTX).

Ultimately, whether an attack exploits Meltdown or Spectre or leverages other methods, the unified approach delivered by AlienVault USM is the most effective way to combat existing and emerging threats, and gives you all the threat context you need to detect, investigate, and respond to an emerging threat—all in a single pane of glass.


About the Author: Sacha Dawes, AlienVault
Sacha joined AlienVault in Feb 2017, where he is responsible for the technical marketing of the AlienVault Unified Security Management (USM) family of solutions. He brings multiple years of experience from product management, product marketing and business management roles at Microsoft, NetIQ, Gemalto and Schlumberger where he has delivered both SaaS-delivered and boxed-product solutions that address the IT security, identity and management space. Originally from the UK, Sacha lives in Austin, TX.