
Q&A from our webinar, "Meltdown and Spectre – How to Detect the Vulnerabilities and Exploits"

spdawes

Yesterday (Jan 9, 2018) we ran a webcast on "Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits".



We had a lot of questions that we were unable to get to within the available time, so below is a list of questions and our responses for you to look through. Feel free to comment or ask further questions on these.

Thanks!

Sacha Dawes
Principal, Product Marketing



Are there vulnerability signatures already in USM to detect Meltdown/Spectre-specific vulnerabilities?

There are multiple vulnerability signatures already available within the USM platform to detect hosts / assets that are at risk from the Meltdown and Spectre vulnerabilities. As updated vulnerabilities and patches become available, these will be made available to AlienVault USM customers immediately via the integrated threat intelligence.

 

You said this can read code that may not have been wished to be read. Is this code that is legitimate that should have other parameters in place to execute or is this hacker coding?

Meltdown and Spectre are codenames given to vulnerabilities within the architecture of Apple, Intel, ARM, and AMD processors. Malicious software (malware) can be written that exploits these vulnerabilities, and that could facilitate sensitive / personal data being read from different applications running on that system.

 

Does this work with SonicWALL or replace?

AlienVault USM Anywhere is not a firewall like SonicWALL.  It is designed to detect threats, help respond to incidents, and support compliance efforts.  We do have the ability to consume SonicWALL data, however, which can then be used as part of the data analysis / correlation part of the solution.

 

Are Intel and ARM working on microcode or bios fixes/patches?

At the time of writing there have been different responses from different processor manufacturers on what they recommend to mitigate the risk. Some are working on firmware updates, others recommend installing patches from the operating system vendor. In many cases, processor vendors will have to rethink their design, and more news on this will no doubt be reported in the near future.

 

Can you share IOC details for those vulnerabilities?

Vulnerabilities are detected based on analysis of what is currently installed within the asset (e.g. software version, patches, and so on). Indicators of Compromise (IOCs) are used to detect threats, such as network traffic headed to a known malicious IP address, or file hashes that could indicate known malicious code. We recommend you log in (or create a free account in) the Open Threat Exchange (OTX) to stay abreast of any IOC updates.

 

When scanning servers and desktops, does this application require an agent to be present on those systems?

No.  The AlienVault sensor resides on the network (and cloud environments) and can scan the systems that are in those environments, respectively.

 

For Virtual Machines, do we apply patches both at the Hypervisor and also Guest OS level? 

At this time, the guidance is to both patch the hypervisor and the Guest OS as and where applicable.


Is USM Anywhere a cloud or on-premises solution?

AlienVault USM Anywhere is a SaaS security management solution that delivers threat detection, incident response, and compliance management across your on-premises, cloud, and hybrid environments and applications.


So is USM Anywhere strictly a threat / vulnerability detection system, or does it offer prevention capabilities as well?

AlienVault USM Anywhere allows you to detect and respond to vulnerabilities and threats. Built-in IT security orchestration facilitates automated responses to detected threats, such as isolating a system infected by malware that exploits the Meltdown or Spectre vulnerabilities.

 

Are there any patches that could be applied immediately for Windows or Linux operating systems that have been shown to not affect performance, or is waiting on all patches recommended?

AlienVault recommends that customers test any patch before they apply it to their production environments, to ensure that it performs to their satisfaction.

 

Can you please provide the Github URL for the updates?

The meltdownspectre-patches repository is a private GitHub project, run by Hanno Böck, that is currently tracking the available patches for different operating systems. It can be accessed at https://github.com/hannob/meltdownspectre-patches.

 

Would OSSIM be able to make these detections?

OSSIM does not ship with our Threat Intelligence Subscription.  That is available through our commercial product only. For more information on the differences between OSSIM and USM, please refer to this product comparison page: https://www.alienvault.com/products/ossim/compare

 

Does encrypting at rest reduce your risk of exploitation? 

Not necessarily, as the state of the data as it is stored in memory is dependent upon the application logic and what is being processed. For example, applications may first decrypt any encrypted data before performing additional processing operations on that data, and may be at risk while in the unencrypted state.

 

We don’t have the cloud version of AlienVault USM. Do we have to update the AlienVault USM Appliance database to detect the vulnerability?

The intelligence required to detect the Meltdown and Spectre vulnerabilities is available to USM Appliance customers with an active threat intelligence subscription. Customers who are running version 5.4 of the USM Appliance have the ability to automatically update threat intelligence within the product. Where an earlier version of USM Appliance is deployed, a manual update of the latest threat intelligence is required. This forum post provides the steps to follow to manually update threat intelligence: https://www.alienvault.com/forums/discussion/4345/how-to-update-alienvault-usm-threat-intelligence


Perhaps a good idea to specify that Spectre attacks only affect Linux, not Windows.

Both Spectre and Meltdown can affect Windows and Linux operating systems. For details on what Microsoft has done to address these vulnerabilities on different Microsoft operating systems, you can review Microsoft's blog at https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems.

 

Can we identify the compromised machines?

AlienVault USM can help customers identify which of their assets are vulnerable to compromise by Meltdown and Spectre, and help guide what patches are available to install to mitigate the risk.

 

I am a new AlienVault Customer.  Is there further training available on the AlienVault USM Anywhere platform that would show me how to utilize the tools that are available?

Yes! Here's a set of self-paced training modules you can check out: https://www.alienvault.com/training/self-paced-training#usm-anywhere

 

How do we use AlienVault USM in HIPAA and PCI-DSS?

Great question, but one that requires a bit more of a comprehensive answer.  The short version is that USM Anywhere is both HIPAA and PCI DSS compliant and highly applicable for both compliance regulations. You can find more information on our website at https://www.alienvault.com/solutions/it-compliance-management.

 

How can you detect Spectre and Meltdown for customers that have the USM Appliance solution instead of USM Anywhere?

AlienVault USM Appliance customers with an active threat intelligence subscription will receive the content required to detect Spectre and Meltdown vulnerabilities.

 

Does USM support containers? Docker, in particular?

The USM platform does not currently support monitoring of containers, but we are currently investigating a solution.

 

Have there been any examples of Spectre and Meltdown malware in the wild yet?

At the time of writing there are no known examples of successful exploits that have taken advantage of the Meltdown and Spectre vulnerabilities. However, the AlienVault Labs Security Team has seen some test malware samples in the wild that are largely based on the example exploit code provided by Google Project Zero and other researchers who discovered the vulnerabilities.

 

Are the PowerShell scripts that were demonstrated available in USM Appliance, or only in USM Anywhere?

USM Anywhere includes a new app construct we call AlienApps.  The Forensics and Response App, which allows you to run PowerShell scripts and calls, is something that is only available with USM Anywhere.  We do include the vulnerability signatures and IDS signatures, however, with the USM Appliance product.


Are there any patch management capabilities built into USM that would push patches to vulnerable systems?

We do not have the ability to apply available patches, only run vulnerability assessment to identify which systems are vulnerable.

 

Is Carbon Black included with an AlienVault subscription or is that a separate product that just works with USM?

Carbon Black is a separate product to AlienVault USM that you have to procure independently from your AlienVault USM purchase (you can find Carbon Black's site at https://www.carbonblack.com/). We have built an integration with Carbon Black to facilitate the response actions to isolate an infected endpoint, as was demonstrated within the product demo.
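The answer on IOCs above describes vulnerability detection as checking what is installed on an asset (software versions, patches) rather than watching for indicators of compromise. As an added illustration of that kind of host check, and not AlienVault's own code, the Python below classifies a Linux host's Meltdown/Spectre exposure from the kernel's sysfs mitigation status files, an interface the post itself does not mention and which is assumed present only on kernels that ship the mitigations; the two snapshots are constructed sample data standing in for files read from real hosts.

```python
"""Classify Meltdown/Spectre exposure of a Linux host from sysfs status lines.

Added example, not AlienVault code. Assumes kernels carrying the mitigations
expose /sys/devices/system/cpu/vulnerabilities/<issue>, each a single line
reading "Not affected", "Vulnerable[: detail]" or "Mitigation: <name>".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed snapshots, as a sensor might collect them from two hosts.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def classify(status: str) -> str:
    """Map one sysfs line to a finding: 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty or unrecognised text: do not assume it is safe


def assess(snapshot: dict) -> dict:
    """Return {issue: finding}. A missing file means the kernel predates the
    mitigation code, so it is reported as 'unknown' and treated as at risk."""
    return {issue: classify(snapshot.get(issue, "")) for issue in ISSUES}


def at_risk(snapshot: dict) -> list:
    """Issues that still need a patch or a closer look on this host."""
    return sorted(i for i, f in assess(snapshot).items() if f != "ok")


def read_live() -> dict:
    """Read the real files from this host; empty dict if the directory is absent."""
    if not SYSFS_DIR.is_dir():
        return {}
    return {p.name: p.read_text() for p in SYSFS_DIR.iterdir() if p.is_file()}


if __name__ == "__main__":
    for name, snap in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED),
                       ("this host", read_live())):
        print(f"{name}: at risk for {at_risk(snap) or 'nothing'}")
```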


Comments

  • edited January 11

    A few of you have called our support team to ask what exactly we have within AlienVault USM to help you detect assets vulnerable to, or under attack from, Meltdown and Spectre.

    Through our integrated threat intelligence, along with intelligence also from the AlienVault Open Threat Exchange (OTX), AlienVault USM customers have the ability to:

     

    • Identify the latest disclosed vulnerabilities relating to Meltdown / Spectre across popular operating systems and applications.

    • Detect malware that leverages the malware examples provided by the researchers (including Google Project Zero) who reported the threat. The fact is that today there is no known malware from malicious actors, although AlienVault Labs and the OTX community continue to monitor the scene.

    • Detect IOCs of malware, such as communication to a known malicious IP address. As such, if/when malware does appear that exploits a Meltdown/Spectre vulnerability there’s a good chance that it’s already in the system, or will be reported / updated quickly by AlienVault Labs or the OTX community.

    Overall, this underscores the value of threat intelligence. As mentioned, today there is no known malware that has taken advantage of these new vulnerabilities. However, as soon as any new threat appears in the wild (whether exploiting Meltdown/Spectre or some other vulnerability), it will be picked up by AlienVault Labs and the over 65,000 participants of the OTX community, and new IOCs, correlation rules, vulnerability signatures, and more will be available to AlienVault USM customers.


