Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Download as PPTX, PDF3 likes5,333 views
The document provides an overview of the Meltdown and Spectre vulnerabilities, including their impact on various CPU types and the methods of exploitation. It discusses the importance of detecting these vulnerabilities, available software patches, and recommendations for protecting systems, such as implementing Alienvault's USM Anywhere for continuous monitoring and threat detection. The document also highlights the role of threat intelligence and practical measures organizations should adopt to mitigate risks associated with these vulnerabilities.
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
- 1. Jeff Olen, Senior Product Manager, AlienVault Kate MacLean, Senior Product Marketing Manager, Cisco Sacha Dawes, Principal Product Marketing Manager Meltdown and Spectre – How to Detect the Vulnerabilities and Exploits
- 2. 2 In this Webcast What are Meltdown and Spectre, and their impact? Detecting and Protecting your Environments with AlienVault® USM Anywhere™ USM Anywhere Live Demo Ask Us Questions!
- 3. 3 The News Since Jan 3rd 2018
- 4. 4 Timeline Google informs affected companies of Spectre flaw June 2017 Google informs affected companies of Meltdown flaw July 2017 Vulnerabilities made public Jan 2018 First CPUs susceptible to Spectre/Meltdown shipped Jan 1995
- 5. 5 Comparing Meltdown & Spectre Meltdown Spectre Affected CPU Types Intel, Apple Intel, Apple, ARM, AMD Attack Vector Execute Code on the System Execute Code on the System Method Intel Privilege Escalation & Speculative Execution (CVE-2017-5754) Branch Prediction & Speculative Execution (CVE-2017-5715 / -5753) Exploit Path Read Kernel Memory from User Space Read Memory Contents from Other Applications Remediation Software Patches Software Patches Source: “A Simple Explanation of the Differences Between Meltdown and Spectre (Jan 3 2018)”, Daniel Miessler, https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/
- 6. 6 What Have AlienVault Labs Seen? • Meltdown or Spectre are not known to have been used to steal data That said, compromise can be difficult to detect • AlienVault Labs has seen samples of malware attempting to exploit the vulnerabilities Most are variants of the samples provided by the disclosing teams Source: https://otx.alienvault.com/pulse/5a50d6d41f9dd76baa10458c
- 7. 7 Are Software Patches Available? • Yes – Early software patches exist for: Devices: Apple devices, Surface & Surface Book, Android devices OS: Windows, various Linux distributions (CentOS, Red Hat, Fedora and Ubuntu) Cloud providers (AWS, Azure, Google) indicate they’ve patched • GitHub* has the latest status on patches • When applying patches, some have seen System slowdowns System crashes Source: https://medium.com/implodinggradients/meltdown-c24a9d5e254e * https://github.com/hannob/meltdownspectre-patches
- 8. 8 Decrease Your Risk from Meltdown and Spectre • Evaluate and fully test the available patches for your different systems Apply those patches where possible • Apply the same protections for any malware or ransomware Evaluate need for services (e.g. SMB), and disable those that are not required Architect your environment to include network segmentation, and a least-privilege model, to limit ability for any ransomware to traverse the network Train your organization on how to watch for phishing attempts, and how to report and protect your organization if they think they’ve become infected Implement a backup plan with offline backups • Deploy AlienVault USM Anywhere to detect vulnerabilities and threats that could be Meltdown/Spectre sourced across your cloud, on-premises & hybrid environments
- 9. 9 Vulnerability Assessment Know where the vulnerabilities are to avoid easy exploitation and compromise Behavioral Monitoring Identify suspicious behavior and potentially compromised systems Intrusion Detection Know when suspicious activities happen in your environment SIEM Log Management Correlate, analyze, and report on security event data from your network Asset Discovery Know who and what is connected to your cloud or on-premises environments at all times AlienVault USM Anywhere: A Unified Approach to Threat Detection & Response
- 10. 10 Actionable Threat Intelligence Powered by AlienVault Labs Security Research • AlienVault researches emerging threats–so you don’t have to • Continuous Threat Intelligence updates built into your USM Anywhere include: • Correlation directives • IDS signatures • Vulnerability audits • Asset discovery signatures • IP reputation data • Data source plugins & AlienApps • Incident response guidance Supplemented by the AlienVault Open Threat Exchange™ (OTX) • The world’s first truly open threat intelligence community • Collaborate with 65,000+ global participants to investigate emerging threats in the wild • Pulses created within minutes of the first detection of an in-the-wild attack • Subscribe to threat research updates from 73 public groups and other OTX contributors • Leverage the latest OTX threat intelligence directly in your AlienVault USM environment Optimize Threat Detection & Response
- 11. 11 Automate & Orchestrate Containment Cloud InfrastructureProductivity Apps IT VirtualizationIT OperationsIT Security A Growing “Galaxy” of AlienApps Respond Automate and orchestrate your threat responses for efficiency Monitor AlienApps collect and enrich data from your environment Detect USM Anywhere uses that data to detect threats and alerts you
- 13. 13 Decrease Your Risk from Meltdown and Spectre • Evaluate and fully test the available patches for your different systems Apply those patches where possible • Apply the same protections for any malware or ransomware Evaluate need for services (e.g. SMB), and disable those that are not required Architect your environment to include network segmentation, and a least-privilege model, to limit ability for any ransomware to traverse the network Train your organization on how to watch for phishing attempts, and how to report and protect your organization if they think they’ve become infected Implement a backup plan with offline backups • Deploy AlienVault USM Anywhere to detect vulnerabilities and threats that could be Meltdown/Spectre sourced across your cloud, on-premises & hybrid environments
- 14. 888.613.6023 ALIENVAULT.COM CONTACT US HELLO@ALIENVAULT.COM Test Drive USM Anywhere in our Online Demo: Get instant access, no download, no install https://www.alienvault.com/products/usm-anywhere/demo Try it for Free in your Environment : Start detecting threats in less than an hour https://www.alienvault.com/products/usm-anywhere/free-trial Review Pricing and Get a Quote: Multiple tiers available, low annual subscription pricing https://www.alienvault.com/products/usm-anywhere/pricing Questions?
Editor's Notes
- #4: Petya would typically launch the UAC window. If the user did not give access, Mischa would take on.
- #8: More patches will come Linux KPTI (Kernel Page Table Isolation) patch, originally named KAISER
- #9: AlienVault’s threat intelligence can help pinpoint bad IP addresses of ransomware C2 servers
- #13: Want to see orchestration rules in action – use case example Hybrid coverage
- #14: AlienVault’s threat intelligence can help pinpoint bad IP addresses of ransomware C2 servers