October 10, 2012 / Rahul Kashyap

Introducing LAVA

When I say LAVA I mean the Live Attack Visualization & Analysis automated framework Gaurav and Simon mentioned in their recent vSentry announcement blogs. The intent of this blog is to introduce, at a high level, the new enhancements we’ve made to the Bromium Microvisor for enterprise security SOC teams. In future blogs I will dive deeper into technical specifics. LAVA was built after we received great feedback from our initial customers on the challenges they face in large, complex enterprise environments, and on how they currently deal with false positives, false negatives and remediation of endpoints. The current industry practice seems to be far from efficient, and we want to address this aspect by leveraging the advantages of micro-virtualization technology.

Today, it is very complex and time consuming to analyze and confirm attacks on the endpoint. Most of the time it can take days or even months before the attack gets identified. Confirmation and remediation of endpoint compromise is yet another painful process for large enterprises. Below is a representation of the typical ‘data theft cycle’ in an enterprise that the adversary takes advantage of.

LAVA was built with the following goals: provide visibility into the actual point of attack, and present *relevant* information in an actionable manner. We built an engine that provides relational, temporal and functional {R,T,F} evidence as the attack occurs. Micro-virtualization technology provides unique advantages in analyzing advanced malware targeting endpoints.

Each threat vector, such as rendering a particular website or opening a particular document, is isolated at the hardware layer in its own container (micro-VM), isolated from the underlying system, the network and the other websites and documents that are open (for more information check out the vSentry whitepaper). Because hardware-level virtualization (VT and EPT) is used, all CPU, memory, disk and network activity related to the threat vector passes through the Microvisor, thereby giving it perfect visibility of the attack. Unlike traditional detection engines that run within the compromised system, micro-virtualization uses micro-VM introspection to provide “outside in” detection of even advanced threats such as bootkits.

Another benefit of this architecture is the ability to analyze the post-exploitation behavior of an attack. Conventional detection technologies, such as anti-virus, have to stop an attack at the earliest possible stage to prevent infection of the system. Micro-virtualization provides the luxury of allowing an attack to execute safely, as it has already been isolated from the system. This provides a view into the typical kill chain of the attack: exploit -> execute -> escalate -> persist -> propagate. This helps dramatically reduce the attack response cycle for the enterprise.

Our ultimate goal is to make security operations more streamlined, automated and cost effective.

Let’s take the example of a simple drive-by download attack leveraging a Java exploit which then drops and executes the infamous Win7 x64 bootkit, Xpaj, from a publicly available sample. There are already enough technical details available from our friends in the security community on this bootkit. Xpaj was chosen just as an example to illustrate one of the capabilities of VM introspection and taint analysis post exploitation; this can be reproduced with any other real-world (root|boot)kit.

Here is how this attack plays out:

Internet Explorer 9 (latest SP) –> Java JVM exploited (CVE-2012-4681) –> execute XPAJ post exploitation.

The malicious changes made post exploitation by Java get tagged by the taint analysis graph inside the micro-VM, and the Java exploit initialization phase is highlighted as shown in the graph. XPAJ (like many others in this category) tries to bypass PatchGuard on Windows 7 x64 by doing an MBR overwrite at its ASEP (Auto Start Extensibility Point). The Microvisor intercepts this clearly unexpected event inside the micro-VM and provides several response actions, such as Auto Remediate, DENY or ALLOW, which can be configured based on user-defined policies. Also, LAVA in this example highlights an ‘Immutable memory’ event that is the result of in-guest kernel memory introspection (we’ll address this capability in depth in future blogs).
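To make the {R,T,F} evidence idea and the policy response concrete, here is a small added model (not Bromium's LAVA code, and not the Microvisor's actual event format) of what a taint-analysis trace for the scenario above looks like from the defender's side: each event carries a relational field (which entity caused it and who spawned that entity), a temporal field (when the Microvisor saw it) and a functional field (what kind of operation it was). Subjects descended from the exploited Java process inherit its taint, each event is mapped onto the kill-chain stages named earlier, and a configurable policy decides Auto Remediate, DENY or ALLOW for tainted activity only. The event schema, the functional vocabulary, the `KILL_CHAIN` and `POLICY` tables, and the sample trace (process names, paths, the `jp2launcher.exe`/`dropped.exe` names) are all constructed assumptions for the illustration.

```python
"""Toy model of the relational/temporal/functional ({R,T,F}) evidence graph,
taint propagation and policy response described in the post.

Constructed illustration, not Bromium's LAVA code: the event schema, the
functional classes, the kill-chain mapping and the sample trace are all
assumptions. Only the action names (Auto Remediate, DENY, ALLOW) and the
kill-chain stage names come from the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    t: int                  # temporal: tick at which the Microvisor saw the event
    subject: str            # relational: entity performing the operation
    parent: Optional[str]   # relational: entity that spawned/injected the subject
    func: str               # functional: operation class (assumed vocabulary)
    target: str = ""        # object the operation touched


# Assumed mapping of functional classes to the post's kill-chain stages.
KILL_CHAIN: Dict[str, str] = {
    "exploit": "exploit",
    "process_create": "execute",
    "file_write": "execute",
    "immutable_mem_write": "escalate",   # kernel memory that should never change
    "mbr_write": "persist",              # ASEP overwrite at the boot sector
    "net_connect": "propagate",
}

# Assumed policy: action taken when a *tainted* subject performs the operation.
POLICY: Dict[str, str] = {
    "mbr_write": "DENY",
    "immutable_mem_write": "Auto Remediate",
    "net_connect": "DENY",
}
DEFAULT_ACTION = "ALLOW"   # let the rest of the attack play out inside the micro-VM


def taint_from(events: List[Event], seed: str) -> Set[str]:
    """Every subject reachable from `seed` through parent links is tainted."""
    tainted = {seed}
    changed = True
    while changed:               # fixed point over the parent relation
        changed = False
        for ev in events:
            if ev.parent in tainted and ev.subject not in tainted:
                tainted.add(ev.subject)
                changed = True
    return tainted


def evaluate(events: List[Event]) -> Tuple[Set[str], List[Tuple]]:
    """Return (tainted subjects, trace rows (t, stage, subject, func, target, action)).

    Taint seeds are the subjects of 'exploit' events; everything they spawn
    inherits the taint, and the policy is applied only to tainted activity.
    Untainted activity from other processes is recorded but never acted on.
    """
    ordered = sorted(events, key=lambda e: e.t)
    tainted: Set[str] = set()
    for ev in ordered:
        if ev.func == "exploit":
            tainted |= taint_from(ordered, ev.subject)
    rows = []
    for ev in ordered:
        stage = KILL_CHAIN.get(ev.func, "context")
        action = POLICY.get(ev.func, DEFAULT_ACTION) if ev.subject in tainted else "untainted"
        rows.append((ev.t, stage, ev.subject, ev.func, ev.target, action))
    return tainted, rows


def first_alert(rows: List[Tuple]) -> Optional[Tuple]:
    """The first row where the policy stops or remediates: what the analyst sees first."""
    for row in rows:
        if row[5] in ("DENY", "Auto Remediate"):
            return row
    return None


# Constructed sample trace mirroring the post's scenario (IE -> Java plug-in
# exploited -> dropped binary -> MBR overwrite); names and paths are made up.
SAMPLE_TRACE = [
    Event(1, "iexplore.exe", None, "page_render", "constructed-site.invalid"),
    Event(2, "jp2launcher.exe", "iexplore.exe", "process_create", "java plug-in"),
    Event(3, "jp2launcher.exe", "iexplore.exe", "exploit", "CVE-2012-4681"),
    Event(4, "jp2launcher.exe", "iexplore.exe", "file_write", r"C:\Temp\dropped.exe"),
    Event(5, "dropped.exe", "jp2launcher.exe", "process_create", "dropped.exe"),
    Event(6, "dropped.exe", "jp2launcher.exe", "mbr_write", r"\\.\PhysicalDrive0"),
    Event(7, "dropped.exe", "jp2launcher.exe", "immutable_mem_write", "kernel code page"),
    Event(8, "explorer.exe", None, "file_write", r"C:\Users\u\notes.txt"),  # benign
]

if __name__ == "__main__":
    tainted, rows = evaluate(SAMPLE_TRACE)
    print("tainted subjects:", sorted(tainted))
    for row in rows:
        print(row)
    print("first alert:", first_alert(rows))
```

Running the block prints the trace with `jp2launcher.exe` and `dropped.exe` tainted, the browser and `explorer.exe` left untainted, and the MBR write at tick 6 as the first DENY. The model only records the configured action per event; it does not simulate the effect an action would have on later events, which is why rows after the DENY still appear.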

Below is a screenshot of a simplified attack trace generated by the LAVA taint analysis engine, which can show the SOC analyst at a glance that a malicious event occurred.

Remember, since we’re in a micro-VM container which ensures the system is protected, we can choose to allow the attack to play out fully and gather all the live forensics information, like the changes to the Registry, various CPU registers, file system, network, process, memory, API invocations, etc., and provide this to the SOC analyst(s) for detailed investigation. All of this can be enabled via policies from our threat management console.

Full forensics information can be provided as exported data along with the graph, as evidence for the SOC teams to update their enterprise security infrastructure and take remediation measures enterprise-wide.

LAVA is a vSentry feature currently in beta, and we look forward to your feedback!

4 Comments

  1. Guise Bule / Nov 28 2012 2:38 pm

    This is a beautiful tool; I love your RTF evidence engine.

    I read this “Micro-virtualization provides the luxury of allowing an attack to execute safely” and thought “this is exactly what we are allowing SOC teams to do with non-persistent private cloud DaaS”, except we do not have LAVA. Instead we use a mish-mash of technologies to the same end.

    But I love this tool; I look forward to reading some of the feedback you are getting on this and wish I had this on my DaaS rigs.

Trackbacks

  1. 6 ways big data is helping reinvent enterprise security — Data | GigaOM
  2. R Sloan Design Experiences » 6 ways big data is helping reinvent enterprise security
  3. Are you the victim of a targeted attack? « A Collection of Bromides on Infrastructure
