

    Stop Worrying and Start Isolating – Protecting Industrial Control System (ICS)

    July 22, 2024

    Target: ICS Professionals (Elementary)

    Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day

    Protecting critical infrastructure has never been more important in today’s interconnected world. Cyber threats are becoming increasingly sophisticated, targeting essential services and facilities that societies rely on daily. Mitigating these risks calls for a proactive approach to cybersecurity. Two key strategies in this approach are Isolation and Content Disarm and Reconstruction (CDR). By implementing these methods within the Purdue model, organizations can significantly reduce attack vectors and minimize disruptions.

    Understanding the Purdue Model

    The Purdue model, also known as the Purdue Enterprise Reference Architecture (PERA), is a widely adopted framework for organizing industrial control systems (ICS) and IT infrastructure. It divides systems into levels, each representing a distinct layer of operation:

    1. Level 0: Physical processes (sensors, actuators)
    2. Level 1: Basic control (PLC, DCS)
    3. Level 2: Process control (SCADA, HMI)
    4. Level 3: Manufacturing operations (MES)
    5. Level 4: Business logistics systems (ERP, office networks)

    Isolation and CDR can be strategically applied across these levels to enhance security, especially in layers 3-5, which are the most exposed and which attackers target as the entry point to the lower levels.

    Isolation: Segmenting the Network

    Isolation involves segmenting the network and devices to prevent unauthorized access and lateral movement by attackers. Isolation can be achieved through the following methods:

    1. Network Segmentation: Dividing the network into smaller, manageable segments, each with its security policies. For example, isolating Level 2 SCADA systems from Level 4 business networks ensures that a breach in the office network does not compromise industrial control systems.
    2. DMZ Implementation: Creating a Demilitarized Zone (DMZ) between the corporate and ICS networks. This buffer zone helps to control and monitor traffic between the two networks, preventing direct access from one to the other.
    3. Micro Segmentation: Using software-defined networking (SDN) to create dynamic and granular segments within the network. Segmentation allows for real-time adjustments to security policies based on evolving threats.
    4. Application Isolation (Prevention): An application isolation solution runs specific applications and hardware devices inside a virtual container. Users can open web browsers and use removable media such as USB drives, CDs, and DVDs to access files, links, and attachments without the risk of ransomware, data wipers, and data stealers reaching the host. This simplifies IT and ICS security by isolating external threats, protecting Layers 3-5, and preventing USB- and file-based attacks.
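The segmentation rules described above can be checked mechanically. The following is an added example, not BUFFERZONE code: it maps constructed RFC 1918 subnets to Purdue levels (the DMZ is modelled as level 3.5 between Levels 3 and 4) and classifies observed flows against an assumed policy that only adjacent levels may talk and that nothing crosses the Level 3/4 boundary except through the DMZ. Zone names, subnets and the sample flows are all assumptions for the example.

```python
import ipaddress

# Constructed zone map: each zone is a Purdue level with a subnet (assumed values).
# The ICS DMZ sits between Level 3 and Level 4 and is modelled as level 3.5.
ZONES = {
    "enterprise":  {"level": 4,   "net": ipaddress.ip_network("10.4.0.0/16")},
    "ics-dmz":     {"level": 3.5, "net": ipaddress.ip_network("10.35.0.0/24")},
    "operations":  {"level": 3,   "net": ipaddress.ip_network("10.3.0.0/16")},   # MES
    "supervisory": {"level": 2,   "net": ipaddress.ip_network("10.2.0.0/16")},   # SCADA / HMI
    "control":     {"level": 1,   "net": ipaddress.ip_network("10.1.0.0/16")},   # PLC / DCS
}

def zone_of(ip):
    """Return the zone name for an IP address, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, z in ZONES.items():
        if addr in z["net"]:
            return name
    return None

def check_flow(src_ip, dst_ip):
    """Decide whether a flow is consistent with the assumed segmentation policy.

    Policy: unknown endpoints are denied; traffic may only cross between adjacent
    levels; nothing crosses the Level 3 / Level 4 boundary except via the DMZ.
    Returns (verdict, reason).
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint outside any defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    a, b = ZONES[src]["level"], ZONES[dst]["level"]
    lo, hi = sorted((a, b))
    if hi >= 4 and lo <= 3:
        return "deny", f"{src} -> {dst} bypasses the ICS DMZ"
    if hi - lo > 1:
        return "deny", f"{src} (L{a}) -> {dst} (L{b}) skips a level"
    return "allow", f"adjacent levels {src} -> {dst}"

def audit_flows(flows):
    """Return the (src, dst, port, reason) tuples for every flow the policy denies."""
    return [(s, d, p, reason) for s, d, p in flows
            for verdict, reason in [check_flow(s, d)] if verdict == "deny"]

# Constructed sample flows, as they might be exported from a firewall log or NetFlow.
SAMPLE_FLOWS = [
    ("10.4.1.5",    "10.35.0.10", 443),   # office -> DMZ data broker
    ("10.35.0.10",  "10.3.0.7",   443),   # DMZ -> MES historian
    ("10.4.1.5",    "10.3.0.7",   3389),  # office -> MES directly (RDP)
    ("10.3.0.7",    "10.2.0.9",   502),   # MES -> SCADA (Modbus/TCP)
    ("10.4.1.5",    "10.1.0.3",   502),   # office -> PLC directly
    ("192.168.1.1", "10.1.0.3",   22),    # unmapped source -> PLC
]

if __name__ == "__main__":
    for src, dst, port, reason in audit_flows(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}:{port}  ({reason})")
```

Running the script lists the three flows that violate the policy: the two direct office-to-ICS connections and the flow from an address that belongs to no zone. In practice the same check is run over firewall allow rules rather than observed flows, so that a rule which would permit a boundary-skipping path is caught before it is deployed.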

    Content Disarm and Reconstruction (CDR): Neutralizing Malicious Content

    CDR is a cybersecurity technology that removes threats from incoming files and data streams. It works by breaking down incoming content into discrete components, eliminating anything that does not meet predefined safe standards, and reconstructing the file in a secure, usable format. This process eliminates malicious code embedded in files before it can cause harm.

    Implementing CDR in critical infrastructure involves:

    1. Email Security: Applying CDR to email attachments and links, a common attack vector. Organizations can prevent phishing and malware attacks that often target employees by disarming potential threats.
    2. File Transfers: Using CDR for files transferred between different levels of the Purdue model. For instance, applying CDR to files moving from Level 4 (business systems) to Level 3 (manufacturing operations) ensures that malicious content is stripped away before it reaches sensitive systems.
    3. Web Security: Employing CDR for web downloads and uploads, protecting against drive-by downloads and malicious web content.

    Prevention First Approach for ICS

    To defend against new threats, individuals and organizations must implement proactive security measures, as detecting abnormal behavior is often too late when dealing with zero-day attacks. That is why we developed BUFFERZONE® Safe Workspace®, a set of zero-trust solutions including Safe Mail, NoCloud® Artificial Intelligence (AI) Anti-Phishing, SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser.

    Safe Browser is a secure browsing solution that separates your existing Browser from trusted enterprise resources, providing isolation and protection.

    Safe Removables efficiently isolates USB, CD and DVD media while still allowing their files to be opened inside a secure virtual container.

    Safe Mail is a Microsoft Outlook plugin that utilizes BUFFERZONE® Safe Workspace® to open links and attachments safely within a secure virtual container. This container isolates browsing and file activity, safeguarding your computer from evasive attacks. Even a sophisticated zero-day exploit is contained and cannot penetrate the organization or steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the isolated zone, adding extra layers of protection.

    Applying Safe Workspace® in the Purdue Model

    Consider a critical infrastructure facility such as a water treatment plant. By applying isolation and CDR across various levels, the plant can bolster its cybersecurity posture:

    1. Level 4 to Level 3: Use the entire Safe Workspace® offering to prevent evasive threats from email, browsing, file transfer, and removable media.
    2. Level 2: Protect the HMI by isolating the device from external threats and using SafeBridge® CDR to secure file transfer from the isolated environment to the trusted network.

    By implementing these measures, the water treatment plant can reduce its attack surface, prevent lateral movement by attackers, and ensure the continuity of its critical operations.

    Conclusion

    Application Isolation and Content Disarm and Reconstruction are potent tools in the fight against cyber threats targeting critical infrastructure. By strategically applying these techniques within the Purdue model, organizations can minimize attack vectors and disruptions, ensuring the safety and reliability of essential services. As cyber threats evolve, adopting a prevention-based approach to infrastructure protection is imperative.


    Enhancing SOHO Security with Application Isolation and CDR: A Guide for MSSPs

    July 15, 2024

    Target: IT Professionals (Elementary)

    Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day, Protection by containment™

    Small Office/Home Office (SOHO) environments face significant cybersecurity challenges in today’s digital landscape. With limited resources and often no dedicated IT staff, SOHOs are prime cyberattack targets. Managed Security Service Providers (MSSPs) play a crucial role in safeguarding these environments. By leveraging advanced technologies such as Application Isolation and Content Disarm and Reconstruction (CDR), MSSPs can offer robust protection to SOHOs, ensuring their data and operations remain secure.

    Understanding Application Isolation

    Application Isolation is a security technique that involves running applications in a controlled and restricted environment. This approach prevents malicious software from accessing critical system components and data. By isolating applications, any potential threat is contained within the isolated environment, minimizing the risk of widespread damage.

    The Benefits for MSSPs managing SOHOs:

    1. Containment of Threats: Isolating applications ensures that any malware or exploitation is confined, preventing it from affecting the broader network.
    2. Reduced Attack Surface: Limiting the interactions between applications and the underlying system minimizes the potential entry points for attackers.
    3. Simplified Management/Higher margins: MSSPs can manage isolated environments more effectively, reducing the complexity and cost of operating and maintaining the security technology stack.

    Introduction to Content Disarm and Reconstruction (CDR)

    Content Disarm and Reconstruction (CDR) is a proactive security technology that removes potential threats from incoming files. It works by analyzing and stripping away potentially malicious code from files while preserving their usability. CDR ensures that any content entering the network is free from hidden malware.

    Benefits for MSSPs managing SOHOs:

    1. Eliminating Hidden Threats: CDR ensures that all files entering the network are cleansed of potential malware, reducing the risk of zero-day attacks.
    2. Maintained Functionality: Unlike traditional antivirus solutions that may block files entirely, CDR allows files to remain usable after disarming any threats.
    3. Automated Protection: CDR processes can be automated, providing continuous protection without requiring manual intervention.
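Both CDR descriptions on this page (the ICS post's "break down, eliminate, reconstruct" explanation and the overview above) describe the same mechanism. The following is an added example, not BUFFERZONE's SafeBridge® or any product code: a minimal CDR pass over a Word package (OOXML is a ZIP of XML parts). It splits the package into parts, keeps only an allowlist of known document parts, drops everything else (the VBA project, and by the same rule ActiveX, OLE embeddings and media), then rewrites `[Content_Types].xml` and the relationship files so the reconstructed file stays consistent and opens as a plain, non-macro document. The allowlist and the sample macro-enabled document are constructed for the example; the VBA part is a placeholder string, not a real VBA project.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Allowlist of package parts this toy CDR keeps (an assumption for the example). Anything
# else, e.g. word/vbaProject.bin, ActiveX controls, OLE embeddings or media, is dropped.
SAFE_PART = re.compile(
    r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(core|app)\.xml|"
    r"word/(document|styles|settings|fontTable|numbering)\.xml|word/_rels/document\.xml\.rels)$")

def _rels_owner(rels_path):
    """'word/_rels/document.xml.rels' describes the part 'word/document.xml'."""
    rels_dir, name = posixpath.split(rels_path)
    return posixpath.join(posixpath.dirname(rels_dir), name[:-len(".rels")])

def _clean_content_types(xml_bytes, kept, removed):
    """Drop Overrides for removed parts and unused Defaults; demote the macro-enabled main part."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml_bytes)
    for ov in list(root.findall(f"{{{CT_NS}}}Override")):
        if ov.get("PartName", "").lstrip("/") in removed:
            root.remove(ov)
        elif ov.get("ContentType") == MACRO_MAIN:
            ov.set("ContentType", PLAIN_MAIN)
    for d in list(root.findall(f"{{{CT_NS}}}Default")):
        ext = "." + d.get("Extension", "").lower()
        if not any(n.lower().endswith(ext) for n in kept):
            root.remove(d)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def _clean_rels(rels_path, xml_bytes, removed):
    """Drop relationships that point at removed parts so the package stays consistent."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml_bytes)
    base = posixpath.dirname(_rels_owner(rels_path))
    for rel in list(root.findall(f"{{{REL_NS}}}Relationship")):
        if posixpath.normpath(posixpath.join(base, rel.get("Target", ""))) in removed:
            root.remove(rel)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def disarm_docx(data):
    """Break the package into parts, keep only allowlisted ones, rebuild it.
    Returns (reconstructed package bytes, sorted list of removed part names)."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        names = src.namelist()
        kept = [n for n in names if SAFE_PART.match(n)]
        removed = {n for n in names if n not in kept}
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for n in kept:
                body = src.read(n)
                if n == "[Content_Types].xml":
                    body = _clean_content_types(body, kept, removed)
                elif n.endswith(".rels"):
                    body = _clean_rels(n, body, removed)
                dst.writestr(n, body)
    return out.getvalue(), sorted(removed)

def read_part(data, name):
    """Return one part of a package as text, or None if it is absent (used for inspection)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8") if name in z.namelist() else None

def build_sample_docm():
    """Constructed macro-enabled document skeleton; the VBA part is a placeholder string."""
    parts = {
        "[Content_Types].xml":
            f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>',
        "_rels/.rels":
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            '<?xml version="1.0" encoding="UTF-8"?><w:document '
            'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice 1234</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>',
        "word/vbaProject.bin": "PLACEHOLDER-NOT-A-REAL-VBA-PROJECT",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `disarm_docx(build_sample_docm())` returns a package whose only dropped part is `word/vbaProject.bin`, with the dangling relationship, the `bin` default and the macro-enabled content type all removed, while the document text survives. The allowlist approach is what gives CDR its zero-day property: nothing in the file is recognized as malicious; everything that is not positively known to be safe is simply not reconstructed. A production engine applies the same idea inside each kept part as well (schema validation, stripping of embedded scripts and external references), which this example leaves out.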

    Introducing Safe Workspace® for MSSP

    BUFFERZONE® Safe Workspace® application isolation technology is designed to simplify the security process for MSSPs. Based on patented technology, BUFFERZONE® Protection by containment™ isolates external attack vectors from the organization. For MSSPs, the BUFFERZONE® Management Server makes managing many different SOHO customers intuitive.

     

    The Safe Workspace® MSSP edition, featuring the BUFFERZONE Management Server (BZMS), streamlines centralized policy management and agent deployment. It offers a multi-tenancy architecture for tailored policy customization, fast onboarding, and an intuitive licensing mechanism for customer upgrades. MSSPs benefit from enhanced visibility into user activity, easy policy configuration, control over application installations from contained browsing, and management of application network communications.

     

    BUFFERZONE® Safe Workspace®, whose strategic concept is Protection by containment™, is a set of zero-trust solutions including Safe Mail, SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser. Safe Browser is a secure browsing solution that separates your existing Browser from trusted enterprise resources, providing isolation and protection.

    Safe Mail is a Microsoft Outlook plugin that utilizes BUFFERZONE® Safe Workspace®, which is based on Protection by containment™, to open links and attachments safely within a secure virtual container. This container isolates browsing and file activity, safeguarding your computer from evasive attacks. Even a sophisticated zero-day exploit is contained and cannot penetrate the organization or steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the isolated zone, adding extra layers of protection.

    Safe Workspace® gives MSSPs high flexibility: they can pick the prevention features each SOHO customer needs while maintaining a healthy profitability balance.

    Conclusion

    For SOHOs, it is crucial to have strong cybersecurity measures due to the ever-changing threat landscape. Managed Security Service Providers (MSSPs) can offer advanced protection against cyber threats by adopting Application Isolation and CDR technologies. These technologies improve security, simplify management, and decrease the likelihood of major disruptions. By utilizing these solutions, MSSPs can assure SOHOs that their digital assets are well-protected.

     

    This approach not only secures SOHOs but also demonstrates the value of MSSPs in delivering advanced and adaptable security solutions. As cyber threats evolve, MSSPs must stay ahead by integrating the latest technologies into their security offerings. Application Isolation and CDR are powerful tools in this ongoing battle, ensuring that SOHOs can effectively withstand cyber threats.

     

    Stop Worrying and Start Isolating – Phishing Emails Abuse Windows Search Protocol

    June 24, 2024

    Target: IT Professionals (Elementary)

    Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day, NoCloud®, Anti-Phishing, Protection by containment™

     

    In the ever-evolving landscape of cyber threats, a new phishing campaign has surfaced, leveraging the Windows search protocol to distribute malicious scripts. This campaign uses HTML attachments that exploit the search-ms [1] URI scheme to push batch files from remote servers, ultimately delivering malware to unsuspecting users.

    Understanding the Windows Search Protocol

    The Windows Search protocol is a Uniform Resource Identifier (URI) that allows applications to open Windows Explorer and perform searches using specific parameters. While typical Windows searches are conducted on the local device’s index, the protocol can also be configured to query file shares on remote hosts. Additionally, it supports the use of custom titles for the search windows, enhancing its flexibility.

    This functionality, however, can be a double-edged sword. As highlighted by Prof. Dr. Martin Johns in a 2020 thesis, attackers can exploit this feature to distribute malicious files hosted on remote servers.

    The Evolution of the Attack

    In June 2022, security researchers devised a sophisticated attack chain that combined this URI exploitation with a Microsoft Office vulnerability. This method allowed attackers to initiate searches directly from Word documents, marking a significant escalation in the threat landscape.

    Recently, researchers [2] have uncovered real-world instances of this technique being employed by threat actors. These cybercriminals are now using HTML attachments to launch Windows searches on servers they control, pushing malware to users’ devices.

    Anatomy of the Recent Attacks

    The latest attacks [2] begin with a phishing email. The email carries an HTML attachment, cleverly disguised as an invoice document, within a small ZIP archive. This ZIP archive serves a dual purpose: it makes the attachment appear legitimate and helps evade detection by security and antivirus (AV) scanners that may not thoroughly inspect archived files.

    Upon opening the HTML attachment, the embedded script abuses the search-ms [1] protocol to direct the Windows Search feature to a remote server controlled by the attacker. This action triggers the download of a malicious batch file, which is then executed on the victim’s system, leading to the installation of malware.
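The two properties described above, a `search-ms:` URI whose `crumb=location:` parameter points at a remote share and an HTML attachment hidden inside a ZIP, are exactly what a mail-gateway check can look for. The following is an added detection example, not BUFFERZONE code: it descends into ZIP attachments, extracts `search-ms:`/`search:` URIs from HTML (after undoing HTML entities and percent-encoding, which are common ways to hide the parameters), and labels each one as pointing at the local index or at a remote share. The sample attachments are constructed for the example and use the reserved `.invalid` TLD; the extension lists and the nesting limit are assumptions.

```python
import html
import io
import re
import zipfile
from urllib.parse import unquote

# search-ms: (or the shorter search:) URIs embedded in HTML; the scheme is documented in [1].
URI_RE = re.compile(r"search(?:-ms)?:[^\s\"'<>)]+", re.IGNORECASE)
# crumb=location:\\host\share or //host/share sends Explorer to a share on another host.
REMOTE_RE = re.compile(r"crumb=location:(?:\\\\|//)([^\\/&]+)", re.IGNORECASE)
NAME_RE = re.compile(r"displayname=([^&]+)", re.IGNORECASE)
HTML_EXT = (".htm", ".html", ".shtml", ".xhtml", ".mht", ".mhtml")
MAX_ZIP_DEPTH = 3   # assumed limit; nested archives are a classic scanner evasion

def find_search_uris(text):
    """Return one record per search URI found, labelled local-index or remote-share."""
    hits = []
    for m in URI_RE.finditer(html.unescape(text)):
        uri = unquote(m.group(0))          # undo %-encoding used to hide the parameters
        remote = REMOTE_RE.search(uri)
        name = NAME_RE.search(uri)
        hits.append({
            "uri": uri,
            "remote_host": remote.group(1) if remote else None,
            "display_name": name.group(1) if name else None,
            "verdict": "remote-share" if remote else "local-index",
        })
    return hits

def scan_attachment(filename, data, depth=0):
    """Scan an attachment, descending into ZIP archives, and return all findings."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".zip") and depth < MAX_ZIP_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                findings += scan_attachment(f"{filename}/{info.filename}", z.read(info), depth + 1)
    elif lower.endswith(HTML_EXT):
        for hit in find_search_uris(data.decode("utf-8", "replace")):
            findings.append({"path": filename, **hit})
    return findings

# Constructed samples. The host name uses the reserved .invalid TLD.
MALICIOUS_HTML = (b'<html><body><p>Your invoice is ready.</p>'
                  b'<a href="search-ms:query=invoice&amp;crumb=location:\\\\files.example.invalid\\share'
                  b'&amp;displayname=Downloads">Open invoice</a></body></html>')
BENIGN_HTML = (b'<html><body><a href="search-ms:query=report&amp;crumb=location:C:\\Users\\Public">'
               b'Find reports</a></body></html>')

def build_sample_zip():
    """Wrap the HTML in a small ZIP, mirroring the attachment shape described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.html", MALICIOUS_HTML)
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_attachment("invoice.zip", build_sample_zip()) + scan_attachment("report.html", BENIGN_HTML):
        print(f"{f['verdict']:13s} {f['path']}  host={f['remote_host']} title={f['display_name']}")
```

The `display_name` field is worth surfacing in alerts: the campaign relies on the custom window title to make the remote listing look like a local folder, so a title such as "Downloads" paired with a remote host is a stronger indicator than either alone. For a mailbox population that never needs the protocol at all, the commonly recommended host-side mitigation (not discussed on this page) is to remove the `search-ms` protocol handler registration, which makes the link inert regardless of how it is encoded.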

    Protecting Against Such Threats

    To mitigate the risks associated with this type of phishing attack, users and organizations should adopt a preventive solution such as the BUFFERZONE® Safe Workspace® comprehensive suite of cybersecurity solutions, each designed to address one of the most significant attack vectors targeting the endpoint:

    1. Safe Mail: Disarms emails and isolates attachments, blocking phishing emails with malicious attachments from accessing the registry, file system, memory/processor, and network.
    2. Safe Browser: Secures web browsing and file downloads.
    3. Safe Removables: Secures USB/CD/DVD media and prevents auto-execution.
    4. SafeBridge®: Ensures that all file downloads and email content pass through Content Disarm and Reconstruction (CDR), a zero-trust file security approach that prevents file-borne attacks.
    5. NoCloud® Anti-phishing: Detects and blocks users from visiting malicious websites that phish for user login credentials.

    Conclusion

    The abuse of the Windows search protocol in phishing attacks underscores the constant need for vigilance and proactive security measures. By understanding how these attacks operate and implementing robust defenses that combine dynamic AI phishing detection and smart endpoint isolation technology, users and organizations can better protect themselves from these sophisticated cyber threats. Stay informed, stay cautious, and stay secure.

    References

    [1] https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-qryidx-searchms

    [2] https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/

     

    Stop Worrying and Start Isolating – EDR Bypassing Is a Real Threat

    June 19, 2024

    Target: IT Professionals (Elementary)

    Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day, Protection by containment™

    In the evolving landscape of cybersecurity, Endpoint Detection and Response (EDR) systems have become crucial in identifying and mitigating threats at the endpoint level. However, despite their advanced capabilities, EDR solutions are not infallible [1,2]. Cyber attackers continuously develop sophisticated techniques to bypass these defenses, making it imperative to enhance endpoint security with additional measures like isolation technology. This blog will delve into common EDR bypassing techniques and explain how isolation technology can significantly reduce your endpoint risk.

    Attackers [2] employ various techniques to bypass Endpoint Detection and Response (EDR) systems. One such method involves using direct syscalls [4], where attackers directly call assembly instructions to interact with the OS kernel. This approach bypasses EDR monitoring, which typically tracks specific syscall functions executed by programs.

    Another notable technique involves using SysWhispers [3], an antivirus and EDR evasion tool. Despite its initial success and surprise effectiveness, EDR systems can detect the attacks facilitated by SysWhispers.

    Additional bypass strategies include command-and-control frameworks employing the Fork&Run method [4]. This technique spawns sacrificial processes to perform malicious actions, then terminates them, allowing attackers to retrieve the output and move on. However, creating and injecting tooling into new processes generates numerous indicators, and EDR tools are adept at detecting remote process injection, which is crucial for this attack method to succeed.
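The "numerous indicators" that fork-and-run leaves behind can be turned into a concrete correlation rule. The following is an added example, not BUFFERZONE code: it reads constructed Sysmon-style events (Event ID 1 process create, Event ID 8 CreateRemoteThread, Event ID 5 process terminate, using Sysmon's field names) and raises an alert when a process spawns a child, creates a remote thread in that child within a short window, and the child exits shortly afterwards. The ten-second window, the scoring and all PIDs, paths and timestamps are assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style events as JSON lines. Field names follow Sysmon's schema for
# Event ID 1 (process create), 8 (CreateRemoteThread) and 5 (process terminate); the
# PIDs, paths and times are made up for this example.
SAMPLE_EVENTS = r"""
{"EventID":1,"UtcTime":"2024-06-19 10:00:00.000","ProcessId":4120,"Image":"C:\\Windows\\System32\\rundll32.exe","ParentProcessId":3304,"ParentImage":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
{"EventID":8,"UtcTime":"2024-06-19 10:00:01.250","SourceProcessId":3304,"SourceImage":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe","TargetProcessId":4120,"TargetImage":"C:\\Windows\\System32\\rundll32.exe","StartAddress":"0x00000200ABCD0000","StartModule":"","StartFunction":""}
{"EventID":5,"UtcTime":"2024-06-19 10:00:04.900","ProcessId":4120,"Image":"C:\\Windows\\System32\\rundll32.exe"}
{"EventID":1,"UtcTime":"2024-06-19 10:05:00.000","ProcessId":5012,"Image":"C:\\Windows\\System32\\notepad.exe","ParentProcessId":1234,"ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":8,"UtcTime":"2024-06-19 10:06:00.000","SourceProcessId":900,"SourceImage":"C:\\Program Files\\EDR\\sensor.exe","TargetProcessId":5012,"TargetImage":"C:\\Windows\\System32\\notepad.exe","StartAddress":"0x00007FFA12340000","StartModule":"C:\\Windows\\System32\\ntdll.dll","StartFunction":"LdrInitializeThunk"}
"""

WINDOW = timedelta(seconds=10)   # assumed: spawn -> inject -> exit all within 10 s

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_fork_and_run(events, window=WINDOW):
    """Correlate process-create, remote-thread and terminate events into fork-and-run alerts.

    Pattern: process P spawns child C, then creates a remote thread in C shortly after,
    and C exits soon afterwards. Keyed on PID for brevity; production logic should key
    on Sysmon's ProcessGuid to survive PID reuse.
    """
    created = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    ended = {e["ProcessId"]: e for e in events if e["EventID"] == 5}
    alerts = []
    for e in events:
        if e["EventID"] != 8:
            continue
        child = created.get(e["TargetProcessId"])
        if child is None or child["ParentProcessId"] != e["SourceProcessId"]:
            continue                      # remote thread into a process the source did not spawn
        spawn_to_inject = _t(e["UtcTime"]) - _t(child["UtcTime"])
        if not timedelta(0) <= spawn_to_inject <= window:
            continue
        end = ended.get(e["TargetProcessId"])
        short_lived = end is not None and _t(end["UtcTime"]) - _t(child["UtcTime"]) <= window
        unbacked = not e.get("StartModule")   # thread start address not inside any loaded module
        alerts.append({
            "time": e["UtcTime"],
            "source": e["SourceImage"],
            "sacrificial": child["Image"],
            "spawn_to_inject_s": spawn_to_inject.total_seconds(),
            "unbacked_start": unbacked,
            "short_lived": short_lived,
            "score": 1 + unbacked + short_lived,   # 1..3, higher = more indicators present
        })
    return alerts

if __name__ == "__main__":
    for a in detect_fork_and_run(load_events(SAMPLE_EVENTS)):
        print(f"[score {a['score']}] {a['time']} {a['source']} -> {a['sacrificial']} ({a['spawn_to_inject_s']}s)")
```

On the sample data only the first sequence fires: the remote thread into the spawned rundll32.exe starts at an address backed by no module and the child exits 4.9 seconds after it was created, so the alert carries the maximum score. The second Event ID 8, a sensor creating a thread in a process it did not spawn with a start address inside ntdll.dll, is ignored. This is the kind of multi-event correlation that makes remote process injection hard to hide; it also illustrates why the post recommends isolating the spawn point (browser, mail attachment, removable media) in the first place, so that even a sequence that slips past the rule stays inside a container.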

    The Role of Isolation Technology in Enhancing Endpoint Security

    Due to these bypass techniques’ advanced nature, relying on EDR solutions alone is inadequate, and an innovative approach is needed. Utilizing isolation technology can provide a significant advantage in minimizing the attack surface for users. By segregating critical applications and processes from the rest of the system, isolation technology adds an extra layer of defense that decreases endpoint risk.

    Isolation technology comes with the following benefits:

    1. Containment of Threats: Isolation technology isolates potentially harmful activities from the enterprise network, containing any malicious activity so that the EDR can actively scan the isolated area without being bypassed.
    2. Reduced Attack Surface: By isolating applications like browsers, removable media, office files, email links, and attachments, you minimize the pathways for attackers to reach critical system resources. Isolation limits the attack surface, making it more challenging for malicious actors to gain a foothold in your network.
    3. Protection Against Zero-Day Exploits: Zero-day vulnerabilities pose a significant risk as they are unknown and unpatched. Isolation technology can mitigate this threat by ensuring that even if a zero-day exploit is used, the attack is confined to a controlled environment, preventing it from spreading or accessing sensitive data.
    4. Simplified Management and Response: Isolated environments can be reset to a known good state in one click after an attack or suspicious activity is detected. This simplification of remediation efforts allows for faster recovery and minimizes downtime and disruption to business operations.

     

    Staying Safe in the Digital World Through Isolation

    To defend against new browser threats, individuals and organizations must implement proactive security measures, as detecting abnormal behavior is often too late when dealing with zero-day attacks. That is why we developed BUFFERZONE® Safe Workspace®, whose strategic concept is Protection by containment™: a set of zero-trust solutions including Safe Mail, NoCloud® Artificial Intelligence (AI) Anti-Phishing, SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser. Safe Browser is a secure browsing solution that separates your existing Browser from trusted enterprise resources, providing isolation and protection.

    Safe Mail is a Microsoft Outlook plugin that utilizes BUFFERZONE® Safe Workspace® to open links and attachments safely within a secure virtual container. This container isolates browsing and file activity, safeguarding your computer from evasive attacks. Even a sophisticated zero-day exploit is contained and cannot penetrate the organization or steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the isolated zone, adding extra layers of protection.

    Conclusion

    While EDR solutions are essential for detecting and responding to endpoint threats, they are not a silver bullet. Attackers are continually evolving their techniques to bypass these defenses, necessitating additional layers of security. Isolation technology offers a robust complementary approach, containing threats, reducing the attack surface, and providing enhanced visibility and control. By integrating isolation technology with your EDR strategy, you can significantly reduce your endpoint risk and bolster your overall cybersecurity posture.

     

    References

    [1] https://www.csoonline.com/article/2142372/cisos-may-be-too-reliant-on-edr-xdr-defenses.html

    [2] https://www.techtarget.com/searchsecurity/feature/The-reality-behind-bypassing-EDR-attempts

    [3] https://github.com/jthuraisamy/SysWhispers

    [4] https://nostarch.com/evading-edr

     

    Stop Worrying and Start Isolating – 4th Zero-Day Exploit Discovered in May 2024

    June 3, 2024

    Target: IT Professionals (Elementary)

    Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day, Protection by containment™

    In today’s digital landscape, the dangers posed by browser exploits are more pressing than ever, highlighting the critical need for sophisticated application isolation as a preventive solution. On Thursday, Google released updates to fix a high-severity security flaw (Zero-day) in its Chrome browser, which has been exploited in the wild.

    The vulnerability, CVE-2024-5274, is rooted in a bug in the V8 JavaScript and WebAssembly engine.

    Vulnerabilities of this kind occur when a program accesses a resource using an incompatible type, leading to severe consequences such as out-of-bounds memory access, system crashes, and arbitrary code execution by attackers.

    This incident marks the fourth zero-day vulnerability that Google has addressed since the beginning of the month, following fixes for CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.

    These frequent and critical patches underscore the need for robust application isolation strategies to safeguard against such sophisticated threats since detection cannot alert in time to prevent this initial attack phase.

    Staying Safe in the Digital World

    To defend against new browser threats, individuals and organizations must implement proactive security measures, as detecting abnormal behavior is often too late when dealing with zero-day attacks. That is why we developed BUFFERZONE® Safe Workspace®, whose strategic concept is Protection by containment™: a set of zero-trust solutions including Safe Mail, NoCloud® Artificial Intelligence (AI) Anti-Phishing, SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser. Safe Browser is a secure browsing solution that separates your existing Browser from trusted enterprise resources, providing isolation and protection.

    Safe Mail is a Microsoft Outlook plugin that utilizes BUFFERZONE® Safe Workspace® (Protection by containment™) to open links and attachments safely within a secure virtual container. This container isolates browsing and file activity, safeguarding your computer from evasive attacks. Even a sophisticated zero-day exploit is contained and cannot penetrate the organization or steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the isolated zone, adding extra layers of protection.

     Conclusion

    Browser threats are hazardous, and attackers always find innovative ways to bypass detection. By isolating threats and adding prevention capabilities to your existing detection solution with an intelligent phishing detection solution, the organization achieves the highest level of security and keeps IT simple.