I love watching reality shows about paramedics. It is thrilling to see the EMTs rush to a scene and take immediate action to save the life of some unfortunate victim. They are often forced to guess the trauma or ailment of the patient and hope that the treatment they administer is the correct one.
In cybersecurity, we often work the same way, and that is not necessarily a good thing. We are often required to make snap decisions about which files are safe and which are potentially toxic, and we are constantly rushing and responding to alerts about something bad that has already happened. As defenders, it feels as though we never have the time to take a measured, thoughtful approach.
Wouldn’t it be great if we could spend more time acting like the doctors and surgeons who work away from emergency rooms and ICUs? Doctors are afforded adequate time to assess the situation and run tests so that they can fully understand the details of the problem, and plan their response before administering treatment.
The need to decide and act in real time is one of the biggest problems for our security systems. A network gateway device has only milliseconds to decide whether an observed file is safe or not, and many protocols, including HTTP, cannot tolerate significant delays. As a result, we are forced to use fast but unreliable indicators to decide which files to ignore and which to block. Like the EMT, we are up against the clock and working without enough information. Inevitably, we will allow infected files through and wind up blocking files that are clean. False positives create a usability problem, and false negatives let malware penetrate our networks.
In emergency medicine, doctors often order tests whose results will not be known until treatment has been underway for some time. If the doctor’s diagnosis of the condition is wrong, the situation could go from bad to worse. For example, if a patient is treated for a drug overdose when they are actually suffering from a stroke, there could be a lot of damage to the patient’s brain before the doctors realize the error and change course on the therapy.
Similarly, many security architectures provide a second level of screening in which files that originally passed the quick scan are examined more carefully. This can involve static analysis, detonation, and other approaches which are much more reliable but can take up to a couple of minutes to complete. By the time the tests indicate that a file should have been blocked, it has had plenty of time to infect the endpoint. The defenders are forced to respond and recover, cleaning up the infection before it causes damage or spreads.
Email security is a great example of the advantages of being able to take your time. Over the last few years, email gateways have gotten really good at scanning for malware attachments. Why? Because email is a store-and-forward protocol. The gateway can take as much time as it needs to analyze any file. Most users will hardly notice their mail arriving in their inbox a minute or two late.
Does that mean organizations are not getting attacked through email anymore? Not at all. Just as bacteria evolved to resist antibiotics, attackers have evolved to avoid email scanners. Rather than sending malware in attachments, criminals now send links which deliver the files through the web, pushing the defensive team back into the position of trying to make decisions in real time.
The next move is to shift web scanning from real time to at leisure. The first opportunity for this is at the email gateway itself. The scanner could check the suspicious URL to see if it delivers a file and then scan that file before delivering the email. Unfortunately, that strategy is easy for the attacker to counter. The attacker can make the website complex by using active content and multiple links, so the scanner will find it difficult to know what will happen when the URL is opened by the user. Even worse, it is not difficult for a website to recognize a scanner and show it a different, clean version of the page. As a result, the malware-filled version of the file will be delivered only when a human clicks the link in the email.
It would be great if we could keep the user’s web connection real-time, scan at leisure, and still not let anything dangerous through to the desktop. It would be like having a stasis chamber in the ambulance so the EMTs could stop time for the patient while they run tests to be certain of the best treatment.
The trick is to move where the critical testing takes place. Just because an infected file reaches the browser does not have to mean that the user’s desktop will be compromised. You can break up the data flow, separating the browsing from the movement of the file to the desktop. If the browser is properly isolated, any malware will be trapped in that tiny container. You can then scan files at leisure before allowing them to move over to the local machine. Although the scanning process might take some time, it will not disrupt the user’s web surfing experience. Another advantage is that the system only needs to scan files that the user wants to save.
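As an added illustration of the gated flow described above (not code from the original post), this Python sketch holds files a user chose to save in a quarantine between the isolated browser and the desktop, lets the browsing side return immediately, and releases a file only on an explicit clean verdict from a slow scan. `DownloadGate`, `run_scan` and the marker-matching `demo_scanner` are all constructed for the example; a real deployment would call a static-analysis or detonation service in place of `demo_scanner`.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PENDING = "pending"  # slow analysis not finished: file stays held
    CLEAN = "clean"      # may cross to the endpoint
    BLOCKED = "blocked"  # never crosses
    ERROR = "error"      # scanner failed or timed out: fail closed


@dataclass
class HeldFile:
    name: str
    data: bytes
    verdict: Verdict = Verdict.PENDING


class DownloadGate:
    """Quarantine between the isolated browser and the user's desktop.
    Only files the user asked to save enter it; only CLEAN ones leave."""

    def __init__(self):
        self.held = {}  # sha256 hex digest -> HeldFile

    def quarantine(self, name, data):
        # Called from the isolated side; returns at once so browsing
        # is not delayed while the slow scan runs in the background.
        digest = hashlib.sha256(data).hexdigest()
        self.held[digest] = HeldFile(name, data)
        return digest

    def release(self, digest):
        # Fail closed: anything other than an explicit CLEAN stays held.
        f = self.held[digest]
        return f.data if f.verdict is Verdict.CLEAN else None


def run_scan(gate, digest, scanner):
    """Run a slow, reliable scanner on a held file and record its verdict.
    A scanner crash or timeout is recorded as ERROR, never as CLEAN."""
    f = gate.held[digest]
    try:
        f.verdict = Verdict.CLEAN if scanner(f.data) else Verdict.BLOCKED
    except Exception:
        f.verdict = Verdict.ERROR
    return f.verdict


def demo_scanner(data):
    # Constructed stand-in for static analysis or detonation: returns True
    # when clean. It looks for a made-up marker string, not real malware.
    return b"<<CONSTRUCTED-MALICIOUS-MARKER>>" not in data
```

The point of the split is visible in `release`: a file with a pending or errored verdict is indistinguishable from a blocked one as far as the desktop is concerned, so a slow or crashed scanner delays delivery rather than letting the file through.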
While it would not make a good TV show, I would certainly prefer to avoid real-time decision-making and emergency responses in my job. Moving to a design where I can take my time to do the reliable scanning without increasing risk certainly keeps my blood pressure lower. Maybe that will help keep me away from unpleasant encounters with the real EMTs. As much as I love watching those shows, I don’t want to be on them.