How NOT to do Host Based Security
Unfortunately, there are a number of companies making products that claim to be the Holy Grail: a panacea of security that can defend against both known and unknown threats through 'patented' technology. Most tend not to last very long when they come under the ruthless gaze of the wider security industry but some thrive through a combination of deceptive business practices, aggressive use of NDAs and the 'old boys' network. Some REALLY stand out and deserve special attention.
In this last year I became aware of a Windows host security product that claimed it could:
APT Hunter Killer? Those are quite some claims! I decided to dig a little into the product which is called Abatis Hard Disk Firewall (HDF). I asked for a trial copy from the company and received the following email:
We provide solutions to mission critical servers and SCADA systems worldwide, as policy we do not release our software to unknown entities. A very common trait for malware writers is to attempt to reverse engineer code in their "Labs" in order to find vulnerabilities. All current AV, IDS/IPS, DLP etc. is subject to this type of attack, while our code is hardened an (sic) indeed robust we choose to be selective in our prospect client base to minimise such risk. It is a prudent approach which as a small company we feel on behalf of our large clients are obliged to take. I hope you understand.
That immediately made me suspicious and it wasn't the only thing. Abatis claimed that one of their clients was defense giant Lockheed Martin and by a strange coincidence a report appears on the Abatis website that purports to be written by one Chris Howden, under the Lockheed logo. In bizzare, rambling and highly unscientific prose, Mr. Howden extorts the 'energy saving capabilities' of the HDF software. This is like saying if you put high performance fuel in your car, your stereo will play louder. In one particular 'irony dead' moment, Greenpeace statistics are cited.
I acquired a copy of HDF from Abatis under somewhat false pretenses, even signing an MNDA under the name of Richard Stallman (I was right to assume it would hold no significance for them).
The software proved trivial to bypass using nothing more than Metasploit.
Essentially, it 'works' by hooking calls in processes when they try to write to the hard drive - processes that aren't white listed are not permitted to write. The problem with this approach is this:
I asked Abatis for comment and received the following reply from Christian Rogan:
"Not to denigrate your expertise, we have undergone thorough and extensive testing with very well-known IT security focussed institutions. Amongst a very long list these include defence contractors, BAE, Lockheed Martin, Northrup Grumman along with government appointed pen testers and system integrators from Atos, BT, CJI, CSC to HP and more.
All have found our solution to do exactly as advertised. The attestation orclaims we make are provided by these companies and institutions. The claims are NOT our own.
Even by the selective logic one would expect from a salesman that's sailing pretty close to the wind. I also contacted Lockheed Martin to ask if it would stand behind Mr. Howden's report and I also sent the following questions to Mr. Howden himself:
"I just read your paper on the Abatis HDF software which I found interesting and enlightening. I was wondering if you had five minutes you could possibly address these followup questions.
1. Your document carries the Lockheed Martin logo - can I conclude from this that it is an independent study endorsed by Lockheed Martin and one which they are prepared to stand behind if it is publicly challenged?
2. If your paper is an independent study could you explain why it is only available from the Abatis website? If I am incorrect in this assertion please feel free to provide a Lockheed Martin URL where this paper is publicly available and cited.
3. Was this paper commissioned by an Abatis company officer or employee either as a favour or in exchange for financial inducements?
4. What is your relationship with Abatis "CEO" , D. Kerry Davis?
5. In your paper, the only technology you mention by name when performing comparisons is Abatis HDF. This falls short of the most elemental professional review standards and does not reflect well on the Lockheed Martin brand. Could you please tell me what other software was involved in this study?
6. Could you please supply the metrics you used to arrive at the figures cited in Table 1 in a scientific repeatable format?
7. If only authorised processes may write to the hard drive in an environment where Abatis HDF is deployed, in the absence of malware, why would there be a power saving? You have neglected to mention this in your paper yet it is implied that it is the disk activity that is increasing power usage. You seem to be drawing conclusions without reasoned scientific observation.
8. Your paper is marked as EXECUTIVE SUMMARY implying that it is part of wider documentation. Could you tell me how I can come by this?
9. Was this paper peer-reviewed within a formal framework (such as ISO 9001)? If so, then by whom?"
At time of publication I have received no response. Then again, I wasn't exactly holding my breath.
Be very wary of vendors offering you miracles particularly when they restrict trial versions and claim all functionality has been tested by third-parties such as 'government approved pen testers' - as though such a meaningless claim is a substitute for in-house proving.
Security is a process not a product.