Meltdown & Spectre: What You Need to Know

This post discusses the Meltdown and Spectre vulnerabilities, provides some proactive actions that can be taken to mitigate them, and also discusses the use of behavior-based analysis to detect attacks that take advantage of these or similar vulnerabilities, regardless of their signature.

Meltdown and Spectre are two architecture-based vulnerabilities, affecting aspects of both hardware and software and manifesting as 3 CVEs:

  • CVE-2017-5754 (Meltdown)
  • CVE-2017-5753 (Spectre, Variant 1)
  • CVE-2017-5715 (Spectre, Variant 2)

Attacks could take advantage of these architecture design vulnerabilities of processor execution, combined with side-channel attacks, to bypass the normal security controls surrounding the kernel space of a CPU, which is normally isolated from the user space. The separation of these two memory spaces is a fundamental concept that many other security controls rely on.

Impact

Meltdown Impact

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown. (Horn, Jann, et al.)

Spectre Impact

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches. (Horn, Jann, et al.)

Preventive Action

It is important to emphasize that information and consequences surrounding these vulnerabilities are still being discovered. Currently some proofs of concept (POCs) are available, but there are no weaponized versions in common hacker tools, like Metasploit. Patches have been released for the infrastructures of common cloud providers, and patches for Meltdown have been released for many Linux distribution kernels. Please consult the following security advisories for your cloud providers, and follow their recommendations for patching and mitigation for these vulnerabilities:

How Threat Stack Can Help

Understanding how Threat Stack can help is based on understanding the difference between signature-based detection and behaviour-based detection.

Signature-Based Detection

Based on media coverage of Meltdown and Spectre and feedback from our customers, much of the focus is on attempts to identify possible signatures of possible exploits using traditional malware analysis tools and methods. This is a difficult way of approaching the problem, considering the nature of the attack and the fact that no exploits are currently available from which to create signatures. Even when exploits are developed, it will still be difficult to detect their signatures because “Meltdown and Spectre are hard to distinguish from regular benign applications.” (Horn, Jann, et al.)

Many of the questions we have received at Threat Stack can be summarized as follows: How do we specifically detect Meltdown or Spectre with Threat Stack?

This is easy to answer: You don’t specifically detect exploits targeting the Meltdown or Spectre vulnerabilities with Threat Stack. Instead, you detect the actions an adversary is taking against your infrastructure using behavior-based detection.

Behavior-Based Detection With Threat Stack

Threat Stack takes an alternative, behavior-based approach to addressing attacks related to vulnerabilities such as Meltdown and Spectre. An attack rarely consists of the isolated use of an exploit such as Meltdown or Spectre. Rather, it consists of multiple stages, each having an associated behavior that can be detected and alerted on. The action of running an exploit is just one part of this process. Unless an attacker completes all stages required to carry out an attack, they will not be successful.

By conducting a behavioral analysis of the various stages in the attack lifecycle, instead of focusing on the specific exploit, it is possible to identify and alert on anomalous behavior that surrounds the use of exploits such as Meltdown and Spectre as well as other exploits that have not been discovered yet. This is precisely what Threat Stack does.

Behavioral Detection and the Cyber Kill Chain

The Cyber Kill Chain® (or Intrusion Kill Chain) attempts to identify stages that an attacker must go through in order to achieve their objectives. Detecting these stages is important for defensive activity, so action can be taken to halt their attempts. The following sections outline the relevant steps in the Cyber Kill Chain as well as Threat Stack’s approach to detecting activity within each of these steps.

1. Reconnaissance

Reconnaissance activity attempts to identify and collect information that an attacker can use during the later stages of an attack. Reconnaissance can be separated into two types: Initial Recon and Internal Recon. Initial Recon may include techniques such as social engineering. Internal Recon may include running commands on a system to discover vulnerabilities and exploit possibilities, entrench, or discover paths to move laterally.

Attacker Objective

To discover and collect information to understand the targets, vulnerabilities, and exploits that will allow the attackers to achieve their final objective(s).

Defender Objective

To discover reconnaissance activity and determine the attacker’s objectives.

Threat Stack Approach

Certain behaviors on a host can indicate reconnaissance activity. Threat Stack has the ability to audit system activity and look for anomalous behaviors that would indicate that internal recon activity is occurring. This may include looking for commands that output information to a user, such as ls, find, or locate or commands that are targeted toward a specific type of reconnaissance. For Meltdown and Spectre, this may manifest as listing out system information.

2. Weaponization

This activity usually happens on the attacker side. Threat Stack has no visibility here, unless they are testing an exploit, which is covered below in Section 4. Exploitation.

Attacker Objective

To combine an exploit with malware to form a deliverable payload.

Defender Objective

To infer attacker behavior by analyzing known malware.

Threat Stack Approach

Threat stack has no visibility into weaponization activity because we are looking for behaviors on a host. However, we can use behaviors surrounding the use of known malware to inform our behavioral analysis and associated rules.

3. Delivery

The Delivery Stage consists of conveying a payload to the target host. Depending on the type of host, it may include anything from the insertion of physical media to using remote file tools to retrieve the payload.

Attacker Objective

To convey the malware to the target.

Defender Objective

To detect and block the operation.

Threat Stack Approach

Conveying malware to a target requires that certain actions occur on a system. This may include behaviors such as running a tool like scp or wget to retrieve an exploit from a remote location or using compilation tools to compile code on a system. The Threat Stack platform can detect and alert on these behaviors.

4. Exploitation

The Exploitation Stage consists of using a weaponized exploit to gain access. Examples may include an initial exploit through a network layer to gain local host access or may be an exploit at the local host level to gain elevated privileges.

Attacker Objective

To exploit a vulnerability to gain access. For Meltdown and Spectre, this could mean retrieving a key or password, which could then be used to elevate privileges.

Defender Objective

To detect abnormal process activity that could indicate a running exploit.

Threat Stack Approach

Exploitation requires the execution of a vulnerability. This stage must be preceded by previous stages in the Kill Chain. On execution, Threat Stack has the ability to see associated abnormal process activity if it is originating from an abnormal location on the system, such as the /tmp directory.

5. Installation

The Installation Stage consists of activity that will allow an attacker to maintain persistence on the system, such as creating backdoors or hiding activity.

Attacker Objective

To install a persistent backdoor or implant in the victim environment to maintain access for an extended period of time.

Defender Objective

To detect the installation of malware or a payload.

Threat Stack Approach

Persisting in an environment requires installing webshells, creating services, installing kernel modules, and/or modifying log files. Threat Stack can detect and alert on activity surrounding these behaviors.

6. Command & Control

The Command & Control Stage consists of establishing a channel (C2 channel), which enables the attacker to remotely control the host.

Attacker Objective

To open a command channel to remotely manipulate the victim.

Defender Objective

To detect and alert on anomalous network or system behavior indicating a C2 channel.

Threat Stack Approach

To remotely manipulate the system, a command & control channel needs to be setup. Threat Stack can detect local commands, connections, host events, and threat intelligence activity that would indicate that an attacker has opened a command & control channel, such as attempting to create a remote connection.

7. Actions on Objectives

This stage is where an attacker achieves their intended goals. Attackers have a variety of reasons for carrying out an attack, which may range from “doing it for the lulz” to political or nationalistic objectives.

Attacker Objective

To escalate privileges and collect and exfiltrate data.

Defender Objective

To detect this stage as quickly as possible and limit the duration of access.

Threat Stack Approach

Certain behavior surrounds the activity of carrying out objectives against a target system. Threat Stack monitors for anomalous behavior surrounding things such as privilege escalation or the use of tools that could be used for data collection and exfiltration (e.g., scp or wget).

Conclusion

In this article, we have discussed the Meltdown and Spectre architectural vulnerabilities that affect a wide range of processors. Although they do present risk, you can take proactive steps to mitigate them and also use behavior-based analysis methods to not only detect exploitation related to the Meltdown and Spectre vulnerabilities, but also detect future attacks that take advantage of similar vectors.

As updates on Meltdown and Spectre become available, we will keep you informed.

References

Horn, Jann, et al. “Meltdown and Spectre.” Meltdown and Spectre, Graz University of Technology, 3 Jan. 2018, https://meltdownattack.com/

Wikipedia contributors. “Kill chain.” Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, https://en.wikipedia.org/wiki/Kill_chain