Not new, but interesting HIPS article

New HIPS Technology Takes on Zero-Day Attacks
February 1, 2006
By Drew Robb

First came enterprise-class anti-virus (AV) tools, then desktop firewalls and anti-spyware protection. With each technical advance, however, would-be attackers changed their tactics – or morphed the latest virus or Trojan just enough for it to sail past the defenses.

It’s reached the point where AV and spyware just don’t seem able to cope with the newest threats.

The latest problem is the zero-day attack, which is an exploit that takes advantage of a software vulnerability unknown to security professionals. Because it’s an unknown bug, no virus and spyware signature updates have been issued yet to thwart the malware so it penetrates deep into the enterprise, causing damage for days, if not weeks, before a fix is available.

And that’s where desktop host-based intrusion prevention systems (HIPS) come to the fore.

“HIPS includes a variety of approaches, such as behavior-based systems that sit on the desktop and defend against zero-day attacks,” says Natalie Lambert, an analyst at Forrester Research Inc. of Cambridge, Mass. “It watches for behavior that would indicate the activity of spyware, such as a program opening up something in a temp folder.”

According to a new Forrester survey of 150 enterprise technology decision makers, HIPS is now firmly on many companies’ radar screens. Lambert reports that 28 percent of respondents plan to purchase desktop HIPS this year. With a mid-2005 estimate by Stamford, Conn.-based Gartner Inc. placing market penetration around 1 percent, it’s clear HIPS is picking up speed.

HomeBanc Mortgage Corp. of Atlanta is a retail mortgage company focusing on the Southeast. It selected San Mateo, Calif.-based Sana Security Inc.'s Primary Response for HIPS-level protection against worms, spyware, Trojans, keyloggers and other threats.

“Threats to today’s Internet-connected business are more complex and challenging than ever,” said Michael Ciarochi, senior security engineer at HomeBanc. “Companies need to be armed with proactive solutions to mitigate new attacks.”

But while HIPS certainly seems to have an inside track on the proactive angle, there is a debate going on as to its precise definition.

Some think it is really just a regular network-based IPS that you regularly update with virus-like signatures of the latest attacks. Others get into advanced firewall techniques. A few vendors focus on hardening the system so attacks can’t make an incursion into the application core or Windows registry. Another camp conducts a variety of system scanning techniques to detect and isolate suspicious behavior.

“There are multiple approaches to HIPS and they all have their own pros and cons,” says Greg Shipley, chief technology officer of security consulting firm Neohapsis, Inc., which is based in Chicago. “As the technology has yet to fully mature, there is not a current right way to do it.”

Shipley says he suspects the HIPS market will follow a similar course to that taken by the Intrusion Detection System (IDS) market a few years ago. Back around 2000 to 2001, there was a lot of debate about the best way to accomplish IDS and which technology would come out on top.

Internet Security Systems Inc. (ISS) of Atlanta had a signature-based product known as RealSecure, whereas tools, such as ManHunt (now owned by Symantec Corp. of Cupertino, Calif.) and BlackICE (now part of ISS), were more based upon protocol anomalies. So who won? Today, most successful IDS products have integrated the two models. ISS RealSecure, for example, uses both protocol anomaly and signature-based detection engines. Other vendors offer similar solutions that combine several technology elements into what is now considered standard IDS.

No such standard, however, has materialized in the HIPS arena.

“I do not believe there is an industry standard for desktop HIPS,” says Gartner analyst John Girard. “There just isn’t one definition for comprehensive desktop HIPS.”

HIPS Elements

What elements comprise HIPS today?

The basic goal is to block inappropriate system activity. According to Pete Lind, an analyst with security consultancy Spire Security LLC of Malvern, Penn., there are a number of techniques that can be simplified as follows:

Allow predefined/known good activity and block everything else;

Deny predefined/known bad activity and allow everything else, and

Block system activity that is anomalous.

The most common activities being monitored are program executions, file system activity, registry reads/writes, and network operations.
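To make the three models concrete, here is a small added example (written for this thread, not code from the article or from any vendor it names) that runs the same constructed process-execution events through a default-deny whitelist, a default-allow blacklist, and an anomaly check. The anomaly model here is an assumption for illustration: it treats the (parent, child) pairs seen during a clean learning period as the baseline, so a known-good program started by an unfamiliar parent still counts as anomalous. All paths, lists and events are made-up sample data.

```python
"""Added example: the three HIPS policy models (allow known good / deny known bad /
block anomalous) applied to a constructed stream of process-execution events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    image: str   # path of the program trying to start
    parent: str  # path of the process that spawned it


# Constructed sample data: what the administrator approved, what is known bad,
# and which (parent, child) launches were observed on a clean system.
WHITELIST = {r"c:\windows\explorer.exe", r"c:\program files\mozilla firefox\firefox.exe"}
BLACKLIST = {r"c:\users\alice\appdata\local\temp\dropper.exe"}
BASELINE_PAIRS = {
    (r"c:\windows\explorer.exe", r"c:\program files\mozilla firefox\firefox.exe"),
    (r"c:\windows\explorer.exe", r"c:\windows\system32\notepad.exe"),
}


def default_deny(ev: ExecEvent) -> str:
    """Model 1: allow predefined/known good activity, block everything else."""
    return "allow" if ev.image.lower() in WHITELIST else "block"


def default_allow(ev: ExecEvent) -> str:
    """Model 2: deny predefined/known bad activity, allow everything else."""
    return "block" if ev.image.lower() in BLACKLIST else "allow"


def anomaly(ev: ExecEvent) -> str:
    """Model 3 (assumed form): block launches never seen in the learning baseline.
    Keyed on (parent, child), so a good program from an odd parent is anomalous."""
    pair = (ev.parent.lower(), ev.image.lower())
    return "allow" if pair in BASELINE_PAIRS else "block"


def evaluate(events):
    """Return {image: {model: decision}} so the three models can be compared."""
    out = {}
    for ev in events:
        out[ev.image] = {
            "default_deny": default_deny(ev),
            "default_allow": default_allow(ev),
            "anomaly": anomaly(ev),
        }
    return out


# Constructed events: a known-good browser, a brand-new unknown tool, a known
# dropper, and a known-good program started from an unexpected parent.
SAMPLE_EVENTS = [
    ExecEvent(r"c:\program files\mozilla firefox\firefox.exe", r"c:\windows\explorer.exe"),
    ExecEvent(r"c:\tools\newutility.exe", r"c:\windows\explorer.exe"),
    ExecEvent(r"c:\users\alice\appdata\local\temp\dropper.exe", r"c:\windows\explorer.exe"),
    ExecEvent(r"c:\windows\system32\notepad.exe", r"c:\tools\newutility.exe"),
]

if __name__ == "__main__":
    for image, decisions in evaluate(SAMPLE_EVENTS).items():
        print(image, decisions)
```

The unknown tool shows the trade-off the article is getting at: default-deny and anomaly both stop it (and stop the zero-day it might be), while default-allow lets it run until a signature exists; the price is that default-deny also blocks harmless new software and generates prompts.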

Shipley says other key elements of HIPS are system hardening, system-call interception technology, memory firewalling, endpoint firewalls and signature-based IPS systems.

Basically, HIPS takes a variety of routes to achieving the same end – preventing impact from an unknown threat.

When you view HIPS from the vendor perspective, expect a wide divergence in opinion about which method to implement.

Cisco Systems Inc. of San Jose, Calif. assimilated promising HIPS startup Okena into what is now the Cisco Secure Agent (CSA). Cisco avoids the cumbersome signature-based approach. Instead, it makes use of a range of techniques, including protection against buffer overflow attacks, firewall capabilities and application inventorying. In particular, Cisco harnesses system calls and behavioral analysis to locate likely culprits.

“I know organizations that now have thousands of desktop nodes running CSA,” says Shipley. “This technology is great at stopping a wide range of attacks and buying organizations additional time to patch, but there can be a real configuration and maintenance overhead associated with this protection method.”

Like Cisco, Sana’s Primary Response also avoids IPS signatures. It advocates its own brand of behavioral analysis, along with system hardening and protection against memory-based attacks.

System hardening, for instance, acts as a safeguard against some attacks, particularly those based on privilege escalation. Shipley reports, however, that hardening alone may not be enough to combat many mainstream remote buffer overflow attacks. Similarly, memory firewalling – a term coined by Determina Inc. of Redwood City, Calif. – is good at stopping some zero-day attacks, but not others. According to Shipley, it can also create a performance hit and only prevents certain classes of attacks.

The ability to view the HIPS universe with clarity has been further obscured by a couple of upstarts that also are both firmly opposed to what they term the outmoded IPS signature model – Trlokom Inc. of Monrovia, Calif., and PivX Solutions, Inc. of Newport Beach, Calif.

Trlokom appears to be positioning itself against Cisco. Instead of constantly scanning and analyzing every system call and every single application, it lightens the overhead load and simplifies the threat perimeter by focusing only on the avenue of attack. About 80 percent of current attacks come in via Web browser, so this startup has designed a sandbox to isolate the browser from the rest of the desktop.

PivX, meanwhile, operates differently.

Instead of having a large team of people who constantly analyze the latest attacks to develop the latest signatures for viruses and spyware, PivX points its team in the direction of locating potential exploits and devising fixes before anyone even discovers the vulnerability. This could be regarded as a hybrid form of system hardening.

Vendor Frenzy

Over the past two years, there has been a vendor frenzy to develop or acquire HIPS technology. The big security vendors are starting to roll out HIPS-point solutions, as well as all-encompassing security suites with an added HIPS element.

McAfee Inc. of Santa Clara, Calif., has put HIPS functionality in with its AV and anti-spyware solutions, in what is a combo of the behavioral and signature methodologies. And Symantec is just one of the companies expected to come out with HIPS-inclusive security packages in the coming months.

Analysts say it’s too early to tell what technology will prevail in this sector.

“Desktop HIPS is very immature, still evolving rapidly and so we haven’t come up with an acceptable definition as yet,” says Forrester’s Lambert. “The ultimate point we are heading toward is to prevent all zero-day attacks. No vendor is there quite yet.”

thanks for this Solo

nice enough article that gives very basic info on what HIPS is etc.

Melih

here is a simple way of putting what HIPS can do for a user from a posting in a different forum:

" I also use HIPS software along with NOD32 (set to ‘seek and destroy everything’ mode), so am becoming less and less dependent on scanning software"

http://www.castlecops.com/postp858588.html#858588

HIPS will remove the dependency on “scanning software”…

Melih

I totally agree. Prevention is far more important than cure. Keep it off your machine and there will be no need to detect it.

That said, I will always have at least one scanning application on my system if for no other reason than to confirm that the HIPS is doing its job. And as no security suite will stop 100% of threats, you must be able to remove the malware that does sneak by your suite.

The application that this poster referenced (Spyware Terminator) is interesting. I might download it to my mother's machine to try it out. My mom simply will not use any software. So I need to get her computer set up to “set it and forget it”. Prevention will be my total focus on her machine as I know that she won’t use a scanner anyway.

Very nice article, thanks for posting it :smiley:

I agree, we always need detection, but it won’t be the main weapon in your arsenal… the main weapon will be the HIPS…

Melih

Will it cover everything here?

http://wiki.castlecops.com/HIPS/IDP_programs/services

Well that’s the idea… however, we’ll see what we can do in the first version…
do you have a priority list of features you would like to see first?

cheers
Melih

Melih,

I asked someone much wiser than myself which features a HIPS needs to have. He broke down the features one by one and put them in 3 categories: Essential, Nice but optional, not needed. Here we go:

Process Execution 1…ESSENTIAL

The Software alerts you whenever any unknown process (a process not on your whitelist) tries to execute and gives you a choice. For most software you have the choice to

Allow it to start (once)
Allow it to start and add it to the white list of approved applications
Block it from starting (once)
Block it from starting and add it to blacklist
Note: This will not prevent scripts such as WSH scripts from starting if the script interpreter engine is on the white list. This feature is also known as execution control, anti-executable, process firewalling etc.

This feature as you might expect, usually contributes most to the number of prompts you get, though features like whitelists of known safe processes can help reduce the number of prompts.

Records command line parameters 2…OPTIONAL

Another difference between HIPS with respect to execution control is in their handling of command line parameters. Some HIPS totally ignore the command line parameters when creating rules. This means that for a few processes which are highly dependent on command line parameters, e.g. rundll32.exe, Microsoft Management Console (mmc.exe) or svchost, the choice is between creating an overly wide permanent rule or being prompted every time it is used.

Examples of HIPS that have the option to record command line parameters in rule sets are SSM, AppDefend and Online Armor. AppDefend in particular allows wildcards in the command line parameters for increased flexibility.

Child/parent control 3…Optional

Allows you to specify not only which processes can start, but also which processes can be started by which. Can be helpful against leak tests.

E.g. you might authorize firefox.exe to execute if it is started by explorer.exe but disallow the same firefox.exe from executing if it is started by any other process. Some HIPS provide a limited form of this: you can specify which apps can start child processes without generating prompts, but you cannot specify specific parent-child rules.
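The points in 2 and 3 above (command line parameters, and which parent may start which child) are easiest to see in a rule matcher, so here is an added example for this thread; it is not code from the post or from SSM, AppDefend, Online Armor or any other product named here. The rule format, the wildcard matching (Python's fnmatch) and all paths and command lines are assumptions I made up for illustration. The rundll32.exe rule shows why command line awareness matters: the rule is tied to one specific DLL and entry point, so other uses of rundll32.exe still prompt instead of being covered by an overly wide "always allow rundll32.exe".

```python
"""Added example: execution-control rules that may constrain the command line
(with wildcards) and the parent process, instead of the image path alone."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    image: str    # program being started
    cmdline: str  # full command line as the HIPS would see it
    parent: str   # process that requested the start


@dataclass(frozen=True)
class Rule:
    image: str                     # exact image path (compared case-insensitively)
    action: str                    # "allow" or "block"
    cmdline: Optional[str] = None  # fnmatch pattern; None = any command line
    parent: Optional[str] = None   # exact parent path; None = any parent

    def matches(self, ev: ExecEvent) -> bool:
        if self.image.lower() != ev.image.lower():
            return False
        if self.parent is not None and self.parent.lower() != ev.parent.lower():
            return False
        if self.cmdline is not None and not fnmatchcase(ev.cmdline.lower(), self.cmdline.lower()):
            return False
        return True


def decide(rules, ev: ExecEvent) -> str:
    """First matching rule wins; with no match a real HIPS would prompt the user."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    return "prompt"


# Constructed rule set: rundll32.exe is allowed only for the Control Panel
# entry point in shell32.dll; firefox.exe is allowed only when explorer.exe is
# the parent and blocked from any other parent.
RULES = [
    Rule(r"c:\windows\system32\rundll32.exe", "allow",
         cmdline=r"*rundll32.exe* shell32.dll,control_rundll *"),
    Rule(r"c:\program files\mozilla firefox\firefox.exe", "allow",
         parent=r"c:\windows\explorer.exe"),
    Rule(r"c:\program files\mozilla firefox\firefox.exe", "block"),
]

# Constructed events exercising each rule.
SAMPLE_EVENTS = {
    "control_panel": ExecEvent(
        r"c:\windows\system32\rundll32.exe",
        r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl',
        r"c:\windows\explorer.exe"),
    "other_dll": ExecEvent(
        r"c:\windows\system32\rundll32.exe",
        r'"C:\Windows\System32\rundll32.exe" c:\users\alice\appdata\local\temp\x.dll,Run',
        r"c:\windows\explorer.exe"),
    "browser_from_shell": ExecEvent(
        r"c:\program files\mozilla firefox\firefox.exe",
        r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
        r"c:\windows\explorer.exe"),
    "browser_from_unknown": ExecEvent(
        r"c:\program files\mozilla firefox\firefox.exe",
        r'"C:\Program Files\Mozilla Firefox\firefox.exe" http://example.invalid',
        r"c:\tools\unknown.exe"),
}


def decide_all(rules=RULES, events=SAMPLE_EVENTS):
    """Evaluate every sample event and return {name: decision}."""
    return {name: decide(rules, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, decision in decide_all().items():
        print(f"{name}: {decision}")
```

Rule order matters: the parent-specific allow for firefox.exe must come before the catch-all block, otherwise the block would always win. A HIPS that ignores command lines would have to pick between the "always allow rundll32.exe" rule (the other_dll case would then run silently) or prompting on every Control Panel applet.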

DLL loading 4…Essential

Many programs rely on dynamic link libraries (DLLs) to provide common functionality. Instead of putting all the functionality into the program (typically an exe) itself (a process known as static linking), the executable ‘links’ to a separate DLL (many of which are common system DLLs) which contains the functionality. When the process starts it checks to see if the DLL is already loaded in memory and if not it loads the DLLs up.

A very few security products with this feature, like Prosecurity, Antihook v2.6 and SSM (DLL libraries used for global hooking only), monitor and ask the user for approval of the initialised DLLs for each application.

Essentially, this feature works just like Execution control, except instead of approving processes you approve the dlls loaded up by each executable.

Given that each process generally loads more than one DLL, and in some cases dozens of DLLs, individually approving each one can be a tedious affair.

This feature is not to be confused with the more common dll injection protection which stops another process from injecting a foreign dll into another process. This is covered under Process Modification.

The difference between the two features is that, if malware replaces the actual DLL file with a trojanised copy (directly copying over the file on the disk) instead of trying to directly inject a foreign DLL, HIPS with the first feature will catch it.
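Here is an added example of the check that makes the difference described above (my own illustration for this thread, not code from Prosecurity, Antihook, SSM or the post). The assumption is that when the user approves a DLL for an executable, the HIPS records a hash of the DLL file, and compares against it on every later load. A copy replaced on disk keeps its name but not its hash, so it is reported as replaced rather than silently allowed. The DLL contents, paths and executable name are constructed sample data.

```python
"""Added example: per-executable DLL approval keyed by file hash, so a DLL
overwritten on disk with a different copy is caught on its next load."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "on-disk" contents of two DLLs at the moment the user approved them.
ORIGINAL_DLLS = {
    r"c:\windows\system32\version.dll": b"MZ...constructed original version.dll bytes...",
    r"c:\program files\app\helper.dll": b"MZ...constructed original helper.dll bytes...",
}

# Approval table: (executable, dll path) -> hash recorded when the user said "allow".
APPROVED = {
    (r"c:\program files\app\app.exe", dll): sha256(content)
    for dll, content in ORIGINAL_DLLS.items()
}


def check_dll_load(exe: str, dll: str, current_bytes: bytes, approved=APPROVED) -> str:
    """Classify a DLL load attempt.
    'allow'    - path was approved for this exe and the file hash still matches
    'replaced' - path was approved but the file content on disk has changed
    'prompt'   - no approval exists for this (exe, dll) pair
    """
    key = (exe.lower(), dll.lower())
    recorded = approved.get(key)
    if recorded is None:
        return "prompt"
    if sha256(current_bytes) == recorded:
        return "allow"
    return "replaced"


if __name__ == "__main__":
    exe = r"c:\program files\app\app.exe"
    dll = r"c:\windows\system32\version.dll"
    print(check_dll_load(exe, dll, ORIGINAL_DLLS[dll]))
    print(check_dll_load(exe, dll, b"MZ...constructed different bytes..."))
    print(check_dll_load(exe, r"c:\windows\system32\other.dll", b"MZ..."))
```

Hashing every DLL on every load is the source of the overhead the post mentions; a real product would cache the hash and re-read only when the file's size or modification time changes.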

Process Termination 5…ESSENTIAL

One important sign of possible malicious behavior is an attempt to terminate a critical process (typically security software like a firewall or antivirus). HIPS can offer protection to specified processes from termination attempts (including thread suspension methods) or give you a chance to intercept such termination attempts.

Note: This section does not take into account how well the HIPS resists termination attacks on itself, but whether it stops termination attacks on other processes.

Process Modification 6…ESSENTIAL

Similar to process termination, this feature protects critical processes from being manipulated and modified. This includes attacks such as code/memory injections (protecting the VM of a process from being read or written) as well as protection against remote thread creation/suspension/injection. Many leak tests are based on exploiting trusted processes (processes given network permissions by the firewall) to do their work, so HIPS with good process modification protection can offer a lot of protection against leak tests.

Some HIPS will protect only processes explicitly listed (e.g. ProcessGuard, Prosecurity) while others will intercept any termination attempt.

Access to physical memory 7…ESSENTIAL

Blocks access to physical memory, which allows kernel access.

Global hook control 8…ESSENTIAL

Provides control of hooking done by Windows programs, which is often but not always associated with keylogging. Some HIPS also provide blocking of other keylogging polling techniques like GetKeyState, AsyncKeyState.

Service/Driver control 9…ESSENTIAL

Blocks installs of software that require drivers and services. Such programs, if malicious, can be dangerous because they work in ring zero (kernel access).

Network control 10…Not Needed

Allows control of outgoing and sometimes incoming network connections by process, i.e. personal firewall capabilities. Currently, not many HIPS have this feature yet, and most users prefer to rely on their own personal firewall anyway. HIPS typically provide only limited network control. Many like System Safety Monitor provide only outbound network control. Others like DSA provide both but have limited configurable options. Some like Safensec provide both inbound and outbound control though.

Startup control-registry 11…ESSENTIAL

Monitors and blocks changes to registry entries relating to autostart. Note, there are literally hundreds of such locations in the registry and it is impossible to block all of them. Some security software allows you to add new registry keys to monitor; those will be marked as configurable in the table.

Startup control-files 12…ESSENTIAL

Entries in registry keys are not the only way for malware to register themselves for autostart. Security software with this feature monitors such file and directory locations as well (e.g. the startup folder or old style win.ini type files). Some HIPS can protect or monitor any file or folder; these HIPS can obviously provide this protection as well.

Browser monitor 13…Optional

Monitors browser (mostly Internet Explorer) related configurations for changes. This includes areas such as homepage, ActiveX controls, BHOs, toolbars, trusted zones, hidden internet options, proxy settings etc. Many of these settings are stored in the registry so a good registry monitor will get them too.

Other registry entries 14…ESSENTIAL

Other registry entries that are monitored because changes are fishy: file associations, disabling of regedit, changes to the default location of the hosts file etc.
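Items 11 and 14 above both come down to the same mechanism: remember what the monitored keys looked like on a clean machine and report every value that is added, removed or changed. Here is an added example of that baseline-and-diff logic (written for this thread, not code from the post or any product it names). It works on a constructed dictionary standing in for the registry rather than reading the real one, so it runs anywhere; the key paths are real Windows locations (Run keys, the exefile open command, the Tcpip DataBasePath that points at the hosts file) but every value is sample data.

```python
"""Added example: baseline snapshot + diff over autostart keys, file
associations and the hosts-file location, using a constructed registry."""
import copy

# Constructed snapshot of the monitored keys on a clean machine.
CLEAN_SNAPSHOT = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityAgent": r"c:\program files\hips\agent.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKCR\exefile\shell\open\command": {"(default)": r'"%1" %*'},
    r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters": {
        "DataBasePath": r"%SystemRoot%\System32\drivers\etc",
    },
}


def classify(old, new) -> str:
    if old is None:
        return "added"
    if new is None:
        return "removed"
    return "changed"


def diff_snapshots(baseline, current):
    """Return a sorted list of (key, value_name, kind, old, new) for every value
    under the monitored keys that differs between the two snapshots."""
    findings = []
    for key in baseline.keys() | current.keys():
        old_vals = baseline.get(key, {})
        new_vals = current.get(key, {})
        for name in old_vals.keys() | new_vals.keys():
            old, new = old_vals.get(name), new_vals.get(name)
            if old != new:
                findings.append((key, name, classify(old, new), old, new))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def build_tampered_snapshot():
    """Constructed 'after' state illustrating the three changes the post lists:
    a new autostart entry, a changed .exe file association and a relocated hosts file."""
    s = copy.deepcopy(CLEAN_SNAPSHOT)
    s[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]["Updater"] = \
        r"c:\users\alice\appdata\roaming\updater.exe"
    s[r"HKCR\exefile\shell\open\command"]["(default)"] = \
        r'"c:\users\alice\appdata\roaming\updater.exe" "%1" %*'
    s[r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters"]["DataBasePath"] = \
        r"c:\users\alice\appdata\roaming"
    return s


if __name__ == "__main__":
    for key, name, kind, old, new in diff_snapshots(CLEAN_SNAPSHOT, build_tampered_snapshot()):
        print(f"{kind:8} {key}\\{name}: {old!r} -> {new!r}")
```

A HIPS that blocks rather than merely reports would evaluate the same comparison at write time and ask the user before the value is committed; the "configurable" products the post mentions simply let you add more key paths to the baseline dictionary.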

Web filter 15…Optional

Security software filters content before it reaches the browser. Some merely remove all scripts, Java, ActiveX etc., while the better ones try to remove only known harmful ones.

Anti-Phishing 16…Not needed

Provides a warning when phishing might be in progress. This can be done by a combination of methods: known blacklists, a heuristic analysis of the URL etc. The much rarer anti-DNS spoofing feature is also included in this feature.

Monitor of sensitive areas 17…Not needed

Provides a warning when files (win.ini or hosts) or files in a sensitive area (typically the system directory, c:\windows\system32, sometimes c:\program files) are being modified/deleted, or if new files are being added. HIPS that allow customisable file system control will allow Restrict permissions by directories and/or Restrict permissions by process.

Restrict permissions by processes 18…Optional

Allows you to restrict what files/directories a process can read/write/create. Typically used when running some suspect or untrustworthy application. A feature of sandboxes.

Restrict permissions by directories 19…Optional

This typically allows you to set some directories (or files) as ‘secure’ zones so no other process (unless explicitly approved) can read/write etc. This can help protect security programs from being neutralised by ‘replacement attacks’ where critical files are replaced by dummy or even trojanised files, as well as shielding sensitive files from being read (by restricting read access). Also can be used to provide control over Startup control-files.

Block low level disk access 20…Optional

Provides a warning when low level disk access, e.g. access to \Device\Harddisk0\DR0, occurs. This can prevent Killdisk type trojans that trash your hard-disk.

Password protection 21…Optional

Offers password protection to protect changes to your HIPS settings. Password protection is important because it can protect against attempts to shut down your protection via simulated mouse clicks.

Most HIPS, use a password to secure access to the console. Although you need a password to open the console and change the global settings (e.g selectively turning off features) you can still answer prompts and popups without entering any password.

E.g. ProcessGuard (assuming “block new and changed application” is not checked) or Prevx1.

Some HIPS like System Safety Monitor are even more secure. They will not allow any changes at all, any prompts will be suppressed and denied if the console is not connected. Turning this on requires a password.

Heuristic Algorithm or IDS 22…Optional

In HIPS products this typically refers to some black box anomaly detection system whose rules are not explicitly stated, unlike all the features mentioned above, or some pattern matching system. Or it includes clever algorithms for anti-keylogging (not just detecting hooks to WH_Hook). HIPS with this feature may not alert on each and every system change, depending on the expert system rules.

Configurable IDS 23…Optional

Allows you to set your own series of states/behaviors to monitor and warn about. Example: alert me if any process that isn’t in the security software group deletes X files in Y seconds. Or a system where you can set configurable penalty points for suspicious behavior and flag processes once the process’s score rises above some configurable threshold.
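Both styles of configurable rule described above (the "X files in Y seconds" rate rule with an exempt security group, and the penalty-point score with a threshold) are short to implement, so here is an added example for this thread; it is not code from the post or any HIPS product. The event format, the point weights, the limits and the process names are all assumptions I constructed for illustration.

```python
"""Added example: a configurable IDS with (1) a sliding-window rate rule
"more than X deletions in Y seconds" and (2) a per-process penalty score."""
from collections import defaultdict, deque

# Constructed configuration.
SECURITY_GROUP = {r"c:\program files\hips\agent.exe"}  # exempt from the rate rule
DELETE_LIMIT, WINDOW_SECONDS = 5, 10                   # "X files in Y seconds"
PENALTY = {"delete_file": 1, "write_run_key": 5, "load_driver": 8, "write_hosts": 6}
THRESHOLD = 10


def run_ids(events):
    """events: time-ordered iterable of (timestamp_seconds, process, action).
    Returns (rate_alerts, score_alerts, scores): the processes that tripped
    each rule, plus the final penalty score of every process seen."""
    windows = defaultdict(deque)  # process -> timestamps of recent deletions
    scores = defaultdict(int)
    rate_alerts, score_alerts = set(), set()
    for ts, proc, action in events:
        # Rule 1: sliding-window deletion count, skipping the security group.
        if action == "delete_file" and proc not in SECURITY_GROUP:
            q = windows[proc]
            q.append(ts)
            while q and ts - q[0] > WINDOW_SECONDS:
                q.popleft()  # drop deletions that fell out of the window
            if len(q) >= DELETE_LIMIT:
                rate_alerts.add(proc)
        # Rule 2: accumulate penalty points per process, flag at the threshold.
        scores[proc] += PENALTY.get(action, 0)
        if scores[proc] >= THRESHOLD:
            score_alerts.add(proc)
    return rate_alerts, score_alerts, dict(scores)


# Constructed event stream: the security agent deletes six files quickly
# (exempt), an installer writes a Run key and loads a driver (13 points),
# a cleanup tool deletes six files in five seconds, and notepad deletes one.
AGENT = r"c:\program files\hips\agent.exe"
INSTALLER = r"c:\users\alice\downloads\installer.exe"
CLEANER = r"c:\temp\cleaner.exe"
SAMPLE_EVENTS = sorted(
    [(0.5 * i, AGENT, "delete_file") for i in range(6)]
    + [(1.0, INSTALLER, "write_run_key"), (2.0, INSTALLER, "load_driver")]
    + [(3.0 + i, CLEANER, "delete_file") for i in range(6)]
    + [(30.0, r"c:\windows\system32\notepad.exe", "delete_file")],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    rate, score, totals = run_ids(SAMPLE_EVENTS)
    print("rate rule:", rate)
    print("score rule:", score)
    print("scores:", totals)
```

The two rules catch different things: the cleanup tool never does anything individually suspicious, so only the rate rule sees it, while the installer's two actions are each rare enough to carry a high weight and trip the score rule even though it deleted nothing. Tuning the weights and threshold is exactly the "configurable" part, and it is also where the false-positive cost of such a system lives.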

Learning mode 24…Optional

In learning mode, the security software will automatically create rules as required without prompting by any process that starts on your computer. Another method would be to scan your system (or the start menu) for executables and approve those immediately. Learning modes can be very helpful to ease setup, however this is advisable only if your system is known to be clean otherwise your system might learn to allow malware to work. It might be wise to check what rules are added by the learning mode.

A similar feature to help reduce popups is the “install mode” of some HIPS. Typically when you start installing a new program it will result in a lot of prompts as the installer drops many temp files, starts off several temp processes etc. Turning off the HIPS completely while installing might be risky, so some HIPS will allow you to apply “install mode” to a specific installer, and this will suppress any prompt generated by the specific installer and any of its child processes. Other products allow you to run new programs in “install mode” which is like learning mode except only for that application instead of system wide. E.g. Prosecurity offers this.

Default whitelist 25…Optional

Some security software has a large (typically at least 100) list of known trustworthy software (Windows components, well known browsers, utilities and software) and these will automatically be given the proper privileges without bothering you with prompts. Some whitelists automatically give known safe programs full privileges (trusted status) without bothering to analyze what privileges are necessary. There is a small risk some other program subverts and works through the trusted program though. Some like Prevx1 are of the latter kind, but you can select how such known programs are treated. E.g. trusted known programs can start up without an explicit rule but are otherwise subject to the same restrictions as any known program.

Blacklisting 26…Optional

In practice HIPS programs aren’t in the business of telling you which processes are dangerous. However many such products have started adding blacklists of known dangerous processes or have embedded optional antivirus modules.

Community database 27…Not needed

Given that software is constantly being updated, even a default whitelist that comes with the software can be quickly outdated. A community database allows users of the product to share their findings of the types of processes they encounter and the decisions they make. Their decisions on whether to allow or not allow can provide some guidance. This information can also help malware analysts to spot fast spreading malware.

Virtualization/roll back 28…Optional

Many virtualization based software can enable you to reverse any changes made to a fixed basic side when required. Typically the virtualization is carried out on a limited scale, e.g. on a browser.

I pretty much agree.

I guess there’s a reason why most of the features listed first are also considered by your “wiser friend” to be essential, while the last few ones are optional or not needed.