FireEye Stories Blog

Solving the Endpoint Exploit Gap: Intelligence-Based Exploit Detection for Endpoints

Today we announced that FireEye Endpoint Security (HX) 3.1 will be available on March 31st with a major new addition – Exploit Guard – to protect endpoints from the attacks that bypass other endpoint security solutions.

Before diving into the details, let’s define what constitutes an exploit in our world. In computing, an exploit is an action (generally a sequence of actions) that an actor employs to take advantage of a bug or vulnerability in a target organization’s software or hardware systems in order to gain access to or control of those systems. In simpler or more traditional attacks, an exploit is carried out with a piece of software or chunk of data that creates or runs a sequence of commands on the target system. The advanced exploits we see today – which bypass traditional endpoint security solutions and are difficult to detect – use multi-step processes or proprietary encryption to obfuscate their malicious nature and give attackers access.

Endpoints are one of the most common targets for exploiting vulnerabilities, as they’re the most available attack surface and a key entry point to internal applications and systems. As the meeting spot between an internal network and the external world, they’re a readily identifiable point of access, their vulnerabilities are well documented, and attackers have had years to develop ways to outsmart traditional endpoint security.

The sheer number and complexity of endpoint software packages, and the continued reality that new bugs or vulnerabilities are constantly being created, give attackers a leg up against network defenders. Even when an organization has a rigorous patching process for known issues, it can never know or catch every issue. Current endpoint protection (EPP) technologies don’t have the capacity to protect against sophisticated exploit activity; they tend to use static technology or monitor only a single point or action in their attempt to determine whether an exploit may be in progress. Today, a hacker takes advantage of this weakness in EPP by using a series of steps to create an exploit that other solutions ultimately can’t detect.

A more robust protection can detect not only individual actions but also use behavioral monitoring to track a series of actions, linking together seemingly disparate events to conclude that an exploit attack is in progress. Doing this requires a large base of exploits and threat intelligence that drives detection of the attackers’ tools, techniques, or procedures (TTP) being used in an exploit attempt, and thus of the exploit itself. A more traditional EPP defense will try to identify an active exploit by using some type of statistical, signature or fixed-behavior technique that may trigger an alert that an exploit may be taking place. Unfortunately, these methodologies tend to have high false positives or simply can’t connect a chain of seemingly dissimilar events that would indicate an exploit is in progress. Hackers use this knowledge to make their exploits bypass EPP, which can’t identify techniques purposely designed by an attacker to fly under its simple detection radar. EPP just doesn’t have the exploit intelligence needed to spot exploits.

A significant difference between FireEye HX exploit detection, “Exploit Guard”, and EPP solutions is that Exploit Guard has the intelligence to evaluate the various activities taking place on an endpoint, rather than only comparing them against static data in a database. Using this intelligence, it can assign levels of importance to an individual activity, as well as link seemingly individual activities together. As HX observes various activities, it can proactively link the actions in order to evaluate and score them individually and together, and thus compile a base score of the various actions, as the linked activities may indicate an exploit is taking place. And this takes place in real time, so HX can quickly and confidently make a determination of the likelihood that an exploit is taking place and create an alert an analyst can quickly act on.
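The difference between judging events one at a time and scoring linked events together can be shown with a small sketch. This is an added example, not FireEye's code or the Exploit Guard algorithm; the event names, weights, threshold, time window and link bonus are all constructed assumptions.

```python
from collections import defaultdict

# Constructed weights: how suspicious each action is on its own.
WEIGHTS = {
    "doc_opened": 5,
    "heap_spray_pattern": 35,
    "rwx_memory_alloc": 30,
    "child_process_spawn": 25,
    "outbound_connection": 15,
}
ALERT_THRESHOLD = 60   # constructed alerting threshold
WINDOW_SECONDS = 30    # events further apart than this are not linked
LINK_BONUS = 10        # added for each extra distinct action linked in a window

def single_event_alerts(events):
    """Baseline: judge every event in isolation."""
    return [e for e in events if WEIGHTS.get(e["action"], 0) >= ALERT_THRESHOLD]

def chained_scores(events):
    """Score each process on its best window of linked, distinct actions."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)
    scores = {}
    for pid, evs in by_pid.items():
        best = 0
        for i, start in enumerate(evs):
            seen = {}  # distinct actions inside the window opened by `start`
            for e in evs[i:]:
                if e["ts"] - start["ts"] > WINDOW_SECONDS:
                    break
                seen[e["action"]] = WEIGHTS.get(e["action"], 0)
            best = max(best, sum(seen.values()) + LINK_BONUS * (len(seen) - 1))
        scores[pid] = best
    return scores

def chained_alerts(events):
    """Process IDs whose linked activity crosses the threshold."""
    return sorted(p for p, s in chained_scores(events).items() if s >= ALERT_THRESHOLD)

# Constructed sample telemetry as (seconds, pid, action); not real product output.
EVENTS = [{"ts": t, "pid": p, "action": a} for t, p, a in [
    (0, 4120, "doc_opened"), (2, 4120, "heap_spray_pattern"),
    (3, 4120, "rwx_memory_alloc"), (5, 4120, "child_process_spawn"),
    (1, 5200, "doc_opened"), (400, 5200, "outbound_connection"),
    (10, 6300, "child_process_spawn"), (900, 6300, "rwx_memory_alloc"),
]]
```

No single event in the sample reaches the threshold, so the per-event baseline stays silent, while the linked view flags only the process whose actions cluster within the window.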

The fact today is that EPP solutions’ traditional design and lack of exploit intelligence limit their ability to detect exploit activity. Because they can only look at single actions or activities, an attacker will purposely obfuscate their actions, leaving EPP trying to detect an endpoint exploit based on incomplete intelligence. With FireEye intelligence, HX can analyze a wide variety of actions that alone may not trigger an alert, but examining them in context allows it to detect that an exploit may be taking place. Because HX looks at multiple exploit vectors instead of just single ones, it also doesn’t have the false-positive problem that limited exploit criteria cause. HX exploit intelligence eliminates the confusion, over-reporting and alerting noise that EPP creates due to its lack of exploit intelligence.