Welcome to the first in a series of blog posts in which we’ll review some of the big threat headlines from 2018 and see what we can learn to prepare for 2019. It’s all based on a webcast that I did with Microsoft MVP and Windows security expert Randy Franklin Smith, so be ready for some valuable insights. Let’s start at the beginning of 2018, which blew in with a roar with Spectre and Meltdown.
What are Spectre and Meltdown?
As you’ll recall, early in 2018, research was published revealing that nearly every computer chip manufactured in the last 20 years contains some fundamental security flaws. Blurring the line between hardware and software, these vulnerabilities arise from a feature of modern CPUs called speculative execution, which helps the chips run faster.
Speculative execution works like this: While the CPUs is waiting for one instruction to finish, it actually predicts what it is likely going to have to do next — and goes ahead and does it (that’s the “speculative execution”). The idea is, if things go as expected, the work is done already, and if not, the work can just be rolled back.
But the process introduces some vulnerabilities. One is that code might access data that it’s not authorized to access because the memory cache on the CPU does not get rolled back — that’s Meltdown. The Spectre vulnerability can result in similar “side-channel” leaks of sensitive data, but it relies on specifics of the branch prediction logic in speculative execution. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. In particular, if a multi-tenant hypervisor is running virtual machines from different customers on one CPU, Spectre provides a way for malicious code in one VM to break into another VM — which would be a real horror story for the cloud provider.
Where do we stand with Spectre and Meltdown today?
There are two pieces of good news. The first is that although some proof-of-concept programs have been created, there isn’t any evidence yet that the Spectre and Meltdown flaws have been exploited in the real world (although such exploits would be difficult to detect, and attackers are undoubtedly working on it). The second is that there are patches available for both Spectre and Meltdown; they comprise a combination of operating system patches, firmware patches and microcode updates to the CPU itself. Unfortunately, the patches can limit speculative execution or shut it down completely, which hurts CPU performance. That leaves you in the unfortunate position of having to choose between security and performance.
How can I mitigate the risk of Spectre and Meltdown?
The best way to mitigate the risk of Spectre and Meltdown is to keep your head down and focus on the fundamentals:
- Get visibility into your hardware inventory and software configuration. Proper reporting on the computers in Active Directory will help you know exactly what hardware you have installed so you can assess your risk and weigh the value of the associated patches. Some of the controls are not enabled by default because their performance impact can be so great. Of course, you have no control over hardware in cloud environments, but inventory is a critical part of on-premises Active Directory management.
- Enforce the principle of least privilege. A basic tenet of Active Directory security is to give each user — and especially each admin — only the privileges they need to do their job. This limits the reach of insider threats. Also ensure that admins never use privileged accounts to log on to user workstations; that way, even if attackers get a foothold there, they won’t find any admin credentials to harvest. And put effective Active Directory auditing in place so you can track and alert on changes to user privileges that could break least privilege.
- Restrict website access. Malicious code often gets into the network via phishing attacks. By using Active Directory management tools to limit the websites users can visit, you’re reducing the chances of hackers even having the chance to exploit Spectre and Meltdown on your CPUs.
- Adopt an “assume breach” mindset. Accept that security incidents, outages and other untoward events will happen and make sure that you are prepared to recover. Often, it’s your recovery planning, efforts, testing and rehearsal that defines the extent and cost of an incident, not the incident itself. Be sure you back up Active Directory and are able to recover your entire Active Directory forest.
That’s it for Meltdown and Spectre. Stay tuned for further posts about lessons learned from 2018. In the meantime, you can learn more about best practices for limiting the ability of attackers to move around inside your network by checking out our ebook, “Enhancing Active Directory Security & Lateral Movement Detection.”