Internet Security Tips and Advice

Security Choices, Part 3: Proactive Security Solutions

March 12th, 2008 by Igor Pankov

Introduction

We’ve already covered two corners of the golden triangle of security – firewall and antivirus, and this article addresses the third – proactive protection. By proactive protection, we mean software that attempts to block illegal or unwanted application activity without the need to compare that activity to a set of known “fingerprints” that specifically match a particular threat.

Overview

There is no universal definition of what proactive security really is but the general consensus is that it represents any solution that blocks or otherwise prevents illegal or suspicious activity by applications at a local level. These solutions don’t need signatures to identify a potential attack – what they do is look at the application’s behavior in order to attempt to identify a potentially malicious process and stop an attack before it can infect or otherwise compromise the system.

Let’s take a look at the currently-available categories of proactive security solutions.

HIPS

HIPS stands for Host-based Intrusion Prevention System. The name itself is not very intuitive, but the way HIPS works is this: imagine a solution that monitors every application’s activities and interactions with the Operating System and alerts you whenever a new or unknown event occurs. As soon as such an event occurs, the solution asks you whether the activity should be permitted or blocked, and the resulting rule is added to the database of choices already learned by the program.

Although this approach might seem overly intrusive and distracting, it can provide the best protection against unknown attacks because it’s hard to go wrong when every activity is under your control, or, rather, is dependent on how you treat it. HIPS acts a whistleblower – informing you of incompliant activity and letting you decide whether it is OK to proceed.

Here is a list of activities typically monitored and controlled by HIPS solutions:

  • Application memory integrity and sharing of common components (DLLs)
  • Loading of system drivers
  • Creating or registering new services
  • Changes in the Windows Registry
  • Keyboard and screen interactions, including copy/paste commands
  • Controlling the use of typical Windows applications and services with uncommon parameters
  • Controlling interactions between applications; controlling interface windows
  • Changing Windows and application settings (browser homepage, HOSTS file, etc.)
  • Low-level disk access
  • Other special functions and operations

Although these activities may appear rather ambiguous to most users, keeping a close eye on them does safeguard the computer against the majority of attack techniques used by real-world malware.

To be able to control these activities, HIPS programs use special monitoring and intercepting functions that enable the activity of target processes to be suspended and then resumed or stopped later based on user input.

Examples of classic HIPS solutions are Outpost Firewall Pro and ZoneAlarm firewalls.

The downside of such close monitoring of system operations is the large number of requests for user input. To mitigate this issue, developers of HIPS solutions create and update configuration policies that can be applied automatically in the background without the need for the user to respond to security alerts. The list of predefined policies is, of course, continuously expanding and is regularly distributed to users over the Internet.

When we talk about HIPS, one of the things that come to mind is the leaktest. Leaktests are closely related to HIPS because they test HIPS’ performance and evaluate how good these tools are against real attacks using sophisticated intrusion techniques. While they are somewhat biased towards measurement of outbound network resistance strength, leaktests do serve as a useful tool to record the types of interactions a particular security system can resist. You can read more about leaktests and their use here (“Leaktests as a Measure of Outbound Protection”).

Behavior blockers

Behavior blocking software is a natural evolution from HIPS because it uses analytical processes to assess the legitimacy of operations. Instead of alerting to every single event, behavior blockers evaluate the sequence of events and determine the chances of a particular activity being malicious based on analysis of the observed behavior.

For example, instead of asking whether a new program should be permitted to auto-start with Windows, behavior blockers investigate whether the new program also attempts to infiltrate critical system areas, register new system services, interact with other Windows programs, or otherwise exhibit typical malicious patterns. After sufficient suspicious activities have been observed to conclude that the suspect is “up to something” and the critical threshold is reached, the program is classified as malicious and is either shut down automatically or the user is asked what should be done with it.

Examples of such programs include PrevX and CyberHawk Pro. Although they dramatically reduce the number of user prompts as compared with classic HIPS solutions, these programs are more prone to being bypassed by hackers because the analytical logic may not be as precise as it needs to be. However, for some, that may be a worthwhile trade-off (everything in security is a compromise between efficacy and ease of use).

Sandboxing and whitelisting

Sandboxing is a way to define a list of permitted activities or trusted programs, after which all other activity will automatically be blocked. Products such as DefenseWall use this principle, where you can specify which applications on a computer you consider safe and allow critical operations to interact with, while all other applications have considerable restrictions placed on their activities.

Prevention of unauthorized shutdowns

One key element of proactive security is maintaining active protection even if malware attempts to shut it down. In the past, it was relatively easy to switch off or disable many security products, enabling a security breach to take place. Realizing the need to make their products more resistant to such attacks, many security vendors have added self-protection functionality to prevent this type of unauthorized termination.

Conclusion

Proactive security is valuable for its push to combat threats based on behavior patterns rather than by relying entirely on identifying them according to known samples. This approach can stop new or obscure threats that cannot be identified by an anti-virus or other signature-based product. Proactive protection is a perfect match for the firewall and antivirus, adding another layer of protection against the risks that are always close by in our interconnected world.

Posted in Security Insight

2 Responses

  1. Raymond Juillerat

    Certain sites protect their images or other critical pages against the possibility to refer them from another site. To do this they need to know the referrer to give back the content only it is the awaited one (in the same domain as current one). With PHP programming, it is easy to do this. But on a computer having outpost security suite v6, the referrer is blocked also when it’s domain is the same as the asking one. That is a very strong drawback of your solution. I mean it’s an error to block in that case.
    Any solution ?

  2. Matt

    Perhaps the simplest way to understand what a HIPS is, is to think of it as a firewall between applications and system components.

    Of course there can be issues, something attempting to hook the keyboard input, may be a helpful macro expander tool or an evil piece of spyware, so some understanding by either the user or the protection program of what is reasonable and what is unsafe is needed, as haphazard answers to prompts, can leave security minimal or devastate legitimate operations, neither of which are desirable. Some progress has been made, but not nearly enough.

    At their present state, most forms of HIPS do not score highly on usability.