ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)

Software is ubiquitous and fundamental to all computing devices. Applications are developed in many programming languages by programmers and software vendors with diverse training, experience and programming know-how. This makes it difficult to discover and assess the vulnerabilities present in software, whether it is developed in house, supplied by a vendor or outsourced. It is very hard to determine the severity of a vulnerability that is, or will be, present in a software package installed in a work environment.

The software vendor market has become an economic battleground as vendors try to outdo each other, the motivation being to seize software market segments and stay dominant. To achieve this, competitors and hackers deploy dirty tricks such as malware, viruses, Trojans and worms to mudsling competitors. The motivation of the attackers and the profile of the victim all play into who ultimately gets attacked and who doesn't. To counter this, organizations need to deploy tools that deter these kinds of attacks; an example of such a tool is the Enhanced Mitigation Experience Toolkit (EMET). The tool is freely available for download from the Microsoft website. It plays a very critical role in enhancing the bank's network security and detecting malicious activity.

EMET is a free mitigation tool that helps system administrators, IT professionals and developers beef up the security of third-party applications by helping prevent vulnerabilities in software (from both Microsoft and third parties) from being successfully exploited. The tool applies the state-of-the-art security mitigation technologies built into Windows, even where the programmer of the software did not include security controls or code hardening, so that the software is more resistant to known vulnerabilities, zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.

It doesn't matter which software vendor, programming language, version or release date. The organization might have critical software developed in the 1990s that is no longer supported by its developers, or the vendor of the software may no longer exist. This is where EMET comes in handy: "In 2010, if you deployed EMET, you could have blocked 90% of the memory corruption exploits that were found in common productivity applications without ever applying the fixes (although we still of course encourage everyone to apply their updates). By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products. In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor." windows.com (2010). EMET is not a first-line-of-defence product such as an antivirus program or a firewall, but steps in when malware manages to sneak past the first lines of defence.

One of the new abilities of EMET 4.0 is its "certificate trust" feature, which is intended to block so-called "man-in-the-middle" attacks that leverage forged SSL certificates in the browser. There have been banking attacks that impersonated the bank using fraudulent digital certificates obtained from certificate authorities, in order to access critical customer data through mobile or internet banking. The feature is enabled by providing the list of websites (internet banking) or mobile applications (mobile banking) that you want to protect, together with the certificate pinning rules that apply to them.

1.1 How to deploy EMET across the enterprise

The easiest way to deploy the current version of EMET across an enterprise is to use enterprise deployment and configuration technologies. The current versions have built-in support for Group Policy and System Center Configuration Manager.

1.2 Risks of using EMET

The security mitigation technologies that EMET uses have an application-compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, you can individually enable and disable that specific mitigation.

1.3 EMET features

a) Using EMET to protect installed software: This is achieved by configuring EMET to provide protection for a particular piece of software.

b) Structured Exception Handler Overwrite Protection (SEHOP): Performs Structured Exception Handler (SEH) chain validation and breaks SEH overwrite exploitation techniques.

c) Data Execution Prevention (DEP): A memory defence that marks regions of a process' memory non-executable, making it more difficult for an attacker to exploit memory corruption vulnerabilities.

d) NULL page allocation: Blocks attackers from taking advantage of NULL dereferences in user mode by allocating the first page of memory before the program starts.

e) Heap spray allocation: Heap spraying is an attack method that consists of filling a process' heap with specially crafted content to aid in manipulation. Many attackers rely on content placed at a common set of memory addresses. The tool pre-allocates those memory addresses, hindering such attacks.

f) Export Address Table (EAT) Access Filtering: To run, an exploit typically needs to call functions exposed by Windows. However, in order to call one of these functions, the exploit must first find where it is loaded. This mitigation blocks the most common approach used by exploits to look up the location of a function, which involves scanning the export address table of loaded libraries. It is highly effective at blocking exploits currently in use.

g) Mandatory Address Space Layout Randomization (ASLR): The tool uses ASLR to randomize the addresses at which modules are loaded, to help prevent an attacker from leveraging data at predictable locations.

h) Certificate Trust: SSL certificate pinning has been added to help detect man-in-the-middle attacks that leverage the Public Key Infrastructure (PKI).

i) Hardening of ROP mitigations: Additional checks to prevent return-oriented programming (ROP) based attacks.

j) Early Warning: This feature helps respond more quickly to zero-day exploits and PKI-related attacks. By detecting and helping prevent exploits related to a new vulnerability or a malicious certificate, EMET allows a response to be mobilized before an issue becomes widespread, resulting in better protection.
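Mandatory ASLR and DEP matter most for images that were never linked with those protections. The following added example (not from the original post or from EMET itself) reads the DllCharacteristics field of a PE optional header to show which of these mitigations a binary opted into at link time, and therefore which ones EMET would have to force; build_min_pe() constructs a minimal sample header so the audit runs offline on realistic input.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header (winnt.h).
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0020, 0x0040, 0x0100, 0x0400

def build_min_pe(dll_characteristics, pe32plus=False):
    """Constructed sample: the smallest header layout audit_pe() needs.
    Only the fields audit_pe() reads hold meaningful values."""
    e_lfanew = 0x40                                   # DOS stub is exactly 64 bytes here
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0002)  # Machine .. SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)            # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

def audit_pe(data):
    """Return which link-time mitigations the image opted into."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                            # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr_dynamic_base": bool(chars & DYNAMIC_BASE),
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
        "dep_nx_compat": bool(chars & NX_COMPAT),
        "no_seh": bool(chars & NO_SEH),
    }

def emet_gaps(report):
    """Mitigations EMET's mandatory settings would have to force because the image
    did not opt in itself. SEHOP is runtime SEH-chain validation, not a header flag,
    so it is deliberately not derived from the header."""
    gaps = []
    if not report["aslr_dynamic_base"]:
        gaps.append("Mandatory ASLR")
    if not report["dep_nx_compat"]:
        gaps.append("DEP")
    return gaps
```

Run audit_pe() over the bytes of a real module (open(path, "rb").read()) to see how many legacy DLLs in a line-of-business application still lack DYNAMIC_BASE or NX_COMPAT.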

1.4 Summary

The Enhanced Mitigation Experience Toolkit 4.0 is one of the must-install programs that Microsoft makes available for its operating systems. It runs unobtrusively in the background, protecting your system against exploits and malware that slipped past the antivirus solution.

The tool is a good companion in hardening the bank's ICT security posture, especially for system developers and application administrators. Send me your views on where the tool can be deployed.

EMET is definitely not a silver bullet. It improves a PC's security posture by making it very difficult to successfully exploit certain types of vulnerabilities, and its easy-to-use interface and simple deployment options make it a fine addition to any Windows user's security arsenal.

