Exploit Protection

Security teams and IT professionals can use the Exploit protection feature to block exploit attempts on the organization’s endpoints. Cybereason Exploit protection applies a set of security mitigation techniques that prevent attackers from successfully exploiting software vulnerabilities. Although an unknown or zero-day vulnerability cannot be patched, Exploit protection targets the attack patterns and techniques that exploits rely on, so it can block an exploit before it runs, even when the exploit targets a zero-day vulnerability.

Exploit protection enables you to ensure that your organization is protected against vulnerabilities without having to wait for additional detection rules or signature updates.

The feature is relevant for security teams and IT professionals.

Note

Exploit protection is disabled by default. To enable this feature, use the System > Policy Management screen.

What are exploits?

A computer exploit is a piece of software code that takes advantage of a software vulnerability or bug for malicious purposes. For example, in a drive-by download, a user clicks a link in an email and is redirected to a malicious or compromised website, which uses a vulnerability in the browser or one of its plug-ins to silently install malware on the user’s computer, without the user knowingly downloading anything.

Operating systems, browsers, Microsoft Office, and third-party applications are the software most commonly targeted by exploits: they are widely deployed, regularly process untrusted input such as web pages and documents, and therefore offer attackers the most exposed vulnerabilities.

Security mitigations

Cybereason Exploit protection includes several mitigation technologies that disrupt common exploit techniques. These mitigations apply on the system level and the program level:

  • System-level mitigations refer to security settings that apply to all of the applications or processes on the operating system.

  • Program-level mitigations refer to security settings that apply to specific processes or programs and that override the system mitigation for that program, if one exists. For example, the system-level “Force randomization for images (Mandatory ASLR)” mitigation might be set to Off for all programs, but the program mitigation might be set to On specifically for Adobe Acrobat.
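The following is an added example and is not code from the original page or from the Cybereason platform. It illustrates the system-level / program-level relationship described above using the built-in Windows Exploit Protection cmdlets, which manage the same Windows mitigations (the image name AcroRd32.exe is assumed here to stand for Adobe Acrobat, and the settings chosen are illustrative, not a recommended baseline):

```powershell
# Added example, not part of the original page or of the Cybereason platform. It shows the
# system-level / program-level relationship using the built-in Windows Exploit Protection
# cmdlets (Windows 10 1709+ and Windows Server 2019+), which manage the same Windows
# mitigations the page describes. Run from an elevated PowerShell session.
# "AcroRd32.exe" is assumed here to stand for Adobe Acrobat; substitute the real image name.

# System level: applies to every process that has no program-level entry of its own.
# Mandatory ASLR stays off system-wide because forcing relocation of images that ship
# without relocation data can break legacy software; DEP, SEHOP and Bottom-up ASLR are
# safe to enforce everywhere.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp -Disable ForceRelocateImages

# Program level: a per-image entry (stored under Image File Execution Options) that
# overrides the system setting for Acrobat only. Export address filtering and blocking of
# remote image loads have no system-level switch in Windows, so they can only be set here.
Set-ProcessMitigation -Name AcroRd32.exe -Enable ForceRelocateImages, BottomUp, SEHOP, DEP, EnableExportAddressFilter, BlockRemoteImageLoads

# Verify: the system default (ForceRelocateImages OFF) vs. the Acrobat override (ON)
Get-ProcessMitigation -System
Get-ProcessMitigation -Name AcroRd32.exe

# Export all current per-program settings to XML for review or redeployment
Get-ProcessMitigation -RegistryConfigFilePath .\mitigations.xml
```

Caveat: Set-ProcessMitigation -Name writes its per-program entry to the Image File Execution Options Registry path. When Cybereason Exploit protection is enabled, the platform overwrites changes made to that path, so program-level settings applied this way will not persist; manage them through the Cybereason policy instead.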

The Cybereason security team identified the combination of techniques to apply to different operating system features and processes to efficiently prevent exploit attacks. You can choose between the default configuration that uses standard security baselines, and a more aggressive protection option that uses the Cybereason security baselines. For more information, see Set the Exploit Protection Modes.

Important

The Cybereason platform triggers a Malicious exploit attempt MalOp even when an exploit attempt is prevented at the operating system level. It is currently not possible to hide these types of MalOps. For more details, see Analyze blocked exploit attempts.

The following table describes the major mitigation techniques that Cybereason Exploit protection applies, and specifies whether each mitigation is a system mitigation, a program mitigation, or both. Because of the large number of available mitigations, the list covers only the most significant ones. In this context, an image is an executable image (an EXE or DLL file mapped into a process), not a picture.

Mitigation | Description | System Mitigation | Program Mitigation

Force randomization for images (Mandatory ASLR)

  Executable images built without the /DYNAMICBASE linker flag do not opt in to Address Space Layout Randomization (ASLR) and load at the same predictable address every time, which lets an attacker hard-code the addresses of code and data (for example, ROP gadgets) inside those modules. The mitigation forcibly relocates such images to a randomized base address, so memory-based attacks that depend on known addresses fail.

Randomize memory allocations (Bottom-Up ASLR)

  Heaps, stacks, and other virtual memory regions that Windows allocates bottom-up would otherwise land at predictable addresses, exposing where attacker-controlled data (such as a heap spray or a shellcode buffer) will be placed.

  The mitigation randomizes the base addresses of bottom-up allocations to prevent memory-based attacks that rely on those locations.

Validate exception chains (SEHOP)

  Overwriting a Structured Exception Handling (SEH) record on the stack is one of the most common techniques for exploiting stack overflows on 32-bit Windows: the attacker replaces the handler pointer, then triggers an exception so that the operating system calls the overwritten handler and lands in the attacker’s shellcode.

  Windows Structured Exception Handling Overwrite Protection (SEHOP) defeats this by validating the integrity of the exception handler chain before dispatching an exception, but SEHOP is not enabled by default on every Windows edition and is sometimes turned off for application-compatibility reasons.

  The mitigation enforces this validation even if the operating system’s SEHOP setting is off.

Export address filtering (EAF)

  Position-independent shellcode usually has no import table and locates the APIs it needs (for example, in kernel32.dll or ntdll.dll) by walking the export address table (EAT) of modules already loaded in the process.

  The mitigation filters read access to the EAT of sensitive modules and blocks the read when the calling code does not belong to a legitimately loaded module, which is characteristic of shellcode resolving API addresses.

Data Execution Prevention (DEP)

  Memory-corruption exploits commonly place shellcode in data-only regions such as the stack or the heap and then redirect execution there.

  The mitigation marks data-only pages as non-executable (using the processor’s NX/XD support), so an attempt to execute code from the heap, a stack, or another data region raises an access violation instead of running the attacker’s code.

Block remote images

  Loading an executable image (a DLL or EXE) from a remote location such as a UNC path or a network share allows an attacker who controls that location to inject code into a process.

  The mitigation prevents the process from loading images from remote devices.

Note about Registry changes

When Exploit protection is enabled, the Cybereason platform overrides any change (manual or programmatic) to the following Registry path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This is because Windows reads per-program mitigation settings from that path, and the Cybereason platform uses it to import the Exploit protection mitigations. Any edit made directly to that path is therefore overwritten, and program-level mitigations must be managed through the Cybereason policy.
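The following is an added example and is not code from the original page or from the Cybereason platform. It reads and decodes the per-program MitigationOptions value that Windows stores under the Image File Execution Options path named above, so you can inspect what a program-level override looks like on disk and snapshot all overrides for comparison against a baseline. The bit positions are the PROCESS_CREATION_MITIGATION_POLICY_* layout from winbase.h; the image name AcroRd32.exe is only an assumed example, and export address filtering is not decoded because it is not encoded in this value:

```powershell
# Added example, not part of the original page or of the Cybereason platform.
# Reads the per-program MitigationOptions value that Windows keeps under Image File
# Execution Options (IFEO) and decodes the flags discussed in the mitigation table.
# Bit positions follow the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h.
# "AcroRd32.exe" in the usage line is only an example image name.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Decode-Tristate([long]$Value, [int]$Shift) {
    # The ASLR and image-load mitigations use two bits each:
    # 01 = always on, 10 = always off, 00 = defer to the system-level setting.
    switch (($Value -shr $Shift) -band 3) {
        1       { 'On' }
        2       { 'Off' }
        3       { 'On' }            # FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS also means on
        default { 'SystemDefault' }
    }
}

function Get-IfeoMitigations {
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    $raw = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if (-not $raw) {
        # No program-level entry: the process gets the system-level settings only
        return [pscustomobject]@{ Image = $ImageName; Override = $false }
    }
    # REG_BINARY, little-endian. Newer builds store 16 bytes; every flag decoded here
    # sits in the first 8 bytes.
    $buf = New-Object byte[] 8
    [Array]::Copy($raw, $buf, [Math]::Min(8, $raw.Length))
    $v = [BitConverter]::ToInt64($buf, 0)
    [pscustomobject]@{
        Image               = $ImageName
        Override            = $true
        RawHex              = ('{0:X16}' -f $v)
        DEPForcedOn         = [bool]($v -band 0x1)    # DEP_ENABLE; unset = not forced by this entry
        SEHOPForcedOn       = [bool]($v -band 0x4)    # SEHOP_ENABLE
        ForceRelocateImages = Decode-Tristate $v 4    # Mandatory ASLR
        BottomUpASLR        = Decode-Tristate $v 12   # Randomize memory allocations
        BlockRemoteImages   = Decode-Tristate $v 48   # IMAGE_LOAD_NO_REMOTE
    }
}

# Inspect one program's override (example image name), then snapshot every override
# present on the endpoint so the list can be diffed against a known-good baseline.
Get-IfeoMitigations -ImageName 'AcroRd32.exe'
Get-ChildItem $IfeoRoot | ForEach-Object { Get-IfeoMitigations $_.PSChildName } | Where-Object Override
```

Because the Cybereason platform rewrites this path whenever Exploit protection is enabled, a value that differs from the policy you configured indicates either that the agent has not yet applied the policy or that something on the endpoint is tampering with the mitigations; treat unexpected Off entries for Mandatory ASLR, DEP, or SEHOP as something to investigate rather than fix by hand.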

To configure Exploit protection, see Set the Exploit Protection Modes.

To learn about supported platforms for exploit protection, see Endpoint machine prevention features.
