The Microsoft Windows Error Reporting (WER) – that is, Dr. Watson – generates detailed crash telemetry and sends it, when allowed, to Microsoft. Microsoft uses the information to help it understand and correct software flaws, and harden the operating system. But in December of last year it was realized that this data can be, and probably is, intercepted and used for nefarious purposes.
At the end of December 2013, Spiegel reported on a Snowden leak that suggests the NSA uses its XKeyscore system to locate Windows crash reports from within the vast pool of data it collects from the internet. A slide in the relevant document even jokingly demonstrates the reasoning. It is a mock up of a Windows pop-up window: "The system has recovered from a serious error."
It goes on to add, "Please tell Microsoft about this problem. This information may be intercepted by a foreign SIGINT system to gather detailed information and better exploit your machine." There is, however, a more positive use of crash reports. Websense has today published a new whitepaper titled Using Anomalies in Crash Reports to Detect Unknown Threats. The paper has grown out of an earlier report, released almost simultaneously with Spiegel's NSA report, which had noted, "These error logs could ultimately allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration."
This set Websense thinking – where there is a problem, there is also an opportunity. Perhaps the information contained in the error reports could have a beneficial effect: in short, not to enable exploits, but to detect the exploited. The current direction of intrusion detection is based on anomaly detection. Since malware has become adept at hiding itself, modern technology looks for proof of presence rather than for the malware itself; that is, for the anomalies the malware creates.
"Even the most advanced cyber attacks will create anomalies in network and application telemetry that can be used to detect their existence," explains the Websense whitepaper. The problem with this approach is that the entire network needs to be monitored. But Websense wondered if error reports might provide a direct line to those anomalies.
Many exploits work by forcing an application to perform unexpectedly. This is getting harder to achieve, explains Websense, "largely due to exploit-prevention technologies such as Microsoft’s address space layout randomization (ASLR) and data execution privacy (DEP). When an exploit fails, it often causes the targeted application to crash." So if a crash is caused by the behavior of an exploit, the automatically generated error report might contain clues to its existence even when all other security defenses have failed.
The prize, explains Websense, is that if it can distinguish between normal program crashes and exploit-caused crashes, "we could have a way to both retroactively detect when attacks happened, and detect anomalies indicative of new zero-day attacks."
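The idea described above, as an added illustration that is not Websense's methodology or code: a small Python scorer over constructed Windows "Application Error" (Event ID 1000) records. The two heuristics are assumptions of this example: an access violation with the faulting module reported as "unknown" (the fault lay outside any loaded image, the way a DEP-blocked or ASLR-misguessed payload typically dies), and the same application/exception/offset signature recurring across several hosts, which looks more like a campaign than a bug one user tripped over.

```python
"""Score Windows Application Error (Event ID 1000) records for exploit-like crashes.

Heuristics here are illustrative assumptions of this example, not Websense's method.
"""
import re
from collections import defaultdict

# Constructed sample records shaped like Event ID 1000 message fields (not real telemetry).
SAMPLE_EVENTS = [
    "host=ws01 Faulting application name: WINWORD.EXE, Faulting module name: unknown, "
    "Exception code: 0xc0000005, Fault offset: 0x1a2b3c4d",
    "host=ws02 Faulting application name: WINWORD.EXE, Faulting module name: unknown, "
    "Exception code: 0xc0000005, Fault offset: 0x1a2b3c4d",
    "host=ws03 Faulting application name: notepad.exe, Faulting module name: ntdll.dll, "
    "Exception code: 0xc0000374, Fault offset: 0x000e3dff",
    "host=ws04 Faulting application name: calc.exe, Faulting module name: calc.exe, "
    "Exception code: 0xc0000005, Fault offset: 0x00012345",
]

FIELD_RE = re.compile(
    r"host=(?P<host>\S+) Faulting application name: (?P<app>[^,]+), "
    r"Faulting module name: (?P<module>[^,]+), Exception code: (?P<exc>0x[0-9a-fA-F]+), "
    r"Fault offset: (?P<offset>0x[0-9a-fA-F]+)"
)

ACCESS_VIOLATION = "0xc0000005"


def parse_event(line):
    """Return the named fields of one record, or None if the line is not a crash record."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def score_events(lines):
    """Map host -> (score, reasons). Score >= 2 is worth an analyst's look."""
    events = [e for e in map(parse_event, lines) if e]
    hosts_by_sig = defaultdict(set)  # distinct hosts per (app, exception, offset)
    for e in events:
        hosts_by_sig[(e["app"], e["exc"], e["offset"].lower())].add(e["host"])
    results = {}
    for e in events:
        score, reasons = 0, []
        if e["exc"].lower() == ACCESS_VIOLATION and e["module"].lower() == "unknown":
            score += 2  # fault outside any loaded module: DEP/ASLR-style failure pattern
            reasons.append("access violation outside any loaded module")
        n = len(hosts_by_sig[(e["app"], e["exc"], e["offset"].lower())])
        if n > 1:
            score += 1  # identical crash signature on several hosts
            reasons.append(f"same crash signature on {n} hosts")
        results[e["host"]] = (score, reasons)
    return results
```

Run against `SAMPLE_EVENTS`, the two WINWORD.EXE crashes score 3 and the ordinary notepad and calc crashes score 0.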
The question then is simply, does it work? Websense believes, and can demonstrate, that it does. The developed methodology, concludes the whitepaper, "has created a new means of identifying previously unknown threats – attacks that have made it past organizations' defenses – in a manner never before accomplished." The company "discovered a new APT attack on a global telecommunication company and a government entity," and a "previously unreported campaign against point-of-sale (POS) systems."
It is worth noting that all of this has been achieved in just two months from conceiving the idea to publishing the whitepaper. "We hope this research," explained Alex Watson, director of threat research at Websense, in an associated blog, "encourages the industry to continue looking beyond analytic and signature-based defenses that are based on expert knowledge of known attacks, and begin integrating advanced anomaly and threat intelligence capabilities. This integration brings the ability to reveal new and targeted threats that pose an incredibly high risk to organizations."