Bracket Computing has announced Server Guard, a security product that runs outside the operating system and is designed to stop the rootkit attacks used by persistent attackers.
“Traditional perimeter and detection-oriented defenses can’t stop the most persistent attacks. And once they penetrate the OS, they’re undetectable—for months,” the company wrote on its website.
Jason Lango, CTO and co-founder of Bracket, explained that attackers achieve long-term persistence by exploiting an application vulnerability or weakness in an Internet-facing data center server and gaining root access. With root, they can patch themselves into the OS to avoid detection by security agents running inside it. For instance, in the recent case of the Apache Struts vulnerability at the heart of the Equifax breach, attackers got into the application infrastructure through the vulnerability and then stayed there for a prolonged period.
Once a hacker achieves root access, the OS is unable to defend itself, according to Lango.
“To maximize damage, modern cyber attacks use sophisticated techniques to remain undetected for as long as possible,” said John Pescatore, director at SANS, an information security and cybersecurity training organization. “Security controls that can efficiently and effectively reduce both time to detect and time to mitigate advanced targeted attacks are critical for protecting business applications and sensitive data.”
Such attacks are increasingly common as businesses move workloads from behind a firewall to the cloud. “Every new cloud service needs to be thought of as having a potential attack surface, and so the set of controls you need to think about has to go beyond the network and move into data and compute as well,” said Lango.
Server Guard builds upon Bracket’s Metavisor, a virtualization layer that runs outside the OS and interacts with it the way a cloud hypervisor does. Because it runs outside the OS, the company says, Server Guard cannot be turned off or bypassed by an attacker even one who holds root in the guest. According to Bracket, this lets Server Guard protect servers that are unpatched or running software with a known vulnerability.
“We like to say that root can’t stop root,” said Lango. “What that means is when an attacker has the highest privilege in a server, the server cannot defend itself from the attack. Our new Server Guard, running in the Bracket Metavisor, can defend the server even when the server can’t defend itself.”
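To make the “root can’t stop root” argument concrete, here is an added toy model (not Bracket’s code, and not a description of how the Metavisor is implemented). It treats a guest’s physical memory as a byte array, lets a root-level attacker patch kernel text and hook the kernel’s own memory-read path to hide the patch (or simply kill the in-guest agent), and compares two integrity checkers: an agent that runs inside the OS and reads memory through the kernel, and a monitor that runs outside the guest and hashes raw guest memory. All addresses, sizes, page boundaries and names are invented for the model, and it only considers an attacker confined to the guest.

```python
"""Toy model: in-guest integrity agent vs. out-of-guest (hypervisor-level) monitor.

Added example, not Bracket's code. Every address, size and name below is made up.
"""
import hashlib

PAGE = 256                               # toy page size
KTEXT_START, KTEXT_END = 0x000, 0x400    # toy kernel text region: four pages


class Guest:
    """A VM's physical memory plus the kernel read path an in-guest agent depends on."""

    def __init__(self):
        self.mem = bytearray(0x800)
        # Deterministic pseudo-code bytes standing in for kernel text.
        for i in range(KTEXT_START, KTEXT_END):
            self.mem[i] = (i * 7 + 3) & 0xFF
        self.hidden = {}          # addr -> original bytes the rootkit serves to readers
        self.agent_alive = True

    def kernel_read(self, start, length):
        """What a reader inside the OS sees. A rootkit with root can hook this path
        and hand back the pre-patch bytes, so the patch is invisible from inside."""
        view = bytearray(self.mem[start:start + length])
        for addr, orig in self.hidden.items():
            for k, b in enumerate(orig):
                off = addr + k - start
                if 0 <= off < length:
                    view[off] = b
        return bytes(view)

    def attacker_root(self, patch_addr, patch_bytes, kill_agent):
        """Root-level attacker: patch kernel text, hide the patch, optionally kill the agent."""
        self.hidden[patch_addr] = bytes(self.mem[patch_addr:patch_addr + len(patch_bytes)])
        self.mem[patch_addr:patch_addr + len(patch_bytes)] = patch_bytes
        if kill_agent:
            self.agent_alive = False


def page_hashes(data):
    """SHA-256 per toy page, so a report can name which page changed."""
    return [hashlib.sha256(data[i:i + PAGE]).hexdigest() for i in range(0, len(data), PAGE)]


class InGuestAgent:
    """Runs as a process inside the OS; its execution and its view both depend on the kernel."""

    def __init__(self, guest):
        self.guest = guest
        self.golden = page_hashes(guest.kernel_read(KTEXT_START, KTEXT_END - KTEXT_START))

    def check(self):
        if not self.guest.agent_alive:
            return None               # root simply killed it; no result at all
        now = page_hashes(self.guest.kernel_read(KTEXT_START, KTEXT_END - KTEXT_START))
        return [i for i, (a, b) in enumerate(zip(self.golden, now)) if a != b]


class HypervisorMonitor:
    """Runs outside the guest: reads guest physical memory directly, never via the guest kernel."""

    def __init__(self, guest):
        self.guest = guest
        self.golden = page_hashes(bytes(guest.mem[KTEXT_START:KTEXT_END]))

    def check(self):
        now = page_hashes(bytes(self.guest.mem[KTEXT_START:KTEXT_END]))
        return [i for i, (a, b) in enumerate(zip(self.golden, now)) if a != b]


def scenario(kill_agent):
    """Return (agent_result, monitor_result) after root patches page 2 of kernel text."""
    g = Guest()
    agent, mon = InGuestAgent(g), HypervisorMonitor(g)
    assert agent.check() == [] and mon.check() == []          # clean baseline
    g.attacker_root(0x210, b"\xE9\x00\x00\x00\x00", kill_agent)  # toy 'jmp' hook in page 2
    return agent.check(), mon.check()


if __name__ == "__main__":
    print("patch hidden from kernel readers:", scenario(kill_agent=False))  # ([], [2])
    print("agent killed by root:           ", scenario(kill_agent=True))   # (None, [2])
```

In the first run the in-guest agent reports a clean kernel because the only view it has is the one the compromised kernel gives it; in the second it produces no report at all. The monitor outside the guest flags page 2 in both cases because nothing running inside the guest can alter what it reads or whether it runs. The model says nothing about an attacker who can reach the hypervisor layer itself.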
According to Bracket, Server Guard can prevent attacks including in-memory privilege escalation, remote code execution, and all known Linux rootkits.
Going forward, the Bracket team plans to extend the product with a growing set of security policies that can identify new attack techniques.