FireStorm: Mitigating the Vulnerability That Can Completely Bypass Firewalls and Exfiltrate Data

By A.J. Shipley

A recent discovery by BugSec Group and Cynet (http://www.bugsec.com/news/firestorm/) identified a severe vulnerability in several next-generation and application-aware firewalls. The vulnerability, code-named FireStorm, allows internal network hosts that have been infected with malware to “interact and extract data out of the organization, completely bypassing the firewall”.

As a strong advocate for multiple layers of security, including the use of firewalls and other network security appliances to protect an organization or ISP, I see the FireStorm vulnerability as a reminder that even advanced next-generation firewalls (NGFWs) cannot protect an organization from sophisticated threat actors 100% of the time. However, other security solutions that are beginning to emerge can prevent data exfiltration that exploits this type of vulnerability.

The FireStorm vulnerability works by “forging messages and tunneling them out to a command and control (C2) server during the TCP handshake process, bypassing the firewall to any destination on the Internet, regardless of firewall rules and client restrictions.” Because NGFWs allow the TCP handshake to complete prior to enforcing policy, there is a window during which information can be exfiltrated over that connection.

There is a way to close that dangerous gap. What if the compromised host was never allowed to contact the C2 server to begin with? Even better, what if the compromised host didn’t even know how to contact the C2 server? The infected host or malicious software would never have the opportunity to establish a connection that data could be exfiltrated over.

That is exactly how a DNS firewall, placed between an internal network host and the organization's recursive DNS server, protects an organization from malware, spear-phishing, and unauthorized data exfiltration. Almost all connections that occur over the Internet begin with a DNS resolution request by the client to retrieve the IP address of the server it is trying to reach. A DNS firewall, like LookingGlass DNS Defender® (https://www.lookingglasscyber.com/products/threat-mitigation/dns-defender/), intercepts the DNS resolution request from a compromised host asking for the C2 server's IP address and either blocks the DNS request or redirects it to an internal sinkhole or other safe location. The infected host never receives the IP address required to contact the C2 server, which means the TCP handshake never begins. The FireStorm vulnerability is mitigated through the use of a DNS firewall.

Furthermore, by integrating a DNS firewall, like DNS Defender, with machine readable threat intelligence (MRTI) like that delivered from LookingGlass ScoutVision (https://www.lookingglasscyber.com/products/threat-intelligence-management/scoutvision/) or Cyveillance Phishing & Malicious URL data feeds (https://www.cyveillance.com/home/security-solutions/data/), the DNS firewall is constantly kept up to date with the latest malicious domains and IP addresses of the advanced persistent threats (APTs) and botnet C2 servers controlling the infected hosts and malware resident on corporate networks.
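To make the two ideas above concrete, the following is an added example, written for this post and not code from LookingGlass, DNS Defender or any threat-intelligence feed. It implements a minimal DNS firewall in Python that sits in front of the recursive resolver: it parses an incoming DNS query, matches the queried name (and its parent domains) against a policy loaded from a feed, and either answers NXDOMAIN (block), answers with an A record pointing at an internal sinkhole (redirect), or hands the query on to the real resolver (forward). The feed format (`domain,action` lines), the domain names under `example.net`/`example.org`, and the sinkhole address `10.0.0.250` are all constructed for the example.

```python
import ipaddress
import struct

A_RECORD = 1
RCODE_NXDOMAIN = 3

# Constructed sample feed (made-up names, not real indicators): one "domain,action"
# per line, standing in for a machine-readable threat-intelligence (MRTI) feed.
SAMPLE_FEED = """# domain,action
c2.example.net,block
dropzone.example.org,sinkhole
"""


def build_query(txid, qname, qtype=A_RECORD):
    """Encode a standard recursive DNS query; used here only to construct test traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def decode_response(packet):
    """Summarise a firewall response: transaction id, RCODE and any A-record addresses."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    _, _, _, pos = parse_question(packet)
    ips = []
    for _ in range(ancount):
        if packet[pos] & 0xC0 != 0xC0:  # this firewall always emits a compressed owner name
            raise ValueError("expected compressed owner name")
        pos += 2
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(packet[pos:pos + 4])))
        pos += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "ips": ips}


class DnsFirewall:
    """Policy enforcement point between internal clients and the recursive resolver."""
    BLOCK, SINKHOLE, FORWARD = "block", "sinkhole", "forward"

    def __init__(self, sinkhole_ip, ttl=60):
        self.sinkhole = ipaddress.IPv4Address(sinkhole_ip)  # assumed internal sinkhole host
        self.ttl = ttl
        self.policy = {}  # domain -> action

    def load_feed(self, feed_text):
        """Merge feed entries into the policy; returns the number of entries loaded."""
        loaded = 0
        for line in feed_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            domain, action = (part.strip() for part in line.split(",", 1))
            if action not in (self.BLOCK, self.SINKHOLE):
                raise ValueError("unknown action %r for %s" % (action, domain))
            self.policy[domain.lower().rstrip(".")] = action
            loaded += 1
        return loaded

    def lookup(self, qname):
        """Match the name itself, then each parent domain, so subdomains inherit the policy."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            action = self.policy.get(".".join(labels[i:]))
            if action:
                return action
        return self.FORWARD

    def handle(self, packet):
        """Return (action, response). A FORWARD action means pass the query to the real resolver."""
        txid, qname, qtype, qend = parse_question(packet)
        action = self.lookup(qname)
        question = packet[12:qend]
        if action == self.FORWARD:
            return action, None
        if action == self.BLOCK:
            flags = 0x8180 | RCODE_NXDOMAIN  # QR, RD, RA set; NXDOMAIN
            return action, struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
        if qtype != A_RECORD:  # sinkhole only answers A queries; other types get an empty NOERROR
            return action, struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        answer = struct.pack("!HHHIH", 0xC00C, A_RECORD, 1, self.ttl, 4) + self.sinkhole.packed
        return action, header + question + answer


if __name__ == "__main__":
    fw = DnsFirewall("10.0.0.250")
    fw.load_feed(SAMPLE_FEED)
    for name in ("beacon.c2.example.net", "dropzone.example.org", "www.example.com"):
        action, resp = fw.handle(build_query(1, name))
        print(name, action, decode_response(resp) if resp else "pass to resolver")
```

The parent-domain walk in `lookup` is what makes a feed entry for `c2.example.net` also cover `beacon.c2.example.net`, and `load_feed` can be called repeatedly as fresh feed data arrives, so the policy stays current without restarting the enforcement point. Because a blocked or sinkholed host never learns the C2 address, the TCP handshake the FireStorm technique rides on is never started.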

The LookingGlass Dynamic Threat Defense 1.0 (https://www.lookingglasscyber.com/solutions/dynamic-threat-defense/) solution stops malware outbreaks, spear-phishing attacks, and drive-by downloads by combining machine-readable threat intelligence (MRTI) from LookingGlass ScoutVision™ with LookingGlass DNS Defender®, a protocol-specific firewall, delivered as an integrated network security solution.

So far, nobody has been able to figure out a foolproof way to keep malware off of our devices and networks, but that doesn't mean we should stop deploying anti-virus solutions. Similarly, NGFWs and intrusion prevention systems (IPS/IDS) cannot protect an organization 100% of the time. In the case of FireStorm, a DNS firewall integrated with machine-readable threat intelligence closes the gap that exists in many organizations' existing security posture. It also enhances the investments made in existing security solutions, like NGFWs and IPS/IDS, by offloading malicious traffic from them, freeing them up to focus their limited resources on the things they do best.
