Don’t Be Haunted by Spectre and Meltdown

Enabling Proactive Mitigations Through Defense in Depth

It has been a hard-hitting year for hardware-level vulnerabilities. With more than two dozen variants of Spectre and Meltdown discovered, and the August 2018 announcement of Foreshadow (the L1 Terminal Fault, or L1TF, vulnerability), CPU designers have been scrambling to deliver a comprehensive solution for speculative-execution side-channel attacks.

Now, more than 15 months after the initial discovery of Spectre/Meltdown, many organizations are left with susceptible devices and wondering what to do and what trends to expect in 2019.

What do you do now?

As attackers continue to develop more complex ways to exploit systems, cybersecurity organizations must constantly adapt their defensive strategies to protect their environments. Many organizations spend inordinate resources responding to high-profile exploits such as Spectre/Meltdown, which I’ll call vanity vulnerabilities: those that garner significant attention from the media and corporate leadership alike. Organizations must address and defend against these threats, but it is just as important to put proactive mitigations in place that will carry over to the next one.

Applying layered security, or defense in depth, is an effective strategy for building resiliency and supporting the response to vanity vulnerabilities. Organizations should build layers of programs, policies and standards, and technical controls so that, as new vulnerabilities emerge, they do not have to reinvent the wheel. It is imperative to know your environment’s attack surface and to streamline remediation processes so that the response to threats like Spectre/Meltdown is quick and comprehensive. Revolutionary Security recommends the following defense in depth strategies for implementing proactive mitigations:

Each ICS-CERT Defense in Depth Strategy Element* below is followed by Revolutionary Security’s implementation recommendations for it.

Risk Management Program

  • Perform risk assessments to inform Disaster Recovery and Incident Response plans
  • Maintain an up-to-date and comprehensive asset inventory
  • Map assets to critical systems
  • Leverage technical testing to validate device susceptibility
  • Perform a Business Impact Analysis (BIA)

Cybersecurity Architecture

  • Utilize industry best practices to build a strong architecture framework
  • Document architectural standards for future implementations
  • Ensure standard configurations have Spectre/Meltdown patches applied

Physical Security

  • Restrict access to field electronics and embedded devices
  • Utilize site video, access controls, and barriers to restrict access

Network Architecture

  • Utilize common architectural zones, Demilitarized Zones (DMZ), and/or Virtual LAN (VLAN) implementation for segmenting ICS devices and protecting critical assets

Network Perimeter Security

  • Configure IT/OT firewalls for restricting network traffic to necessary ports and services
  • Implement remote access and authentication mechanisms
  • Utilize jump servers/hosts for routing cross-network traffic

Host Security

  • Integrate Spectre/Meltdown workflows into patch and vulnerability management processes
  • Implement strong password policies and technical controls
  • Tightly manage admin privileges for general users
  • Utilize virtual machines for their isolation benefits, but do not rely on the VM boundary against speculative side channels: Foreshadow (L1TF) specifically targets guest-to-host isolation, so hypervisor and microcode updates are required as well

Security Monitoring

  • Tap intrusion detection systems for indicators of compromise
  • Use security audit logging and SIEM monitoring to develop network baselines and allow for quick reaction to attacks
  • Leverage threat intelligence (internal/external) to inform proactive measures

Vendor Management

  • Manage supply-chain risk
  • Ensure third-parties have implemented Spectre/Meltdown mitigations
  • Leverage managed services, outsourcing, or cloud services

The Human Element

  • Document clear policies and procedures for employee reference
  • Simulate phishing campaigns
  • Conduct cybersecurity training & awareness activities to alert employees of threats
  • Ensure employees know their roles if an incident takes place

Note: *Defense in Depth Strategy Elements align to ICS-CERT Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. While this publication is intended for ICS environments, the implementation recommendations have been tailored as general mitigation strategies for Spectre/Meltdown.
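Two of the recommendations above, "leverage technical testing to validate device susceptibility" (Risk Management) and "integrate Spectre/Meltdown workflows into patch and vulnerability management processes" (Host Security), come down to the same question: does a given host still report itself vulnerable after patching? On Linux the kernel answers this directly, one file per issue, under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example written for this article, not code from the original post or from ICS-CERT; it parses those files into a pass/fail verdict that can feed an asset inventory. The sample directory it builds for offline testing uses constructed status strings; real kernel wording varies by version.

```shell
#!/bin/sh
# Added example (not from the original post): turn the Linux kernel's own
# speculative-execution status reports into a verdict suitable for an asset
# inventory or a patch-validation check.
#
# Since kernel 4.15 there is one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# l1tf, spec_store_bypass, ...). Each file reads "Not affected",
# "Mitigation: <what is active>" or "Vulnerable[: <detail>]".

SYSFS_VULNS=/sys/devices/system/cpu/vulnerabilities

# report_vulns DIR: print "<issue> <STATUS> <raw kernel text>" for every file
# in DIR. Exit status is 1 if any issue is reported Vulnerable, else 0, so the
# function can drive a fleet-wide check directly.
report_vulns() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=$(basename "$f")
        raw=$(cat "$f")
        case $raw in
            "Not affected"*) status=NOT_AFFECTED ;;
            Mitigation:*)    status=MITIGATED ;;
            Vulnerable*)     status=VULNERABLE; rc=1 ;;
            *)               status=UNKNOWN ;;   # unfamiliar wording: review by hand
        esac
        printf '%s %s %s\n' "$issue" "$status" "$raw"
    done
    return $rc
}

# count_vulnerable DIR: print how many issues are reported Vulnerable (0 if none).
count_vulnerable() {
    report_vulns "$1" | awk '$2 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# make_sample_dir: build a constructed sysfs look-alike for offline testing.
# The status strings are illustrative, not copied from any particular kernel.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                         > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: retpoline without IBPB\n'      > "$d/spectre_v2"
    printf 'Vulnerable\n'                              > "$d/l1tf"
    printf 'Not affected\n'                            > "$d/spec_store_bypass"
    printf '%s\n' "$d"
}

# main [DIR]: report on DIR (default: the live sysfs tree) and summarise.
main() {
    dir=${1:-$SYSFS_VULNS}
    if [ ! -d "$dir" ]; then
        echo "$dir not present: kernel too old to report, treat host as UNKNOWN" >&2
        return 0
    fi
    report_vulns "$dir" || true
    echo "vulnerable issues: $(count_vulnerable "$dir")"
}

main "$@"
```

Run it with no arguments on a patched host and every line should read MITIGATED or NOT_AFFECTED; a VULNERABLE line after patching usually means the microcode update did not land (spectre_v2 and l1tf depend on it), which is exactly the gap the patch-management workflow should catch. An absent directory means a kernel that predates the reporting interface and therefore predates the fixes. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings).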

 

What trends can you expect in 2019?

Ever since the Spectre/Meltdown discovery there has been no shortage of confusion around patching guidance. Operating system and browser vendors have each provided their own direction for Spectre/Meltdown software patching, and there has been a lack of coordination among key players in the space. Because of this, it is crucial that organizations individually assess their exposure to these vulnerabilities and apply the mitigations from every applicable vendor for their environment: CPU microcode and platform firmware, operating system, hypervisor, and browser updates each cover different variants, and none of them is sufficient alone.

Initial reports of patch-related performance degradation of 5-30% have not materialized, other than on systems whose workloads are heavy in system calls and context switches, where the kernel page-table isolation patch has the most effect. While this is not quite the green light we’ve been waiting for, it is an indication that most general users will not experience “the great slow down.”

In addition, researchers at Graz University of Technology have continued to find new ways to exploit these vulnerabilities. With 13 Spectre variants and 14 Meltdown variants catalogued, and the announcement of the Intel L1TF side-channel vulnerability, it is likely the number of potential side-channel attacks will steadily increase in 2019.

You can also expect (hopefully) to see additional solutions from CPU manufacturers in response to the growing number of potential exploits. Intel, AMD, and ARM have promised processors resilient to Spectre/Meltdown-style attacks in 2019, as outlined below. These CPUs are the first efforts to resolve speculative execution vulnerabilities at the hardware level, which is promising for enterprise adoption in the near future.

Vendor, processor, details, and target date:

  • Intel, Core i9-9900K (currently available): hardware fixes for Meltdown (Variant 3) and L1TF; all other variants addressed through firmware and software updates.
  • AMD, Ryzen 3000 (Zen 2) (mid-2019): hardware fixes for Spectre Variant 2 and software/OS mitigations for Variant 1; not susceptible to Meltdown.
  • ARM, “all future processors”, including Cortex-A76 (2019): while generally less susceptible, ARM promises all future processors will be Spectre/Meltdown-resilient.

One thing is for certain: this isn’t the end of the Spectre/Meltdown saga. Even with software patches performing better than feared and resilient chipsets on the way, it is still critical for organizations to take these vulnerabilities and their responses seriously. Check out previous Revolutionary Security blog posts Preventing a Meltdown and The Vulnerability That Keeps on Giving for more information on this topic.


Determine your exposure and get started crafting your Spectre/Meltdown remediation plan. We can help!


Related posts

Preventing a Meltdown: Recommendations for the Meltdown / Spectre Vulnerabilities
The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered