ValueWalk’s Q&A session with Itzik Kotler, the CTO and Co-Founder of SafeBreach. In this interview Itzik discusses the Windows process injection, Microsoft’s defense techniques, and the future of Quantum computers.
Can you tell us about your background?
Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEFCON, BlackHat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware Ltd. (NASDAQ:RDWR).
Amit Klein is a world renowned information security expert, with 28 years in information security and over 30 published technical and academic papers on this topic. Amit is the VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was the CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of the year 2010 , and has presented at BlackHat USA, DefCon, NDSS, InfoCom, DSN, HITB, RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.
What does your company do?
SafeBreach is a leader in Breach and Attack Simulation. The company’s groundbreaking platform provides a “hacker's view” of an enterprise’s security posture to proactively predict attacks, validate security controls and improve security operations center (SOC) analyst response. SafeBreach automatically executes thousands of breach methods from an extensive and growing Hackers' Playbook™ of research and real-world investigative data.
Is this for all versions of Windows?
Process injection at large was practices at least as far back as Windows XP. But our research focuses on the latest versions of Windows 10, since that’s where process injection becomes more challenging (due to additional protections offered by Windows 10).
Our process injection library targets Windows 10 x64, latest versions (1803 and above).
Is Microsoft doing anything to help guard against this issue?
Not directly. Microsoft keeps adding remote exploitation defenses and mitigations. These defense techniques prevent remote attackers from taking over processes such as browsers, email agents, or Office software. Our use case is different - we’re looking at a situation wherein malware is already running on the target Windows machine, and ask how the malware process can pivot into a trusted, non-malicious process - in other words, “process injection”.
However, many remote exploitation defenses introduced to Windows 10 also affect process injection, making it harder or even eliminating some techniques altogether. We discuss this at length in our BlackHat presentation.
Does this impact phones also?
Our research focuses on Windows operating system, so mobile phones running Windows 10 Mobile are in theory affected (we didn’t test this directly). Having said that, Windows 10 Mobile is being discontinued, so the impact on the mobile ecosystem is probably very limited.
What about smarwatches?
We’re not familiar with smartwatches running Windows 10 flavor.
Can Quantum computers breach any defenses we know? Is that something we should worry about?
With respect to process injection, the answer is probably no. Quantum computers can solve some arithmetic/algorithmic problems much faster than classical computers. However, process injection techniques are not based on any such problems, thus quantum computers don’t have any advantage over classical computers.
Blackhat Talk: Process Injection Techniques - Gotta Catch Them All
Itzik Kotler | Co-Founder & CTO, SafeBreach
Amit Klein | VP Security Research, SafeBreach
Location: South Seas CDF
Date: Thursday, August 8 | 11:00am-11:50am
Format: 50-Minute Briefings
Tracks: Malware, Exploit Development
When it comes to process injection in Windows, there are only 6-7 fundamental techniques, right? That's what we thought in late 2018, when we started researching this area. Turned out we were way off the mark. We counted 20 techniques (so far…), which we had to collect, extract and analyze from many websites, blogs and papers. This in turn begged the question – where is that ultimate "Windows process injection" collection?
In this presentation, we provide the most comprehensive to-date "Windows process injection" collection of techniques - the first time such resource is available, that really covers all (or almost all) true injection techniques. We focus on Windows 10 x64, and on injections from running 64-bit medium integrity process to another running 64-bit medium integrity process, without privilege elevation. We pay special attention to the new Windows protection technologies, e.g. CFG and CIG. We differentiate between memory write primitives and execution techniques, and discuss memory allocation strategies. Our collection is curated, analyzed, tabulated, with straight-forward, research-grade PoCs. We tested each technique against Windows 10 x64 with and without protections, and we report on the requirements, limitations, and quirks of each technique.
And of course – no decent BlackHat presentation is complete without new attacks. We describe a new memory writing primitive which is CFG-agnostic. We describe a new "stack bombing" execution method (based on the memory write primitive above) that is inherently safe (even though overwriting the stack is a-priori a dangerous and destabilizing action).
Finally, we provide a mix-and-match library of all write primitives and execution methods, so that process injection users can generate "tailor-made" process injections.