Endpoint Security Blog

Unhacked at Black Hat: Symantec Critical System Protection

Created: 19 Aug 2011 • 4 comments
Posted by colingibbens

Symantec’s virtual and physical server security solution, Symantec Critical System Protection, was recently put to the test at the Black Hat conference. Seasoned hackers from various world-renowned groups tried but failed to capture a ‘flag’ hidden on an un-patched, vulnerable Windows XP workstation protected by Symantec Critical System Protection.

The aim was to have security professionals and hackers help us improve the product by pointing out existing gaps. The flag was secured using Critical System Protection’s prevention policies on an un-patched Windows XP workstation. The workstation had 10 known OS vulnerabilities reported by Rapid 7 and had open shares that allowed external access.

At any given point in time at least 10 different IPs were attacking the box, some originating from other countries, and people belonging to various hacker groups kept trying social engineering techniques to get information about the system. The attacks detected by Critical System Protection were attempts to exploit vulnerabilities on the system in order to obtain a remote shell or execute commands. Some interesting attempts were made.

- An exploit developer/pentester decided to give it a try by throwing every exploit in his toolkit at the system. Before attacking he scanned it to find out what was listening and then crafted his attacks. These included buffer overflow and thread injection attacks against several services, including SMB, NetBIOS and RPC. He was trying to get a remote shell to open but was unsuccessful. Several attempts to get services to execute commands were blocked by Critical System Protection. He also used various password-guessing tools, but none succeeded at guessing the password. He was unable to get through.

- Another veteran pentester asked to do a "dumb user" attack, wanting the Symantec team to open a browser on the box that held the flag and point it at a web address he controlled. He tried a browser exploit to install a backdoor on the system, but Critical System Protection blocked the installation. He then requested direct access, but the Symantec team explained that this would fall outside a real-world scenario. Instead he created an executable and asked Symantec to launch it on the system; Critical System Protection blocked its execution. The Critical System Protection firewall policy was then changed to allow all traffic to and from the system. He created a document with Netcat (a backdoor) embedded in it and asked Symantec to launch it from a command prompt. He provided the command line and Netcat started, after which he was able to open a remote shell to the system from his own machine. Because of Critical System Protection, the pentester was unable to capture the flag or access the system without assistance.

By the end of Black Hat, about 20 people had tried but failed to capture the flag, and no one walked away with the prize. Critical System Protection proved itself as a solution for securing virtual and physical servers. Its security policies protect even un-patched and legacy systems against external threats such as zero-day attacks and advanced persistent threats, as well as malicious insider breaches.
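The post describes the protection in terms of outcomes (commands from services blocked, backdoor installation blocked, unlisted executables blocked, a read restriction on the flag) rather than policy syntax. The following is an added example, not Symantec's code or Critical System Protection's policy language: a constructed default-deny host policy evaluator that models those outcomes. The rule set, the process and file names, the protected registry prefix and the event format are all assumptions chosen for the illustration. It also shows what relaxing the network restriction changes, mirroring the firewall change in the second scenario.

```python
"""Constructed illustration of a default-deny host prevention policy.

This is NOT Symantec Critical System Protection's policy language; every
name, path and rule below is an assumption made for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    process: str  # image name of the process performing the action
    action: str   # "exec", "read", "reg_write" or "connect"
    target: str   # program launched, file read, registry key or remote address


@dataclass
class Policy:
    services: frozenset          # processes treated as network-facing services
    interpreters: frozenset      # command interpreters / scripting hosts
    allowed_programs: frozenset  # the only images that may be launched
    flag_path: str               # the protected resource ("read resource restriction")
    flag_readers: frozenset      # the only images allowed to read it
    protected_reg: tuple         # registry prefixes no process may modify
    network_restricted: bool = True


def evaluate(policy: Policy, ev: Event) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one event; anything unmodelled is denied."""
    target = ev.target.lower()
    if ev.action == "exec":
        # A compromised service spawning a shell is how "execute commands" attacks land.
        if ev.process in policy.services and target in policy.interpreters:
            return "deny", "service attempted to launch a command interpreter"
        if target not in policy.allowed_programs:
            return "deny", "program is not on the execution allowlist"
        return "allow", "listed program"
    if ev.action == "read":
        if target == policy.flag_path.lower() and ev.process not in policy.flag_readers:
            return "deny", "read resource restriction on protected file"
        return "allow", "unrestricted file"
    if ev.action == "reg_write":
        if any(target.startswith(p.lower()) for p in policy.protected_reg):
            return "deny", "modification of protected registry key"
        return "allow", "unprotected key"
    if ev.action == "connect":
        if policy.network_restricted and ev.process not in policy.services:
            return "deny", "network restriction"
        return "allow", "network permitted"
    return "deny", "unknown action (default deny)"


def audit(policy: Policy, events: List[Event]) -> List[Tuple[Event, str, str]]:
    """Evaluate a batch of events and return (event, verdict, reason) triples."""
    return [(ev, *evaluate(policy, ev)) for ev in events]


def demo_policy(network_restricted: bool = True) -> Policy:
    """Assumed policy roughly in the spirit of a strict, allowlist-based configuration."""
    return Policy(
        services=frozenset({"svchost.exe", "lsass.exe", "spoolsv.exe"}),
        interpreters=frozenset({"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}),
        allowed_programs=frozenset({"notepad.exe", "cmd.exe", "flagviewer.exe", "iexplore.exe"}),
        flag_path=r"C:\ctf\flag.txt",
        flag_readers=frozenset({"flagviewer.exe"}),
        protected_reg=(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",),
        network_restricted=network_restricted,
    )


# Constructed events modelled on the attempts the post describes.
SAMPLE_EVENTS = [
    Event("svchost.exe", "exec", "cmd.exe"),              # service spawning a shell after an overflow
    Event("iexplore.exe", "exec", "backdoor.exe"),        # browser exploit trying to install a backdoor
    Event("explorer.exe", "exec", "hacktool.exe"),        # user launches a delivered executable
    Event("explorer.exe", "exec", "notepad.exe"),         # ordinary allowed program
    Event("cmd.exe", "read", r"C:\ctf\flag.txt"),         # shell tries to read the flag
    Event("flagviewer.exe", "read", r"C:\ctf\flag.txt"),  # the one permitted reader
    Event("cmd.exe", "reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),
    Event("hacktool.exe", "connect", "203.0.113.5:4444"), # outbound connection from an unlisted tool
]


if __name__ == "__main__":
    for restricted in (True, False):
        print(f"--- network_restricted={restricted} ---")
        for ev, verdict, reason in audit(demo_policy(restricted), SAMPLE_EVENTS):
            print(f"{verdict:5} {ev.process:15} {ev.action:9} {ev.target}  ({reason})")
```

With the network restriction on, every attack-shaped event is denied and only the two legitimate actions are allowed; switching `network_restricted` off changes only the verdict on the outbound connection, which is the kind of gap the post's second scenario exercised once the firewall policy was opened.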

Learn more about Symantec Critical System Protection.


Comments (4)

colingibbens:

For Black Hat I used the out-of-the-box Strict Policy and removed network restrictions. I then protected the flag using a read resource restriction.

The hackers tried to exploit the box using different toolkits and exploits. The policy blocked the execution of commands and the modifications to registry keys.

Asesh:

Great work guys. The only company I trust for the security of my PC is Symantec :)

P4Amdik19:

Awesome ...Thank you Symantec .. :)

Thanks & Regards

Pratik Mahadik

AremAref:

We run CSP at our data center for our dedicated hosting clients. It's a great solution for buffer overflow detection. A+ SYMANTEC!
