APT and malware resistance through non-persistence

In *, Confidentiality, Data at rest, Hacking, Malware, Physical Security, Research, Tutorial by [email protected]

APT and malware resistance through non-persistence
With the rise of advanced persistent threats and really inconvenient malware like CryptoLocker and CryptoWall what can the average user do to protect themselves? Well the good news is if you are an average user the chances of being targeted by an APT attack are pretty low. Sure, you could still be targeted by a foreign government agent if you put on LinkedIn that you work as a manager for a three letter agency. The bad news is that if a foreign government agent wants to compromise your system they probably already have unless you have some out of the ordinary security controls in place. This article is going to describe one such out of the ordinary security control as a way to raise the bar and eliminate the majority of malware from being able to affect your home computer.
First I will go over some background information.
What is a non-persistent desktop?
“A non-persistent desktop is a virtual desktop that does not maintain user data, personalized settings, or any other changes made by the end user”.
While this definition applies to a virtual machine environment this could also apply to a physical machine. So why would I want have non-persistence on my home computer? Well for one it will essentially create snapshot in time of your computer. You get everything set just how you like it and it stays that way… FOREVER, well not exactly you will probably want to create a new snapshot in time occasionally to update the software or to install new software. Any changes that you make during the regular use of this computer will be wiped every time you reboot your computer. It will essentially be like those library computers for use in public areas any changes will be gone whenever the system reboots.
What are the security implications here? Well this security control does not make a system less susceptible for malware. It does make a system less susceptible to the debilitating effects of malware, the persistence of malware, and the loss of trust in your system. Lets say you get a pop-up that says your anti-virus has just caught a virus on your computer. Your AV then removes the threat and all is good right? Well who knows really, you can do some forensic investigation to try to make sure that was the only virus, but really the only way to be sure that the threat is gone is to reinstall your operating system (this is not always even sure http://www.wired.com/2015/02/nsa-firmware-hacking/).
The security benefit here is that most malware is automated. Even those APTs are run through automated C&C so they are expecting a persistent environment. In a non-persistent environment things like CryptoLocker / CryptoWall have no effect (Make sure to not use shared drives, CryptoWall now tries to encrypt those too). If you see that CryptoWall is demanding payment of bitcoins in order to get your files back that it encrypted  in a non-persistent system you just reboot and the system comes back crypto malware free.
Obviously a non-persistent system is not a magic bullet and requires a change in user behavior. Instead of saving files on your desktop you will need to save them elsewhere like a flash drive or one of the many cloud storage services.
Both Windows and Linux operating systems can be set up with non-persistence. On the next post I will provide guidance on setting up a non-persistent Windows system for home use.

Source: New feed