Tailored Cyber Security.

Enhanced Mitigation Experience Toolkit

A tool that I employ when hardening a system is the Enhanced Mitigation
Experience Toolkit (EMET). First and foremost, EMET is not antivirus
(AV). It doesn’t scan your system for malware or rely on signatures
the way that AV does. So what does it do?

EMET combines several different mitigation techniques to help stop
exploitation from succeeding. Data Execution Prevention (DEP) is not
novel to EMET; it’s also in use on almost every other common operating
system. It helps defend against buffer overflow attacks by restricting
which memory regions are allowed to execute code. While it is helpful,
it may also produce false positives. This happens when a program
executes code from memory that is not marked executable, by design.
Programs of that kind tend to be ones written in a sloppy manner. DEP
alone has been bypassed by researchers, who found ways to locate memory
space that is already allowed to execute their code.

Enter Address Space Layout Randomization (ASLR). ASLR randomizes where
executable memory is placed. When ASLR works together with DEP, it is
difficult to find a location from which malicious code can execute.
ASLR is also not unique to EMET or Windows and was first employed in
1997! Math-magicians at Memco Software developed the algorithms for
randomizing executable memory. They could be interesting to check out
if you’re a math whiz.

The last one I’ll talk about here is Structured Exception Handling
Overwrite Protection (SEHOP), yet another protection for your memory.
SEHOP protects against a specific memory exploitation method called
Structured Exception Handler (SEH) overwrite. TechNet has a solid
article documenting both the exploitation method and the protection.
It can be found here.

Long story short, EMET is preventative, unlike AV. A quick web search
will show you EMET’s high level of success. It won’t be long before you
stumble across competitions to beat EMET, and you will also find that
people have done it. 100% security is an impossible feat. The goal is to
escape “low-hanging fruit” status for hackers, and if EMET is in your
defensive arsenal it will help you accomplish that goal.
