The Ghost of Spectres Past
To defend against a CPU vulnerability that just won’t die, it all boils down to fundamentals
- Spectre is a long-standing vulnerability in modern CPUs that exploits flaws in Speculative Execution, making it impossible to fully eliminate and only manageable through mitigation strategies.
- Early patches reduced CPU performance by up to 30%, posing major challenges for datacenters and cloud providers, while ongoing microcode updates remain necessary due to the hardware nature of the flaw.
- Cybersecurity fundamentals like accurate inventory management, strict patching policies and strong endpoint security are crucial in reducing the risks posed by Spectre.
- Tools like Symantec’s Asset Management Suite help organizations track and manage affected hardware, allowing for better mitigation and patching of vulnerabilities.
The recent disclosure of a new Spectre exploit has pushed into the spotlight once more a risk that is impossible to eliminate and can truly only be mitigated. And when it comes to mitigation, the magic wand boils down to fundamentals.
Spectre is a vulnerability in modern CPU architecture that exploits a flaw in the Speculative Execution part of the CPU. (Think data caches in the CPU that pre-fetch what is likely needed next in the execution chain in an attempt to predictively execute code).
First disclosed in 2018 (and ably covered here back then), Spectre has roots that go as far back as 2002. It is present on nearly every CPU dating all the way back to the PowerPC days. (For you kids who don’t remember PowerPC, it was a CPU architecture developed via a 1991 alliance of Apple, IBM and Motorola–or AIM–when the internet literally looked like this.) So while this vulnerability is everywhere, it’s fortunately relatively difficult to exploit. That’s the upside. The downside is that this is a frightening vulnerability because detection and prevention are also very difficult.
Early fixes came at a big cost
Back when Spectre was first disclosed, a pledge by Intel to eliminate some of the paths to vulnerabilities led to some helpful patches. Spectre, however, remained a threat because ultimately, it’s Speculative Execution itself that is operating just as it should. And without things like Speculative Execution, you lose a lot of CPU performance. How much? Well, the first set of microcode patches were estimated to reduce CPU performance by 30%.
Some might look at that number and say, “That’s survivable.” CPUs in this age are rarely maxed out by workload. But consider datacenter and virtualization applications. Consider a cloud provider who just immediately lost 30% of their compute capacity right off the top. That’s not just a problem–it’s a big problem.
Due to this being a hardware flaw, only the individual exploits can be mitigated with a microcode patch to the CPU. This means that there will be patches released for these exploits until Speculative Execution in its current form is no longer a part of CPU design…which is to say, that day may never come. This suggests that mitigation will be the play for this class of exploit for a very, very long time.
Focus on the fundamentals
So, what can we do about it? Many of those reading this may have a handle on deploying updates/patches, but others may not. The answer here is truly two-fold…and it’s part of the unsexy fundamentals of cybersecurity.
First, focus on accurate inventory management, including:
- Establishing policies that require every asset to have an endpoint agent and a configuration-management agent installed
- Patching policies and procedures
- Patching tooling that can target specific asset groups
Next, dial into inventory and patching. Cyber-hygiene is a trite concept for security teams, but it’s vital. Spectre is very powerful, but harder to successfully or gainfully exploit, so use in the wild is relatively rare. Yet because it’s hard to detect, it’s still a high risk when it does get used.
The core issue here is unknown assets, the eternal downfall of patching and systems hardening. We most often encounter this in the endpoint security world when no agent has been deployed to an asset that gets exploited. In fact, that’s the most common cause of endpoint breaches we see.
Get greater visibility with Symantec’s Asset Management Suite
Tools like Symantec’s Asset Management Suite allow you greater visibility into what assets are out there, and will also allow enforcement of compliance and patch deployment. This solution offers bonus abilities that provide particular protections against a vulnerability like Spectre. A case in point: Because only certain models or classes of CPUs are affected by Spectre, the road to mitigating that vulnerability can sometimes be unclear.
Fortunately, Symantec’s Asset Management Suite allows you to define asset groups based on specific hardware attributes. To put this in context, do you know how many Intel 12th-gen processors are in your network right now? Chances are the answer is no. But with the Asset Management Suite, that critical characteristic is easy to track and manage, which makes inventory and patching so much easier–and your risk of a Spectre exploit so much lower.
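As an added example (not Symantec's code and not the Asset Management Suite's), the following Python script shows what the hardware-attribute grouping and patch targeting described above look like in practice: it takes inventory records, derives an asset group from the CPU model string, collapses the per-CPU mitigation text that Linux exposes under /sys/devices/system/cpu/vulnerabilities into a simple state, and reports which groups still need a patch and which assets are unknown because no agent ever reported. The hostnames, CPU models and status strings are constructed sample data, and the grouping rules are assumptions made for illustration.

```python
"""Fleet-level Spectre exposure report from inventory records.

Added example, not vendor code. Input records are constructed; the
'vulnerabilities' field mimics the text Linux exposes under
/sys/devices/system/cpu/vulnerabilities/<name>.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    cpu_model: str                 # as reported by the endpoint agent
    agent_installed: bool
    vulnerabilities: dict = field(default_factory=dict)  # name -> sysfs status line


# Constructed sample inventory; none of these are real hosts.
INVENTORY = [
    Asset("ws-0101", "12th Gen Intel(R) Core(TM) i7-12700", True,
          {"spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
           "spectre_v2": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling"}),
    Asset("ws-0102", "12th Gen Intel(R) Core(TM) i5-12400", True,
          {"spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
           "spectre_v2": "Vulnerable"}),
    Asset("srv-db-01", "Intel(R) Xeon(R) Gold 6338 CPU @ 2.00GHz", True,
          {"spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
           "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling"}),
    Asset("lab-arm-07", "Cortex-A72", True,
          {"spectre_v1": "Mitigation: __user pointer sanitization",
           "spectre_v2": "Not affected"}),
    Asset("ws-0199", "unknown", False, {}),   # no endpoint agent, so nothing was reported
]

INTEL_GEN = re.compile(r"(\d+)th Gen Intel")


def cpu_family(model: str) -> str:
    """Map a CPU model string to an asset-group key (hypothetical grouping rules)."""
    m = INTEL_GEN.search(model)
    if m:
        return f"intel-core-gen{m.group(1)}"
    if "Xeon" in model:
        return "intel-xeon"
    if model.startswith("Cortex-"):
        return "arm-" + model.lower()
    return "unknown"


def status(line: str) -> str:
    """Collapse one sysfs vulnerability line into not_affected / mitigated / vulnerable."""
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"   # "Vulnerable", "Vulnerable: ..." or anything unrecognised


def asset_state(a: Asset) -> str:
    """Worst-case state across all reported Spectre variants for one asset."""
    if not a.agent_installed or not a.vulnerabilities:
        return "unknown"          # the "unknown asset" case: no data to act on
    states = {status(v) for v in a.vulnerabilities.values()}
    if "vulnerable" in states:
        return "vulnerable"
    return "mitigated" if "mitigated" in states else "not_affected"


def build_groups(assets):
    """Asset groups keyed by hardware attribute, the unit a patch job targets."""
    groups = defaultdict(list)
    for a in assets:
        groups[cpu_family(a.cpu_model)].append(a.hostname)
    return dict(groups)


def patch_targets(assets):
    """Hosts still reporting a vulnerable variant, keyed by asset group."""
    out = defaultdict(list)
    for a in assets:
        if asset_state(a) == "vulnerable":
            out[cpu_family(a.cpu_model)].append(a.hostname)
    return dict(out)


def unknown_assets(assets):
    """Hosts with no agent or no data: they cannot be patched by a targeted job."""
    return [a.hostname for a in assets if asset_state(a) == "unknown"]


if __name__ == "__main__":
    for group, hosts in sorted(build_groups(INVENTORY).items()):
        print(f"{group:18} {len(hosts)} host(s)")
    print("needs patch:", patch_targets(INVENTORY))
    print("unknown    :", unknown_assets(INVENTORY))
```

The two lists at the end are the ones the text argues for: `patch_targets` is what a patching tool scoped to an asset group would consume, and `unknown_assets` is the gap that no patch job can close until an agent is deployed.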
The key to handling a vulnerability that is perennial means you have to adjust your perspective to one of defensive support. Proper inventory, asset grouping and patch cadence–all combined with strong endpoint defense and response capabilities–are the key to a successful mitigation strategy, regardless of the vulnerabilities in question. That goes for vulnerabilities that never quite seem to disappear.
Explore the risks of leaving vulnerabilities unpatched by reading this solution brief.