Cyber Talk
Stopping Hackers: Best Practices for Weathering the Security Storm
By Matt Miller


Since the dawn of the digital age, there has been an ongoing battle between the hacker and the security administrator, who fights to maintain control while the hacker tries to gain control of the network. Both factions have weapons at their disposal to further their cause; and both refine their techniques and try to gain the upper hand. The hacker develops or shares rootkits, attack scripts and knowledge of how to attack networks, while the security administrator has a host of commercially available security products at his or her disposal. This battle continues to rage on with victories and defeats on both sides.

IT Exposure
In some ways, the “security guys” have given hackers easier access to our networks. This is the result of three major paradigm shifts in the corporate IT infrastructure over the last decade that have made the network easier to breach:

Open Networks: As enterprises establish peering points to trading partners, vendors and other institutions, the attack vectors significantly increase.

Homogeneity of IT Systems: With increasing homogenization of systems, services and vulnerabilities, attacks are becoming more virulent and damaging. Our current IT monoculture pervades common services and applications. This unwittingly provides hackers with an unprecedented opportunity to damage much of the IT infrastructure through attacks that are targeted at a common application or service.

Homogeneity of System Defense: The security posture that many organizations have taken involves the deployment of general-purpose security products and “one size fits all” solutions. Thus, if a common security product or approach is blind to an attack, all sites using this product are essentially blind to that attack.

Attack Velocity
While networks have become more susceptible to attacks, hackers have refined their attacks to be more efficient and damaging. Attack velocity has increased to such a degree that networks with vulnerable systems can suffer widespread infection in minutes. The Slammer worm, for example, infected 90 percent of the vulnerable systems on the Internet within 10 minutes. While signature development and patch management have helped reduce exposure to known vulnerabilities, these techniques simply cannot keep up with the increasing speed at which new vulnerabilities are being exploited. According to Gartner Research, “the ratio of cyber attacks exploiting vulnerabilities where a patch has been available for less than 30 days will increase to 30 percent in 2006.”

The volume of these attacks, the speed at which they propagate, as well as the increasingly criminal intent of their authors require a fundamental shift in defense strategy. Their propagation speed is simply too fast for conventional security practices that depend on human intervention and slow signature and patch deployment.

The Internal Threat
Most network security architectures are predominantly focused on protecting the perimeter against external attack. However, a recent study released by the US Secret Service and CERT indicates that a substantial network security threat actually initiates from within. Whether due to known vulnerabilities, unguarded modems, VPN access, default passwords or accounts that should have been disabled, our virtual castle has criminals in our midst. The US Secret Service/CERT report also indicates that “75 percent of the insider (attacks) were identified through manual procedures only,” meaning that no security device actually detected the attack. Forty-two percent of the attacks were found through system failure.

The Window is Shrinking
A new generation of security threats is emerging with more complex behavior and architecture. Among them, “zero-day” attacks exploit vulnerabilities before patches or signatures are available. These attacks, mostly unrecognized by traditional security products, enter networks undetected and leave no time to prepare a defense.

Another dangerous trend is that attacks -- whether known or zero-day -- are increasingly targeted at specific industries or companies. They can be based on insider information, so that their level of customization makes them almost impossible to detect through traditional security products. These targeted attacks often seek to destroy or steal information. Sometimes they can be politically motivated, and are generally launched by more sophisticated and motivated attackers. Since their intent can be criminal, they provide a much higher risk to profits.

Reactive defenses, such as signature-based scanners and automated patching systems, are still necessary, but they are ineffective against fast-moving worms, zero-day and targeted attacks. The time lag between vulnerability announcement, patch release and payload exploitation is quickly shrinking. Increasingly, attackers are launching worms very soon after a vulnerability has been issued, and faster than systems could conceivably be patched and protected. The Zotob worm, in particular, started spreading only four days after the release of the corresponding vulnerability. WMF was a worm for which it took Microsoft a week to release a patch. While WMF was not widespread, it was a reminder that product vendors are not winning the patch race.

The Future is Here: Super-Worms
As we have deployed more layers of defense to attempt to limit the scope of possible infections, worm writers are increasingly circumventing modern-day controls. Recent security reports have warned of emerging “super worms” that involve stealthy alternative methods of propagation to avoid detection. Worm authors are turning to more stealthy tactics and we are just starting to see the tip of the iceberg emerge.

Slow speed of propagation: Stealthy worms are often able to evade detection simply by slowing down their speed of propagation. Many security products simply look for the virulent scanning behavior exhibited by worms that seek to spread as quickly and widely as possible, which leaves those products blind to more “patient” attackers that are willing to spread more slowly in the interest of remaining “under the radar.”

Polymorphic worms: Network attacks are becoming increasingly multi-modal in nature. To avoid signature-based detection and confound the defender’s attempts at generating a signature, worm writers may render their payloads in different ways. Random padding of exploit code and permuting code segments, for example, are now common techniques. Even so, malicious code content may be detectable by advanced content analysis. Sensors that are capable of detecting anomalous packet content in network flows, either during the exploitation phase or a later payload download phase, have a far better chance of detecting zero-day events than the previous generation of commonly used, signature-based detectors.

Other attacker tactics will include piecemeal delivery of payloads in otherwise normal-looking content, such as media files. One can also envision fragmented worms with an exploit phase that triggers the assembly of previously stored malcode.

Use of multiple applications and ports: New worms are expected to be delivered within network flows over standard ports. Since many applications can no longer be predictably assigned to a specific port, tunneling techniques can be used to provide ready-made stealth channels for worm delivery.

Exploitation of P2P-Based Services: Just as P2P networking technology can scale services to many users in a relatively cost-effective manner, it can also offer the same advantages in worm propagation. Indeed, attackers may devise a persistent background worm network using P2P services to maintain, upgrade and propagate new versions of worms to ever-growing sets of vulnerable systems.

Exchange of vulnerabilities, tool kits and hacking tools: Worm writers and attackers share vulnerability information, tool kits and hacking tools for rapidly creating new attack exploits. This approach is already employed by spyware applications and may let malware remain unnoticed by traditional security approaches.
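The “slow speed of propagation” point above is easiest to see with two small detectors run over the same traffic. The following Python is an added example written for this article; it is not code from the author or from CounterStorm, and the flow records, host addresses and thresholds are constructed for illustration. A short sliding-window detector that counts distinct destinations (the “virulent scanning” heuristic) catches a fast worm but never sees a host that contacts one new machine every 30 seconds; a first-contact counter with no window catches both, at the cost of needing a threshold tuned against the legitimate fan-out of hosts such as backup or mail servers.

```python
"""Scan-rate detection and the blind spot a slow-propagating worm exploits.

Added example for this article; it is not code from the author or from
CounterStorm. The flow records, host addresses and thresholds below are
constructed for illustration only.
"""
from collections import defaultdict, deque


def make_flows():
    """Build a constructed list of (timestamp_s, src, dst) flow records."""
    flows = []
    # Fast worm: 10.0.0.5 contacts 40 distinct hosts in four seconds.
    for i in range(40):
        flows.append((i * 0.1, "10.0.0.5", "10.0.1.%d" % (i + 1)))
    # Slow worm: 10.0.0.9 contacts one new host every 30 seconds for 40 minutes.
    for i in range(80):
        flows.append((i * 30.0, "10.0.0.9", "10.0.2.%d" % (i + 1)))
    # Benign host: 10.0.0.20 talks to the same three servers every two seconds.
    for i in range(200):
        flows.append((i * 2.0, "10.0.0.20", "10.0.3.%d" % (i % 3 + 1)))
    flows.sort()
    return flows


def sliding_window_scan_detector(flows, window_s, max_distinct_dsts):
    """Flag a source that reaches more than max_distinct_dsts distinct
    destinations inside any window_s-second window (the "virulent scanning"
    heuristic the article describes)."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    flagged = set()
    for ts, src, dst in flows:
        q = recent[src]
        q.append((ts, dst))
        # Drop records that fell out of the window; the one just appended stays.
        while ts - q[0][0] > window_s:
            q.popleft()
        if len({d for _, d in q}) > max_distinct_dsts:
            flagged.add(src)
    return flagged


def first_contact_detector(flows, max_first_contacts):
    """Flag a source whose count of never-before-seen destinations exceeds
    max_first_contacts over the whole observation period, regardless of how
    slowly those contacts arrive."""
    seen = defaultdict(set)
    flagged = set()
    for _, src, dst in flows:
        if dst not in seen[src]:
            seen[src].add(dst)
            if len(seen[src]) > max_first_contacts:
                flagged.add(src)
    return flagged


if __name__ == "__main__":
    flows = make_flows()
    print("10 s window, >10 hosts :", sorted(sliding_window_scan_detector(flows, 10.0, 10)))
    print("first contacts > 30    :", sorted(first_contact_detector(flows, 30)))
```

With a 10-second window the rate detector flags only 10.0.0.5; the first-contact counter flags both worm hosts and leaves the benign host (three destinations in total) alone. The longer horizon is what removes the blind spot, and the threshold of 30 is an assumption that a real deployment would derive from observed baseline fan-out.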

How to Weather Your Next Security Storm
As worm authors use an increasing variety of techniques and delivery methods, security products need to broaden the capabilities they offer to fight back. Rapid detection of zero-day worms and targeted attacks, in particular, is critical to minimize the damage from emerging attacks. Various analysts recommend that a response be mounted within seconds of a first infection in order to prevent a worm from saturating other hosts within a network environment and on the Internet.

A defensive strategy against next-generation attacks should meet the following criteria:

Best-of-Breed and Layered Solutions: Any security vendor who claims that a single solution addresses all internal and perimeter threats should be considered with the highest degree of skepticism (at the very least). Security solutions should, for example, interoperate smoothly with other network and security products that have already been deployed. They should also operate without requiring policy configuration or architecture changes to the existing network.

Non-Signature Based Approach: As attacks propagate across networks at breakneck speed, waiting for the production of a signature is out of the question, and suspicious traffic should be stopped immediately, within seconds. Accuracy is also essential; the data gathered from detection devices must be actionable without causing false positives or negatives. A signature-based approach is useless against a true zero-day attack, which occurs before the vulnerability it exploits is even known to patch/signature-writers.

Multi-Factor Detection: A new generation of non-signature based technology monitors normal and abnormal application behavior on the network. While this technology improves detection of some attacks, it often results in false positives and negatives. An effective defense against next-generation malware should therefore never rely on a single detection methodology to determine if a traffic pattern constitutes an attack. Multiple engines that can take the “network pulse” from various vantage points are essential. The correlated data gleaned from these engines yields considerably more reliable and actionable information.

Flexible Response: Security devices must offer a number of response options, including the ability to stop traffic automatically, manually or on an as-needed basis. Interacting with the network infrastructure to surgically disable the ports of infected devices is one such effective response. These options empower network administrators to immediately stop traffic without manual intervention, review a response posture and, if the network is identified as under attack, launch a pre-configured emergency response.

Ease of Deployment: The implementation of in-line solutions frequently raises scalability and redundancy issues. It may require major rewiring and routing changes to the network. A good alternative is to look for out-of-path technologies that can interact with the network infrastructure for active response capabilities. This eliminates many headaches associated with the need to reevaluate future throughput requirements, develop a redundancy plan for security devices, and re-architect the network.
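The “Multi-Factor Detection” and “Flexible Response” criteria above can be shown together in one short policy. The Python below is an added example written for this article, not code from the author or from CounterStorm; the engine names, scores, hosts and response labels are constructed assumptions, and no real network device is driven. It compares a naive policy (any single engine over a threshold raises an alert) with a correlated one (at least two independent engines must agree), then maps the degree of agreement onto the article's response tiers.

```python
"""Correlating several detection engines and tiering the response.

Added example for this article; not code from the author or CounterStorm.
The engine names, scores, hosts and response labels are constructed
assumptions; no real network device is driven here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    engine: str   # which detection engine produced the score
    host: str     # the internal host under suspicion
    score: float  # 0.0 = benign .. 1.0 = certain attack


# Constructed verdicts from three hypothetical engines watching one segment.
SAMPLE_VERDICTS = [
    # Backup server: high fan-out, but ordinary content and no failed connects.
    Verdict("rate", "10.0.0.20", 0.9),
    Verdict("content", "10.0.0.20", 0.1),
    Verdict("failed_conn", "10.0.0.20", 0.05),
    # Fast worm: every engine sees it.
    Verdict("rate", "10.0.0.5", 0.8),
    Verdict("content", "10.0.0.5", 0.7),
    Verdict("failed_conn", "10.0.0.5", 0.9),
    # Slow worm: rate engine is quiet, the other two are moderately suspicious.
    Verdict("rate", "10.0.0.9", 0.2),
    Verdict("content", "10.0.0.9", 0.6),
    Verdict("failed_conn", "10.0.0.9", 0.7),
    # Idle host: nothing to see.
    Verdict("rate", "10.0.0.30", 0.0),
    Verdict("content", "10.0.0.30", 0.05),
    Verdict("failed_conn", "10.0.0.30", 0.0),
]


def scores_by_host(verdicts):
    """Collapse verdicts to host -> {engine: highest score seen}."""
    by_host = defaultdict(dict)
    for v in verdicts:
        by_host[v.host][v.engine] = max(by_host[v.host].get(v.engine, 0.0), v.score)
    return by_host


def single_engine_alerts(verdicts, threshold=0.75):
    """Naive policy: any one engine over threshold raises an alert."""
    return {v.host for v in verdicts if v.score >= threshold}


def correlated_alerts(verdicts, min_engines=2, threshold=0.5):
    """Multi-factor policy: at least min_engines independent engines must
    each score the host at or above threshold."""
    alerts = set()
    for host, scores in scores_by_host(verdicts).items():
        agreeing = sum(1 for s in scores.values() if s >= threshold)
        if agreeing >= min_engines:
            alerts.add(host)
    return alerts


def plan_response(verdicts, threshold=0.5):
    """Map each host to a response tier mirroring the article's options:
    automatic action when every engine agrees, analyst review when only some
    do, nothing otherwise. Returns host -> action label (constructed names)."""
    plan = {}
    for host, scores in scores_by_host(verdicts).items():
        agreeing = sum(1 for s in scores.values() if s >= threshold)
        if agreeing == len(scores) and len(scores) >= 3:
            plan[host] = "disable_switch_port"   # pre-configured emergency response
        elif agreeing >= 2:
            plan[host] = "alert_for_review"      # manual / as-needed response
        else:
            plan[host] = "none"
    return plan


if __name__ == "__main__":
    print("single engine :", sorted(single_engine_alerts(SAMPLE_VERDICTS)))
    print("correlated    :", sorted(correlated_alerts(SAMPLE_VERDICTS)))
    for host, action in sorted(plan_response(SAMPLE_VERDICTS).items()):
        print(host, "->", action)
```

On the constructed verdicts the single-engine policy raises a false positive on the backup server and misses the slow worm entirely, while the correlated policy drops the backup server and catches both worms. The response plan then reserves the automatic port-disable for the host all three engines agree on and routes the weaker case to review, which is the “automatic, manual or as-needed” spread of options the article asks for.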

The old security response paradigms held by companies must be updated to effectively address the new and extremely virulent attacks such as zero-day and targeted attacks, as well as worm storms. It is no longer sufficient to rely on signature-based technologies to address new security concerns, nor plausible to assume that all attacks will come from outside the network. For a company to protect its network effectively, it needs to deploy a multi-layered security approach and best-of-breed internal network defense devices. These best practices, combined with a defense-in-depth security strategy, could at last shift the balance of power from worm authors to defenders.

About the Author:
Matt Miller is the Vice President of Engineering for CounterStorm, Inc., a New York City-based network security company. He can be reached at matt.miller@counterstorm.com.

© IMPIRE Communications, LLC All Rights Reserved.