How has network security evolved to address the rapidly changing threat landscape?
In the last three or four years there has been a major transformation in the nature of threats in the wild and how they have mutated into an extremely stealthy and hard to detect direction. That's been the most fundamental change in the last few years. [Malware] is not noisy, it's not designed to be obvious. It stays under the radar while it's doing its criminal activity; trying to make money for the criminal or nation state. That's really where the malware and the threat landscape have evolved. Malware is the key part of what the threat landscape is all about today. We have major cybercriminal activity on the Internet today with theft of identities, theft of credit card data, theft of intellectual property and actual theft of money from banks from within their corporate networks. All of this is enabled by this new sophisticated evolved class of malicious software.
Computer worm infections up, scareware antivirus down, Microsoft says: Microsoft's biannual report finds rogue antivirus infections and Trojan and downloader attacks down in the first six months of 2009.
As enterprises deploy data center virtualization more widely and as virtual clients become more ubiquitous, won't this reduce the opportunity for cybercriminals to gain access to sensitive data?
I don't believe so. Malware will adapt to whatever changes take place in the threat landscape. The most important evolution is these scanning worms that found a way in. The desktop evolved to become firewalled. Desktop firewalls made the scanning worms harder to penetrate and they started coming in via Web content. When there's an infrastructure shift they will move. There is ultimately going to be some software that is running somewhere that will be vulnerable because we don't know how to write perfect software. That is the issue at hand. We have hundreds of millions of lines of software in the context of browsers, plug-ins and widgets, and it's exploitable. If it's running on the client, that's not good and if it's running on the server then it's going to get exploited. I don't see a way out of this. What is modern malware? Is this malware that is coded to contact command and control?
How strong are botnets today? When we look at Conficker, it was thought to be very large, but the security community was able to block its command and control.
Conficker is a botnet and most drive-by downloads also create botnets today. I call it a botnet because once they crawl in, they crawl right back out and the machine becomes controllable. So the drive-by is merely an infection vector and Conficker was spreading using traditional services exploits much like the worms of the 2004-2005 era. However, from an overall structure perspective, there's an isomorphism between a Conficker-class of attack and a drive-by class of attack. The only difference is the infection vector. So, botnets are not going away because botnets drive more botnets. Why aren't we doing more to go after these rogue ISPs and holding registrars more responsible for selling, in some cases, tens of thousands of websites at a time to cybercriminals? Why not take a less technological approach and go after some of these cybercriminals?
I think we are going to find it exceedingly difficult to eliminate malware from the Internet. The reason is that not all the people in the business of distributing malware are even aware that they are doing that. For example, drive-by attacks come from a lot of sites, many of which are legitimate. There are Web 2.0 sites that allow you to upload malicious content. It's tough to shut down the Web 2.0 infrastructure because that is where the Internet is headed, but that same flexibility that allows communities to share ideas and content gives the bad guys the vehicle to introduce malware into the Internet. Now you are getting exploited. That is the infection vector side of it. I can find similar, hard to shut down things on the call-back channel side where the registrar doesn't know. It would also be very difficult for the registrar to know it was a malicious forward channel because the technology doesn't exist for them to figure that part out either. So that approach of going after all these parties is a good one because we should be doing that, but the challenges in getting it to succeed in a manner we would hope are very significant.