SearchSecurity.com:
How has network security evolved to address the rapidly changing threat landscape?
In the last three or four years there has been a major transformation in the nature of threats in
the wild and how they have mutated in an extremely stealthy and hard-to-detect direction. That's
been the most fundamental change in the last few years. [Malware] is not noisy; it's not designed
to be obvious. It stays under the radar while it's doing its criminal activity, trying to make
money for the criminal or nation state. That's really where the malware and the threat landscape
have evolved. Malware is the key part of what the threat landscape is all about today. We have
major cybercriminal activity on the Internet today with theft of identities, theft of credit card
data, theft of intellectual property and actual theft of money from banks from within their
corporate networks. All of this is enabled by this new, sophisticated, evolved class of malicious
software.
As enterprises deploy data center virtualization more widely and as virtual clients become more
ubiquitous, won't this reduce the opportunity for cybercriminals to gain access to sensitive
data?
I don't believe so. Malware will adapt to whatever changes take place in the threat landscape. The
most important evolution is these scanning worms that found a way in. The desktop evolved to become
firewalled. Desktop firewalls made the scanning worms harder to penetrate and they started coming
in via Web content. When there's an infrastructure shift they will move. There is ultimately going
to be some software that is running somewhere that will be vulnerable because we don't know how to
write perfect software. That is the issue at hand. We have hundreds of millions of lines of
software in the context of browsers, plug-ins and widgets, and it's exploitable. If it's running on
the client, that's not good, and if it's running on the server then it's going to get exploited. I
don't see a way out of this.
What is modern malware? Is this malware that is coded to contact command and control?
That is one of the attributes of modern malware. Modern malware exists for a purpose and in order to accomplish its purpose that malware needs to be able to communicate back to the party that distributed it. The most effective way to do that is via a callback channel or some kind of outbound communications initiated post infection. You used to be able to come in via vulnerable services and open a backdoor for somebody to connect into that. Firewalls and corporate firewalls have made that hard to do. So this has led to the adaptation of malware that we've seen taking into account network security measures and changes. It comes in passively via a Web exploit, a .pdf attack, a JavaScript class of attack and then it's going back out via HTTP or other permissible outbound protocol. That is one of the attributes of modern malware. The other is that it is there for a purpose. It's not there to do mischief. It's there to do real damage in terms of data theft or stealing of financial information.
How strong are botnets today? When we look at Conficker, it was thought to be very large, but
the security community was able to block its command and control.
Conficker is a botnet and most drive-by downloads also create botnets today. I call it a botnet
because once they crawl in, they crawl right back out and the machine becomes controllable. So the
drive-by is merely an infection vector and Conficker was spreading using traditional services
exploits much like the worms of the 2004-2005 era. However, from an overall structure perspective,
there's an isomorphism between a Conficker-class of attack and a drive-by class of attack. The only
difference is the infection vector. So, botnets are not going away because botnets drive more
botnets.
Why aren't we doing more to go after these rogue ISPs and holding registrars more
responsible for selling, in some cases, tens of thousands of websites at a time to cybercriminals?
Why not take a less technological approach and go after some of these cybercriminals?
I think we are going to find it exceedingly difficult to eliminate malware from the Internet. The reason is that not all the people in the business of distributing malware are even aware that they are doing that. For example, drive-by attacks come from a lot of sites, many of which are legitimate. There are Web 2.0 sites that allow you to upload malicious content. It's tough to shut down the Web 2.0 infrastructure because that is where the Internet is headed, but that same flexibility that allows communities to share ideas and content gives the bad guys the vehicle to introduce malware into the Internet. Now you are getting exploited. That is the infection vector side of it. I can find similar, hard-to-shut-down things on the call-back channel side where the registrar doesn't know. It would also be very difficult for the registrar to know it was a malicious forward channel because the technology doesn't exist for them to figure that part out either. So that approach of going after all these parties is a good one because we should be doing that, but the challenges in getting it to succeed in the manner we would hope are very significant.