Research

It was simpler back then. You know, back in the olden days of 2003. Viruses were predictable, your AV vendor could provide virus signatures to catch malware, and severe outbreaks like Melissa and SQL*Slammer depended on brittle operating systems and poor patching practices. Those days are long gone, under an onslaught of innovative attacks which leverage professional software development tactics and take advantage of the path of least resistance – generally your employees. We have written extensively about battling advanced attackers – the top issue facing many security organizations today. From the original Network-based Malware Detection paper, through Evolving Endpoint Malware Detection, and the most recent Early Warning arc: Building an Early Warning System, Network-based Threat Intelligence, and Email-based Threat Intelligence. Finally we took our message to executives with the CISO’s Guide to Advanced Attackers. But in the world of technology change is constant. Attacks and defenses change, so as much as we try to write timeless research, sometimes our stuff needs a refresh. Detecting advanced malware on the network is a market that has changed very rapidly over the 18 months since we wrote the first paper. Compounding the changes in attack tactics and control effectiveness, the competition for network-based malware protection solutions has dramatically intensified, and every network security vendor either has introduced a network-based malware detection capability or will soon. This makes a confusion situation for security practitioners who mostly need to keep malware out of their networks, and are less interested in vendor sniping and badmouthing. Accelerating change and increasing confusion usually indicate that it is time to wade in again, to document the changes to ensure you understand the key aspects – in this case, of detecting malware on your network. So we are launching a new series: Network-based Malware Detection 2.0: Assessing Scale, Security, Accuracy, and Blocking, to update our original paper. As with all our blog series we will develop the content independently and objectively, guided by our Totally Transparent Research methodology. But we have bills to pay so we are pleased that Palo Alto Networks will again consider licensing this paper upon completion. But let’s not pt the cart before the horse – it is time to go back to the beginning, and consider why advanced malware requires new approaches, for both detection and remediation. Gaining Presence with New Targets Cloppert’s Kill Chain is alive and well, so the first order of attacker business is to gain a foothold in your environment, by weaponizing and delivering exploits to compromise devices. Following the path of least resistance, it is far more efficient to target your employees and get them to click on a link they shouldn’t. That is not new, but their exploitation targets are. Attackers go after the most widely deployed software, for the greatest number of potential victims and the hest chance of success. This has led them to unpatched operating system vulnerabilities. With recent versions of Windows this exploitation has gotten much harder, which is good thing – for us. So attackers went after the next most widely distributed software: browsers. Their initial success compromising browsers forced all browser providers to respond aggressively and better lock down their software. Of course we still see edge case problems with older browsers requiring out-of-cycle patches, but browsers have now largely escaped being the path of least resistance. The action/reaction cycle continues, with attackers shifting their attention to other widely used software – particularly Adobe Reader and Java. And once Oracle and Adobe progress there will be a new target. There always is. The only thing we can count on is that attackers will find new ways to compromise devices. The Role of the Perimeter Once attackers establish a presence in your network via the first compromised device, they move laterally and systematically toward their target until they achieve their mission. Defensive is the attempt to detect and block malicious software – optimally before it wreaks havoc on your endpoints. Because once malware establishes itself on the device you can no longer rely on endpoint defenses to stop it. We talk to many larger organizations that basically treat every endpoint as a hostile device. If it isn’t already compromised, it will be soon enough. They use preemptive measures, such as extensive network segmentation, to make it harder for attackers to access their targeted data. But what these organizations want is to stop malware from reaching endpoints in the first place. There is clear precedent for this approach. Years ago anti-spam technology ran on email servers. But blocking technology evolved out to the perimeter, and eventually into the cloud, to shift the flood (and bandwidth cost) of bad email as far away from your real email system as possible. We expect a similar shift in the locus of advanced malware protection, from endpoints to the perimeter. But that begs the question: how can you detect malware on the perimeter? With a network-based malware detection device (NBMD), of course. As described in the original paper, these devices have emerged to analyze files passing on the wire, and identify questionable files by executing them in a sandbox and observing their behavior. Our next post will revisit that research to delve into how these devices work and how they compliment other controls designed to detect malware elsewhere in your environment. Insecurity by Obscurity In the olden days you could just check a file by matching it against a list of signatures from bad files; matches were viruses and blocked. This endpoint-centric blacklist approach worked well … until it didn’t. Today it is largely ineffective – so endpoint protection vendors have shifted focus to a combination of heuristics, cloud-based fuel repositories, IP and file reputation, and a variety of other intelligence-based mechanisms to identify attacks. But attackers are smart – they have figured out how to defeat blacklists, reputation, and most other current anti-malware defenses. They send out polymorphic files that change randomly – your blacklist is dead. They hijack system files normally exempted from analysis by anti-malware

It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office. Of course reality is usually a bit behind the hype. We do believe NGFW technology (application awareness) will have a disruptive and lasting impact on network security, but it won’t happen overnight. Our pals at 451 Group do a bunch of surveys each year to track vendor momentum and buying plans. These show tremendous growth for NGFW. The technology, a fusion of application layer firewalls and stateful firewalls, continues a multi-year run of growth that has seen it rise in ‘in use’ percentage from 26% in 2010 to 33% last year. But are they totally displacing traditional firewalls? Not yet – many organizations start deploying NGFW (and NGIPS for that matter) in a monitoring role right next to the existing firewalls, to provide greater visibility into application usage. This visibility, then control deployment approach has been fairly consistent since the first NGFW devices hit the market a few years ago. …application-aware firewalls are rising as complementary or companion capabilities alongside a primary network firewall, where enterprises still seem to employ solutions from fairly longstanding firewall providers. But that is starting to change. We now hear about folks blowing up their perimeters; forklifting their traditional firewalls; and going lock, stock and barrel into NGFW gear. These are not small networks by the way. As the technology matures and the traditional network security players evolve their product lines to include NG capabilities, we will see this more and more often. That’s a good thing – port and protocol policies don’t provide much protection against current attacks. Photo credit: “No riding on forklift” originally uploaded by Leo Reynolds Share:

They say you can’t go home. What a load of garbage. You can totally go home (unless you’re from Fukushima or Chernobyl). In fact I am writing this week’s Summary in Boulder, Colorado – on a three-week trip to catch up with old friends, play hipster in coffee shops, and change my attitude with a little altitude. Better yet, I am writing this sitting in the Boulder Library while my kids enjoy musical story time. You can always go home – what you can’t do is go back in time. It doesn’t matter if you live within 15 miles of where you grew up, or run off to distant lands like me – time marches on. People leave, restaurants change, and even culture evolves and adapts. The point isn’t how much home changes, but how much you change – or don’t. I am not the same person I was when I arrived in Boulder back in 1989, and that’s a good thing. I’m not the same person I was 8 years ago when I left for a girl in Arizona. Among other things I have 3 kids and can’t spend my free time running off for mountain rescues. I had an awesome life back then, but it isn’t the life I want now. There is nothing wrong with nostalgia, but there is a fine line between reminiscing for days on the past and trying to live in the past. We all have friends stuck in their own personal glory days, making themselves miserable by refusing to move on. I may miss my kid-free freedom back then, but I am living the life I want now, and I would be missing out on the constant stream of amazing experiences my family gives me. Some stores have changed, some bars have changed, and some buildings were updated, but it’s still Boulder. As much as I miss Tulagis, Potters, and Pearls, I would be pathetic if I tried to hang there now, over 40. There seems to be more money in town, but this was always the national headquarters of the Limousine Liberals of the People’s Republic. It’s just as intolerantly tolerant as ever, and after spending time in Phoenix I really do notice the hippies more. (And the hippies still suck). I’m home and loving it. I may not be hanging with my old friends at the old places but I get to take my kids on my favorite hikes, enjoy the surprising number of local restaurants still here, and sneak off for some favorite rides and runs. I am also learning how much better a place this is to be with children than I thought when living here – there are an amazing range of activities, even without popping down to Denver. On that note, I need to take my bike in for service, pick up a new bike trailer for the baby, decide which organic, sustainably fed and ‘humanely’ slaughtered ground bird I will grill for dinner, and arrange a few post-hike microbrew excursions. Yeah, my life is hard. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian presenting next week on Tokenization vs. Encryption. Favorite Securosis Posts Adrian Lane: Bloomberg Pulls a News Corp on Goldman. We have hypothesized about this type of thing happening for a few years – this is the greatest fear of enterprises about cloud services. Mike Rothman: $45M Heist Used a 5 Year Old (at least) Technique. Rich nails it: what’s old is new. Rich: The Onion hack brings tears to my eyes. What’s not to love? Other Securosis Posts Boundaries won’t help GRC. Incite 5/15/2013: Fraud Hits Close to Home. Favorite Outside Posts Adrian Lane: A Saudi Arabia Telecom’s Surveillance Pitch. “What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.” < That. Governments and enterprise often place more value on your social media communications than you do. Mike Rothman: Warren Buffett: The three things I look for in a person. Adrian and Gunnar are card-carrying Buffett fanboys so I expect them to like this. I love this way to evaluate people: “Intelligence, energy, and integrity. And if they don’t have the last one, don’t even bother with the first two.” Rich: Ricky Gervais on the difference between US and UK humor. Actually, there is a lot in here about how we approach writing about security, and the difference between analytical humor and pure trolling. Dave Lewis: Hear Ye, Future Deep Throats: This Is How to Leak to the Press. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Indian companies at center of global cyber heist. Update on last week’s $45M theft. Bloomberg reporters allegedly used financial terminals to spy on Wall Street. Larry Page I/O keynote: Google CEO blasts Microsoft, Oracle, laws, and the media. Chinese internet: ‘a new censorship campaign has commenced’. Apple deluged by police demands to decrypt iPhones. Skype with care – Microsoft is reading everything you write. Boston judge limits access to Aaron Swartz court records < wagons circling. Blog Comment of the Week This week’s best comment goes to Andrew, in response to Boundaries won’t help GRC. I mischievously ask GRC vendors “who is the intended budget holder, G, R or C?” And often as not, the benefits of GRC tools go to audit. Business lines, as we all know, love to make audit more powerful …. Share: