Network-based Malware Detection 2.0: Advanced Attackers Take No Prisoners

It was simpler back then. You know, back in the olden days of 2003. Viruses were predictable, your AV vendor could provide virus signatures to catch malware, and severe outbreaks like Melissa and SQL*Slammer depended on brittle operating systems and poor patching practices. Those days are long gone, under an onslaught of innovative attacks which leverage professional software development tactics and take advantage of the path of least resistance – generally your employees. We have written extensively about battling advanced attackers – the top issue facing many security organizations today. From the original Network-based Malware Detection paper, through Evolving Endpoint Malware Detection, and the most recent Early Warning arc: Building an Early Warning System, Network-based Threat Intelligence, and Email-based Threat Intelligence. Finally we took our message to executives with the CISO’s Guide to Advanced Attackers. But in the world of technology change is constant. Attacks and defenses change, so as much as we try to write timeless research, sometimes our stuff needs a refresh. Detecting advanced malware on the network is a market that has changed very rapidly over the 18 months since we wrote the first paper. Compounding the changes in attack tactics and control effectiveness, the competition for network-based malware protection solutions has dramatically intensified, and every network security vendor either has introduced a network-based malware detection capability or will soon. This makes a confusion situation for security practitioners who mostly need to keep malware out of their networks, and are less interested in vendor sniping and badmouthing. Accelerating change and increasing confusion usually indicate that it is time to wade in again, to document the changes to ensure you understand the key aspects – in this case, of detecting malware on your network. So we are launching a new series: Network-based Malware Detection 2.0: Assessing Scale, Security, Accuracy, and Blocking, to update our original paper. As with all our blog series we will develop the content independently and objectively, guided by our Totally Transparent Research methodology. But we have bills to pay so we are pleased that Palo Alto Networks will again consider licensing this paper upon completion. But let’s not pt the cart before the horse – it is time to go back to the beginning, and consider why advanced malware requires new approaches, for both detection and remediation. Gaining Presence with New Targets Cloppert’s Kill Chain is alive and well, so the first order of attacker business is to gain a foothold in your environment, by weaponizing and delivering exploits to compromise devices. Following the path of least resistance, it is far more efficient to target your employees and get them to click on a link they shouldn’t. That is not new, but their exploitation targets are. Attackers go after the most widely deployed software, for the greatest number of potential victims and the hest chance of success. This has led them to unpatched operating system vulnerabilities. With recent versions of Windows this exploitation has gotten much harder, which is good thing – for us. So attackers went after the next most widely distributed software: browsers. Their initial success compromising browsers forced all browser providers to respond aggressively and better lock down their software. Of course we still see edge case problems with older browsers requiring out-of-cycle patches, but browsers have now largely escaped being the path of least resistance. The action/reaction cycle continues, with attackers shifting their attention to other widely used software – particularly Adobe Reader and Java. And once Oracle and Adobe progress there will be a new target. There always is. The only thing we can count on is that attackers will find new ways to compromise devices. The Role of the Perimeter Once attackers establish a presence in your network via the first compromised device, they move laterally and systematically toward their target until they achieve their mission. Defensive is the attempt to detect and block malicious software – optimally before it wreaks havoc on your endpoints. Because once malware establishes itself on the device you can no longer rely on endpoint defenses to stop it. We talk to many larger organizations that basically treat every endpoint as a hostile device. If it isn’t already compromised, it will be soon enough. They use preemptive measures, such as extensive network segmentation, to make it harder for attackers to access their targeted data. But what these organizations want is to stop malware from reaching endpoints in the first place. There is clear precedent for this approach. Years ago anti-spam technology ran on email servers. But blocking technology evolved out to the perimeter, and eventually into the cloud, to shift the flood (and bandwidth cost) of bad email as far away from your real email system as possible. We expect a similar shift in the locus of advanced malware protection, from endpoints to the perimeter. But that begs the question: how can you detect malware on the perimeter? With a network-based malware detection device (NBMD), of course. As described in the original paper, these devices have emerged to analyze files passing on the wire, and identify questionable files by executing them in a sandbox and observing their behavior. Our next post will revisit that research to delve into how these devices work and how they compliment other controls designed to detect malware elsewhere in your environment. Insecurity by Obscurity In the olden days you could just check a file by matching it against a list of signatures from bad files; matches were viruses and blocked. This endpoint-centric blacklist approach worked well … until it didn’t. Today it is largely ineffective – so endpoint protection vendors have shifted focus to a combination of heuristics, cloud-based fuel repositories, IP and file reputation, and a variety of other intelligence-based mechanisms to identify attacks. But attackers are smart – they have figured out how to defeat blacklists, reputation, and most other current anti-malware defenses. They send out polymorphic files that change randomly – your blacklist is dead. They hijack system files normally exempted from analysis by anti-malware

Read Post

The Perimeter Won’t Be Rebuilt Overnight

It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office. Of course reality is usually a bit behind the hype. We do believe NGFW technology (application awareness) will have a disruptive and lasting impact on network security, but it won’t happen overnight. Our pals at 451 Group do a bunch of surveys each year to track vendor momentum and buying plans. These show tremendous growth for NGFW. The technology, a fusion of application layer firewalls and stateful firewalls, continues a multi-year run of growth that has seen it rise in ‘in use’ percentage from 26% in 2010 to 33% last year. But are they totally displacing traditional firewalls? Not yet – many organizations start deploying NGFW (and NGIPS for that matter) in a monitoring role right next to the existing firewalls, to provide greater visibility into application usage. This visibility, then control deployment approach has been fairly consistent since the first NGFW devices hit the market a few years ago. …application-aware firewalls are rising as complementary or companion capabilities alongside a primary network firewall, where enterprises still seem to employ solutions from fairly longstanding firewall providers. But that is starting to change. We now hear about folks blowing up their perimeters; forklifting their traditional firewalls; and going lock, stock and barrel into NGFW gear. These are not small networks by the way. As the technology matures and the traditional network security players evolve their product lines to include NG capabilities, we will see this more and more often. That’s a good thing – port and protocol policies don’t provide much protection against current attacks. Photo credit: “No riding on forklift” originally uploaded by Leo Reynolds Share:

Read Post

A Friday Summary from Boulder: May 17, 2013

They say you can’t go home. What a load of garbage. You can totally go home (unless you’re from Fukushima or Chernobyl). In fact I am writing this week’s Summary in Boulder, Colorado – on a three-week trip to catch up with old friends, play hipster in coffee shops, and change my attitude with a little altitude. Better yet, I am writing this sitting in the Boulder Library while my kids enjoy musical story time. You can always go home – what you can’t do is go back in time. It doesn’t matter if you live within 15 miles of where you grew up, or run off to distant lands like me – time marches on. People leave, restaurants change, and even culture evolves and adapts. The point isn’t how much home changes, but how much you change – or don’t. I am not the same person I was when I arrived in Boulder back in 1989, and that’s a good thing. I’m not the same person I was 8 years ago when I left for a girl in Arizona. Among other things I have 3 kids and can’t spend my free time running off for mountain rescues. I had an awesome life back then, but it isn’t the life I want now. There is nothing wrong with nostalgia, but there is a fine line between reminiscing for days on the past and trying to live in the past. We all have friends stuck in their own personal glory days, making themselves miserable by refusing to move on. I may miss my kid-free freedom back then, but I am living the life I want now, and I would be missing out on the constant stream of amazing experiences my family gives me. Some stores have changed, some bars have changed, and some buildings were updated, but it’s still Boulder. As much as I miss Tulagis, Potters, and Pearls, I would be pathetic if I tried to hang there now, over 40. There seems to be more money in town, but this was always the national headquarters of the Limousine Liberals of the People’s Republic. It’s just as intolerantly tolerant as ever, and after spending time in Phoenix I really do notice the hippies more. (And the hippies still suck). I’m home and loving it. I may not be hanging with my old friends at the old places but I get to take my kids on my favorite hikes, enjoy the surprising number of local restaurants still here, and sneak off for some favorite rides and runs. I am also learning how much better a place this is to be with children than I thought when living here – there are an amazing range of activities, even without popping down to Denver. On that note, I need to take my bike in for service, pick up a new bike trailer for the baby, decide which organic, sustainably fed and ‘humanely’ slaughtered ground bird I will grill for dinner, and arrange a few post-hike microbrew excursions. Yeah, my life is hard. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian presenting next week on Tokenization vs. Encryption. Favorite Securosis Posts Adrian Lane: Bloomberg Pulls a News Corp on Goldman. We have hypothesized about this type of thing happening for a few years – this is the greatest fear of enterprises about cloud services. Mike Rothman: $45M Heist Used a 5 Year Old (at least) Technique. Rich nails it: what’s old is new. Rich: The Onion hack brings tears to my eyes. What’s not to love? Other Securosis Posts Boundaries won’t help GRC. Incite 5/15/2013: Fraud Hits Close to Home. Favorite Outside Posts Adrian Lane: A Saudi Arabia Telecom’s Surveillance Pitch. “What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.” < That. Governments and enterprise often place more value on your social media communications than you do. Mike Rothman: Warren Buffett: The three things I look for in a person. Adrian and Gunnar are card-carrying Buffett fanboys so I expect them to like this. I love this way to evaluate people: “Intelligence, energy, and integrity. And if they don’t have the last one, don’t even bother with the first two.” Rich: Ricky Gervais on the difference between US and UK humor. Actually, there is a lot in here about how we approach writing about security, and the difference between analytical humor and pure trolling. Dave Lewis: Hear Ye, Future Deep Throats: This Is How to Leak to the Press. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Indian companies at center of global cyber heist. Update on last week’s $45M theft. Bloomberg reporters allegedly used financial terminals to spy on Wall Street. Larry Page I/O keynote: Google CEO blasts Microsoft, Oracle, laws, and the media. Chinese internet: ‘a new censorship campaign has commenced’. Apple deluged by police demands to decrypt iPhones. Skype with care – Microsoft is reading everything you write. Boston judge limits access to Aaron Swartz court records < wagons circling. Blog Comment of the Week This week’s best comment goes to Andrew, in response to Boundaries won’t help GRC. I mischievously ask GRC vendors “who is the intended budget holder, G, R or C?” And often as not, the benefits of GRC tools go to audit. Business lines, as we all know, love to make audit more powerful …. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.