Building A Better Toolset

In the last year, information security researchers have warned that black hat activity has shifted from digital vandalism to financially motivated attacks. Once motivated by curiosity or the desire for notoriety, attackers are now driven by profit. Today’s most ominous threats are designed to gather financial information. In the last half of 2006, the Symantec security response organization observed increased adoption of targeted-threat techniques, such as polymorphic code and rootkit technologies, and reported that 54 percent of the attack code it observed was designed to harvest sensitive or proprietary information.

Hacking isn’t a kid’s game anymore. It’s big business. Professional hackers are now organized career criminals that launch narrowly focused targeted attacks in order to hold for ransom, destroy or steal information—all with financial profit in mind. Security industry research firm Gartner has identified targeted attacks as the top security threat facing businesses in the next two years. In its 2006 Cyberthreats Hype Cycle, Gartner predicts by 2008 nearly 40 percent of organizations will be targeted by financially motivated cybercrime and urges businesses to invest in preventative measures.

Slow to Act
The targeted-attack threat is real, but it has yet to garner serious attention from CSOs. Enterprises face an ever-changing set of computer and information security issues due to the dynamic nature of today’s threats and the increasing dependence on technology as a business enabler. In confronting the cyberthreat challenge, enterprises have been successfully mitigating the traditional threat environment with firewalls, anti-virus, patching and other practices. The management of these security technologies provides reasonable safeguards against traditional attacks. But even a flawless implementation of security will leave an enterprise susceptible to new or unknown vulnerabilities. An organization also remains exposed to external threats during the window of time between a patch’s release and its application.

Regrettably, it’s difficult for security officers to justify spending more money on information security. It has been nearly two years since Zotob’s impact prompted industry experts to advocate the use of some form of traffic inspection that filters for illegitimate transactions. Zotob’s vulnerability-to-exploit cycle alone should have been a wake-up call for enterprise security officers. Symantec Research Labs documented 2,249 new vulnerabilities in the first half of 2006, up 18 percent over the second half of 2005. This is the highest number ever recorded for a six-month period.

A review of data illuminates why security officers have not felt compelled to address the targeted attack threat. Targeted attacks are custom-built, narrowly focused exploits that target specific companies or industries. Security research companies have not defined a targeted-attack signature. In spite of record-level vulnerability statistics, there is no identifiable attack behavior to defend against. Targeted attacks are typically the product of social engineering, constructed using insider information, making the level of customization almost impossible to detect with conventional security products. The concept is so vague that security officers have a difficult time factoring the potential of a targeted attack in a risk assessment process.

A Classic Example
Targeted attacks can lead to exposure of mission-critical business data or customer-sensitive information and inflict serious damage to corporate reputation. Perhaps the best illustration of a targeted attack occurred at TJX, the parent company of T.J. Maxx, Marshall’s and HomeGoods stores. On Jan. 17 the retailer said that computer systems storing credit card, check and merchandise return transaction data were compromised. In a recent SEC filing, TJX disclosed that more than 45 million credit and debit card numbers may have been stolen from its systems over an 18-month period, making it the single largest customer data breach to date.

In keeping with the classic targeted-attack pattern, TJX doesn’t know whether there was one continuous intrusion or multiple, separate breaches of its data security. It is the stealthy nature of targeted attacks that is so dangerous. The attacker employs exploit techniques designed both to evade detection and to cover tracks.

Cybercriminals want to operate under the radar. The crimeware programs used in a targeted attack are too valuable to waste on an attention-grabbing event. Major outbreaks get detected too soon and trigger mass patching by users and investigations by law enforcement agencies. Cybercriminals are more apt to craft a slow and stealthy attack designed to install malicious code on a select set of targeted machines.

Evolution of Exploit Frameworks
Cybercriminals increasingly rely on powerful exploitation frameworks to launch attacks. Free tools like Metasploit and commercial tools like CORE IMPACT and Immunity CANVAS have revolutionized attacker methodology. Previously, upon finding a vulnerability, the attacker either had to create custom exploit code from scratch or scour the Internet for code that exploited the hole. Today, instead of scraping together individual exploits, attackers use integrated exploit frameworks that bundle numerous exploits for compromising target systems.

One property of exploit tools is separation of the exploit from the payload. An exploit is the software taking advantage of a flaw, letting the attacker load and execute a program of the attacker's choosing. The code triggered by the exploit is known as the payload. Traditional attacks tightly bundled exploits and payloads together. An attack might exploit a database buffer overflow with the purpose of adding the attacker as a user to the local administrators group. But, with this tight integration, the attacker was stuck with the payload attached to the exploit for the specific vulnerability.

Taking the payload from one attack and embedding it with another exploit required deep technical knowledge and serious coding skills. To remedy the situation, today's exploit frameworks include an arsenal of different exploits and payloads, each offering a different effect. So today, the attacker can use a tool like Metasploit to choose an exploit, such as a buffer overflow in lsass.exe. Then, the attacker can choose from more than a dozen different payloads. Metasploit packages the payload with the exploit and then launches it at the target.

The real effect of these frameworks reverberates through the industry. Developers who create fresh exploits for new flaws don't have to reinvent the payload wheel every time. They can focus their time on perfecting exploits and quick production. Moreover, those developers who focus on payloads can now zoom in on the production of high-quality payloads.

Detecting a Targeted Attack
The problem with commonly deployed security tools is the reliance on signatures or rules. In order for a security tool to stop an attack, it requires specific knowledge about the attack, such as an exploit signature. Customers often have to wait days or weeks to get a working signature for a new exploit, leaving the network exposed to anyone with malicious intent. But in the current threat environment, attackers are often one step ahead of the products designed to thwart them.

The challenges facing information security teams are daunting. Targeted threats can lead to exposure of mission-critical or customer-sensitive data and can inflict serious damage to a corporate reputation. A growing number of data security standards and regulations can result in sanctions, fines and civil liability if a targeted attack is successful. In this gathering storm, where attack activity is motivated by financial gain, security teams need purpose-built tools to combat targeted threats.

Anomaly-based threat detection offers the most effective solution for addressing the targeted threat dilemma. At the core of this new threat detection technology are anomaly-based algorithms used to identify emerging threats. Four types of anomaly detection are used in commercially available solutions.
• Protocol detection identifies packets that are too short, have ambiguous options or violate specific application-layer protocols. It is most useful for detecting host-level attacks.
• Rate-based detection reveals floods in traffic using a time-based model of normal traffic volumes. It is most useful for detecting denial-of-service attacks.
• Relational or behavioral detection reveals changes in how individual hosts or groups of hosts interact with one another on a network. For example, a normally quiet host that starts connecting to hundreds of hosts per second on the SQL port indicates a worm. It is useful for a variety of threats, from worms and malware to insider misuse.
• Statistical detection reveals changes in normal content usage by identifying deviations in each application’s traffic, flow direction and packet size. It is most useful for identifying unknown, application-layer exploits.
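To make two of these algorithms concrete, the following Python is an added example written for this page, not a product’s or vendor’s code. It runs a rate-based detector and a relational (fan-out) detector over constructed flow records whose layout, (second, source, destination, destination port, bytes), is an assumption. The sample data is likewise constructed: ten quiet seconds, then one host opening connections to 200 distinct hosts on the SQL Server port in a single second, the worm-like behavior described above.

```python
# Added example (not from the original article): toy implementations of two
# of the anomaly-detection types described above, run over constructed flow
# records. Record layout (assumed): (second, src_ip, dst_ip, dst_port, bytes).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: ten quiet seconds of ordinary traffic, then at
# second 10 host 10.0.0.5 contacts 200 distinct hosts on the SQL Server port
# (TCP/1433), the fan-out pattern the text associates with a worm.
SAMPLE_FLOWS = []
for t in range(10):
    SAMPLE_FLOWS += [
        (t, "10.0.0.5", "10.0.0.20", 445, 1200),
        (t, "10.0.0.7", "10.0.0.21", 80, 3000 + 100 * (t % 3)),
        (t, "10.0.0.8", "10.0.0.22", 443, 2500),
    ]
for i in range(200):
    SAMPLE_FLOWS.append((10, "10.0.0.5", f"10.0.1.{i + 1}", 1433, 64))


def per_second_volume(flows):
    """Total bytes observed in each one-second bucket."""
    volume = defaultdict(int)
    for second, _src, _dst, _port, nbytes in flows:
        volume[second] += nbytes
    return dict(volume)


def rate_anomalies(flows, baseline_seconds=10, sigmas=3.0):
    """Rate-based detection: learn normal volume from the first
    `baseline_seconds`, then flag any later second whose byte count exceeds
    mean + sigmas * standard deviation of that baseline."""
    volume = per_second_volume(flows)
    baseline = [volume.get(s, 0) for s in range(baseline_seconds)]
    threshold = mean(baseline) + sigmas * pstdev(baseline)
    return {s: v for s, v in volume.items()
            if s >= baseline_seconds and v > threshold}


def fanout_anomalies(flows, port=1433, max_peers_per_second=50):
    """Relational/behavioral detection: flag any source that talks to more
    than `max_peers_per_second` distinct destinations on `port` within a
    single second, regardless of how many bytes it sends."""
    peers = defaultdict(set)          # (second, src) -> distinct destinations
    for second, src, dst, dport, _nbytes in flows:
        if dport == port:
            peers[(second, src)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items()
            if len(dsts) > max_peers_per_second}


if __name__ == "__main__":
    print("rate anomalies:", rate_anomalies(SAMPLE_FLOWS))
    print("fan-out anomalies:", fanout_anomalies(SAMPLE_FLOWS))
```

On the sample data both detectors fire on second 10, but for different reasons: the rate detector sees only the jump in bytes, while the fan-out detector keys on who is talking to whom and would still flag the host if each probe were tiny and the total volume stayed within the baseline. That difference in what each algorithm can and cannot see is the practical argument for the multi-algorithm approach recommended below.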

Not all anomaly-based security solutions are created equal. Capabilities are largely a function of supported algorithms. When evaluating new solutions, it is important to discern the type of threats the products are designed to detect. In order for an anomaly-based detection solution to proactively identify zero-day worms, malware, acceptable-use policy violations and insider misuse, the product should employ a multi-algorithm approach.

There's both an art and a science to applying anomaly detection. Effective use of the technology by security vendors requires deep experience with networks, threats and the appropriate anomaly-detection algorithms for a given threat model. When done well, anomaly detection is effective in finding and foiling network-borne threats and should be part of everyone's security tool set.

Specialized Attack Techniques
Cybercriminals find their victims by diligently profiling hosts to identify large and vulnerable targets. Numerous techniques are used to mount a targeted attack:

Bots. A bot (short for robot) is a computer where a worm or virus has installed programs that run automatically and allow cybercriminals complete access and control. Cybercriminals use viruses or other bots to search for vulnerable computers where they can load programs or store data. A botnet is a collection of infected machines that can be centrally controlled and used to launch simultaneous attacks. Spammers, hackers and other cybercriminals are acquiring or renting botnets, making it harder for authorities to track down the real culprits.

Keylogging. These programs covertly record the keys typed by a computer user. The program either stores the data for later retrieval or secretly sends the information to its author. The advantage of a keylogger, from the cybercriminal’s perspective, is that the user does not need to be tricked into supplying sensitive information.

Bundling. This entails embedding a virus or spyware in a benign or legitimate download, such as a screensaver or a game. When the computer user downloads and installs the legitimate file, they also unwittingly install the criminal program.

Denial of service. This is an attack specifically designed to prevent the normal functioning of a computer network or system, denying access to authorized users. A distributed denial-of-service attack uses thousands of computers captured by a worm or Trojan to send a landslide of data in a very short time. Attackers can cause denial of service by destroying or modifying data, or by using zombie computers to bombard the system with data until its servers are overloaded and cannot serve normal requests.

Packet sniffers. These are software programs that monitor network traffic. Attackers use packet sniffers to capture and analyze data transmitted via a network. Specialized sniffers capture passwords crossing a network.

Rootkit. This is a set of tools used by an intruder after hacking a computer. The tools allow the cybercriminal to maintain access, prevent detection, build hidden backdoors and collect information from compromised computers.

Spyware. Spyware is software that gathers information without the user’s knowledge. Spyware is typically bundled covertly with another program. The user does not know installing one also installs the other. Once installed, the spyware monitors user activity on the Internet and transmits information in the background to someone else.

Social engineering. Social engineering is not limited to cybercrime, but it is an important element of cyberfraud. Social engineering tricks deceive the recipient into taking an action or revealing information. The reasons given seem legitimate, but the intent is criminal. Phishing is an obvious example—a certain percentage of users will respond unthinkingly to a request that appears to be from a legitimate institution.

Worms and Trojans. A Trojan is a malicious program unwittingly downloaded and installed by computer users. Some Trojans pretend to be a benign application. Many hide on a computer as a file with a nondescript name. Trojans contain commands the computer executes automatically without the user’s knowledge. A Trojan may act as a zombie and send spam or participate in a distributed denial-of-service attack, or it may be a keylogger or other monitoring program that collects data and sends it covertly to the attacker. Worms are self-contained viruses that travel through networks, automatically duplicating themselves and sending copies to other computers.
