Infosecurity 2008 - New defence strategy in battle against e-crime

Opinion

E-crime has evolved into a booming business. Viruses, malware and online crime have moved on from hacking as vandalism to a major shadow economy that closely mimics the legitimate business world, complete with profit-driven organised cybercrime, writes Yuval Ben-Itzhak, CTO at Finjan.

Money is driving the growth of targeted attacks against financial institutions, enterprises and government agencies. The financial damage from security breaches will keep running into millions of pounds.

Cybercriminals use the web as a highly effective attack vector for a wide range of illegitimate and malicious activities, including identity theft through keylogging, financial fraud, espionage and intelligence gathering. They operate as international organised crime networks, which makes them hard to catch, let alone prosecute.

In 2008 we have seen the continued development of sophisticated criminal-to-criminal (C2C) business models, which operate on two levels. At the first level, crimeware developers supply "crimeware toolkits" to other criminals for use in attacks: "how-to" packages that walk the buyer step by step through infecting a system and then retrieving data for financial gain. At the second, criminals can go the old-fashioned way and simply purchase data already harvested by Trojans, keyloggers and other types of crimeware. In both cases the professionals rely on robust, scalable crimeware that gives them maximum flexibility in command and control.

One of the main reasons e-crime remains so profitable is the success rate of Trojan technologies that use web 2.0 sites as their main attack vector. Silent installations and drive-by downloads, in which merely visiting a page is enough to trigger an infection, have successfully compromised PCs and whole networks.

These "Trojan 2.0" attacks combine various web services to raise their infection rate while substantially reducing their chance of being detected. They use legitimate websites and domains to distribute instructions to botnets, so that command-and-control traffic looks like ordinary web browsing. To complicate matters further, evasion techniques such as obfuscated code are deployed to slip past security products. In short, any organisation, company, enterprise or business with internet access is a potential and prime target, regardless of its size or location.

A striking example is the wave of attacks that originated in China in late 2007 and has continued into 2008. Malicious content was distributed using obfuscated code and a network of websites to bypass traditional information security technologies. One of the websites used to distribute the crimeware belonged to a Chinese government office, which illustrates that cybercriminals not only attack government websites successfully but also turn them into cybercrime tools. Because of its high success rate, we are seeing more attacks of this kind that use compromised legitimate websites. A recent example is the Forth Road Bridge's website, where cybercriminals deployed the Neosploit crimeware toolkit, using obfuscated JavaScript, for their attack.

It is clear that traditional security products such as anti-virus, URL filtering and reputation services will become more and more limited in their ability to handle the latest, highly sophisticated cybercrime attacks. All three depend on having seen the threat, the URL or the domain before, whereas these attacks are built so that each victim receives freshly obfuscated code from a site with a clean history. To meet the growing demand for more effective protection, the security industry must close the gap between these new attack techniques and conventional defence strategies.

The optimal way to do this is to concentrate on real-time code inspection technologies. These analyse every piece of active content as it arrives, regardless of its source, to determine what the code would do if it ran, and can therefore detect malicious code without relying on signature updates or databases of classified URLs.

With active real-time code inspection in place, organisations can stop malicious content entering their corporate networks even when it is served from a highly respectable and trusted website, because the decision rests on what the content does rather than on where it came from.
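As an added example (not part of the original article and not Finjan's own code), the following Node.js script illustrates the contrast drawn above between obfuscated drive-by loaders and content inspection: a fixed signature recognises one obfuscated loader and misses the same payload re-encoded, while a small inspector that statically decodes what the script would produce and scores what it does catches both without any prior knowledge of the page or URL. The sample scripts, the example.com domain, the rule weights and the block threshold are all constructed for this demonstration; they are not real crimeware or a real product's rule set.

```javascript
// Added example (not Finjan's product code): a minimal static inspector
// that judges web content by what its script does rather than by a
// fixed byte signature. All sample scripts below are constructed for
// this demo; the iframe points at the placeholder domain example.com.

// The payload both obfuscated variants expand to: a zero-size iframe,
// the usual shape of a drive-by loader injected into a legitimate page.
const HIDDEN_IFRAME =
  '<iframe src="http://example.com/loader" width="0" height="0"></iframe>';

// Variant A packs the payload as a %XX-escaped string for unescape().
function encodeEscape(s) {
  return Array.from(s, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")
  ).join("");
}

// Variant B stores it as char codes offset by a constant, so neither
// the payload nor its literal codes appear anywhere in the file.
function encodeCharCodes(s, offset) {
  return Array.from(s, (c) => c.charCodeAt(0) + offset).join(",");
}

const ESCAPED_PAYLOAD_A = encodeEscape("document.write('" + HIDDEN_IFRAME + "')");

const SAMPLES = {
  benign:
    'document.getElementById("clock").textContent = new Date().toString();',
  variantA: 'eval(unescape("' + ESCAPED_PAYLOAD_A + '"));',
  variantB:
    "var k=7;var a=[" + encodeCharCodes(HIDDEN_IFRAME, 7) + "];" +
    'var s="";for(var i=0;i<a.length;i++)s+=String.fromCharCode(a[i]-k);' +
    "document.write(s);",
};

// A signature-only check, as a blocklist entry would do it: it knows
// variant A's exact escaped string and nothing about variant B.
function signatureMatch(script, signature) {
  return script.includes(signature);
}

// Decode unescape("...") literals statically, without executing anything.
function decodeUnescapeLiterals(script) {
  const out = [];
  const re = /unescape\(\s*(["'])([^"']*)\1\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    out.push(m[2].replace(/%([0-9A-Fa-f]{2})/g, (_, h) =>
      String.fromCharCode(parseInt(h, 16))));
  }
  return out;
}

// Behavioural heuristics applied to the raw script and to anything it
// decodes. Weights and threshold are illustrative, not tuned values.
const BLOCK_THRESHOLD = 4;
const RULES = [
  { id: "eval-of-decoded-string", weight: 3,
    re: /eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(/ },
  { id: "fromCharCode-assembly", weight: 2, re: /String\.fromCharCode\s*\(/ },
  { id: "long-numeric-array", weight: 2, re: /\[\s*(?:\d+\s*,\s*){20,}\d+\s*\]/ },
  { id: "long-escaped-string", weight: 2, re: /(?:%[0-9A-Fa-f]{2}){20,}/ },
  { id: "document-write", weight: 1, re: /document\.write\s*\(/ },
  { id: "hidden-iframe", weight: 4,
    re: /<iframe\b[^>]*\b(?:width|height)\s*=\s*["']?0\b/i },
];

// Returns the score, the rules that fired, what was decoded, and a verdict.
function inspect(script) {
  const decoded = decodeUnescapeLiterals(script);
  const texts = [script, ...decoded];
  const reasons = [];
  let score = 0;
  for (const rule of RULES) {
    if (texts.some((t) => rule.re.test(t))) {
      reasons.push(rule.id);
      score += rule.weight;
    }
  }
  return { score, reasons, decoded, verdict: score >= BLOCK_THRESHOLD ? "block" : "allow" };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, script] of Object.entries(SAMPLES)) {
    const r = inspect(script);
    console.log(name.padEnd(8), r.verdict.padEnd(5), "score", r.score,
      "signature:", signatureMatch(script, ESCAPED_PAYLOAD_A), r.reasons.join(","));
  }
}
```

Run with `node inspect.js`: the benign script scores zero and is allowed, variant A is blocked because its unescape() literal decodes to a hidden iframe, and variant B is blocked on the shape of its code alone (a long numeric array fed through String.fromCharCode into document.write) even though the signature for variant A never matches it. Variant B also shows the limit of purely static decoding: the offset constant `k` means the payload is never recovered here, which is why production inspectors add script emulation on top of heuristics like these.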


This was first published in April 2008
