Malicious attacks are evolving, so security teams need to adopt a unified approach to anticipate and protect against them.
One of the arguments put forth to support the idea that open source software development is a better model than closed source is that peer review by a multitude of different minds will more rapidly identify the useful and clever ideas and techniques, recombining and applying them in the next release. To my mind this is interesting not because that model may produce the next greatest operating system or application, but because it is exactly what is happening in the world of malicious code writing.
Virus writers have always borrowed ideas that have proven their worth from each other. Witness the almost universal adoption of email as a viral vector post ‘Melissa’; the flow of creative juices into the cup of social engineering post the ‘Lovebug’; and the search for exploitable vulnerabilities post ‘Code Red’ – a search that continues unabated today.
Each of these examples represented an ‘Aha!’ moment in the minds of virus writers. This is not to say that the techniques each used were necessarily brand new ideas at the time. Rather, each attack marked the point in time at which the technique was demonstrated to be capable of whipping up a perfect storm.
Last year had its share of defining moments that will serve as similar inflection points. There are three that are useful to examine. Let’s start with the event that closed the year – the Sony BMG DRM debacle. Sony distributed, on its music CDs, software designed to enforce copyright controls over its music content. The twist was that the software was essentially spyware; worse, it used techniques usually reserved for ‘rootkits’ to mask its presence not only from end-users but, more dangerously, from commercial anti-virus and anti-spyware products.
While Sony may well have considered this a Homer Simpson ‘Doh!’ moment, another set of people will consider this an ‘Aha!’ moment indeed. In very short order we saw the first examples of viruses that exploited the presence of this particular rootkit to try to hide their own presence (see www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76345 for more information). The longer-term implication is not that the Sony spyware will continue to present a problem, but that the exercise demonstrated the usefulness, and thus the attractiveness, of ‘rootkitting’ as a way to hide the presence of a malicious piece of software.
The second incident worth examining occurred in May 2005, when the usefulness of spyware as a means of gathering commercially valuable and saleable information was demonstrated on a wide and devastating scale. I refer to the Sumitomo Bank affair, a case of industrial espionage in which spyware, in the form of keystroke logging software, was widely used in a precision attack motivated by economic gain. If anyone at that point still thought spyware a problem only for the home user paranoid about their privacy, that incident irrevocably changed the game.
Thirdly, according to a report published in November 2005 by a US Treasury Advisor, a tipping point was reached: attacks motivated by money rather than fame had grown to such a level that cyber criminals were reported to be making more money than drug runners.
Traditional viruses and worms were designed to target the greatest number of machines in the fastest, most destructive way. An attacker doesn’t care whether a virus is found as long as it gets there ahead of the supplier’s anti-virus patch – it’s a race! Spyware functions entirely differently. Unlike a virus, spyware is designed to go undetected by the anti-virus supplier and to cause long-term, not short-term, damage to the user. Rootkit techniques make this even wilier.
The malcode attack, previously motivated principally by ego and characterised by showy methods of propagation, suddenly needs to go underground. Whereas yesterday’s attacks shouted ‘I’m here’, tomorrow’s will run silent and deep.
The next logical stage of development is a hybrid between a virus and spyware, which uses the mass infection and propagation techniques of traditional worms and viruses, but whose payload is spyware in nature and is therefore principally intended to lie low and harvest information over a longer period of time. I predict that this will enter the mainstream over the next year.
Thus the security department now needs to anticipate attacks that combine the stealth of rootkits with the stickiness of spyware, the propagation techniques of viruses and worms, and the deeply attractive prospect of an attack that makes money.
All this would be only so much fear, uncertainty and doubt without a practical examination of how to mitigate such a trend. We face virus writers, spyware writers, scammers and criminals who borrow techniques from each other and commonly adopt additional technology now widely proven to be effective, such as vulnerability exploitation and rootkit techniques. In response, we need to ensure that the security and security management techniques and disciplines that are individually effective against each threat are combined and managed as one.
The best defence against this new breed of destruction is a joined-up defensive strategy. The most urgent action item is to unify the day-to-day operations and strategies of anti-virus management teams, anti-spyware efforts, vulnerability assessment, security information management efforts, and security-related change management teams. The software currently used by these teams may be adequate to scrape by with; however, the trend in the industry is towards convergence amongst the various “anti-ware” products. This will only make the job of the security team easier – a single, integrated approach at the tool level will foster co-operation and co-ordination at the operational level.
We need to take security more seriously. The motivational sentence to write on the whiteboard this year, in order to stay focused on last year’s lessons, is ‘Unified attacks require a unified defensive approach’. In that way, we may yet get ahead of the attackers.