Probes and profiles not working, says Cisco

Cisco says the common approach of preventing attacks by analysing incoming files is less effective than analysing the source of the traffic.

Cisco has never been afraid to take a contrary position to where most of the industry is going. And so it is with the IronPort security system it acquired in 2007 and the SensorBase threat database that came with it. Andy Norton, Threat Response, and Glen Wellby, ANZ Country Manager for Cisco IronPort, talked to SearchNetworking ANZ earlier this week.

Norton explained that Cisco believes the security industry, in trying to stop threats by examining the content of incoming traffic, is in a no-win arms race.

“Sophistication [of security products] has become part of the problem. ‘How can I develop an algorithm which will monitor a file’s behaviour and make sure that no malware will come into my system again? How can I create enough probes that I can profile the whole Internet in five minutes?’

“That approach isn’t working. Let me give you one example – the latest spear-phishing attack that was aimed at 20 companies in January, a Microsoft Internet Explorer zero-day attack that evaded all forms of security.

“The file that ended up communicating to the IP address in China was using the IP address of the two previous zero-day attacks. So instead of trying to make sense of the object or file, look at where it’s come from. It doesn’t have to be that difficult.”

Wellby said: “The power of this data analysis … is around understanding the traffic that’s out there, using standard protocols to assess where the traffic is coming from and where it’s going, and being smart enough to say ‘last time, this IP address launched a million messages … it’s doing it again’.”

To explain how the SensorBase underpins this approach, Norton described the database itself.

“First, it is a collection of data. It is the largest security database on the planet,” Norton explained.

After IronPort was acquired by Cisco, he said, the SensorBase got access to massive amounts of data, because of the huge number of points at which Cisco “touches” the Internet.

“We see something like 137 million live attacks at any one time, and we see relationships between various criminals and the infrastructure they use – so we might see a network owner in Western Samoa offering very cheap and bullet-proof webhosting, but they don’t much care what appears on that.

“Or we might see someone set up a payment system in Panama, for credit cards to be processed.”

Second, he said, once the feeds are gathered, Cisco correlates them. “The intelligence we have inspects each feed and builds them together. Combined, they change the overall picture.”

This, he explained, is expressed as a score from -10 to +10 (the “Reputation” score applied by the SensorBase), so users can set the threshold at which traffic from a particular host is blocked rather than delivered.

At the same time, Cisco is well aware of the sensitivities that surround any kind of traffic inspection, as Wellby explained.

“Everyone, from the ISPs, the governments, the telecommunications industry – they all want to do the right thing for their customers or citizens, offer better security,” he said.

This, however, is “difficult to do without getting embroiled in questions of Big Brother, privacy, censorship. So we want to make it easy for the community in general to offer a level of protection without getting caught up in ‘who’s watching you do what’.”

Handling traffic questions “from the outside” – blocking an IP address based on its history of hosting attacks, rather than examining the incoming content – also reduces the likelihood of upsetting end users.

It also reduces the amount of content that has to be blocked: if an otherwise benign site or host has been infected, Wellby said, then only the compromised link needs to be identified and dealt with, rather than blocking the whole site.

The problem with a wholesale site-block, he said, is that if the user believes the site to be safe (for example, because it’s a local coffee shop whose site they visit frequently to place orders), the user is likely to try to get around the block; whereas if only the dangerous link is blocked, the user is not aggravated, and the site itself suffers less harm through lost customers.

The SensorBase approach, Wellby said, also gives Cisco a chance to defend against attacks using very short-lived domains. “Even sites with absolutely no history – that’s useful information. Understanding that there’s no history – we know to quarantine and further inspect.”

Attackers are also taking an increasingly “personalised” approach, Norton said, using Google-gaming not only to attract users but also to build profiles of what might attract users next time.

“We see stuff like that with search engine queries – the race to catch the first Google page. When the Ady Gil was hit by the Japanese whaler, that was a hot search item.”

And those hot search items are favoured by online criminals looking for victims.

“We track the results of search terms, [and] if there’s a domain in there that’s less than 3 days old, registered in China, hosted in the Ukraine, with a time-to-live of less than 30 minutes, that starts ringing alarm bells.”
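The source-reputation logic described in this article (a -10 to +10 score correlated from several feeds, a user-set block threshold, quarantine of hosts with no history at all, and the alarm on very young, fast-flux search-result domains) can be sketched as a small policy engine. The code below is an added illustration written for this page; it is not Cisco's or IronPort's code, and it does not reproduce SensorBase's real feeds or weights. The feed names, weights, thresholds, IP addresses and domain records are all constructed for the example, and the young-domain rule generalises Norton's China/Ukraine example to any mismatch between registrant country and hosting country.

```python
"""Reputation-based gateway policy: judge the sender, not the file.

Illustrative editor-supplied example; feed names, weights, thresholds and
sample data are constructed assumptions, not SensorBase's actual model."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Each feed contributes a signed amount; the correlated total is clamped to
# the -10 (worst) .. +10 (best) range the article describes. (Constructed.)
FEED_WEIGHTS: Dict[str, Callable] = {
    "messages_24h":    lambda v: -6 if v >= 1_000_000 else (-2 if v >= 100_000 else 0),
    "malware_c2_hits": lambda v: -min(4 * v, 8),   # seen as a malware phone-home address
    "bulletproof_asn": lambda v: -3 if v else 0,    # hosted by a "don't care" provider
    "clean_days":      lambda v: min(v // 90, 5),   # long record of legitimate traffic
}


@dataclass
class HostIntel:
    ip: str
    feeds: Dict[str, object] = field(default_factory=dict)  # empty == never seen


def reputation(host: HostIntel) -> Optional[int]:
    """Correlate all feeds into one score; None when no feed has seen the host."""
    if not host.feeds:
        return None
    total = sum(FEED_WEIGHTS[name](value) for name, value in host.feeds.items())
    return max(-10, min(10, total))


def verdict(host: HostIntel, block_at: int = -6, quarantine_at: int = 0) -> str:
    """Map the score onto an action. The thresholds are the operator's lever."""
    score = reputation(host)
    if score is None:
        return "quarantine"          # no history is itself a signal: hold and inspect
    if score <= block_at:
        return "block"
    if score < quarantine_at:
        return "quarantine"
    return "allow"


@dataclass
class DomainRecord:
    name: str
    registered: datetime
    registrant_country: str
    hosting_country: str
    dns_ttl_seconds: int


def domain_indicators(rec: DomainRecord, now: datetime) -> List[str]:
    """Indicators for a domain surfacing in hot search results (constructed rule)."""
    hits = []
    if now - rec.registered < timedelta(days=3):
        hits.append("registered less than 3 days ago")
    if rec.registrant_country != rec.hosting_country:
        hits.append(f"registered in {rec.registrant_country}, hosted in {rec.hosting_country}")
    if rec.dns_ttl_seconds < 30 * 60:
        hits.append(f"DNS TTL {rec.dns_ttl_seconds}s, under 30 minutes (fast-flux style)")
    return hits


def domain_alarm(rec: DomainRecord, now: datetime, min_indicators: int = 3) -> bool:
    """Ring the alarm only when the weak indicators stack up (assumed threshold)."""
    return len(domain_indicators(rec, now)) >= min_indicators


# Constructed sample data (RFC 5737 documentation addresses, .example domains).
SAMPLE_HOSTS = {
    "198.51.100.7": HostIntel("198.51.100.7", {"messages_24h": 1_200_000, "bulletproof_asn": True}),
    "203.0.113.9":  HostIntel("203.0.113.9", {"malware_c2_hits": 2}),   # reused zero-day C2
    "192.0.2.77":   HostIntel("192.0.2.77", {"messages_24h": 150_000}),  # borderline mailer
    "192.0.2.25":   HostIntel("192.0.2.25", {"clean_days": 400}),        # long clean record
    "192.0.2.200":  HostIntel("192.0.2.200"),                            # never seen
}
NOW = datetime(2010, 1, 15, tzinfo=timezone.utc)
HOT_SEARCH_RESULTS = [
    DomainRecord("breaking-whaler-video.example", NOW - timedelta(days=1), "CN", "UA", 600),
    DomainRecord("news.example", NOW - timedelta(days=4000), "AU", "AU", 86_400),
]

if __name__ == "__main__":
    for ip, host in SAMPLE_HOSTS.items():
        print(f"{ip:14} score={reputation(host)!s:>5} -> {verdict(host)}")
    for rec in HOT_SEARCH_RESULTS:
        print(rec.name, "ALARM" if domain_alarm(rec, NOW) else "ok", domain_indicators(rec, NOW))
```

The two knobs in `verdict` stand in for the user-chosen blocking point the article mentions: lowering `block_at` to -10 turns the mass mailer's -9 into a quarantine rather than a block, while the never-seen host is quarantined regardless of thresholds. The domain check deliberately needs several weak indicators at once, since a young registration or a short TTL alone is common for legitimate sites.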
