Blended threats, Blended complications
The Internet has become that much more dangerous in recent
months, with several attacks using the Web to launch and spread into the mainstream.
These sophisticated threats make use of more than one attack vector. By Dominic K
A blended threat is often referred to as a blended attack. Some people
refer to these attacks as combined attacks or mixed techniques.
A blended threat exploits one or more vulnerabilities as the main vector of
infection and may even perform additional network attacks such as denying services
through a Denial of Service (DoS) attack against other systems. The use of multiple
attack vectors increases the likelihood of successful infection and also makes
combating these threats more difficult.
The lethality parameters
Blended threats can be lethal. They scan for vulnerabilities in an enterprise
network, enter via e-mail attachments, shared file folders, wireless devices,
Web pages, laptops, telnet and other entry-points. Once in, they quickly replicate,
flooding and harming the network.
Such threats and attacks can enhance the severity of damage and speed of contagion
by combining various methods. An attack using a blended approach might send
a virus via an e-mail attachment, along with a Trojan horse embedded in a HTML
file that will damage the recipient computer. Blended threats combine the characteristics
of viruses, worms, Trojan horses, and malicious code with desktop, server, and
gateway vulnerabilities to initiate, transmit, and spread an attack.
By utilising multiple methods of attack and self-propagation, blended threats
can spread rapidly and cause widespread damage. In addition to short-term financial
loss, these disruptions can seriously damage an organisation's brand and
customer goodwill. Network security breaches can trigger expensive legal consequences
as well.
Such attacks usually attempt to infect networks using the techniques of a mass
e-mail virus and also by attempting to find vulnerabilities in software that
have not been plugged, to infect or attack an operating system or application.
Unravelling threat patterns
Blended threats can be any combination of attack and propagation
methods. Many spread as worms: programs that spread through vulnerabilities
in a network. Unlike true viruses, worms do not depend upon other applications
to work.
Network or security administrators may suspect a blended threat
attack if, after cleaning and blocking a particular vector, infections return. For
example, administrators determine that the initial infection arrived through peer-to-peer
(P2P) protocols, but even after closing that vector and cleaning the systems,
infections continue.
According to Richard Stiennon, CMO, Fortinet, "A blended
attack will come over multiple ports, such as SMTP or POP as well as HTTP. Sometimes
the only pattern is that the target is the same for each of the attacks."
"Initiating, transmitting or spreading an attack through
viruses, worms, Trojans and then exploiting vulnerabilities in a system is yet
another pattern," adds Sunil Manglore, CEO, Datacraft India. "Such attacks
have more than one payload, such as a backdoor installation, and then launch a
buffer overflow or a DoS attack on the system. This propagates through various
channels such as e-mail and file-sharing networks."
It is difficult to identify a blended threat because there is no single symptom
of the problem: the symptoms occur in different locations.
For example, if the enterprise has a solution from brand X at its gateway, an
anti-virus solution on each desktop and a network device from some other vendor,
then each device's administrator will have a view of only his part of
the problem, because each console deals only with its own specific part. This limits
the administrator's ability to detect the threat as a whole.
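The two symptoms described above, a single target hit over several vectors and a host that becomes infected again shortly after a cleanup, are both only visible when alerts from the separate consoles are put side by side. The following script, added here as an illustration and not part of the original article, does that correlation over a constructed set of alerts from a hypothetical mail gateway, desktop anti-virus and network IDS (hostnames, timestamps and event names are all made up):

```python
"""Correlate alerts from several independent security consoles by target host.

Added example, not from the article. The three feeds (mail gateway, desktop
anti-virus, network IDS) and every hostname, timestamp and event string below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (source console, timestamp, target host, vector, event)
SAMPLE_ALERTS = [
    ("mail-gateway", "2006-05-02 09:01:00", "ws-114", "smtp", "blocked attachment worm"),
    ("desktop-av",   "2006-05-02 09:04:00", "ws-114", "file", "detected trojan dropper"),
    ("desktop-av",   "2006-05-02 09:06:00", "ws-114", "file", "cleaned"),
    ("network-ids",  "2006-05-02 09:20:00", "ws-114", "http", "exploit download attempt"),
    ("desktop-av",   "2006-05-02 09:25:00", "ws-114", "file", "detected trojan dropper"),
    ("network-ids",  "2006-05-02 10:00:00", "srv-02", "p2p",  "p2p worm traffic"),
    ("desktop-av",   "2006-05-02 11:00:00", "ws-220", "file", "detected adware"),
    ("desktop-av",   "2006-05-02 11:05:00", "ws-220", "file", "cleaned"),
    ("desktop-av",   "2006-05-02 14:00:00", "ws-220", "file", "detected adware"),
]


def parse(alerts):
    """Parse timestamps and group alerts per target host, oldest first."""
    by_host = defaultdict(list)
    for source, ts, host, vector, event in alerts:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_host[host].append((stamp, source, vector, event))
    for host in by_host:
        by_host[host].sort()
    return by_host


def find_blended(alerts, window=timedelta(hours=1)):
    """Return {host: [reasons]} for hosts that show blended-attack symptoms.

    Symptom 1: the same target is reported over two or more distinct vectors
               (which usually also means by two or more separate consoles).
    Symptom 2: a 'detected' event follows a 'cleaned' event within `window`,
               i.e. the host was reinfected after the cleanup.
    """
    findings = {}
    for host, events in parse(alerts).items():
        reasons = []
        vectors = {vector for _, _, vector, _ in events}
        sources = {source for _, source, _, _ in events}
        if len(vectors) >= 2:
            reasons.append(
                f"multiple vectors: {sorted(vectors)} seen by {sorted(sources)}")
        cleaned_at = None
        for stamp, _source, _vector, event in events:
            if event == "cleaned":
                cleaned_at = stamp
            elif cleaned_at and event.startswith("detected") and stamp - cleaned_at <= window:
                minutes = int((stamp - cleaned_at).total_seconds() // 60)
                reasons.append(f"reinfected {minutes} min after cleanup")
                cleaned_at = None
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_blended(SAMPLE_ALERTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

In the sample data only ws-114 is flagged: it was seen over SMTP, a file detection and HTTP by three different consoles, and was detected again 19 minutes after being cleaned. ws-220 is also reinfected, but hours later and over a single vector, so it falls outside the one-hour window; the window and the vector threshold are the two knobs to tune against real alert volumes.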
Generation Next threats
Nowadays, viruses or other malicious programs are released within a few days
of any vulnerability being discovered. The gap has reduced to as little as one
day. Hence, the patching window gets smaller, within which the malicious program
exploits the system vulnerability and spreads rapidly.
Many Trojans and bots make use of blended threats to infect
and control infected systems. In 2006, backdoor Trojans and bots continued to
comprise a significant percentage of the malicious software detected by Microsoft,
and therefore remain a top threat to consumers and business.
Seemingly every day a new threat emerges, whether through Web attacks, spyware,
malicious mobile code, or phishing. A patching delay of even a few hours can have
a devastating impact, as such malicious programs have immense capability
to propagate and inflict damage. An organisation can be brought to its knees
in a few hours. The MyDoom malware family caused between $73.2 bn and $89.5
bn of damage worldwide.
- Like conventional viruses, blended threats can damage files, corrupt OS configurations, and overwhelm network resources. Common damage includes changing registry settings, injecting malicious code into OS executables, and adding scripts to HTML documents
- Blended threats can include routines that probe for known vulnerabilities, such as buffer overflows and the use of default passwords on predefined accounts
- Newer threats are making greater use of networks to maintain the malware after it has infected a system. Worms such as Fizzer connect to a Web site to download updates to the virus
- Blended threats might contain basic network utilities. As noted, the Fizzer virus has its own SMTP engine; the Lovsan virus has a built-in Trivial File Transfer Protocol (TFTP) utility
- They can plant Trojan horses that erase hard drives, steal data and launch denial-of-service (DoS) or distributed DoS attacks
- They can embed malicious code in HTML files to infect visitors to a Web site
- They can send unauthorised e-mails with worm attachments
- They can inject malicious code into a network's .exe files and alter security access levels
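Several of the damage types listed above (code injected into executables, scripts added to HTML documents, new binaries dropped) can be caught by comparing file hashes against a baseline taken on a known-clean system. The following script is an added example, not from the article; it runs over an in-memory stand-in for a filesystem (a dict of path to bytes) so that it needs no disk access, and every path and file body in it is constructed:

```python
"""Baseline-and-compare file integrity check for executables and HTML pages.

Added example, not from the article. The 'filesystem' is an in-memory dict so
the script runs offline; the paths and contents are constructed placeholders.
"""
import hashlib
import re

# Constructed clean baseline: two web pages and one executable
CLEAN = {
    "C:/Windows/system32/notepad.exe": b"MZ\x90\x00" + b"original-code" * 8,
    "C:/inetpub/wwwroot/index.html": b"<html><body><h1>Welcome</h1></body></html>",
    "C:/inetpub/wwwroot/about.html": b"<html><body>About us</body></html>",
}

# Constructed post-infection state: a section appended to the executable,
# a script tag added to index.html, and a new executable dropped
INFECTED = dict(CLEAN)
INFECTED["C:/Windows/system32/notepad.exe"] = CLEAN["C:/Windows/system32/notepad.exe"] + b"\x00APPENDED-SECTION"
INFECTED["C:/inetpub/wwwroot/index.html"] = CLEAN["C:/inetpub/wwwroot/index.html"].replace(
    b"</body>", b'<script src="http://placeholder.invalid/x.js"></script></body>')
INFECTED["C:/Windows/system32/dropped.exe"] = b"MZ\x90\x00" + b"unexpected" * 4

SCRIPT_RE = re.compile(rb"<script\b[^>]*>", re.IGNORECASE)


def snapshot(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline_digests, files):
    """Report files whose digest changed, files not in the baseline, and files gone."""
    current = snapshot(files)
    report = {"modified": [], "added": [], "missing": []}
    for path, digest in current.items():
        if path not in baseline_digests:
            report["added"].append(path)
        elif baseline_digests[path] != digest:
            report["modified"].append(path)
    report["missing"] = [p for p in baseline_digests if p not in current]
    return report


def html_script_delta(before, after):
    """Number of <script> tags present in `after` but not in `before`."""
    return len(SCRIPT_RE.findall(after)) - len(SCRIPT_RE.findall(before))


def audit(clean_files, current_files):
    """Full comparison; for modified HTML files also count newly added script tags."""
    report = compare(snapshot(clean_files), current_files)
    report["html_scripts_added"] = {
        path: html_script_delta(clean_files[path], current_files[path])
        for path in report["modified"]
        if path.lower().endswith((".html", ".htm"))
    }
    return report


if __name__ == "__main__":
    for key, value in audit(CLEAN, INFECTED).items():
        print(f"{key}: {value}")
```

In practice the baseline digests would be stored off the monitored host (a worm that can patch executables can also patch a local hash database), and the executable check is what catches appended or patched sections that a signature-based scanner has no entry for yet.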
Difficulties exposed
Blended threats strike with blinding speed. Unfortunately most enterprises are
unprepared to handle these. One of the main problems faced by enterprises is
that they cannot determine that they have been hit by a blended attack.
Many enterprises may not have internal expertise in managing complex blended
threats. If they do have services from system integrators, who have the required
expertise, they would still find it difficult to isolate and fix the problem.
The other issue is that solutions are usually purchased from more than one vendor
and it takes time to correlate and find the root cause of a problem and then
get back to the concerned vendor for support.
For example, in an organisation with multiple vendors, if there is a problem
with a desktop PC, the vendor might try to fix the desktop problem, and then
a problem might arise with the server. If the vendor who sold the security product
for the server is different from the one who sold the PC security tool, he would
disclaim responsibility. So, a lot of time is taken to fix the problem in a
blended attack. This is because there are multiple vendors involved in the organisation
and the entire procedure of trying to find solutions against multiple attacks
becomes quite cumbersome for a large organisation.
"SMBs would typically have neither the skills nor the resources to deal
with blended threats, because of the multiple attack vectors used. Larger companies
with MIS departments may also have difficulties repelling these threats because
it is often difficult to justify the added expense in security products when
they have already invested heavily in existing equipment," says Stiennon.
The worm propagation mechanism has the greatest impact on the health of a network.
The damage stems from a worm's intense network scanning, which consumes
end-system CPU resources and accessibility, network device processing cycles,
and network bandwidth. The rapid rate of infection and the aggressive scan
rate cause traffic congestion and network instability.
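The scanning behaviour described above has a simple network-level signature: one source contacting a large number of distinct destinations on the same port within a short time. The script below, an added example that is not part of the article, applies a sliding-window count of distinct destinations per source and port to a constructed set of flow records (the addresses, the port and the timing are all made up, and the record format is a hypothetical simplification of what a flow collector exports):

```python
"""Flag hosts whose outbound connections look like worm scanning.

Added example, not from the article. Flow records are constructed tuples
(timestamp, src_ip, dst_ip, dst_port, tcp_flags); the addresses, port and
timing are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2006, 5, 2, 14, 0, 0)
SAMPLE_FLOWS = []

# Constructed: 10.0.5.17 sweeps 10.0.6.1-120 on TCP 445 at two SYNs per second
for i in range(1, 121):
    SAMPLE_FLOWS.append((BASE + timedelta(seconds=i // 2), "10.0.5.17", f"10.0.6.{i}", 445, "S"))

# Constructed: ordinary file-server traffic, three clients talking to one server
for n, client in enumerate(["10.0.5.20", "10.0.5.21", "10.0.5.22"]):
    for j in range(5):
        SAMPLE_FLOWS.append((BASE + timedelta(seconds=10 * n + j), client, "10.0.7.5", 445, "SA"))


def scan_candidates(flows, window=timedelta(seconds=60), min_targets=50):
    """Return {(src_ip, dst_port): peak} for sources that reach at least
    `min_targets` distinct destinations on one port inside any `window`.

    `peak` is the largest number of distinct destinations seen in a window.
    """
    per_key = defaultdict(list)
    for stamp, src, dst, port, _flags in flows:
        per_key[(src, port)].append((stamp, dst))

    result = {}
    for key, events in per_key.items():
        events.sort()
        peak = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of `end`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            result[key] = peak
    return result


def scan_rate(flows, key):
    """Distinct destinations per second for one (src_ip, dst_port), over its whole span."""
    stamps = [s for s, src, _dst, port, _ in flows if (src, port) == key]
    dests = {d for _s, src, d, port, _ in flows if (src, port) == key}
    span = (max(stamps) - min(stamps)).total_seconds() or 1.0
    return len(dests) / span


if __name__ == "__main__":
    for key, peak in scan_candidates(SAMPLE_FLOWS).items():
        print(f"{key[0]} -> {peak} distinct hosts on port {key[1]}, "
              f"{scan_rate(SAMPLE_FLOWS, key):.1f} hosts/s")
```

The file-server clients each reach a single destination and never approach the threshold, while the sweeping host reaches 120 distinct destinations in one minute. Thresholds need adjusting per segment (a monitoring or backup server legitimately touches many hosts), and the same counter run on the SYN-only flag pattern separates failed probes from completed sessions.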
Prabhat Singh, Head India, Security Response Operations, Symantec says,
"Blended threats are more lethal and dangerous as they blend in rootkit
technology to hide on compromised machines. These threats are utilising spamming
techniques to spread faster and wider. The recent outbreak of Trojan.Peacomm
blended almost everything. It arrived on a machine via a spam mail or it could
be dropped by the mass mailing worm named W32.Mixor.Q. It had the ability to
install itself on a machine as a device driver and hide itself. This threat was
aimed at creating a hidden peer-to-peer network such that each compromised machine
is aware of its peers and such a network can be used effectively for various
destructive activities such as DoS and downloading new threats."
Use the latest tools
Today's products protect the network from end to end. Security manufacturers now
offer comprehensive, system-wide detection and reporting products that monitor
vulnerabilities, manage security policies and block threats before they enter.
This could be used in conjunction with advanced firewall software or appliances
to manage entry of remote workers via VPNs.
Seal unnecessary entry points
Discover where FTP, telnet and other potentially unneeded functions can be
removed, to further tighten security.
Change passwords regularly
Create a password policy for remote workers and enforce the same across the
enterprise. Strengthen the plan by requiring that employees change their VPN and
key application passwords routinely, every six months or so.
Update network software
Enterprises need to ensure that applications are patched for security and
upgraded as soon as updates become available. Or they can simply outsource
network maintenance.
Encourage common sense
Enterprises can instruct the employees not to open attachments unless they are
expecting them. That may be easier said than done, but the results will save the
IT staff some headache.
Framing a response
Websense Security Labs informs that the number of phishing incidents, on average,
has been about three to six every day. In the current year, Voice-over-Internet-Protocol
(VoIP) phishing has become the latest phenomenon. Blogs, personal Web hosting
and social networking sites are also being utilised to host exploits, phishing,
and fraud.
Cyber-criminals continue to use innovative social engineering techniques to
further their exploits. Of the sites designed to steal credentials, almost 15
percent are derived from toolkits, an emerging tactic from the hacker community.
According to the Websense Security Labs H1 trends report,
a 100 percent increase has been noted in sites designed to install key loggers,
screen scrapers and other forms of crimeware. Conversely, Websense has seen
more than a 60 percent drop in Web sites designed merely to change user preferences,
such as browser settings.
Singh says, "In the first half of 2006, we have seen malicious code become
more covert, less recognisable, and motivated more than ever by economic gain.
Not only has code become more sophisticated, but the infrastructure supporting
its creation and spread has also become more complex. Cyber-criminals are now
more creative, organised and business savvy."
- Money-motivated attacks such as banking Trojans which steal a user's identity to access his bank account
- Denial of service (DoS) attacks to extort money from e-commerce Web sites
- Attacks delivered via MMS that cause cell phone accounts to be charged
- Internal threats from employees and trading partners. In fact, most of the security breaches emanate from internal business networks
- Interconnected networks with no clear boundaries. As boundaries between networks disappear in order to connect partners and suppliers, multiple vulnerability points are introduced
- Security for Web services has been problematic and difficult to standardise and enforce across organisational boundaries, leaving enterprise network boundaries porous and permeable
- Growing use of personal applications such as Web-based e-mail, instant messaging, and peer-to-peer applications provides multiple points of entry for viruses, worms, and other attacks and provides a readily accessible means of disseminating proprietary and confidential information
- Phishing and pharming attacks: New schemes for Internet-based fraud are difficult to stop, and they pose the risk of identity theft to unsuspecting customers and employees
- Spyware on the rise. Two-thirds of computers are infected with spyware
- Spam and spim: Unsolicited e-mail (spam) accounts for more than half of e-mail traffic, costing businesses billions per year. Instant messaging spam (spim) is also on a major rise
Striking back
Even with a diligent IT staff, enterprises may need to take a closer look at
network security. There are several reasons why a network may become vulnerable.
Over time, employees may inadvertently create vulnerabilities. Remote workers
access the network via laptops and PDAs, which can create potential security
breaches if their entry via a virtual private network (VPN) isn't fully
protected.
Temporary employees and outside consultants who access the network and lack
familiarity with security procedures may also leave ports unsecured. Traditional
security approaches have become outdated. Anti-virus measures alone cannot
stop blended threats, because these threats can enter via numerous insecure
ports and spread so quickly that an anti-virus application cannot be updated
in time to contain the threat. In some cases, the blended threat infection rate
is hundreds of PCs per second.
Firewall software can be configured to prevent certain types of attacks from
happening in the first place provided it is fine tuned and monitored regularly.
Worms and viruses will continue to be successful as long as computing resources
have security vulnerabilities that can be exploited. To protect itself, an enterprise
must implement a comprehensive, multilayered, enterprise-wide security strategy
that protects against both known and unknown outbreaks, simultaneously.
No single product can protect an organisation from an outbreak. Prevention measures
must be a part of a comprehensive strategy that is properly implemented across
the enterprise to create a complete line of defence.
This strategy must include a combination of solutions and processes, as a part
of an established security policy that mitigates the impact of an outbreak if
an unknown worm or virus does manage to get inside the organisation. Although
most enterprises have put a security policy in place, more discipline is needed
to ensure that these policies are updated on a regular basis based on the company's
needs, the current environment and threats.
Equally important is for employees of respective organisations to strictly adhere
to and follow the company's security policy. Finally, the enterprise IT
architects such as CSOs, CIOs and CTOs must manage and mitigate security and
privacy related risks that dramatically affect their profitability, corporate
governance and compliance imperatives. From simple yet insidious to complex
and pervasive, these security challenges threaten to overwhelm business boundaries
and protection mechanisms, thus requiring an increasing share of management
attention and IT resources.