In the past ten years, the face of information security has changed dramatically, from fending off e-mail viruses to dealing with blended threats that spread across the globe in minutes. According to the March 2004 Internet Security Threat Report, blended threats accounted for 54 per cent of the top 10 malicious code threats submitted to Symantec Security Response for the last half of 2003.
Our society has reached an inflection point where the latest threats now spread faster than organizations can respond. Malicious code has evolved from slow-spreading program viruses to ultra-fast spreading flash worms, making traditional security protection inadequate.
Consider the impact of Blaster, Welchia, Sobig.F and Dumaru, four of the blended threats that spread rapidly over the past year. And more recently, MyDoom, which at its peak infected one out of every 12 emails sent.
The current reactive signature-based paradigm for protection is no longer effective in today’s threat environment, where the speed of propagation is minutes or seconds instead of days. Many would think it absurd if you told them that your strategy was to chase after a speeding bullet with a magnet. However, this is essentially the current security model for stopping fast-spreading worms and blended threats. Security experts must wait until the worm is already spreading, then write a signature and hope they get it out fast enough. This scenario equates to chasing after a bullet in order to stop it.
So how will technology evolve to meet the escalating challenges of information security? Four new technologies, including behaviour blocking, protocol anomaly protection, virus throttling and generic exploit blocking, will change the way organizations protect against Internet security threats.
Considering that at the end of 2003 there were more than 140,000 total known network intrusion attempts and nearly 900 million malicious code infection attempts, these new technologies must be deployed if we are to protect our businesses and critical infrastructure from the complex threats proliferating on the Internet.
Evolution of the threat landscape
Security companies have worked hard to drastically improve their response time on new threats from what used to be days or weeks, to hours. Even with the addition of automation, however, the fastest worms now spread much faster than security companies can respond with traditional fingerprints. Nevertheless, fingerprints will continue to be important for known attacks since they can uniquely identify attacks by name, which simplifies incident management processes.
Many of the fastest-spreading threats exploit known vulnerabilities or “holes” in the operating system which have been publicly announced. The time between the announcement of a known vulnerability and the release of a threat targeting that vulnerability is also diminishing. For example, the Blaster threat was released just 26 days after the associated vulnerability was announced, the shortest such time period witnessed to date.
As the time needed to exploit holes shrinks, and the propagation speed of the threats themselves increases, the industry’s ability to respond will only become more difficult.
Stopping the bullet: A proactive approach
So other than the absurd approach of using a magnet, how do you stop a speeding bullet? Proactive measures, such as a bulletproof vest, or installing a gunlock so that the bullet is never even able to leave the chamber of the gun, are logical options. Another is employing a defence that prevents the attacker from knowing where to fire the bullet.
Security experts absolutely must deploy proactive technologies on clients, servers, and throughout the network fabric. Here are four that are emerging as effective solutions.
Behavior Blocking: Behavior blocking stops malicious operations in real-time, much like prescription drugs stop viral infections. Antiviral medications work by blocking the exposed point on either the human cell or virus, preventing it from connecting to the cell and injecting the malicious genes. Analogously, behavior blocking technology blocks key system application program interfaces (APIs) that an Internet threat needs to use in order to spread and survive. Without these APIs, the lifecycle of the threat is disrupted. Many antivirus solutions have this blocking capability today and have stopped dozens of fast-spreading worms, including the recent Sobig and Norvarg/Mydoom threats.
Protocol Anomaly Protection: Protocol anomaly protection intercepts data streams at the gateway and on hosts, forwarding only data that meets accepted Internet standards. Borrowing an analogy from the physical world, consider an airline that has strict size standards for all carry-on luggage. A bag can only pass through the security checkpoint if it meets the specified standards.
Protocol anomaly protection attempts to stop threats before they can ever infect a machine and cause damage, much like providing a front-line shield against a speeding bullet. All network communication is intercepted, ensuring that all data flowing through an organization’s devices meets widely accepted Internet standards. Code Red, Slammer, and Blaster could have all been stopped with protocol anomaly protection technology.
Virus Throttling: Virus throttling, a technique developed by researchers at Hewlett Packard, works to limit the number of new connections a PC can make per second to computers that it hasn’t talked with before. This strategy can dramatically slow down the speeding bullet.
Most computers have a very small group of computers with which they regularly interact. With virus throttling, all connections to machines that are already part of the circle of regularly used machines are able to go through without delay, but connections to new computers are rate-limited. In its normal form, Nimda established between 300 and 400 new connections per second. Blaster sent 850 packets per second. If appropriately rate limited, those same threats would not be able to send more than, say, one packet per second, radically slowing down the propagation of these threats.
Generic Exploit Blocking: Generic Exploit Blocking provides another proactive shield against the speeding bullet. This technique attempts to protect a new vulnerability against any future attack. Generic exploit blocking can be compared to a padlock and key. Each lock has a set of internal pins that limit the shape of key that can open it. Similarly, when a new vulnerability is discovered, researchers can characterize its “shape”. They can describe the specific stream of data that must be sent over the network to the vulnerable computer to have any chance of exploiting the vulnerability. Once we have such a characterization, we can produce a signature for this shape that can detect and block any attack that has this telltale shape.
Generic exploit blocking is also referred to as “generic patching” because the technology provides protection against new vulnerabilities without requiring users to immediately deploy software patches. This buys time for users to roll out patches according to their normal schedule in accordance with their change control process, without having to worry about the next big threat. The result? No panic, no patching in the middle of the night, and no costly clean up after the fact.
Proactive defences are needed today
The Symantec Internet Security Threat Report found that financial services, healthcare, and power and energy – the same industries that provide our society’s critical services – were among the hardest hit by the most destructive and widespread Internet threats of 2003. Proactive Internet security solutions are needed to effectively protect our businesses, government, and critical infrastructures against the millions of threats spreading through computing networks today.
While not without their unique challenges, the four proactive technologies discussed in this article can provide effective, proactive protection against the proliferation of complex Internet security threats. Private industry, universities, and the government must all work together to build and deploy next-generation Internet security technologies. With all the sectors working together, we can increase our defence mechanisms to win the battle against these devastating threats.
Rob Clyde is Chief Technology Officer for security firm Symantec Corporation.