2008 DOI: Day 5 - Night of the Internet Dead

2007 Incite: You (Mal)ware it well
The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

2008 Incite: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to exponentially multiply. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.


Zombie Break Glass

Last year’s malware Incite was about integration, and that has largely come to pass – so I ended up consolidating that topic with the perimeter Incite since both functions are no longer “best of breed” types of functions.

This year I want to focus on the inevitability of compromise. I don’t mean you’ll work out your issues more cordially with your significant other this year. I mean the fact that your users will do something stupid and thus they will get 0wned and that means your environment will be compromised.

Nowadays, it’s just too easy to get nailed. The users don’t have to do anything. The bad guys are now installing drive-by downloads on LEGITIMATE sites. Let me go over that again. The bad guys compromise a legitimate server and have it download a Rootkit or Trojan to all the visitors. It happened to an ISP a couple of weeks ago.

There is no defense against this. Training your users isn’t going to help, since they are going to a legitimate site. But it gets better. Now the bad guys may be specifically targeting YOU or someone in your organization. That’s right. They know your name. They know your email and they want to get something from you. It’s a lot more likely if you are a “C”-level something for a big company or in the news or something like that.

But all the same, this level of targeting is unprecedented.

Since I’m no mathematician (sorry Mr. Calabrese, I probably should have paid better attention in 11th grade), let me do the calculus. Users get nailed going to sites they trust and the bad guys are now specifically targeting them. Crap. What the hell do we do now?

You know what’s coming don’t you? That’s right, you need to REACT FASTER. For long time Incite readers, this is a predictable outcome. I’ve never been one to say that you can “get ahead of the threat.” The best you can do is to make sure you figure out you’ve been compromised before there is too much damage.

Yes, it’s all about containment and incident response. Though we shouldn’t get the cart ahead of the horse here. First we need to know something is wrong. We do that by monitoring. So do yourself a favor and get Bejtlich’s book on network security monitoring. That is the bible of how to do this.

I believe that this is a function that needs to be integrated into the security management platform. I talked in the Best of Breed DOA Incite that security management will undergo a fundamental shift towards an integrated platform mentality. Monitoring logs, Netflow, and other stuff (like database logs, applications, transactions) is critical to figure out what you should be focusing on.

Unless you are the one in a million that has so many security resources and budget that you get through your list every day – you need to prioritize. How do you prioritize your activities? By investigating the stuff that looks fishy, and you find that stuff via monitoring.
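As an added illustration of the “monitor, then prioritize” argument above (example code, not from the original Incite or from any product it mentions), here is a toy script that ranks internal hosts from constructed NetFlow-style records by how regularly they check in with a single outside address, the kind of fishy pattern a zombie reporting to a bot network tends to show. The 10/8 “inside” range, the scoring thresholds and every flow record are assumptions made for the example.

```python
# Added example: rank internal hosts by zombie-like beaconing using
# NetFlow-style records. All records below are constructed, not captured.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_seconds, src_ip, dst_ip, bytes_out)
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.9", 420), (300, "10.0.0.5", "203.0.113.9", 418),
    (600,  "10.0.0.5", "203.0.113.9", 425), (900, "10.0.0.5", "203.0.113.9", 419),
    (1200, "10.0.0.5", "203.0.113.9", 421),
    (10,   "10.0.0.7", "198.51.100.2", 9000), (95, "10.0.0.7", "198.51.100.3", 1200),
    (400,  "10.0.0.7", "198.51.100.4", 55000), (990, "10.0.0.7", "198.51.100.2", 300),
    (50,   "10.0.0.9", "198.51.100.2", 700),
]

def is_internal(ip):
    # Assumption for this example: the 10/8 range is "inside".
    return ip.startswith("10.")

def beacon_score(timestamps):
    """Return a 0..1 regularity score; 1.0 means perfectly periodic check-ins.
    Fewer than four flows to the same destination is too little to judge."""
    if len(timestamps) < 4:
        return 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return 0.0
    # Coefficient of variation of the gaps: low variation means a regular beacon.
    return max(0.0, 1.0 - pstdev(gaps) / avg)

def prioritize(flows):
    """Rank internal hosts: most regular beacon to any single external
    destination first, then most distinct external destinations."""
    per_pair = defaultdict(list)
    for ts, src, dst, _ in sorted(flows):
        if is_internal(src) and not is_internal(dst):
            per_pair[(src, dst)].append(ts)
    hosts = defaultdict(lambda: {"beacon": 0.0, "dsts": 0})
    for (src, dst), stamps in per_pair.items():
        hosts[src]["beacon"] = max(hosts[src]["beacon"], beacon_score(stamps))
        hosts[src]["dsts"] += 1
    return sorted(hosts.items(), key=lambda kv: (-kv[1]["beacon"], -kv[1]["dsts"]))

if __name__ == "__main__":
    for host, info in prioritize(FLOWS):
        print(f"{host}: beacon={info['beacon']:.2f} external_dsts={info['dsts']}")
```

The host that phones home every 300 seconds lands at the top of the list; a real deployment would feed this from a flow collector and tune the minimum flow count and score cutoff to the environment.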

Here is some math even I understand: Monitor aggressively + REACT FASTER = Live to fight another day.

Photo credit: Drunken_Monkey

Submitted by Ilya Rabinovich (not verified) on Fri, 2008-03-07 12:59.

Hi!


There is a strong, easy to use defense against Drive-by-download malware (and even against malware that users run themselves via e-mail attachments) - it is a different kind of sandbox HIPS solutions, they are available on the market for a long time, I'm really surprised you have missed it!
