Domain: intrinsicsecurity.com
Stories and comments across the archive that link to intrinsicsecurity.com.
Comments · 9
-
exposing == alienating potential clients?My company, Intrinsic Security generates as an artifact of product testing a certain amount of data about botnet and worm infestations on company and government networks. I have always tought that these kinds of public exposures would scare off clients, not only the companies named, but many other companies that would lose respect for a security company publically shaming potential clients. I definitely understand the frustation mentioned in the summary, as many people in IT consider themselves to be malware experts and they always think they have "solved" the "problem" by applying the latest antivirus definitions or tweaking their IDS rules. Most IT managers don't seem to really quite understand that the typical malware today is a radically different threat than they were five years ago. Keystroke logging is routine now, a drop-in module for malware authors.
Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?- 174 private corporations and government agencies
- 48 schools & universities
- 118 telecom companies (these are partly home DSL / cable modem circuits, partly private companies where the ARIN records are not delegated but rather managed by the ISP)
-
AntiVirus scare tactics: why the FUD keeps coming
The reason the AntiVirus vendors keep producing this kind of inflamatory FUD is because it works.
Every time an AntiVirus company issues a fear mongering white paper, press release, or paid article placement in a magazine they get explosive coverage, dozens or hundreds of free articles written about them or their topic of interest, nearly all with links back to their original article. Within limits, bad publicity is publicity and publicity is good.
Meanwhile, companies like mine that are building next-generation network security systems (shameless link to Intrinsic Security AntiWorm) and who try to be good network citizens must work a thousand times harder for links back to our web sites, don't get slashdot stories about us, don't get bazillions of blog entries linking back to us.
Mine is not the only company that suffers this problem. Every time a story by one of these highly bogus AntiVirus FUD spreading companies ticks you off, you should include at the end of your rant about it in your blog a few links to non-bogus internet security companies. We would greatly appreciate it.
Honestly, there are days when I feel like whipping up a FUD press release or scare mongering white paper. It would be easier than taking the publicity high road. -
Innovation may rescue the Windows monoculture
"The software-based solution is using a real OS."
Windows won't be going away any time soon, so there will remain plenty of worm fodder. I am surprised by the number of relatively unsophisticated home users who are switching to Mac OS X or Linux as a result of adware, spyware, and worms, but I haven't seen the same switcher phenomenon occurring in corporations.
Besides, worms probably wouldn't go away even if Windows did. Although conventional wisdom says that a large pool of exploitable systems is required for successful worm propagation, that's not true, demonstrated by the Witty Worm's exploitation of a very small population of vulnerable systems. Although they are not as common, worms have exploited other, non-Windows systems and application software, and certainly buffer overflow exploits are discovered periodically in such systems. Granted, the UNIX architecture makes worm exploitation of application software less likely to result in super-user access, but routers, DNS servers, and others remain vulnerable to the extent that they contain worm-able security defects -- and clearly many do.
Worms are getting more sophisticated all the time. From the starting point of their current capabilities, worms and botnets could easily be extended to automatically harvest particular types of data from particular companies or government agencies, using the chaos of a massive worm outbreak for cover. Their ability to receive arbitrary commands from remote attackers over IRC control channels means that they may already be in use for this purpose.
My company specializes in antiworm technology and consulting. The FireBreak AntiWorm system impedes worm propagation without interfering with normal network operations -- including bit torrent.
There is a tremendous amount of innovation going in in the software security area lately, driven by the relatively recent realization among large corporations that they must now spend money on worm prevention, containment, and recovery if they want their heavy investment in the Windows monoculture to survive.
Opting out of the monoculture simply isn't feasible for most large corporations at this point. It's not just the cost of the desktop PC -- if that's all it was, a bunch of them would have switched en masse to Mac OS X Tiger when it came out. The applications, the developers who write them, the help-desk workers, the system administrators, the managers, the employees -- at this point all they know is Windows.
Switching a desktop is so hard for a large company, that the survival of the Windows monoculture is virtually assured for about as long as one can predict anything in the IT world (5 years, I'm told). The the problems that come with it will be creating market opportunities for a long while to come. -
Too Much Joy
I think you have hit the nail on the head here.
Reverse engineering malware is so much fun, and appeals to techie and tech-savvy manager types so much that it has been a terrific and terrible distraction. I've seen the effect firsthand -- companies waste precious limited mitigation and response talent and time trying to analyze malware when they should be taking immediate action to contain the spread of a worm.
Corporations and government agencies have been so thoroughly trained by the AntiVirus industry that they have a hard time coping in an age of the zero day worm, flash worm, or even the boring ordinary retread worm with 800 variants that do different things and propagate through a dozen different old defects. In fact, in the last year it's become clear that worms targeting many old defects can spread widely, slipping in under the radar of AntiVirus definitions with dozens of daily variants. (It's hard to patch a large network, and the industry hasn't woke up to the fact that it's also hard to keep it patched.)
What does it matter, which of the 800 strains of Spybot or Rxbot is smacking your PC's around? Well, if it were possible to quickly assess exactly what a given strain might do on a computer, it might be. But typically it's not possible.
In fact, it's gotten to the point where the AntiVirus vendors themselves have all but given up on detailed analysis of the many variants emerging each hour. Sometimes critical features of a strain (what ports does it probe, etc.) are missing entirely from the public analysis of the strain for weeks after it was first detected. Sometimes one vendor will describe a feature while others don't. Obvious cut-and-paste errors in the analysis of major vendors can also be observed, if one pays close attention.
The AntiVirus industry can't keep up the analysis of every minor strain, but they do continue the practice because it's a proven effective strategy for keeping mindshare. To their credit, they do a pretty reasonable job of rapid analysis and signature development on quite a few variants every day. Unfortunately, the stakes are pretty high and getting higher.
The bottom line for big networks: focus on prevention and containment. Cleanup is very costly, so do your own analysis if you must, but don't let it delay or sap resources from containment efforts when a worm hits. Other damages might be mounting while the mitigation effort stalls out because an incident response team is bogged down trying to answer the question: "Does the variant that hit your network today have a keystroke logger?"
With several variants of various worms released each day, are you *sure* that you've been hit with only one variant?
Even if you think you are sure, in fact, you typically can't be sure quickly enough. Well staffed, well funded, and highly experienced labs at the major AntiVirus vendors can't keep up with detailed analysis of the zillions of variants. Neither can the overburdened IT staffs of the world. They need to stop trying.
Disclaimer: As the founder of Intrinsic Security I am clearly convinced enough in the limitations of the AntiVirus approach that I started a company and developed an alternative (complementary) approach. All of my opinions, well reasoned and otherwise, are my own, although they may be shared by others. -
Correct, but can be managed for some techniques
Yes, this is a potentially serious issue with any of the active countermeasures. Even simple intrusion suppression techniques like honeypots can fall victim to this kind of redirect attack if exposed directly on the internet.
Fortunately these types of attacks can be detected and modulated. With respect to certain antiworm systems based on honeypot techniques I can safely say that these problems are not insurmountable. -
Re:work work work...
" And this "Something" would be what exactly?? Some mythical piece of software that has not and could never be created."
A little googling turns this amongst others.
So yes there are products out there to prevent this kind of thing. -
The most unsettling thing...
This is really starting to smack of organized crime. A friend of mine forwarded an article to me on this last night.
If you are an end user who just wants to use your computer, it may be time to look at getting a Mac. The bar for information security in the face of this level of organization is getting too tall for your average end user.
If you are in an enterprise situation and have a usage policy that allows users to use corporate equipment for personal banking on breaks, you may want to reconsider that policy.
Oftentimes, computer usage is negotiated by labor unions and you cannot simply change computer use policy out from underneath users. In this case, I wonder what the legal responsibilities of the company are to exercise due dilligence in protecting its end users?
If you haven't already done so, it's time for a lesson in defense in depth. That means IDS, IPS, Firewalls, Antivirus, Spam blockers, AV web proxies, etc. And because perimeter defense is all but a quaint memory in today's more agressive world, you may want to look at host-based firewalls and other AntiWorm systems.
Good luck. We all need it.
-Peter -
Other visualization tools
If people are interested in another take on worm propagation monitoring and containment, have a look at http://www.intrinsicsecurity.com/.
Disclaimer: I did some work with the folks there in past, and they are pretty sharp.
-
Man, this sounds familiar..
As it happens, a friend of mine, (former boss) happens to be doing something very much along these lines.
-jcr