using conventional arguments, so the difficult question facing Western allies is how to subvert these Bluetooth narrowcasts. Unconfirmed reports suggest that Western soldiers have been deploying Bluetooth signal jammers that block the control channels in the 2400-2480MHz waveband. The reality, however, is that without mesh-like coverage in a given area, the effectiveness of this type of jamming is limited, especially given the fact that this approach blocks all types of Bluetooth broadcasts, and not just the FJA al-Qaeda transmissions. In theory, because of the packet-driven nature of the Bluetooth piconets, it should be possible to narrowcast a version of a given FJA magazine that has malformed packets or headers. This would mean that, although the Bluetooth transmission would checksum and ACK/NAK as normal, when recipients try to view the magazine on their smartphones, the data would appear jumbled. In the longer term, given the firmware-updatable nature of modern smartphones, it should be possible to allocate MAC-like identification routines within Bluetooth packet headers – perhaps derived from the International Mobile Subscriber Identity (IMSI) of the smartphone’s SIM card and/or the International Mobile Equipment Identity (IMEI) of the smartphone itself. With most GSM and 3G networks now allowing only local SIM cards that have been identity-verified to use their networks, even if al-Qaeda uses stolen or reprogrammed smartphones to seed the community with their jihadist narrowcasts, anyone receiving an e-magazine could trace the narrowcast back along its chain of transmission. At the very least, this would allow the intelligence agencies to cross-match the re-transmitters of the al-Qaeda Bluetooth transmissions with a list of known terrorists and, perhaps more importantly, identify probable supporters. In fact, since most cellcos now maintain active lists of the registration details of their pre-pay SIM cards, it is possible to cross-match the SIM cards of the re-transmitting smartphones and the time of the re-transmission with the triangulated location of the mobile at the time of the Bluetooth narrowcast. Through careful extrapolation of the available data, it then becomes possible to work out the probable location of the Class 1 Bluetooth al-Qaeda originator of a given e-magazine, and take action accordingly.
About the author
Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.
Beyond zero: analysing threat trends
Will Gragido, HP TippingPoint DVLabs
In today’s world of sophisticated and escalating cyber-attacks against vulnerable data, we have entered new and dangerous ground within the Internet threat landscape. In tracing the history of threats over the past decade, we saw a sharp rise in ‘classic’ threats between 2000 and 2005, which targeted systems that were widely distributed across networks – such as the Microsoft Windows operating system. More sophisticated threats emerged in 2005 and 2006, indicating another level of danger. And in 2008, with the advent of the Conficker worm, there appeared to be a resurgence of the ‘classic’ threat. In fact, Conficker was anything but ordinary or classic – it spread rapidly as variants were released into the mainstream.
Network Security, July 2011
Figure 1: Overall vulnerability disclosure, 2000-2010.
Figure 2: HTTP client-side attacks by month during sample period.
Following the introduction of the Conficker worm, a dramatic increase in web application vulnerabilities was seen, lasting well into 2010. Research released by HP TippingPoint’s Digital Vaccine Labs (DVLabs) in September 2010 indicated that attacks associated with web application vulnerabilities surpass all other categories in volume.1 These attacks are expected to escalate and remain at the forefront of threat activity. Conversely, more conventional attacks, such as those targeting standard operating systems, will continue to decline. Figure 1 is a graphical representation of vulnerability disclosure from 2000 through to 2010. It is important to note the impact of vulnerable web applications, particularly from 2006 through 2008, and the decline in vulnerability disclosure from 2008 through 2010. Despite the overall decline in disclosed vulnerabilities, the research confirms that the majority of activity and vulnerabilities were related to web-based applications. Last year was a significant year for cyber-threats as they demonstrated greater sophistication. The report indicates that the proliferation of technology (and its availability in previously untouched markets), along with simple, rapid accessibility, has an unprecedented negative impact on the state of security globally. The research, data collection and findings produced four key points:
• The availability and consumption of enterprise computing technologies is growing, leading to the emergence of more sophisticated, next-generation threats.
• Web applications remain at the forefront of exploit activity.
• The sophistication and organisation of cyber-attacks is increasing.
• Legacy threats remain an unrelenting element of the modern Internet threat landscape and are experiencing a resurgence.
Figure 3: HTTP server-side attacks by month during sampling period.
Next-generation threats
The research also reflected the impact of enterprise-grade computing technologies on the emergence of next-generation threats. Most significantly, threat capabilities were influenced directly by the availability and consumption of these technologies in modern enterprise environments. Web 2.0 technologies such as Facebook, Twitter, Wordpress and iTunes are increasingly leveraged for business today. They help promote brand awareness and collaboration, and enable organisations to adapt to a changing global business marketplace. However, these technologies also play a large role in enabling cyber-threats to successfully exploit individuals and enterprises. As a result, enterprise security teams and risk officers are challenged to efficiently mitigate these risks without disrupting business operations. The DVLabs research shows that many organisations do not want to expose their companies to greater risk merely on the basis of a business value justification. The research also noted a general lack of security diligence in the management and enablement of Web 2.0 applications whose security state is questionable. This trend is dangerous to any organisation, especially given the range and types of threats to enterprise environments.
Web applications at the forefront
Throughout the DVLabs research efforts, web applications remained a strong focus and at the forefront of exploit activity. Specifically, the research noted a rise in professionally crafted exploit kits with a money-back guarantee designed to capitalise on the weaknesses present in web applications and architectures. Figure 2 provides insight into the number of client-side HTTP attacks during the first six months of 2010, most of which were malicious JavaScript and file-format attacks. Figure 3 provides similar insight into the number of server-side HTTP attacks, primarily cross-site scripting, SQL injection and PHP RFI.
Research shows that attacks launched against web servers outnumber those launched against clients by a ratio of 50:1. This suggests that the rate, frequency and unstructured approach of attacks against web servers are all escalating. Although many attacks fail, the force-multiplier approach demonstrates attackers’ persistence in establishing a qualified compromise. Research indicated that attackers were more concerned with creating a data exfiltration point or planting malicious code than with seeking ‘shell’ or ‘root’. Low-volume sites were also targeted by attackers to introduce malicious code in a variety of forms. As a result, attackers had greater control over sites to which they could direct unsuspecting victims with the intent of further exploitation.
Increasing sophistication and organisation
One of the more alarming trends in the past six months is the growing sophistication of attacks as they evolve to be more organised, subversive and inconspicuous. This trend is by design rather than chance. Many attacks are so subtle that few victims recognise the intrusion until it is too late. Recent research suggests it is more common now for attackers to remain resident within a compromised enterprise environment for extended periods of time, harvesting information to develop new mechanisms for attack. Once the information needed is in hand, the attackers have the ability to develop and launch covert exploits that will have a more significant impact.
While preparing the report, researchers invested time in the identification, tracking and analysis of trends within the threat landscape. Equal time was spent on an advanced technical analysis of Adobe’s Portable Document Format (PDF). As previously noted, malicious file formats play a major role in many modern, client-based attacks. HP research indicated that Adobe’s overall patch speed, compared with other third-party applications, is consistent, yet slow. The report also determined that Adobe Reader v9 performs better than older versions such as v7 and v8. In reviewing the data sets relevant to v9 separately from v7 and v8, the vulnerability patch life cycle was found to be equivalent to that of Microsoft’s patch cycle – approximately 15 days.
Protection against current and emerging threats
The DVLabs research shines a light on new areas of concern and emerging threat trends. DVLabs' team, in connection with the SANS Institute, has developed a best practice guide to aid enterprise organisations in mitigating current and emerging threats:
1. Know your software/application inventory. This provides a deeper perspective of what is currently active in your enterprise footprint and enables you to better plan for remediation of unauthorised applications.
2. Ensure your organisation is supported by a defined and mature configuration-management process. If not, you may be opening your company to unnecessary risk.
3. Understand the security requirements associated with moving to a cloud computing model. As DVLabs research suggests that moving to the cloud can introduce certain vulnerabilities, a thorough risk assessment should be performed to ensure safe cloud utilisation.
4. Make sure your web application developers remain current. This will enable you to reduce or eliminate the net effect of many threats. Don’t assume that the behaviour or anticipated behaviour of an application will align with a given language or design scheme. Encouraging adherence to a sound Software Delivery Life Cycle (SDLC) and other application security standards of good practice, such as the RUGGED software security model, will yield positive results.
5. Educate your end users. Instances of Cross-Site Request Forgery (CSRF) are high and will continue to grow. A clear understanding of the proper way to log off privileged (authentication-driven) websites prior to engaging other websites can pay significant dividends. Enterprises that take the time to invest in security-awareness programmes reap long-term benefits.
6. Invest in efficient patch management. Systems kept up to date with the latest security patches are more likely to be resistant to attacks.
7. Remain vigilant in the ongoing maintenance, monitoring and analysis of your enterprise environment. This includes the systems, people and processes needed to safeguard your organisation.
About the author
Will Gragido is the product line manager for HP DVLabs with oversight over various DV-related services and other DVLabs projects. He has expertise in operations, vulnerability and threat analysis, management, professional services and consultancy, pre-sales/architecture and business development within the information security industry. Prior to joining HP, he held various positions at McAfee, Internet Security Systems, International Network Services and the United States Marine Corps. Gragido is a long-standing member of (ISC)2, ISACA, and ISSA. He holds CISSP and CISA certifications, as well as accreditations in the National Security Agency’s Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM).
References
1. ‘2010 Top Cyber Security Risks Report’. HP TippingPoint DVLabs, September 2010. Accessed May 2011.