Monday, February 13, 2012

Back to Square One: Reflecting on Cuckoo’s Egg and Advanced Persistent Threats in 2011

Back in 1986, Clifford Stoll, a system administrator at Lawrence Berkeley National Laboratory in California, uncovered a high-profile hacking incident based on a US$0.75 accounting error in the systems’ computer usage. From this seemingly tiny accounting discrepancy, Stoll traced the incident to a hacker that was selling information about the US Strategic Defense Initiative (SDI) to the KGB.

This story, documented in Stoll’s “Cuckoo’s Egg” book, could not be more relevant today. Recent high-profile cyber-security incidents in 2010 and 2011 have embarrassed the security industry, frustrated end users and highlighted fundamental weaknesses in the existing security posture. Firewalls, intrusion detection, anti-virus and other technologies have all been shown to be ineffective against Stuxnet-like advanced persistent threats, LOIC-like application-level denial-of-service, and WikiLeaks-like exfiltration incidents. It has become clear that future threats are likely to be similar: they will not expose themselves through previously known exploitation vectors that are amenable to signature-based detection, they may lack the measurable network-layer features typically used for detecting denial-of-service attacks, and they may not have the clear attributes that current systems depend upon to distinguish between permissible and non-permissible actions.

Reflecting on these issues, it becomes clear that modern threats cannot be identified in the “black & white” fashion used today. Rather, there is a broader underlying spectrum with various shades of grey when it comes to network behaviour, and users would need to place every action along this spectrum and evaluate its risk profile. However, success with anomaly-based detection in cyber-security has so far been limited. We argue that a key missing piece to make this work is full accountability. With endpoint protection being rather easy to circumvent using rootkit technology, the Achilles’ heel of modern malware may well be its need to communicate over the network. Detecting malware communication would benefit significantly from the infusion of layer 7 context, an insight that has so far been neglected, perhaps for lack of adequate layer 7 recognition technology.

These observations are further motivated by our own experience with the use of layer-7 protocol recognition tools to help users understand activity on the network and proactively enforce restrictions on high-risk applications that are likely to be susceptible to exploitation. Although we have been using layer-7 information merely to label sessions for enforcement and reporting, we have observed that users are increasingly drawn to the logs and reports, trying to reconcile actual observations with what they expect their network activity to look like. Interestingly, in many cases, unusual activity was traced to security-related incidents such as denial-of-service attacks, compromised internal hosts, data leakage, and misconfiguration of security mechanisms. What can make the difference compared to off-the-shelf security tools is the layer 7 insight, supplementing raw measures like volume, time, periodicity, and trends with context that in many cases turns out to be essential.
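As an added illustration of the argument above (this is not code from the post or from NIometrics), the routine below scores constructed session records by combining one raw measure, the periodicity of sessions between a host and a destination, with the layer-7 label of those sessions, so that a regular mail poll scores lower than an equally regular unlabelled session on a port where TLS is expected. The label vocabulary, the thresholds and the log lines are all assumed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed session log (assumed format, not from the post). Each entry:
# (source_host, destination, destination_port, layer7_label, start_time_seconds)
SESSIONS = [
    # hostA: ordinary browsing, irregular timing, label matches the port
    ("hostA", "cdn.example", 443, "http-tls", 0),
    ("hostA", "cdn.example", 443, "http-tls", 37),
    ("hostA", "cdn.example", 443, "http-tls", 52),
    ("hostA", "cdn.example", 443, "http-tls", 190),
    ("hostA", "cdn.example", 443, "http-tls", 230),
    # hostB: every 600 s, port 443, but the recognizer could not name the protocol
    ("hostB", "203.0.113.5", 443, "unknown", 0),
    ("hostB", "203.0.113.5", 443, "unknown", 600),
    ("hostB", "203.0.113.5", 443, "unknown", 1200),
    ("hostB", "203.0.113.5", 443, "unknown", 1800),
    ("hostB", "203.0.113.5", 443, "unknown", 2400),
    ("hostB", "203.0.113.5", 443, "unknown", 3001),
    # hostC: every 300 s, but it is IMAPS on 993, i.e. a mail client polling
    ("hostC", "mail.example", 993, "imaps", 0),
    ("hostC", "mail.example", 993, "imaps", 300),
    ("hostC", "mail.example", 993, "imaps", 600),
    ("hostC", "mail.example", 993, "imaps", 900),
]

# Assumed mapping from port to the layer-7 labels one expects to see on it.
EXPECTED_APPS = {443: {"http-tls"}, 993: {"imaps"}, 22: {"ssh"}}

def periodicity(times, min_sessions=4):
    """Coefficient of variation of the inter-session gaps (0 = perfectly regular).
    Returns None when there are too few sessions to judge."""
    times = sorted(times)
    if len(times) < min_sessions:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None

def score_sessions(sessions, cv_threshold=0.1):
    """Return {(src, dst, port, label): (score, reasons)}; higher = more suspicious.
    Periodicity alone adds 1; a label that does not fit the port adds 2."""
    groups = defaultdict(list)
    for src, dst, port, app, t in sessions:
        groups[(src, dst, port, app)].append(t)
    results = {}
    for key, times in groups.items():
        score, reasons = 0, []
        cv = periodicity(times)
        if cv is not None and cv < cv_threshold:
            score += 1
            reasons.append(f"periodic sessions (cv={cv:.3f})")
        expected = EXPECTED_APPS.get(key[2])
        if expected is not None and key[3] not in expected:
            score += 2
            reasons.append(f"{key[3]} on port {key[2]}, expected {sorted(expected)}")
        results[key] = (score, reasons)
    return results
```

Run `score_sessions(SESSIONS)` to see hostB score 3 with both reasons, hostC score 1 (periodic, but the label fits), and hostA score 0; the timing measure alone would have ranked hostB and hostC the same.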

Full application layer accountability is likely to have a significant impact. While the technology still has a way to go to make this possible, raw technology will also need to be complemented by sharp and passionate analysts who can pick up the hints and investigate any discrepancies, just as Stoll did in the Cuckoo’s Egg story.


-- Kostas, CTO, NIometrics
