Research

Threat Management Evolution

by Pete Lindstrom, Research Director, Spire Security, LLC.

Threat Management Functions

The primary goal of threat management is to identify and respond to attacks against a computing environment. In order to do so, solutions must employ all or a subset of the following functions:

  1. Collection of all pertinent information
  2. Analysis of the information to identify malicious or otherwise inappropriate traffic
  3. Response to the action, whether active or passive
  4. Recovery from the outcome, even if the activity is presumed blocked
  5. Review, for follow up activities like re-architecting security or taking legal action

Within threat management, the product categories include firewalls, network and host intrusion detection, antivirus, security event management, network ecology, and forensics. This article will take a closer look at two core technologies of Threat Management: firewalls and network intrusion detection systems.

Firewalls

When applied to the functional model of threat management, firewalls demonstrate their strength in the response function, with their ability to drop packets as inline network devices. They also provide collection and analysis capabilities. The analysis capabilities of the firewall are based on defined policies - a set of rules that typically allow defined activities and deny everything else. Application firewalls often work from policy as well - web application firewalls, for example, allow access to a list of authorized web pages (built dynamically) and deny any other requests. Other analysis functions may include tracking sessions (stateful analysis) or basic content inspection.

Network Intrusion Detection Systems

The obvious power of NIDS is in the analysis. Sure, collection is important to allow for object reassembly. And response is flexible with its ability to alert in various ways and issue packet resets, for example. But NIDS wouldn't be NIDS without its intelligence.

Today's NIDS apply the analysis in a variety of ways - by far, the most popular is the 'signature' approach, which is best defined as the identification of a known attack pattern within the set of examined objects. Protocol anomaly detection is a close second, with its ability to identify abnormal packets by comparison with protocol reference documents and implementations. There are many variations within these areas and also new techniques being applied - such as traffic thresholds and flow statistics.

Recommendations

Deploy traditional firewalls:

  • Between trusted and partially trusted functional networks
  • To compartmentalize subnets using traffic management techniques
  • As a first line of defense in a layered approach that includes NIDS

Deploy network intrusion detection solutions:

  • In conjunction with firewalls
  • Between and inside trusted networks
  • To provide additional context to potential attacks

Spire ViewPoint

The threat management architectures of tomorrow will have a highly intelligent management server that gathers information from intelligent analysis engines that incorporate data from active blocking agents as well as passive sensors. These blocking agents and passive sensors will exist either natively or be placed specifically on every component in the environment - subnet, host, client, application. The determination of whether to block or not will be made based on the level of certainty that the activity is malicious. Today's enterprise must evaluate the strengths and weaknesses of all of the tools it has at its disposal and build a cohesive threat management architecture to protect its computing environment.

Excerpt Reprinted with Permission from Spire Security, LLC.

Pete Lindstrom is Research Director for Spire Security, an industry analyst firm focused on information security issues and market research. Lindstrom combines Fortune 500 corporate security experience with audit and consulting work for Coopers & Lybrand (now PricewaterhouseCoopers) to offer clients a real-world view of evaluating, selecting and implementing the latest security technologies for enterprises.

As an analyst with Hurwitz Group initially and now with Spire Security, Lindstrom is a frequent speaker and writer on security topics and is quoted often in the press. He is on the editorial advisory board of Information Security Magazine.


An Integrated Approach to Threat Management

by Steven Drew, EVP of Client Services, SecureWorks

Effective Threat Management embodies the actions organizations must take to defend themselves against today's ever-present cyber-threats. At a high level, these actions form an intrusion prevention and protection lifecycle where each stage provides critical information to the next. These actions must include fortifying the environment through proper threat research and scanning, monitoring the network infrastructure for signs of malicious activity, responding to any incidents that do occur and, finally, conducting incident analysis through data mining to discover areas that need additional fortification. Organizations must have a dedicated, 24X7 team focused on these activities. Only by developing an integrated Threat Management program will organizations truly be able to achieve enterprise-wide intrusion prevention and protection.

Intrusion Prevention

Threat research and scanning represent the proactive Threat Management actions necessary to prevent intrusions across the enterprise. Threat research is a system that allows organizations to gain intelligence on the emerging vulnerabilities and threats that will impact their IT infrastructure. Additionally, this system must have workflow management capabilities that enable security teams to track new threats through to their resolution.

Currently, threat research is conducted inefficiently. Security teams today rely on email alerts from BugTraq and other service providers. Sometimes these emails are just forwarded to administrators for them to patch the affected systems. Only after events like Slammer and MSBlast do security teams find out that the systems were never patched. Instead, organizations should build a database for these alerts and any of the additional vulnerability research they conduct. Severity, priority and responsibility must then be assigned to all new threats. From there, security teams can pull reports to make sure all threats are addressed in a timely fashion.
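The alert database, severity/priority/owner assignment and timeliness report described above, as an added example that is not SecureWorks' own tooling; the schema, the SLA_DAYS deadlines and the sample alerts are assumptions constructed for illustration.

```python
import sqlite3
from datetime import date, timedelta

# Added example, not SecureWorks code: a minimal threat-research tracker that
# records alerts, assigns severity/priority/owner and reports what is overdue.
SCHEMA = """CREATE TABLE threats (
    id INTEGER PRIMARY KEY, source TEXT NOT NULL, title TEXT NOT NULL,
    severity TEXT CHECK (severity IN ('low', 'medium', 'high', 'critical')),
    priority INTEGER, owner TEXT, received DATE NOT NULL, resolved DATE)"""
# Assumed remediation deadlines in days per severity (tune to local policy).
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}

def open_db():
    db = sqlite3.connect(":memory:")  # use a file path for a real deployment
    db.execute(SCHEMA)
    return db

def record_threat(db, source, title, severity, priority, owner, received):
    """Store one alert (received as an ISO date string) and return its id."""
    cur = db.execute(
        "INSERT INTO threats (source, title, severity, priority, owner, received)"
        " VALUES (?, ?, ?, ?, ?, ?)", (source, title, severity, priority, owner, received))
    return cur.lastrowid

def mark_resolved(db, threat_id, when):
    db.execute("UPDATE threats SET resolved = ? WHERE id = ?", (when, threat_id))

def overdue_report(db, today):
    """Open threats past their SLA as (id, title, owner, days_overdue), priority first."""
    rows = db.execute(
        "SELECT id, title, severity, owner, received FROM threats"
        " WHERE resolved IS NULL ORDER BY priority, received").fetchall()
    now = date.fromisoformat(today)
    report = []
    for tid, title, sev, owner, received in rows:
        due = date.fromisoformat(received) + timedelta(days=SLA_DAYS[sev])
        if now > due:
            report.append((tid, title, owner, (now - due).days))
    return report

if __name__ == "__main__":
    db = open_db()  # constructed sample alerts, not real advisories
    record_threat(db, "bugtraq", "RPC service patch", "critical", 1, "win-admins", "2003-07-16")
    fixed = record_threat(db, "vendor", "Database listener patch", "high", 2, "dba-team", "2003-07-24")
    record_threat(db, "scan", "Bastion SSH upgrade", "medium", 3, "unix-admins", "2003-08-01")
    mark_resolved(db, fixed, "2003-07-28")
    for row in overdue_report(db, "2003-08-05"):
        print(row)
```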

Vulnerability scanning is the second preventative action. Organizations must conduct regular scans of their environment to find any vulnerabilities that could be exploited. Threat research alone does not guarantee successful prevention, since new devices are typically added frequently to the IT infrastructure. If possible, organizations should also schedule scans on remote users' computers, as these are increasingly becoming the starting points for successful attacks. Armed with scanning and an effective threat research program, security teams can prevent most external attacks.

Intrusion Protection

Unfortunately, fortifying the environment through threat research and scanning is not enough to guarantee the elimination of incidents. Organizations need to stay vigilant and continuously protect themselves against insider threats or the savvy hacker carrying out premeditated attacks. To accomplish this, security teams must conduct 24X7 security monitoring, immediate incident response and ongoing analysis of their enterprise-wide security activity.

Monitoring the network 24X7 will alert organizations to anything unusual that may signal malicious activity. Security monitoring should not be limited to just security devices. Instead, monitoring needs to be holistic, encompassing applications, databases and other critical, high risk components of the IT infrastructure. All the security information generated by the environment must be aggregated and correlated in real-time. This will provide security teams with the context of the attack in a timely fashion. Armed with this information they will be able to respond quicker and reduce the amount of exposure to an attack.

When incidents do occur, it becomes necessary for organizations to respond in near real-time to minimize the impact of the incident. To accomplish this, organizations need to have the proper combination of people, process and technology focused on the incident response efforts. Organizations must deploy technology that performs security event aggregation and correlation to facilitate the rapid identification and response efforts. Security teams must then have dedicated, properly trained staff assigned as Incident Handling experts who monitor this technology for signs of an attack. SANS' Global Information Assurance Certification offers specialized tracks on Incident Handling that can provide the appropriate knowledge. Of course, these dedicated experts must augment this training with extensive experience. Possessing a wealth of experience will enable them to recognize the attack and respond quickly to the threat.

Organizations must also develop the appropriate Incident Handling process. This process can be set up in a flow chart style. At the top of the process is receipt of correlated incidents. The next stage is categorization where incidents are classified by type of attack and target. At the bottom of the chart a threat assessment and appropriate responses are assigned to the alert. The goal of this process is to have a repeatable, disciplined set of actions that will reduce exposure time and provide an audit trail to measure effectiveness.

The final component of an integrated Threat Management program is the analysis. Organizations must conduct data mining to determine the effectiveness of the program, areas of weakness and the overall threat level facing the organization. Security teams should be able to achieve this by performing ad-hoc correlation and generating reports. Proper analysis can only be performed if the organization deploys the aggregation and correlation technology discussed above. This will provide them with a centralized database for all vulnerabilities, incidents and their associated actions. Analysis is one of the most important components of an integrated Threat Management program. Thorough analysis will provide the feedback necessary for improving this lifecycle over time.

An integrated Threat Management program will enable a true, enterprise-wide intrusion prevention and protection lifecycle. By implementing this program, an organization will fortify their environment, reduce their exposure to threats and attain the security intelligence they need to continuously improve their security. The end result of the integrated Threat Management program is more efficient security management, greater return on security investments and the ability to demonstrate provable security to management and auditors.


Sobig.f Examined

by Joe Stewart, Senior Research Analyst, SecureWorks

On Tuesday, August 19, users across the Internet noticed an increasing flurry of suspicious emails. Sobig.f had set new records in the sheer quantity of email traffic for any single worm variant. This new, more prolific variant was a result of some programming fixes. Instead of trying to send emails one at a time, Sobig.f uses "threading" to allow it to send 7 emails at the same time. The overwhelming number of copies of this worm in people's inboxes showed the improved efficiency. However, many of those copies were likely sent from the same few addresses, so appearances are not always what they seem. In spite of the flood of worm emails, this variant was probably 100% ineffective at achieving its goal.

The goal, of course, is to create spam proxies, as outlined in the two previous papers, "Sobig.a and the Spam you Received Today" and the follow-up paper "Sobig.e - Evolution of the Worm". If you haven't read these papers, you should stop now and do so; there is a great deal of complexity to the Sobig worm family, and it has evolved over time. In this paper, we will deal primarily with the changes since Sobig.e.

Sobig.f was actually released on Monday August 18. Unfortunately, since the worm author's specific distribution method was revealed to the press, it is likely that the next worm will not use the same distribution method, losing AV companies' valuable time in the race to inoculate users. Since Sobig.f did not deliver its final payload, it is certain that Sobig.g will soon follow.

At first glance, it would seem that the worm would have been massively effective. By Tuesday the worm was already spreading from thousands of computers worldwide. The problem was, the second-stage download routine was timed to occur on Friday the 22nd - giving law enforcement the head start they needed to shut down the "master" servers whose IP addresses were encrypted in the body of Sobig.f.

All but one of the master servers were shut down by the Friday 3:00pm EDT deadline. The one remaining server was shut down shortly thereafter, but it never "went live", that is, it never contained a valid URL for the second-stage trojan download. The URL that was returned by default was www.sex.com/dot/com, but that was a decoy, used as a placeholder until the real download URL could be inserted by the Sobig author. The week of lead-time will likely not be part of Sobig.g. There will likely be more hacked "master" servers in the next version, spread across many countries, and not enough time to have them all shut down.

Some AV companies reported that the list of master servers could be updated remotely via special UDP packets sent on ports 995-999. This was actually not the case; Sobig.f does not listen on these ports (although Sobig.e had). The fact that the second-stage download did not occur is evidenced by the huge number of people still sending out worm-infected emails on the following Monday. Historically, every version of Sobig has removed its spreading component after the second-stage download is complete. So once the second stage is in place, you will no longer see the emails being sent from a host.

Some reports also indicated that we didn't know what "mystery code" would be downloaded by Sobig.f. This is not true for anyone who has been following the evolution of the Sobig worm family. So far every variant has done a second-stage download of the Lala trojan. This is an integral part of what makes Sobig; the worm itself is only one part of a larger picture. Stage three has always been a Wingate proxy. This has not changed since the worm's first incarnation.

Even though we do not have the code that was supposed to be downloaded this time, we can tell through anecdotal evidence that the proxy server ports have changed. Not only does a worm's release sometimes trigger a change in the Wingate proxy ports, but the ports will be updated on proxy hosts that were infected with previous variants.

The updated ports are now:

  • Port 2555 - RTSP Streaming Media Proxy
  • Port 3001 - Remote Control Service
  • Port 3380 - SOCKS Proxy server
  • Port 3381 - Telnet Proxy server
  • Port 3382 - WWW Proxy server
  • Port 3383 - FTP Proxy server
  • Port 3384 - POP3 Proxy server
  • Port 3385 - SMTP Server

Other than the changes described above, Sobig.f is much like Sobig.e. Sobig.g will probably be much more effective than any previous variant, as the author continues to learn from his/her mistakes. Hopefully the added exposure this variant has received will prompt people to be more careful about opening attachments; after all, this worm cannot spread without manual interaction of end users. Hopefully they'll do a better job at not clicking on Sobig.g.
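A defender-side check for the two observable stages the paper describes, written as an added example (not SecureWorks code): internal hosts accepting inbound connections on the updated Wingate proxy ports listed above, and internal hosts in the mass-mailing stage making bursts of outbound SMTP connections. The flow-log format, the 10.0.0.0/16 internal range and the sample flows are constructed assumptions.

```python
from collections import defaultdict

# Added example, not SecureWorks code: flag likely Sobig/Wingate proxy hosts
# from a constructed flow log using the updated proxy ports listed above.
SOBIG_PROXY_PORTS = {2555: "RTSP proxy", 3001: "remote control", 3380: "SOCKS",
                     3381: "Telnet proxy", 3382: "WWW proxy", 3383: "FTP proxy",
                     3384: "POP3 proxy", 3385: "SMTP"}
INTERNAL_PREFIX = "10.0."  # assumption: 10.0.0.0/16 is the monitored LAN

# Constructed sample flows: "time src dst dport" (not captured traffic)
SAMPLE_FLOWS = """\
09:00:01 198.51.100.7 10.0.1.20 3380
09:00:02 198.51.100.7 10.0.1.20 3385
09:00:05 203.0.113.9 10.0.1.20 3382
09:01:00 10.0.1.31 192.0.2.10 25
09:01:01 10.0.1.31 192.0.2.11 25
09:01:02 10.0.1.31 192.0.2.13 25
09:02:00 10.0.1.40 192.0.2.20 443
"""

def parse_flows(text):
    """Parse whitespace-separated flow records into (ts, src, dst, dport)."""
    return [(ts, src, dst, int(dport))
            for ts, src, dst, dport in (ln.split() for ln in text.splitlines() if ln.strip())]

def find_suspects(flows, smtp_threshold=3):
    """Return {internal host: [reasons]} for two signals from the paper:
    inbound hits on the proxy ports (stage three) and a burst of outbound
    SMTP connections (the mass-mailing stage before the second-stage download)."""
    inbound_proxy = defaultdict(set)
    smtp_out = defaultdict(int)
    for _ts, src, dst, dport in flows:
        internal_dst = dst.startswith(INTERNAL_PREFIX)
        internal_src = src.startswith(INTERNAL_PREFIX)
        if internal_dst and not internal_src and dport in SOBIG_PROXY_PORTS:
            inbound_proxy[dst].add(dport)
        if internal_src and dport == 25:
            smtp_out[src] += 1
    suspects = defaultdict(list)
    for host, ports in inbound_proxy.items():
        names = ", ".join(f"{p} ({SOBIG_PROXY_PORTS[p]})" for p in sorted(ports))
        suspects[host].append(f"inbound on Sobig proxy ports: {names}")
    for host, count in smtp_out.items():
        if count >= smtp_threshold:
            suspects[host].append(f"{count} outbound SMTP connections")
    return dict(suspects)

if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, "->", "; ".join(reasons))
```

Legitimate mail relays will trip the SMTP count, so the threshold should be set per host role rather than globally.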
