Wednesday, June 08, 2005

Schneier on Attack Trends

Bruce Schneier posted an interesting blog entry the other day on attack trends seen by Counterpane's monitoring service. The post seems to be excerpted from his essay, which is an interesting read. His blog entry was also /.'d, along with some supporting information.

Some of the interesting trends that Bruce talks about include such things as "hacking" moving from a notoriety-based, hobbyist activity to out-and-out economic crime. Examples of this include extortion, as well as the rental/sale of botnets.

The data Counterpane collected supports what others have been seeing. Worms and other malcode used to be written as proof of concept, and some of it even got released into the wild. Now, some malware authors are writing code for demonstration, but providing private versions of the code, with greater capabilities, to those willing to pay for it. It seems that folks are learning from history...while writing something that's annoying can be fun and you can get your 15 minutes of fame amongst your friends, one wrong step and you could end up in jail (just ask this guy). So why not take a targeted approach to your attack, remain quiet and patient, and collect information/data for later use? Some malware now has built-in rootkit capabilities in order to hide its activity (Trojan.Blubber, Trojan.Drivus, Backdoor.Ryejet).

Another trend Bruce mentions is the increased sophistication of malware. There's evidence that shows worms becoming more intelligent in their reconnaissance and propagation techniques. The Win32.spybot.KEG worm, for example, bundles multiple capabilities: it scans for specific vulnerabilities, communicates its findings over IRC, includes a backdoor, retrieves the contents of the clipboard, grabs images from a web cam, etc.

Rather than looking at these as separate trends, consider them together. Attacks are coming quicker, and the attacks and malware are becoming more sophisticated. Malware is getting onto the network via some exposed gateway or rogue (i.e., forgotten) system, and scanning for specific vulnerabilities. These tools are becoming less "noisy" (i.e., looking for specific things rather than taking a shotgun approach), moving quicker, and include the capabilities necessary to hide from all but the most sophisticated investigator.

Combine this with the continuing trend of IT as a rapidly growing industry (i.e., more and more people moving into IT every day) - which means that every day there are new, green, untrained or under-trained administrators - and you've got a pretty interesting scenario.

The scary part is that the growth of cybercrime, combined with the growth of (excuse me for saying this) "security-challenged" administrators and IT managers, opens up the investigative arena for explosive expansion. What does this lead to? An old friend of mine recently told me about an issue he had with a computer system, where he had to determine whether certain documents were on the system. He took the Windows XP system to a "forensic expert" who was really just an expert Mac user...who also never found the documents. Also, my friend gave the "forensic expert" explicit instructions to NOT connect the system to a network under any circumstances...and when he went by the expert's office, he found the system connected to the expert's network via an RJ-45/Cat-5 cable, with the Ethernet activity lights on the system blinking furiously.

The point of all this is that the attackers continue to be light-years ahead of the victims. The need for training and education in order to (a) recognize that an incident has occurred or is occurring, and (b) do something about it, is paramount.