
Posts tagged Conficker

Wednesday, May 19, 2010

Five strategies for CSO success

By Jill Knesek, Chief Security Officer, BT Global Services

Last week I spoke at the Secure360 Conference in St. Paul about the challenges facing CSOs.  The last decade has been a game-changer for those of us charged with protecting all the different dimensions of the business.  Not only do I and my peers have more assets to protect, but we have more potentially troublesome things to protect our enterprise and our employees from.

It once would take a truck to remove 25 million records from a business – now, it only takes a USB drive or an innocent-looking iPod to remove the same amount of data.  And where once all employees worked in centralized locations with their computers protected behind the fortress of firewalls, they often now work remotely, connecting from home, the coffee shop, or the train.  Adding to the complexity is the fact that a new generation of hackers/cybercriminals is able to compromise millions of computers a day, rather than just one or two sites per week, as was the case when I started my cybersecurity career tracking down Mafia Boy and Kevin Mitnick.

And did I mention that the highest levels of protection also need to be provided while adhering to complex and extensive government and industry regulatory standards, like PCI, HIPAA, and SOX?

Before you think I have an impossible job, I’d like to share a few strategies with you that have helped me be successful:

1. Change Your Perspective: Think Outside In — Historically, security began and ended at the firewall where we were able to protect our most critical systems and data that was housed in a centralized data center.  Today’s critical systems and data are not bound by perimeters but rather reside on our laptops and mobile devices.  Therefore, when we think about securing our networks and systems, we must do so from the outside in – that is, from the laptop or mobile device first and then back into our data centers and server farms.  We must start with personal firewalls, encrypted hard drives, A/V .dat file updates and patch management.  We must ensure that the data which travels around with our mobile workforce is secured at the endpoint, as this will normally be the most vulnerable and easiest to attack.  But that doesn’t mean we can forget about the core.  We just have to start with our users and work our way in.

2. Reach out to Business Partners — Engaging with all the different groups within the business — from Legal to HR to Sales — early in the process of thinking about security increases the likelihood of success — not only in terms of eventual implementation of security measures, but also with regards to assurance that you’ve covered all your bases and assets.

3. Change your Communication Style — Too often physical and IT security teams are perceived as what I call, “The Department of No” — and that’s not a fun reputation to have.  Nor is it likely to win you allies and advocates on the front lines where you need them most.  Working collaboratively means you will be less likely to be circumvented and locked out of key decisions and forced to play catch-up.

4. Manage Risks, Not Threats — With the increase in the vector and velocity of threats, it is no longer practical to work in a threat-based model.  We must move to a risk-based model where we first identify the company assets, evaluate the risks associated with those assets and then put in place controls and mitigations to protect them from the ever-increasing threat landscape.  If we try to protect against all known threats, we will find ourselves always one-step behind the criminals.  By focusing on the risk and implementing the right risk management program, we can ensure that our assets are properly protected regardless of the threat against them.  Also, implementation of a risk management program that produces proper measures and metrics will allow you to begin putting security in business terms, which leads to the final strategy recommendation.

5. Learn to Speak ‘Business’ — One of the most important things I’ve learned is how to speak the language of my senior executives.  While they may be impressed by my command of technical lingo, what they really want to know is how the money that is funding my security budget is being used — and also how precisely it is protecting the company and the bottom line.  Being able to talk about what I do in terms of EBITDA and P&L has helped me have security needs woven into the fabric of decision-making.

I know that these five things have made my life as a CSO far easier.  What strategies have helped you do your job more effectively?

Tuesday, May 18, 2010

The Worm That Turned, and Turned Again: Conficker Exposed

By Pete Russo, Senior Marketing Manager, BT Global Services

It’s not often that cybersecurity gets its moment in the sun in the mainstream media.  Sure, we get sound bites on the latest credit card breach, VA breach, or password protection strategies.  But this report from The Atlantic is full-on investigative journalism at its best!

Mark Bowden, an Atlantic national correspondent, wades deep into the battle being waged by the cybersecurity community to stem Conficker’s spread and defeat the worm entirely.

To read Mark’s article and learn why Conficker would cause trouble for Captain Kirk, click here.

Tuesday, September 29, 2009

The Evolving World of Attack Detection

Sushila Nair, Product Manager, BT Managed Security Solutions Group, BT Global Services

How do you find out what’s going on in your network, particularly when the types of attacks your network is exposed to are constantly changing? Today’s post is focused on the different methodologies that can be used to detect attacks and strategies that can be used to combat common network vulnerabilities.

Traditionally, two methods of attack detection have been used to isolate malicious activity on corporate networks: signature detection or anomaly detection. Signature based attack detection uses patterns of known behavior to uncover potential attack behaviors. Conversely, anomaly detection does not require any prior knowledge of behavioral patterns, but instead baselines “normal behavior” and alerts when behavior deviates from this standard pattern.

While a combination of signature attack detection and anomaly detection tends to be effective against basic exploits, the next generation of malware presents a new set of challenges. Botnets, worms and trojans, to name just three tools in the hacker’s arsenal, have the potential to be far more damaging than the viruses of the late 1990s. While botnets started off innocently as a way to automate Internet Relay Chat (IRC) channel management, they are now a primary tool for denial of service (DoS), spam production, phishing attacks, and mounting distributed denial of service (DDoS) attacks. More than creating havoc for the victims’ networks, these attacks are usually financially damaging, potentially generating millions of dollars per day for those creating or renting the botnet.

Attackers have gone global, using bots to scan wide ranges of hosts for a single vulnerability, which enables them to conduct mass attacks over a very short period of time; this is the pattern behind many of the mass SQL injection attacks which have plagued thousands of organizations. As attacks become global, it is crucial that defenses also become global: organizations need a monitoring system that has the intelligence to see the onset of a global attack and then warn them proactively so that the attackers can be blocked on the firewalls.

There are other relatively simple steps that can be taken to protect against bots:

  • Make sure IDS signatures are up to date – Most malware – for example, Conficker (2008) – has had many variants, so it is essential that IDS/IPS signatures are updated regularly.
  • Use host and application level monitoring – Targeted malware may not be detected by a network level IDS; however, host level monitoring may display anomalous behavior which could indicate targeted malware. Keyboard loggers and sniffers are commonly used to enable attackers to collect confidential information which is then sent back to the attacker.
  • Monitor firewall activity – One of the difficulties presented by bots is that they communicate infrequently with their command and control hosts. The chances of detecting infected machines prior to a critical event, without significant technology and infrastructure investment, are slim. However, since bots do communicate and these communications generate firewall traffic, BT’s Managed Security Solutions Group has created the ability to detect bots by monitoring and analyzing firewall traffic.
  • Educate users – Since users are a key point of vulnerability, educating them is a step in securing the corporate network. Not only should education be focused on seemingly obvious actions — such as not opening email from unknown users, or not clicking on pop-up windows — but educating users on the organization’s security policy and actively enforcing it are key.
  • Disable autorun – Many strains of malware have used the autorun feature on Windows to initiate their attacks. Conficker, for example, copies itself to a file share; if the user clicks on the infected file, the computer will be infected, even if it is patched.
  • Build an effective DDoS strategy – This often involves contracting a third party who can withstand a large scale attack. Considering that DDoS attacks can persist for an extended period and absorb bandwidth in excess of 80GB, they can be extremely detrimental both to productivity and customer trust.
  • Work with an MSSP – Leverage economies of scale that are impossible to achieve working in isolation. Service providers can use information from their research and development teams as well as a global network of knowledge to ensure that signatures are up to date and installed in a timely manner.

Because the world of attacks is always evolving, those who are charged with protecting their company’s networks must work diligently to stay one step ahead. Signature based attack detection tools, supplemented by behavior based detection methodologies, correlation, and more sophisticated anomaly detection, provide the most comprehensive tool kit available at present for thwarting an attack. However, as organizations acquire more tools, they should build a monitoring framework so that all security devices feed information about attacks into a central correlation system. The ability to look for patterns across hundreds of thousands of log files and devices will increasingly be a key defensive activity.

Thursday, September 24, 2009

What We’re Reading Around the Web

Pete Russo, Senior Marketing Manager, BT Global Services

A few weeks ago one of our resident compliance gurus, Sushila Nair of BT’s Managed Security Solutions Group blogged about what Massachusetts State Law 201 CMR 117 would mean for the rest of us.  This week, it looks like we’re a step closer to finding out.  Scot Petersen, Executive Editor of SearchCompliance.com reports that it looks like, “Massachusetts officials may have finally gotten their data protection regulation right,” based on reaction to public hearings held recently.

Do you think that by accommodating business needs – but potentially weakening the legislation – Massachusetts is heading in the right direction?  I’m curious to hear your reactions – and we’ll definitely be checking back in with Sushila to see what she thinks when she returns from this week’s PCI SSC Community Meeting.

In other news from around the web, Robert Westervelt reports that we may be a little closer to understanding Conficker, thanks to researchers at SRI International who reverse engineered its P2P protocol.  He cautions though, that while this research helps understand how Conficker spreads, vulnerability levels remain high.

How does your company defend against bots?  Learn more about BT MSSG’s suggested best practices to defend against Conficker and other worms here: Conficker: What’s Next?

Wednesday, February 11, 2009

Conficker: What’s Next?

Senthil Venkatachalam

While the Conficker worm has caught everyone’s attention because of its ability to propagate rapidly, what comes next may be even more damaging and costly to businesses.

Conficker is a classic worm in that it propagates through unpatched Windows systems, specifically through a particular service known as Windows SMB (port 445). In addition to the classic worm behavior of self-propagation by finding other unpatched MS Windows computers, this worm also takes advantage of the “autorun” facility on memory sticks to propagate itself. While this is a nuisance, the greater security threat comes from the fact that the worm tries to crack the administrator password of the host system.

If the worm is successful in cracking the administrator password, it effectively has “the keys to the kingdom” and it has the potential to reach out to controllers out on the internet, participate in a botnet and turn the host system into a zombie.

Our concern that infected hosts could be roped in to participate in a botnet seems to be coming true. The Trojan – which is the malicious executable placed by the worm on the infected system – has coded into it instructions to contact command and control servers out on the internet. Since “static” internet domains can be easily identified and shut down by law enforcement, the malicious command and control servers controlling the Trojan use clever and sophisticated methods known as fast flux DNS to cover their tracks and make detection very difficult.

Monitoring a customer network’s security devices such as IDS/IPS platforms and firewalls provides significant protection against the propagation and further spread of the worm; the new software updates and signature sets from vendors of these security devices will help. However, despite these measures, Trojans could go undetected without further protections in place. Consider, for example, an infected laptop that is connected to the network: even if the worm’s propagation attempts are blocked by the firewall and the host system is patched against the worm, the Trojan is still active until the host is cleaned up. During this period, the Trojan can and will contact the preprogrammed malicious C&C domains.

In order to detect such behavior, BT has developed custom signatures for the Snort IDS/IPS platforms. Once installed, these signatures will fire when they detect Trojans attempting to contact C&C hosts, alerting the BT SOC to their presence. Customers can then pinpoint the infected host, isolate it and perform clean up to get rid of the problem and not just the symptoms.
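The fast flux behavior described above leaves a measurable trace in resolver logs: a name that keeps returning fresh addresses spread across unrelated networks with very short TTLs. The following added example (not BT’s Snort signatures, and not code from the original post) scores constructed DNS answer records with that heuristic; the log format, thresholds and domain names are assumptions, and a CDN-style name is included to show why a short TTL alone is not enough to flag.

```python
"""Fast-flux heuristic over constructed DNS answer records.

Added example, not BT's signatures. Assumed record format, one line per
A record returned: "<epoch> <qname> <ttl> <answer_ip>".
"""
from collections import defaultdict
from statistics import mean


def build_sample_records():
    """Constructed sample: one fast-flux name, one CDN-style name, one intranet name."""
    rec = []
    for r in range(6):  # six resolutions of each name, five minutes apart
        ts = 1000 + r * 300
        # flux.example: a new set of three hosts every time, alternating between
        # two unrelated networks (documentation ranges), TTL 120 s
        net = "203.0.113" if r % 2 == 0 else "198.51.100"
        for j in range(3):
            rec.append(f"{ts} flux.example 120 {net}.{r * 3 + 1 + j}")
        # cdn.example: short TTL too, but always the same small address pool
        for j in range(1, 4):
            rec.append(f"{ts} cdn.example 60 192.0.2.{j}")
        # intranet.example: one stable address, long TTL
        rec.append(f"{ts} intranet.example 3600 192.0.2.10")
    return rec


def profile(records):
    """Per qname: distinct answer IPs, distinct /16 prefixes (crude network diversity), TTLs."""
    seen = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for line in records:
        _ts, qname, ttl, ip = line.split()
        p = seen[qname]
        p["ips"].add(ip)
        p["nets"].add(".".join(ip.split(".")[:2]))
        p["ttls"].append(int(ttl))
    return seen


def flag_fast_flux(records, min_ips=8, min_nets=2, max_ttl=300):
    """Return {qname: (distinct_ips, distinct_nets, mean_ttl)} for names that look fast-fluxed.

    All three conditions must hold: many distinct addresses, spread over more than
    one network, and a short average TTL. Thresholds are assumed starting points.
    """
    flagged = {}
    for name, p in profile(records).items():
        avg_ttl = mean(p["ttls"])
        if len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets and avg_ttl <= max_ttl:
            flagged[name] = (len(p["ips"]), len(p["nets"]), round(avg_ttl))
    return flagged


if __name__ == "__main__":
    for name, (ips, nets, ttl) in flag_fast_flux(build_sample_records()).items():
        print(f"{name}: {ips} addresses across {nets} networks, mean TTL {ttl}s")
```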

BT MSSG also recommends several steps customers can take to protect their networks and systems on a proactive basis:

  • Keep all Windows systems updated with the most current Windows OS patch levels as well as the most current Anti-Virus (AV) engine and definition files
  • Keep all security devices including firewalls and intrusion detection/prevention systems (IDS/IPS) up-to-date on signatures and software patches
  • Close the Microsoft/SMB port 445 to traffic that traverses firewalls
  • Strengthen administrative passwords on host systems and follow best practices on password protection
  • Monitor firewalls, IDS/IPS systems and hosts for greatest protection
  • Educate users on strong password policies as well as the need to actively scan new media including memory sticks using AV client products

For further technical details, visit:

http://bt.counterpane.com/Risk_Assessment_W32.Conficker_Worm_Update2.pdf

Monday, February 9, 2009

Conficker – The Largest Worm Yet

Tom Le

We are currently in the middle of the largest worm outbreak in history. Estimates for the number of PCs infected by this polymorphic worm, known as Conficker or Downadup, range from 9 million to 15 million PCs. Even at 9 million, that is still almost a full order of magnitude larger than the Storm worm, which peaked with a 1 million zombie army in September 2007.

To understand how staggering the infection numbers are for Conficker, consider that at its peak Conficker was growing at a rate of over 1 million new infections per day compared to the Storm Worm’s peak of 1 million total infections.

What Can We Learn from Conficker?

While it is likely that this saga is only in its beginning stages, since security experts are still waiting to see what this massive worm will do once it is given its attack instructions, we can learn some lessons about security monitoring immediately. The good news is you can take action right now to prepare yourself for the next wave of attack. These lessons should not be new to anyone using BT’s Managed Security Monitoring solutions, but they are worth repeating.

1. Monitor everything. We all know that the sooner you know about an attack, the easier it is to contain and the less damage that will be done to your network. While we all have to operate within security budget constraints, it may be worth revisiting how those dollars are being spent. Consider what devices can be added to your current event monitoring. While IDS/IPS monitoring often comprises the core of most security monitoring implementations, BT MSSG actually detected more Conficker worm attacks from monitoring firewall traffic logs.

2. Revisit your Security ROI. The return-on-investment for your security dollars is often underappreciated, in the same way that homeowners or auto insurance is not appreciated until a loss occurs. In the case of a worm outbreak that may have large operational costs, or potentially real business losses, you have to factor in the probability of a loss and the expected cost of a loss to determine your ROI.

3. Don’t be complacent about process. Security is a process. We saw a few incidents this past month where users thought they had IPS signature coverage for Conficker, but, in fact, did not. Users often rely on automated signature updates, but there are many scenarios where specific policies or configuration changes need to be made actively to enable the IPS signatures. If you have an internal process to verify that regular updates are active, make sure it is being followed. You may want to consider adding an additional process so that when BT (or another security vendor) sends out a Risk Assessment, internal verification of vendor IPS/IDS signatures and proper configuration occurs. If you are not staffed to perform these types of functions, consider outsourcing alternatives, such as letting BT manage your IPS/IDS devices.
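Two of the behaviors this page attributes to Conficker show up in plain firewall logs: an internal host fanning out to many peers on TCP/445 (propagation), and an infected host checking in with its command and control server at regular intervals (the infrequent bot communication noted in the earlier post). The following added example, which is not BT MSSG’s tooling and not code from the original post, runs both checks over constructed log lines; the log format, thresholds and addresses are assumptions.

```python
"""Firewall-log checks for worm-style scanning and bot beaconing.

Added example, not BT's tooling. Assumed log export format, one connection
per line: "<epoch> <action> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed sample: one scanner, one beaconing bot, one ordinary browser."""
    lines = []
    # 10.0.0.7 tries 30 different internal hosts on 445 within a minute (denied)
    for i in range(1, 31):
        lines.append(f"{1000 + i * 2} deny 10.0.0.7 10.0.1.{i} 445")
    # 10.0.0.9 connects to the same external host:port every 600 s (accepted)
    for k in range(8):
        lines.append(f"{2000 + k * 600} accept 10.0.0.9 203.0.113.50 8080")
    # 10.0.0.5 browses a web site at irregular intervals (benign)
    for t in (1500, 1507, 1602, 1900, 2100):
        lines.append(f"{t} accept 10.0.0.5 198.51.100.20 443")
    return lines


def parse_line(line):
    ts, action, src, dst, port = line.split()
    return int(ts), action, src, dst, int(port)


def scanners(lines, port=445, min_targets=20):
    """Sources that touched at least `min_targets` distinct hosts on `port`.

    Denied connections count too: a blocked propagation attempt is still the
    signal that a host behind the firewall is infected.
    """
    targets = defaultdict(set)
    for _ts, _action, src, dst, dport in map(parse_line, lines):
        if dport == port:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def beacons(lines, min_hits=5, max_jitter=0.1):
    """(src, dst, port) tuples contacted repeatedly at a near-constant interval.

    Returns the interval in seconds. A beacon is low-volume, so the tell is the
    regularity of the gaps (coefficient of variation <= max_jitter), not the count.
    """
    times = defaultdict(list)
    for ts, action, src, dst, dport in map(parse_line, lines):
        if action == "accept":
            times[(src, dst, dport)].append(ts)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg)
    return found


if __name__ == "__main__":
    log = build_sample_log()
    print("possible scanners:", scanners(log))
    print("possible beacons:", beacons(log))
```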

Beware of Patched, Yet Infected Systems

Even if you have applied the MS08-067 updates, be aware that your Windows hosts may have been infected prior to applying patches!

Let’s look at some data from Qualys to provide some perspective on how promptly Windows patch updates are applied. First, recall that Microsoft believed the vulnerability was so significant that it released an unusual out-of-cycle patch update on October 23, 2008. There was an alert issued 2 days prior to the patch update and the news and awareness cycle around MS08-067 and Conficker has continued since then. Despite this high level of awareness, Qualys’ Wolfgang Kandek reported that 30 days after the MS08-067 update, 50% of Windows machines were unpatched and that after 120 days, 30% of Windows systems were still unpatched. Keep in mind that organizations using Qualys vulnerability scanning tend to have greater security awareness and procedures in place, so the percentage of unpatched systems in the wild is likely much higher.

Secondly, consider whether any Windows systems in your environment may have been vulnerable to attack, even if for a brief period of time, before patches were applied. Do you have mobile users who take their laptops out of the office where the attack could have occurred? If you do, this would mean that none of your security monitoring infrastructure would have detected the initial infection. Do you allow users to plug in USB keys that could have been infected from outside your network? Do you have VPN, extranets, or any other types of network access that could allow a system outside of your control to communicate with systems within your network?

If you answered yes to any of the above questions, it is possible that you could still have infected, yet fully patched systems.

As a worst case scenario, consider the risk of having an idle Conficker worm. The Storm Worm had large subsets of the worm population idle which were communicating only to its command & control hosts but not spreading or performing any reconnaissance activity so as to minimize detection. If the rumor is true that the people behind Conficker are the same as those behind the Storm Worm, it would not be unreasonable to assume that detection avoidance tactics may be employed with Conficker.

Bottom Line

Patch now, patch often! Make sure that all your monitoring is enabled and any signs of attack activity are investigated. Wherever possible, monitor everything: IDS/IPS, firewall traffic, host and application activity. Run the Windows Malicious Software Removal Tool (MSRT) on all Windows hosts, even if you do not suspect they are infected. This can be an enormous task for large organizations, but consider running the MSRT in silent mode as part of a domain login profile.

Windows MSRT: http://support.microsoft.com/kb/890830

Deployment of MSRT in an enterprise environment: http://support.microsoft.com/kb/891716

Finally, be ever vigilant and don’t forget that we’re still early in the life cycle of this worm. For all the attention that the Storm Worm received, remember that Conficker is at least a full order of magnitude greater in size. Moreover, we have yet to see what the impact will be when Conficker’s controllers finally tell it to “do something.”
