Sushila Nair, Product Manager, BT Managed Security Solutions Group, BT Global Services
How do you find out what’s going on in your network, particularly when the types of attacks your network is exposed to are constantly changing? Today’s post is focused on the different methodologies that can be used to detect attacks and strategies that can be used to combat common network vulnerabilities.
Traditionally, two methods of attack detection have been used to isolate malicious activity on corporate networks: signature detection and anomaly detection. Signature-based detection matches activity against patterns of known malicious behavior to uncover potential attacks. Conversely, anomaly detection does not require any prior knowledge of attack patterns; instead it baselines “normal behavior” and alerts when behavior deviates from that baseline.
While a combination of signature-based and anomaly detection tends to be effective against basic exploits, the next generation of malware presents a new set of challenges. Botnets, worms and Trojans, to name just three tools in the attacker’s arsenal, have the potential to be far more damaging than the viruses of the late 1990s. Botnets started off innocently as a way to automate Internet Relay Chat (IRC) channel management, but they are now a primary tool for denial of service (DoS), spam production, phishing attacks, and mounting distributed denial of service (DDoS) attacks. Beyond creating havoc on the victims’ networks, these attacks are usually financially damaging to the victim and can generate millions of dollars per day for those creating or renting the botnet.
Attackers have also gone global, using bots to scan wide ranges of hosts for a single vulnerability, which lets them mount mass attacks in a very short period of time; this is the pattern behind many of the mass SQL injection attacks that have plagued thousands of organizations. As attacks become global, it is crucial that defenses become global too: organizations need a monitoring system with the intelligence to see the onset of a global attack and proactively warn them so that the attackers can be blocked at the firewall.
There are other relatively simple steps that can be taken to protect against bots:
- Make sure IDS signatures are up to date – Most malware, Conficker (2008) for example, has many variants, so it is essential that IDS/IPS signatures are updated regularly.
- Use host and application level monitoring – Targeted malware may not be detected by a network-level IDS; however, host-level monitoring may reveal anomalous behavior that indicates targeted malware. Keyboard loggers and sniffers are commonly used by attackers to collect confidential information, which is then sent back to the attacker.
- Monitor firewall activity – One of the difficulties presented by bots is that they communicate infrequently with their command and control hosts, so the chances of detecting infected machines before a critical event, without significant technology and infrastructure investment, are slim. However, since bots do communicate and these communications generate firewall traffic, BT’s Managed Security Solutions Group has created the ability to detect bots by monitoring and analyzing firewall traffic.
- Educate users – Since users are a key point of vulnerability, educating them is a step in securing the corporate network. Education should cover not only the seemingly obvious actions, such as not opening email from unknown senders or not clicking on pop-up windows, but also the organization’s security policy, and that policy must be actively enforced.
- Disable autorun – Many strains of malware have used the autorun feature on Windows to initiate their attacks. Conficker, for example, copies itself to a file share; if a user clicks on the infected file, the computer is infected even if it is fully patched.
- Build an effective DDoS strategy – This often involves contracting a third party who can withstand a large-scale attack. Given that DDoS attacks can persist for an extended period and absorb bandwidth in excess of 80GB, they can be extremely detrimental to both productivity and customer trust.
- Work with an MSSP – Managed security service providers offer economies of scale that are impossible to achieve working in isolation. They can draw on their research and development teams and a global network of knowledge to ensure that signatures are up to date and installed in a timely manner.
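As an added illustration (not BT’s tooling or code from this post), the script below applies both detection styles from the opening paragraph to the firewall-log idea in the “Monitor firewall activity” bullet: a signature check against a hypothetical list of known command-and-control addresses, and an anomaly check that flags an internal host contacting one destination at near-constant intervals, the infrequent but regular check-in pattern of a bot. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound firewall log (not real traffic): 10.0.0.7 checks in with
# 203.0.113.9 roughly hourly with little jitter; 10.0.0.5 is ordinary browsing.
FIREWALL_LOG = """\
2009-06-01T08:00:02 ACCEPT src=10.0.0.5 dst=198.51.100.20 dport=80
2009-06-01T08:00:10 ACCEPT src=10.0.0.7 dst=203.0.113.9 dport=443
2009-06-01T08:07:41 ACCEPT src=10.0.0.5 dst=198.51.100.21 dport=443
2009-06-01T09:00:08 ACCEPT src=10.0.0.7 dst=203.0.113.9 dport=443
2009-06-01T10:00:12 ACCEPT src=10.0.0.7 dst=203.0.113.9 dport=443
2009-06-01T11:00:09 ACCEPT src=10.0.0.7 dst=203.0.113.9 dport=443
2009-06-01T11:03:50 ACCEPT src=10.0.0.3 dst=192.0.2.77 dport=6667
"""
# Hypothetical signature feed of destinations already known as command-and-control.
KNOWN_C2 = {"192.0.2.77"}
LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_log(text):
    """Parse the simplified log format above into (time, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, _action, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def signature_hits(events, blocklist=KNOWN_C2):
    """Signature detection: internal hosts that talked to a known-bad destination."""
    return sorted({src for _, src, dst, _ in events if dst in blocklist})

def beacon_hits(events, min_conns=4, max_cv=0.1):
    """Anomaly detection: (src, dst) pairs contacted repeatedly at near-constant
    intervals (low coefficient of variation of the gaps between connections)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap <= max_cv:
            hits.append((src, dst, round(mean_gap)))  # report the check-in period
    return sorted(hits)
```

On real logs the thresholds need tuning against the baseline of legitimate periodic traffic (NTP, update checks, monitoring agents), which is exactly where the correlation the post calls for earns its keep.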
Because the world of attacks is always evolving, those charged with protecting their company’s networks must work diligently to stay one step ahead. Signature-based detection tools, supplemented by behavior-based detection, correlation, and more sophisticated anomaly detection, provide the most comprehensive toolkit currently available for thwarting an attack. However, as organizations acquire more tools, they should build a monitoring framework so that all security devices feed information about attacks into a central correlation system. The ability to look for patterns across hundreds of thousands of log files and devices will increasingly be a key defensive activity.