DDOS continues to change. Reflection DDOS attacks have been around a long time, yet they are responsible for some of the largest DDOS attacks of the past couple of months.
Reflection uses spoofing as one of its methods. The attacker spoofs the victim’s IP address as the source and sends a request for information over UDP. UDP is used because it is connectionless, unidirectional, and a normal communication method between servers, so many servers will respond to such a request natively. The server answers the request and reflects the response to the victim’s IP address. From the server’s perspective the request is normal and appears to have come from the victim. This approach can turn any server running a UDP service into a potential reflector, including DNS, SNMP, game servers, and so on.
The amplification comes from the reflector’s response being much larger than the original request. A DNS request (64 bytes) can result in a very large DNS response of over 3,000 bytes. Now scale a 50 byte request across every reflector you can reach and you end up with a gigabit of traffic coming at you.
It is extremely difficult to stop reflection DDOS. A firewall alone will not be able to stop the packets from saturating your network.
Barrier1 and its patented DDOS protection and Intelligence in Real Time stop reflection DDOS attacks.
• There is a good probability that these source IP addresses have a reputation for involvement in some form of cyber activity. Those addresses that have not been seen before, or that “change”, will most likely come from a known IP range with cyber activity. Barrier1 analytics will identify and block these IP addresses.
• Barrier1 analytics will identify strange or abnormal UDP communication types between servers. Every network has a style of normal communication. Those attributes can be picked up by sensors, and when they change the Barrier1 AARE Analytical Engine will detect and block.
• Barrier1 inspects the complete data stream and can detect attributes. In this case a query string of “ANY” is a clue to a reflection DDOS attack.
• Barrier1 can detect abnormal or non-initiated scans or queries into zones containing DNSSEC data.
• Many servers are set to respond to any IP that sends certain UDP status queries. Barrier1 has sensors looking for these types of attributes, which give clues to a Responder DDOS attack.
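To make the amplification arithmetic above and the “ANY” clue concrete, here is an added example (not Barrier1 code, nor anything from the original post) that parses the question section of a raw DNS query, flags ANY queries, and computes the response-to-request amplification ratio. The threshold value and the sample query are assumptions constructed for the example.

```python
import struct

# QTYPE values from RFC 1035; 255 is the "ANY" query the text singles out.
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}
AMPLIFICATION_THRESHOLD = 10.0   # assumed tuning value, not from the page

def parse_dns_question(packet: bytes):
    """Return (qname, qtype) for the first question of a DNS message,
    or None if the message is truncated or malformed."""
    if len(packet) < 12:
        return None
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:      # compression pointer: not expected in a query name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype

def classify_query(packet: bytes, response_len: int):
    """Flag a query as a reflection/amplification candidate when it asks for
    ANY or when the reply it produced is many times larger than the request."""
    parsed = parse_dns_question(packet)
    if parsed is None:
        return None
    qname, qtype = parsed
    ratio = response_len / len(packet)
    return {
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "amplification": ratio,
        "suspicious": qtype == 255 or ratio >= AMPLIFICATION_THRESHOLD,
    }

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query; used here only to construct sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

A 29-byte ANY query for example.com that draws a 3,000-byte reply scores an amplification ratio of roughly 103, which is the kind of attribute a sensor on the data stream can alert on.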
Barrier1 and its patented Intelligence and DDOS protection platforms in Real Time stop reflection DDOS.
Released this past week was the finding that hackers can infiltrate a network and remain undiscovered. This adds another level to the discussion of how the bad guys get in, stay, capture, remove data, and avoid getting caught. It also explains another reason for the value placed on a set of stolen credentials. The vast majority of systems are not monitoring what type of traffic is going on internally; they are really only looking at who enters.
Once a cyber-criminal is inside a network, they will use lateral moves and disguises as well. Catching a cyber-criminal inside requires the same Intelligence inside as it does outside. The key is to set a baseline of standard behavior. All networks have a fairly stable cadence: each department has rights to go to and view certain areas, files, and information. The goal is to be positioned to see all the traffic, via sensors throughout, as well as the information leaving the organization, including the standard entrance and exit points and Wi-Fi. Then make sure you have the ability to detect change factors, processes, abnormal behavior, and so on.
Intelligence should play a major role in inside security functions as well. As on the outside, cyber attackers will use maneuvers to disguise and conceal. It takes intelligence to put together that an individual in marketing has no business in the daily accounting records or the legal department. In addition, the security platform should alert administrators and security staff to abnormal behavior.
Intelligent Threat Management in Real Time is as important to the inside protection as at the perimeter.
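As an added illustration of the baseline idea above (example code, not Barrier1’s product logic), the following learns which share areas each department normally touches from a constructed access log, then flags later events where a department reaches outside that cadence, such as a marketing user reading the accounting ledger. The log format, usernames and paths are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample access log, one event per line:
# "<timestamp> <user> <department> <resource> <action>".
BASELINE_LOG = """\
2014-11-03T09:01 alice marketing /shares/campaigns read
2014-11-03T09:05 alice marketing /shares/brand read
2014-11-03T09:07 bob accounting /shares/ledger/daily read
2014-11-03T09:30 carol legal /shares/contracts read
2014-11-04T10:12 bob accounting /shares/ledger/daily write
2014-11-04T10:40 alice marketing /shares/campaigns write
"""

# Later events to be checked against the learned cadence.
CHECK_LOG = """\
2014-11-05T11:02 alice marketing /shares/campaigns read
2014-11-05T11:04 alice marketing /shares/ledger/daily read
2014-11-05T11:09 alice marketing /shares/contracts read
2014-11-05T11:15 bob accounting /shares/ledger/daily read
"""

def parse_log(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, dept, resource, action = line.split()
            yield {"ts": ts, "user": user, "dept": dept, "resource": resource, "action": action}

def area_of(resource):
    """Reduce a path to its share area (/shares/<area>) so new files under a
    known area do not alert, while a new area does."""
    parts = resource.strip("/").split("/")
    return "/".join(parts[:2])

def build_baseline(events):
    """Map each department to the set of share areas it normally touches."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["dept"]].add(area_of(e["resource"]))
    return baseline

def find_anomalies(baseline, events):
    """Return events where a department reaches into an area outside its baseline."""
    return [e for e in events
            if area_of(e["resource"]) not in baseline.get(e["dept"], set())]
```

Run against the check log, only alice’s two reads into the ledger and contracts areas are returned; bob’s routine ledger access matches the accounting baseline and stays quiet.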
New Rounds of Data Wiping Malware
Data wiping malware is not new. However, the latest version suggests cyber criminals are altering their strategies and processes just enough to get in.
Prevention discussions still revolve around human intervention, such as:
1. Do not open unknown attachments from people you do not know.
2. Individuals should be able to inspect a web site and decide whether the site is safe.
The irony is that this method of prevention has been suggested for years. If malware is getting past networks put together and secured by professionals, why are we still relying on non-technical individuals to identify it for themselves?
Data wiping malware has attributes that can be detected within the data stream, and this can all be identified in the data stream via machine analytics. Even where this malware has changed or become polymorphic, those attributes are still part of the process. Second, by identifying attributes and adding Intelligent Threat Management, you can identify the process. The additional advantage of Intelligent Threat Management is that you have checks and balances: if one attribute is missed, another is in a good position to identify the attack.
The last part of the human intervention aspect is speed. Even the most intelligent and skilled cyber security experts can no longer identify and block cyber threats at the speed needed today. The world of rapid change and polymorphic attacks can easily defeat reactions that take minutes. Rapid change and never-before-seen events require reaction within microseconds.
Barrier1 Intelligent Threat Management inspects and analyzes all traffic and traffic types, then reacts and blocks within microseconds.
ZeroAccess Bot is another great example of a multi-vector attack. In addition, it has shown resilience due to its flexibility in the use of its CnC component.
First, it really is a Trojan. It is used to download malware and infect machines. Machines are infected via click fraud and bitcoin schemes. To stay hidden, it uses rootkit techniques. ZeroAccess also infects the Master Boot Record and random drivers, which gives the cyber-criminal total control. In addition, it can disable Windows Security Center, leaving no firewall protection and thus the machine wide open.
In true form of today’s cyber-attacks, several attack vectors are used.
1. Social engineering: disguising itself as a legitimate file or including hidden code as an additional payload in an executable.
2. Advertising: click advertising is used to lure the user; once the ad is clicked, the user is redirected to an infected URL.
3. Third parties are hired to install rootkits.
Microsoft’s first efforts were to kill the CnC connection. Not all CnC were using an outbound destination IP; they were using P2P for outbound.
Barrier1 stops ZeroAccess Bot in several ways.
1. Barrier1 has 5 versions of rootkits that are used for inspection.
2. Barrier1 inspects the payload of all packets.
3. Barrier1 analytics are applied to the ENTIRE data stream, analyzed as a whole. So, assuming the first CnC communications used a standard destination and thus showed “odd” outbound handshaking and communications, Barrier1 would block, alert, and learn. When the CnC switches to P2P, Barrier1 would have learned enough from blocking the previous CnC communication to now STOP/BLOCK the P2P version of the CnC. This ability to learn and then apply would also work through a rapid change of source IP addresses throughout a multinational bot network.
Now Sony gaming has been hit again with a DDOS attack. It proves that a DDOS attack can be for hire: a mid-size DDOS attack can be generated for around $100, paid with a PayPal account.
Time to rethink DDOS
Regin malware has just been identified. Like most malware, it is really not new. In many cases, new just means newly found; in reality, the malware has been operating for what is sometimes years.
Regin has several aspects that model former malware. Flamer, Weevil, Duqu, Stuxnet, and others were similar. These early versions introduced the concepts of delivering in stages, having back doors, and being customized for specific targets.
There are 5 stages: the dropper, 2 steps of the loading process, 2 steps for the kernel, and then the payload. A user is tricked into visiting a spoofed version of a well-known web site. The dropper is installed via the web browser or an app. Regin has been found to originate from Yahoo, Instant Messenger, and others. The remote access Trojans use features and processes found years ago and called RATs (remote access Trojans). They are intent on network monitoring, stealing passwords, and overall cyber theft. There are custom-built and modified EVFS files, RC5 encryption, ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocol usage.
Barrier1, with its extensive Intelligent Analytics that deal with the entire data flow rather than individual packets, would identify Regin in several ways.
- RATs were identified several years ago. Barrier1 has remembered how they operate and thus would detect and block.
- Barrier1 has already identified, blocked, and learned about Duqu, Stuxnet, Flamer, and Weevil. The very attributes of these would be identified through the Barrier1 AARE Engine and Analytics.
- Barrier1’s extensive library of rootkits would detect the kernel framework.
- Barrier1 inspects the payload and thus would detect abnormal structures, requests, and behavior.
- The Barrier1 AARE Engine and Analytics would be able to detect spoofed web sites, even those that are NOT on any URL blacklist.
- Barrier1’s extensive library of protocols would detect variants of RC5 and ICMP pings, and the custom TCP/UDP protocols would differ from the accepted RFC specs.
The following are threats to cloud infrastructure:
- Data segregation and session hijacking are threats
- The multi-tenancy model is a great challenge to privacy
- Storage security at the cloud service provider’s data centers is often directly linked
- Traditional breach opportunities do not go away
- Malicious users can sniff network packets and gain extensive insight
- Malicious users can bypass the application logic to access the databases directly
- Cyber criminals have learned to move horizontally, making multi-tenancy vulnerable
- Check your SLA; do not assume service providers will be able to support electronic discovery or internal investigations of illegal activity
- What happens if the Cloud Provider goes out of business?
- Check your SLA: most of the time NONE of an organization’s legal and regulatory compliance responsibilities are transferred to a provider when the organization adopts cloud services.
The cyber kill chain was documented to explain how cyber criminals were getting in. Several years ago, the single-vector cyber-attack gave way to a multi-vector approach. The kill chain also represents a process of events to accomplish the goals set by the cyber-criminal.
These are individual steps. What was not addressed were the rapidly changing, never-before-seen, polymorphic attacks. The principles are the same, but solutions were put in place to perform functions at each stage.
The MISSING link was Intelligence in Real Time. The key attributes of intelligence, as defined in Wikipedia, are knowledge, learning, memory, problem solving, and reaction time. Intelligence delivers the ability to learn and remember what each step in the Cyber Kill Chain did. Therefore, with analysis (problem solving) and knowledge of the TOTAL situation, one can now react and block with extreme accuracy in Real Time.
Barrier1 Intelligent Threat Mgmt. goes beyond UTM, NGFW, Cloud Solutions, and Sandboxing
Intelligent Threat Management in Real Time
goes Beyond Static Analysis and Dynamic Analysis Sandboxes
Over $7B – $20B per year is being spent on network security. Yet it is reported that 8,000 - 30,000 new malware exploits are identified per month. Worse, they are getting through the defenses. UTM, NGFW, sandboxes, and cloud security services were supposed to have fixed or stopped the problem. In addition, there was the belief that if you spent a lot of money on these platforms and extensive vulnerability scans you would be protected.
History has a Clue
Network security was developed on a couple of notable fundamentals. The process went like this:
1. Early attacks were singular in nature, meaning they had one attack vector.
2. Defense designs were first to find and identify the cyber-attacks.
3. The identification process consisted of finding someone who had been the recipient of the attack and then scanning that system.
4. Once found, craft a solution and then distribute the fix. This often took weeks to months.
This process held for viruses, Trojans, bad web sites, and so on. It was the method used by routers with ACL rules and thresholds, firewalls with rules, AV with signatures, web content/URL filtering, IDS with definitions, and so on. That process could take months. As the profit and disruptive motives increased, new vulnerabilities in OSes, applications, and processes were discovered faster and deployed faster. This ushered in new terms for exploits such as zero day, malware, bots, mutation, polymorphic, dynamic, automatic, evasive, rapid evolution, APTs, and so on.
The common themes of this evolution of attacks are:
• Sensors: cyber criminals took some old and some new tools and used them to learn what was in place. They include key loggers, rootkits, threshold techniques, and so on.
• Time compression: new attack types and categories are developed and launched faster.
• Change: once launched, they have the ability to change. That could mean a change in responses, clocking, acknowledgements, required responses, ports, destinations, file structure, and so on.
• Intelligent evasion: packing, encryption, changing the required response time, and changing the fingerprints of the code all alter the outcome.
How did the Cyber Criminals change?
Cyber criminals continued to increase their activities. The increased activity compressed the time it took for new versions and methods. Second, they turned the cyber-attack structure from a single-vector to a multiple-vector approach. Third, cyber-attacks became a process. The process is:
These activities are much like modern-day warfare. Cyber criminals use these steps to learn about their targets, figure out how to get around the defenses, attack, extract the information called for by the objective, and cover their tracks. Over time this process became automated, at speeds that rendered present security solutions useless. Thus, $7B – $30 B is spent and cyber criminals are still getting through.
What is the Security Gap in today’s Approaches?
The fundamental security gaps are:
1. Learning: no real-time learning at the edge of networks
2. Remembering: no one remembers what they found
3. Analysis: no one is analyzing the entire data stream together and as a whole
4. Slow reaction: today’s network speeds require inspection, analysis, and reaction within microseconds
5. Automation: humans can no longer analyze fast enough to be effective
These fundamental requirements are absent in UTM, NGFW, sandboxing, and cloud-based security solutions.
A new category is on the horizon. Some media outlets are calling it the “Breach Detection Market”. So what is this and how would it work? For it to work you will have to (A) identify and block the known cyber attacks and (B) identify and block the never-before-seen cyber attacks, all in real time.
Using real-time Intelligence at the Edge of Networks is the only way.