ShellShock adds another victim

Barrier1, with all of its components, is NOT vulnerable. We identified this 20+ year old vulnerability and have engineered protection against it into Barrier1 from the very beginning.

It is now publicly reported that a major network company is vulnerable:

http://www.theregister.co.uk/2014/09/29/cisco_splats_bash_bug_in_busy_swatting_season/


Cisco has begun its response to the Bash “Shell Shocked” vulnerability, the 20-year-old bug that’s sent the *nix world into a frenzy.

It’s going to be a long slog for the Borg, but in its advisory, Cisco has so far identified 31 individual products vulnerable to Shell Shocked, compared to seven confirmed not vulnerable. Another 23 products are under investigation at this stage.

The vulnerable systems fall under the following categories: three in its network application, service and acceleration line; three in network content and security (the identity services engine, intrusion prevention systems, and its access control server); the Unified Intelligence Center management system; various switches including the Nexus line; unified computing and unified communications products; and a bunch of telepresence products.

DDOS attacks are changing

In 2013 a DDOS exploit known as “Dirt Jump” or “Drive” was discovered. It remains significant today because it is still alive, and is still being updated and improved upon.

Summary of why this DDOS is a process, and why the vast majority of security devices will not catch it:
- It tests network ports for the use of known technology that samples traffic.
- It sends an attack packet crafted to probe for particular features of the edge protection in use and to draw the device's attention onto that packet. The packets that follow are then allowed to slip by as legitimate.
- Long attacks keep a network socket open for an extended period in order to flood it.
- Fewer bytes are required for an attack. Byte attacks and ICMP attacks allow a smaller payload to accomplish a compromise.
- DDOS is now being carried out with short-lived bursts rather than long sustained floods. These smaller attacks are used during a reconnaissance exercise. If they are successful, a full-scale attack is carried out immediately or at a later date.

The key here is not just that it was discovered a year ago. The key takeaway is the methods and processes used.

Barrier1 stops Dirt Jump and other DDOS. Without the ability, at the edge of the network, to learn from and analyze the entire data stream in total (all 7 OSI layers, all protocols, all RFCs, and so on), you will most likely fall victim to today’s DDOS, malware, APTs, and polymorphic attacks.

Barrier1 identifies and blocks Dirt Jump.

Mobile Device Protection

Mobility is everything in today’s world. However, with flexibility comes vulnerability. Peter Stephenson from SC Mag. has a great article on it.

http://www.scmagazine.com/mobile-devices-are-the-new-endpointsand-both-need-protecting/article/360860/

Shellshock- Bash Injection vulnerability

The latest vulnerability, being called “ShellShock”, is creating a lot of hype and fear. The core of this attack goes back several years. Yes, it is serious. Those with outward-facing web servers are at the most risk. This is a layer 7 (application) issue: web servers that use the cgi-bin mechanism to execute bash scripts are exposed, because HTTP headers sent by an attacker are converted into environment variables. SSH can also be used to escape restricted SSH shells.

It appears that Linux, Mac, and BSD are vulnerable.
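To make the header-to-environment step concrete, here is an added example (it is not Barrier1 code and is not taken from any CGI implementation) that maps request headers to CGI meta-variable names the way a gateway does, and then checks header values for the bash function-definition prefix that the Shellshock signature relies on. The sample request and the `SAMPLE_HEADERS` name are constructed for the example; the trailing command in the sample is a harmless `echo`. A check like this only works on clear text, which is the point made below about HTTPS and a reverse-proxy WAF.

```python
import re

# Added example (not Barrier1 code): how a CGI gateway turns request headers into
# environment variables, and a check for the Shellshock function-definition prefix.

def cgi_env_from_headers(headers):
    """Map HTTP headers to CGI meta-variables the way a CGI gateway does
    ("User-Agent" becomes HTTP_USER_AGENT). This is the step that hands
    attacker-controlled header text to the child process's environment."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env

# Pre-patch bash imported any environment variable whose value starts with "() {"
# as a function definition and went on executing whatever followed the closing brace.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

def is_shellshock_value(value):
    """True if a header or environment value begins with the "() {" prefix."""
    return bool(SHELLSHOCK_PREFIX.match(value))

def find_shellshock_headers(headers):
    """Names of request headers whose values carry the Shellshock prefix."""
    return sorted(name for name, value in headers.items() if is_shellshock_value(value))

def find_shellshock_env(env):
    """Names of environment variables (after CGI mapping) that carry the prefix."""
    return sorted(k for k, v in env.items() if is_shellshock_value(v))

# Constructed sample request: ordinary headers plus one carrying the probe pattern
# followed by a harmless echo.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; echo shellshock-test",
    "Accept": "*/*",
}

if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    print("CGI environment:", env)
    print("Suspicious headers:", find_shellshock_headers(SAMPLE_HEADERS))
    print("Suspicious environment variables:", find_shellshock_env(env))
```

Because every header becomes an environment variable, the check has to cover all of them, not just `User-Agent`; `find_shellshock_env` runs over the mapped environment for exactly that reason.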

Barrier1 has always had protection for Bash in our own IDS scripts. Barrier1 does identify and read the stream in HTTP. However, in HTTPS the stream is encrypted and will not be visible to any IDS. Therefore, a true WAF is required. A true WAF is a reverse proxy that terminates the connection and turns the stream into clear text. At that point it is machine readable and can be inspected. The WAF then re-encrypts the stream and sends it on.

Barrier1 with the WAF component will protect against ShellShock.

Cyber Attacks are a process and now more Industry Journalists are picking up on it

We have stated our belief, and designed Barrier1 around it, that cyber attacks are a process. Looking back over the years, the evolution of cyber attacks was based on avoidance. Attacks were singularly focused, a single-vector approach to a discovered vulnerability somewhere in the 7 OSI layers. The buzzwords today are malware and APTs. In reality, malware is made up of viruses, worms, spyware, Trojans, and other singularly minded attacks. They are simply used in a process or sequence that avoids detection, gains access, and then finds the information or performs the task they originally set out to do. In a malware attack, viruses take the role of infecting. Worms take the role of spreading. The Trojan's role is to disguise itself and appear legitimate. Spyware's role is to gather information on the target, such as learning its internet browsing behavior.

The way to identify and block malware is to have sensors in place that can each identify a single component, such as a worm or a virus, and then take the attributes found across ALL of the individual attacks and analyze them in total. That is the first step, and it might be good for a while. The big mistake is NOT REMEMBERING. Malware mutates and changes, so all of the singular inspection will have to be done on a continuous basis.

Barrier1 learns and remembers from each packet.

Are IPS modules Intelligent?

Recently several large prospects were looking for an IPS solution. In years past, IDS was generally teamed with IPS, one for inspection and the other for reaction and blocking. Now there seems to be a belief that the intelligence factor resides in the IPS.

The bottom-line answer is that it might or might not. You have to ask the deep technical questions. In any case, the intelligence is now one of the most important parts, and it needs to be discussed in great detail. Why? Without understanding how the algorithms and analytics work, you will find more false positives, you will find mutated attacks still getting through, and you will find your systems slowing down and NOT being real time.

Are you trying to gain malware and APT protection from the IPS? Are you trying to gain polymorphic discovery and reaction with IPS? By bringing in IPS you are reintroducing OLD concepts and expecting a new set of discussion points. Articulate what it is you are really trying to accomplish.

Malware, APT’s, DDOS, and Polymorphic Should All be in the same Conversation

If you are discussing malware you should be discussing APTs, DDOS, polymorphic attacks, phishing, and so on as well. The principles being used have a lot of similarities. Malware is based on a process. What was once considered an attack was really a single-vector approach to gaining access, visibility, and so on. Now those single attacks are part of a larger process. Add a technique in which a file lies dormant for 30, 45, 60, 80 or more days and you have an APT. Move the web site to another IP address and you have phantom web sites and polymorphic behavior going on.

If we learn what a source is up to with one style, let’s learn from it and remember it; then we are prepared to accurately make the correct decision on whether to allow or block.

DNS Servers under DOS Attack

DDOS attacks using DNS are not new and are fairly simple to carry out. Attackers send queries to name servers across the internet, and those name servers return responses. In addition, attackers spoof the source address, which is easy because DNS is carried over UDP (connectionless). A UDP DNS message can be as large as 4,096 bytes, which allows more data to be used for the attack. DNSSEC shares cryptographic keys and digital signatures in records located in the name space.

The goal should be to first identify a DDOS attack and filter it out. The vast majority of products use threshold approaches to DDOS. That is not adequate for identification, because DDOS attackers will simply lower their rate for a period of time to just underneath the threshold.
Barrier1 has a patent pending solution that is unique to the industry.
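The threshold-evasion point above is easy to demonstrate with a resolver-side view of DNS traffic. The following is an added example, not Barrier1 code and not a description of its patent-pending method: it compares a classic per-second query threshold with a detector that remembers per-client response volume over a longer sliding window. The records, client addresses, sizes and limits are all constructed for the example; the abusive client is deliberately held at 9 queries per second against a 10-per-second threshold, each drawing a response close to the 4,096-byte UDP size mentioned above.

```python
from collections import defaultdict

# Added example (not Barrier1 code). Resolver-side view of DNS traffic as constructed
# records: (t_sec, client_ip, qtype, query_bytes, response_bytes).

def build_sample_records():
    records = []
    for t in range(30):
        # Abusive client: 9 ANY queries per second, each drawing a ~4,000-byte UDP
        # response, deliberately held just under a 10-per-second threshold.
        for _ in range(9):
            records.append((t, "198.51.100.7", "ANY", 64, 4000))
        # Ordinary client: 2 small A lookups per second.
        for _ in range(2):
            records.append((t, "192.0.2.10", "A", 45, 100))
    return records

def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the (possibly spoofed) source per byte the sender had to send."""
    return response_bytes / query_bytes

def flag_by_rate(records, per_second_limit):
    """Classic threshold: a client is flagged if it exceeds N queries in any one second."""
    counts = defaultdict(int)
    for t, ip, _qtype, _qb, _rb in records:
        counts[(ip, t)] += 1
    return sorted({ip for (ip, t), n in counts.items() if n > per_second_limit})

def flag_by_byte_budget(records, window_sec, byte_budget):
    """Remember per-client response volume over a sliding window so that a steady
    stream held just under the per-second rate still trips the detector."""
    by_ip = defaultdict(list)
    for t, ip, _qtype, _qb, rb in records:
        by_ip[ip].append((t, rb))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        start, total = 0, 0
        for t, rb in events:
            total += rb
            # Drop events that have fallen out of the window (t - window_sec, t].
            while events[start][0] <= t - window_sec:
                total -= events[start][1]
                start += 1
            if total > byte_budget:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    recs = build_sample_records()
    print("amplification of one ANY query:", amplification_factor(64, 4000))
    print("flagged by 10/s threshold:", flag_by_rate(recs, 10))
    print("flagged by 500 KB per 30 s budget:", flag_by_byte_budget(recs, 30, 500_000))
```

The per-second threshold never fires, while the windowed byte budget flags the abusive client within the first few seconds of the run; in practice the window and budget are tuned per resolver, and the query type and amplification factor can be folded into the score as well.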

Barrier1 protects against All forms of DDOS.

JP Morgan compromise

JP Morgan announced they were hacked this week. What are the common themes we have heard and seen before?
1. The attacks were carried out over a period of time. Slow, low, and not flashy.
2. Reconnaissance discovered the vulnerabilities.
3. Once inside, they were able to move horizontally.
4. Getting the information out went via CnC, directed through multiple servers in multiple countries, which then relayed it to Russia. The CnC connections also changed in method: destination address, ports, P2P, and so on.
5. Zero-day.

How to stop it?
1. Learn and remember from the reconnaissance. During recon they are just figuring out thresholds, cadence, and so on. Everyone probably blocked it but did NOT remember or learn from it.
2. Understand what normal behavior is for your network. Horizontal movement is detectable and can be stopped. For example, is there any reason a marketing server would be sending out financial data, customer records, or even certain types of file formats?
3. The actual attacks will not come from the same IP address as the recon. But you can learn the relationships, or notice that the cadence has changed for no reason.
4. Zero-day code. Today’s speeds allow for nothing but automation, not eyes on a screen. You will have to automate and be able to inspect, analyze, and react within microseconds.
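Points 1 and 3 above, and the "NOT REMEMBERING" point in the earlier section on cyber attacks as a process, come down to keeping state about a source after it has been blocked. The following is an added example, not Barrier1 code and not a description of its engine: a small source memory that records blocked reconnaissance per /24 network, forgets it after a retention period, and escalates later activity from a related address instead of treating it as a fresh, unrelated event. The events, addresses, retention period and the "probe"/"login_attempt" kinds are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Added example (not Barrier1 code). Events are constructed as (day, source_ip, kind),
# where kind is "probe" for reconnaissance traffic and "login_attempt" for later activity.
# Events are assumed to arrive in chronological order.

def build_sample_events():
    return [
        (1, "203.0.113.5", "probe"),             # low-and-slow recon, one probe a day
        (2, "203.0.113.5", "probe"),
        (3, "203.0.113.5", "probe"),
        (40, "203.0.113.77", "login_attempt"),   # sibling address in the same /24
        (40, "198.51.100.9", "login_attempt"),   # unrelated source
    ]

class SourceMemory:
    """Keeps a record of blocked reconnaissance per source network so that later
    activity from a related address is escalated instead of treated as new."""

    def __init__(self, retention_days=90, prefix_len=24):
        self.retention_days = retention_days
        self.prefix_len = prefix_len
        self.recon_days = defaultdict(list)   # network -> days on which recon was seen

    def network_of(self, ip):
        # Group sources by /24 so that a later attack from a neighbouring address
        # is still related to the remembered recon.
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def observe(self, day, ip, kind):
        net = self.network_of(ip)
        # Forget recon older than the retention period.
        self.recon_days[net] = [d for d in self.recon_days[net]
                                if day - d <= self.retention_days]
        if kind == "probe":
            self.recon_days[net].append(day)
            return "block"          # a threshold-only device stops here and forgets
        if self.recon_days[net]:
            return "escalate"       # related to remembered recon: not a new source
        return "allow"

def run(events, retention_days=90):
    """Verdict for each event, in order, with memory carried between events."""
    mem = SourceMemory(retention_days=retention_days)
    return [mem.observe(day, ip, kind) for day, ip, kind in events]

if __name__ == "__main__":
    for event, verdict in zip(build_sample_events(), run(build_sample_events())):
        print(event, "->", verdict)
```

The same structure extends to other relationships the page mentions, such as cadence: replacing the list of days with timestamps lets the memory notice that a source's probing rhythm has changed rather than only that it exists.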

That is Barrier1

Barrier1 Intelligence tied into various SIEMs

Barrier1 has now been tied into 3 SIEM platforms. They include Nitro, ArcSight, and Splunk. This combination brings the reporting depth of a SIEM and the Real Time Intelligence and Reaction of Barrier1.