In the ethereal world of the Internet, an underground crime war is being silently waged between the cyber-criminals and those trying to stop them, reports Nick Ray, CEO of Prevx.
A war that is undermining the interests of corporations and governments worldwide and one that bears no regard for innocent victims. In fact, the victims are purposely targeted, unwittingly press-ganged into becoming foot-soldiers helping to spread spam, attack large companies and unknowingly distribute illegal porn and copyrighted materials. Nowadays, cyber-attacks and automated hacking tools work so fast and efficiently that the enemy is winning. Something needs to be done.
A few years ago, cybercrime was the preserve of small groups of disaffected teenagers looking to infiltrate large organizations to highlight loopholes in IT policy, or at worst to vandalise websites. Sadly, such seemingly innocent motives are now a thing of the past, as hackers and writers of malicious programs have fallen into the employ of a dangerous master, the organized criminal. The script kiddy has grown up and he wants more than just pocket money.
In certain countries such as Brazil and the old eastern bloc countries, where laws governing cybercrime are non-existent, organised syndicates funded by cybercrime are booming. These countries have an abundance of skilled IT workers and programmers and, in this case, crime pays very well. Criminals are earning millions by covertly installing Trojans and spyware onto the home PCs of unsuspecting home users, stealing bank and credit card details and even entire identities. This is not only theft on a personal level but also stretches to global scale extortion, as illegal porn, music and software are distributed from company servers. Even websites are held to ransom. More than 90 per cent of malicious code circulating on the Internet is now for personal gain. And they are gaining. Estimates put the cost of Internet crime at somewhere around £200 billion worldwide at the end of 2004.
This pool of talent means the development of malicious programs is progressing at lightning pace. The latest weapons in the cybercriminal’s arsenal are one step ahead of their enemy. Automated hacking tools are a prime case in point. Using channels such as instant messaging, hackers can command distributed systems to automatically scan the Internet for vulnerabilities and initiate new attacks based on those flaws. Such new programs are hard to detect and employ advanced techniques which allow them to mutate automatically to avoid detection. Another example is spyware such as the infamous CoolWebSearch, which bypasses even the most recently released security software and completely takes over a user’s machine, causing numerous pop-ups and crippling Internet Explorer.
Traditional security software is inherently reactive, which means the cybercriminal is forever one step ahead. The conventional signature-based approach, which involves maintaining a library of characteristics of each and every malicious attack, is fast falling behind. The speed of attack and propagation is such that patches simply cannot be issued quickly enough. It is feared that patching is fast becoming a token gesture by the anti-virus companies, as the cybercriminal can infect and recruit tens of thousands of computers in the period between first sighting a new attack and the patch being released and implemented. Even then, hackers devise new variants and mutations, making any patch obsolete. Truly a case of closing the door after the horse has bolted.
Change in approach
Clearly, winning this new cyber war is going to require a fundamental change in the approach adopted to date. Most attack mitigation technologies – intrusion detection, anti-virus and spyware clean-up technologies – are simply too reactive. An elementary change in approach is needed to address this problem; this points towards the need for two things: a move away from the signature-based approach, and an early warning system.
This is where Intrusion Prevention Systems (IPS) come into their own. IPS is a proactive solution designed to address the problems of the signature-based approach. Instead of relying on signatures, these systems recognise the actual behaviour used by the attack and, by constantly monitoring key system areas, block an attack from executing. This means that IPS can provide complete protection against zero-day worms, Trojans, spyware and other hacker attacks by automatically stopping any activity that it sees as malicious. If signature-based technologies are the equivalent of a security guard protecting you solely against known criminals, IPS is the intelligent guard that recognizes and stops criminal acts, without needing to recognize the perpetrator’s face.
Another valuable tool to protect against this new breed of fast moving attack is an early-warning system. In the digital age, information is key and to have a high-level view of any breaking Internet threat in real-time would provide precious intelligence. If such a tool had been in place at the time the Sasser worm started its march across cyberspace, it would have been possible to warn computer users worldwide, potentially saving billions of dollars in damage.
With the introduction of IPS technology comes the potential to create such an early warning tool – a tool much more powerful than current threat monitors that only report on known attacks blocked by existing security measures. With an IPS network, each computer would act as an agent, reporting precise details of malicious attacks to a centralized database. With a large enough network of agents, it is possible to create an overview of attacks taking place across the entire Internet. Using this data, it is possible to see, in real-time, emerging patterns of cyber-attacks as they happen, making it possible to warn computer users across the world of a new attack as it happens.
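As an added illustration of the agent-and-central-database idea above (example code, not Prevx's product or the article's own), this toy aggregator takes behaviour reports from endpoint agents and raises a warning the first time a behaviour class is blocked on enough distinct agents inside a time window; the field names, thresholds and sample feed are constructed assumptions.

```python
# Added example (not Prevx code): toy early-warning aggregator. Each IPS
# agent reports the behaviour class it blocked; the central service warns
# once a behaviour is seen on enough DISTINCT agents inside a time window.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentReport:
    agent_id: str    # endpoint whose local IPS blocked the activity
    ts: int          # seconds since epoch (constructed values below)
    behaviour: str   # behaviour class the IPS blocked, not a signature

class EarlyWarning:
    def __init__(self, window_s: int = 600, min_agents: int = 3):
        self.window_s, self.min_agents = window_s, min_agents
        self._seen = defaultdict(dict)  # behaviour -> {agent_id: last ts}
        self.warned = set()

    def ingest(self, r: AgentReport):
        """Record a report; return a warning the first time this
        behaviour crosses the distinct-agent threshold, else None."""
        seen = self._seen[r.behaviour]
        seen[r.agent_id] = r.ts
        for agent, ts in list(seen.items()):   # expire stale agents
            if r.ts - ts > self.window_s:
                del seen[agent]
        if r.behaviour in self.warned or len(seen) < self.min_agents:
            return None
        self.warned.add(r.behaviour)
        return (f"EMERGING: '{r.behaviour}' blocked on {len(seen)} "
                f"agents within {self.window_s}s")

def sample_run():
    """Constructed feed: one fast spreader, one lone host, one slow trickle."""
    feed = [
        AgentReport("host-a", 1000, "mass_port445_scan"),
        AgentReport("host-b", 1010, "mass_port445_scan"),
        AgentReport("host-a", 1020, "mass_port445_scan"),   # repeat host
        AgentReport("host-c", 1030, "browser_homepage_hijack"),
        AgentReport("host-d", 1040, "mass_port445_scan"),   # 3rd host: warn
        AgentReport("host-e", 1050, "mass_port445_scan"),   # already warned
        AgentReport("host-f", 1100, "autorun_key_write"),
        AgentReport("host-g", 2000, "autorun_key_write"),   # host-f expired
        AgentReport("host-h", 2100, "autorun_key_write"),   # only 2 in window
    ]
    ew = EarlyWarning()
    return [w for w in map(ew.ingest, feed) if w]
```

Counting distinct agents rather than raw reports keeps one noisy host from faking an outbreak, and the window keeps a slow trickle of isolated infections from triggering a global warning.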
As opportunities for exploitation on the Internet grow, so criminals become smarter and develop ever-faster and more complex methods of attack. Traditional methods of protection are fast becoming obsolete and the need to find an all-encompassing solution is paramount. By coupling the most forward-looking security methods with an early warning system, we are approaching an age where the IT security industry can finally compete on a level playing field, providing both information and protection against such threats. If not, then 2005 will surely be the year of the hacker.
Prevx is exhibiting at Infosecurity Europe 2005, the information security event, now in its 10th anniversary year. There are 250 exhibitors and 10,000 visitors from every segment of the industry. It is held on April 26 to 28 in the Grand Hall, Olympia, west London.