March 16, 2012

Cybersecurity – Beyond the Threat Signature File

Over the past couple of years cybersecurity has gotten a lot of attention, and justifiably so. With Stuxnet, the advanced malware targeted at industrial control (SCADA) systems, we saw that hackers now have the ability not just to deface websites or steal credit card numbers, but to cause real harm in the physical world as well. When those 1000+ uranium centrifuges started blowing up like popcorn in Natanz, it was a shot heard round the world. When you reflect on the critical infrastructure run by SCADA systems, things such as factories, power plants and water treatment systems, cybersecurity becomes a concern not just for IT departments and compliance folks but for society as a whole.

Cybersecurity has traditionally been a bit of a Whack-A-Mole game. Hackers find new, or zero day, exploits and vendors scramble to patch vulnerabilities and update signature files. A lot of security depends on signature files, basically lists of strings that the security system looks for in the data flow. Let’s say, for example, that a new exploit involves sending a URL to a certain webserver with a certain string appended, for example, UNION SELECT user-name, password FROM USERS.

The bit after the question mark is an attempt at an SQL Injection exploit, where an evildoer does bad things to a back-end database by sending SQL commands via the front-end webserver. While in the best of all possible worlds the front-end systems would reject bad requests, in the real world they often get passed on, with pwnage as a result. To help stop this, a security vendor might search incoming data flows for strings like “?productid=123 UNION SELECT user-name, password FROM USERS” and block them.

This of course encourages the hacker to figure out ways to obfuscate the same basic attack, some more transparent than others. For example:

Filtered injection:

1 || (select user from users group by user_id having user_id = 1) = 'admin'

Bypassed injection:

1 || (select substr(gruop_concat(user_id),1,1) user from users ) = 1

Other attempts are considerably less human readable, such as this example from SANS:

declare%20@s%20varchar(4000);set%20@s=cast(0x6445634c417245204054207661526368615228323535292c40632<snip>long string of numbers...</snip>55f435552736f7220%20as%20varchar(4000));exec(@s);--

Source reputation, knowing which hosts and networks have a history of bad behavior, is one way around this type of obfuscation. Think of it this way: you know that certain people are shady and others are not. If you are a cop, you can either wait for bad things to happen, which is like getting the hose after your house is engulfed in flame, or you can proactively engage shady folks when you see them on your beat. Guess which one is more likely to have positive results?

With APTs (Advanced Persistent Threats), governments and well-funded organizations are now arming themselves with zero day exploits with an eye on attacking specific targets, which have come to include organizations with advanced technology in the defense industry. With the stakes higher than ever, both IT and national defense are very interested in looking at ways to defend large, high bandwidth networks from various kinds of attacks, including zero day and obfuscated threats that APTs might employ to get around signature-based threat detection.

With considerable pride, we announced on 15 March 2012 that a DARPA sponsored effort hosted by the Johns Hopkins University Applied Physics Laboratory, the Scalable Network Monitoring Program, is using Extreme Networks gear, including the Summit® X670, in their high speed network. The Scalable Network Monitoring Program is designed to verify and validate new security technologies that don’t rely on traditional signature-based detection. We encourage you to read the whole press release.

About The Contributor:
Extreme Marketing Team