Targeted attacks exploiting endpoint vulnerabilities are becoming more and more common and increasingly aggressive.
For this reason I could not help but notice the latest report from NSS Labs, which deals with the capability of 13 consumer-grade AV products to protect against two critical Microsoft vulnerabilities (CVE-2012-1875 and CVE-2012-1889). Successful exploitation of these critical vulnerabilities could result in arbitrary remote code execution by the attacker, leading to very harmful consequences for the victim, such as its machine becoming part of a botnet. Unfortunately a very common scenario in these troubled days.
Even if these vulnerabilities are a couple of months old (and patched), the resulting report is not so encouraging, and renews the dramatic question: are endpoint protection technologies, on their own, capable of offering adequate protection in the current cyber-landscape?
Probably not, considering the findings, which are quite frustrating:
- Only 4 of the 13 products blocked all attacks: exploit prevention remains a challenge for most products;
- More than half of the products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop AV / host intrusion prevention system (HIPS);
- Researchers are not the only ones testing security products: criminal organizations also have sophisticated testing processes in order to determine which product detects which malware, and how the various products can be evaded. Some crimeware (already) includes various one-click buttons to “Bypass VendorX,” for example.
Ok, you might argue that only consumer-grade AV products were tested, so enterprise organizations are not so exposed to exploit attacks. Mmh… Do not jump to conclusions, as I believe the reality is quite different and enterprise organizations are even more exposed, for the following reasons:
- More and more organizations are approaching the BYOD philosophy, in which users are free to use their own devices. Even worse, too often these devices are equipped with outdated EPPs (how many organizations enforce NAC policies to check the integrity of the endpoint?).
- Most of all… If cyber criminals have sophisticated testing processes in place, aimed at testing the detection capability of the various products, why should they use them only against consumer products and not (also) against the far more appealing enterprise crime market?
Yes, I definitely believe endpoint protection technologies, on their own, do not offer adequate protection for exploit prevention, and the time has come for Advanced Threat Detection/Prevention technologies (like Lastline :-)).
Arbor Networks and Radware, probably the two leading vendors focused on DDoS prevention and mitigation, have just published, almost simultaneously (probably not a coincidence), their 2011 reports, which analyze, with similar methodologies applied to different stakeholders, the DDoS phenomena observed during the last year.
These reports are particularly meaningful since they come at a moment in which the waves of DDoS attacks unleashed by OpMegaUpload are not completely gone. To all the (too) many information security professionals whose sleep is disturbed by the booms of the Low Orbit Ion Cannons, I suggest taking a look at both documents:
- 2011 Worldwide Infrastructure Security Report issued by Arbor Networks;
- 2011 Global Application & Network Security Report issued by Radware.
As a matter of fact both reports provide a really interesting overview of this kind of attack, which has become the flagship of the hacktivism movements.
From a methodological perspective both reports provide the results of a survey: the one conducted by Arbor Networks consisted of 132 free-form and multiple-choice questions, covering a 12-month period from October 2010 through September 2011, whilst the one conducted by Radware consisted of 23 questions concerning the DDoS attacks faced in 2011.
The participants in the Arbor Networks survey included 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, whilst the participants in the Radware survey included 135 organizations of large, medium and small size.
Although the targets of the surveys were not completely homogeneous, and the analyzed time windows were not exactly the same, I spent some time comparing the results. In both cases the message is clear: DDoS attacks are becoming more and more complex, but the two vendors came to the same conclusion with a substantial difference. Does size really matter?
Hacktivism on top
In both cases hacktivism ranks at number one among the attack motivations. 35% of the Arbor Networks participants reported political or ideological attack motivations as the most common, immediately followed by Nihilism/Vandalism (31%). Analogously, 22% of the Radware participants indicated a political/hacktivism motivation behind the attacks, immediately followed by “Angry Users” (12%). Curiously, 50% of the Radware participants indicated an unknown motivation, against 19% of the Arbor Networks participants. Although hacktivism undoubtedly ranks at number one, the differences are not surprising: albeit the questions aimed to obtain the same information, they were slightly different. In one case (Arbor Networks) participants were asked to indicate the attack motivations they considered common or very common; in the other case (Radware) participants were asked to indicate which motivations, from a defined list, they considered to be behind the DoS/DDoS attacks they experienced. Moreover, the different samples of participants may offer a further explanation: Arbor Networks participants are mainly operators, which have more sophisticated equipment to detect and counter attacks, while Radware participants are heterogeneous organizations of different sizes, so their responses may be “tainted” by emotive considerations or by a less mature technological culture.
DDoS Attacks are becoming more and more complex assuming the nature of APTs
I was particularly impressed by a statement found in the Radware report: “The nature of DoS / DDoS attacks has become more of an Advanced Persistent Threat (APT) and, therefore, much more serious.” The report is even more explicit and suggests that, for instance, during a DDoS attack perpetrated by Anonymous there is an outer ring formed by volunteer, self-taught hackers who use LOIC or similar tools (too often without any precautions), and an inner circle formed by skilled hackers who have access to more sophisticated attack methods and tools. The Arbor Networks report substantially agrees with this statement, using the term Multi-Vector DDoS and emphasizing a shift to Application Layer (Layer 7) DDoS attacks. In both cases HTTP is the preferred protocol for conveying Application Layer DDoS.
Size matters! Or not?
It is interesting to notice the opposite positions of the two vendors with regard to the importance of size for DDoS attacks. Radware does not consider the size of the attack as the primary factor: the first myth to be debunked is that average organizations necessarily experience intense attacks (according to Radware, in the observed period 32% of attacks were less than 10Mbps, while 76% were less than 1Gbps); the second myth to be debunked is that the proper way to measure attacks is by their bytes-per-second (BPS) and packets-per-second (PPS) properties. A smaller HTTP connection-based attack can cause more damage with much less traffic than a “traditional” UDP attack.
Arbor Networks has quite a different opinion: its respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis. Moreover, the highest-bandwidth attack observed by respondents during the survey period was a 60 Gbps DNS reflection/amplification attack, which however represents a 40 percent decrease from the previous year in terms of sustained attack size for a single attack.
In the end…
There are few doubts about the fact that DDoS attacks are becoming multi-layered and more and more complex, and that they are mainly motivated by hacktivism. There are also few doubts about the fact that technology is mature enough to provide crucial support in mitigating them. In any case, there is a further element to take into consideration, that is the human factor: as usual, technology is useless if the IT staff is not prepared to face such attacks, gaining adequate awareness in terms of procedures and (I would say) culture. As Radware stated, “the very public attacks last year raised awareness of DoS / DDoS and made organizations acquire better and more capable mitigation solutions”, but maybe that is not enough…