Security technology by its very nature has been reactive and defensive. It works only after a cyber threat has been identified and classified. But that leaves a huge amount of maneuvering room for cyber criminals to attack, grab loot, and make a getaway.
Malware has increased exponentially in the last few years, forcing the security industry into a “bunker mentality.” Even as malware spreads, arrests and shutdowns remain few. The reactive and defensive strategy is clearly failing. The internet, says David Marcus, director of security research at McAfee, is not getting safer. That means it’s time to consider “offensive security,” according to a new report from antivirus experts at McAfee.
“As we look at the evolution of risky domains and websites over multiple years, we can’t avoid the conclusion that the risk keeps increasing in both volume and sophistication,” said Marcus. “If we want to stop being victims, then the good guys need to advance security efforts as threats evolve.”
Shun and stun offensive tactics
Brian Krebs, security writer at Krebs On Security, writes in the McAfee report that offensive security kicked off in 2007, when security firms collected evidence, identified a Russian malware operation, and convinced its internet service providers to cut it off. This is what he dubbed a “shun” operation against the Russian Business Network in St. Petersburg. The operators identified a consistent producer of hostile threats to security and took it down, forcing it to scatter and regroup. The “shun” offensive tactic effectively isolates a criminal enterprise, cutting off its access to victims. But the bad guys are figuring out how to respond; the most recent variant of the Conficker worm uses encrypted peer-to-peer systems to enable it to reconnect with its botnet command structure even after it has been cut off.
Krebs writes that a “stun” offensive tactic, which focuses on finding weaknesses in the herds of computers, or botnets, could be helpful. Researchers map out as much of the botnet’s core infrastructure as possible and then move to unplug it all at once. In November, 2008, Krebs notified two internet service providers that were hosting much of the botnet dubbed McColo. They disabled it, taking down a botnet with hundreds of thousands of computers, if not more. The result was a huge, if temporary, decline in the amount of spam that was sent over the internet for a period of months.
Then, in May, 2009, the Federal Communications Commission orchestrated the takedown of 3FN, a hosting company associated with a huge spam botnet. More takedowns have been executed since then. The reassuring thing is that the takedowns can happen quickly, given good research, and they can disable botnets that took a long time to assemble.
Krebs notes that it isn’t just government agencies and law enforcers who can engage in these “shuns and stuns.” Rather, corporations with a vested interest in stopping malware can do so as well.
Writing in the same report, McAfee security analysts Ryan Permeh and Brandon Edwards argue that it’s time for the antivirus research community to become more intimately familiar with the activities of criminal hackers and then use their techniques to create better security products. They aren’t saying that security tech firms should hire cyber criminals to teach them tricks, but they are saying that good-guy hackers should be hired, as they commonly already are, to do penetration testing. That is, they attack a corporation, but they have a get-out-of-jail-free card because they have been hired by the company to test its security. The problem is that many companies don’t attempt to understand how cyber attackers work, so they have no idea how to defend against them.
Igor Muttik, a senior architect at McAfee Labs, argues in the report that collaboration across the industry, law enforcement, media, consumers and government agencies is necessary to take the battle to the cyber criminals. Max Kelly, former chief security officer at Facebook, argued the same point last week at the Defcon security conference.
Sounds like a good idea, but easier said than done. The hard part is collaborating in real time, as cyber attacks happen instantaneously and everyone has to move fast to catch the bad guys. ICANN, the Internet’s governing body, could do more to stop internet abuse, the researchers argue. Email programs also need a complete overhaul, as they are the main way spam is spread. Investigators can also focus on identifying drop accounts, where stolen data is stored, and shutting them off. Users who don’t protect their machines are also a huge problem, as their machines are easily hijacked and turned into the zombie computers used in botnets.
“If we do not succeed in stopping the malware flood, in a few years we could see more malware created than legitimate programs,” Muttik says.