On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron <[EMAIL PROTECTED]> wrote:
>So, what I am going to talk about... A tad bit of history on vulnerabilities and their use on the Internet, and then, what we are going to see on corporate, ISP and Internet security relating to botnets this coming year.
>
>Vulnerabilities don't exist for the sake of vulnerabilities. They are used for something, they are a tool. Botnets are much the same, using vulnerabilities on the next layer.
>
>This past year we have seen how disclosed vulnerabilities, patched vulnerabilities and 0days have been utilized by automated kits. An inter-linked system of websites which download malicious code (update the kits), try to infect millions of users from just a couple dozen main hubs, and react to the environment.
>If a certain vulnerability is seen to be more successful on certain OS types or if one is found to not work, the kit will be fixed accordingly and distributed. Often immediately after a patch Tuesday, likely that same Friday evening.
>
>This way, income can be maximized with the number of infections, data stolen and thus ROI. Both from the expected response time of the vendors as well as how many victims can be reached in that window.
>
>One such kit is Webattacker, which has recently been getting more known in public circles.
>
>Where we are
>
>That does it, botnets are mainstream. People did not yet understand the idea that software vulnerabilities facilitate an attack (=are not the attack) and botnets facilitate much the same, only on a different level. I will discuss that further after what interests everybody.
>
>Solutions in the coming year!
>
>First, many products in the industry have been implemented successfully in the past, just as solutions of necessity, not "products". Some were successful, some failed. Some (services) have been supplied to the rich and connected, some haven't.
>Botnets are now main-stream, which means other lesser beings and corporations want these services. They want to be protected in a hostile world. They realize the Internet is not a safe place, and plan accordingly.
>
>Services we will see more and more of:
>*. Intelligence (very limited), showing IP addresses for botnet command and control (C&C) servers, which your computers may be connecting to (i.e. compromised).
>*. Intelligence (very limited), showing IP addresses that you control which show in spam (meaning compromised hosts) or show in other ways in botnet data being collected. Mostly, this is spam-oriented and the rest of the intelligence is barely noticeable as of yet.
>*. Intelligence (very limited) on the millions on millions of credentials (for sites, credit cards, banks, eCommerce systems, etc.) and identities being stolen every single day by massive phishing man-in-the-middle trojan horses.
>*. Intelligence (very limited) other black listing services.
>
>In the past, a limited version of these services was provided, but very secretly, and at a very high cost.
>
>Products:
>
>Botnet products on the network can either detect internal problems (such as bots on the corporate or ISP network or the spreading of infections) or external problems (such as C&C servers or attacks from the world). These can be based on behavior or intelligence.
>
>Solutions, which we discussed in the past and are now going to manifest:
>
>Intelligence-based (until now only supplied by select groups to select groups) -
>*. Known bad IPs. Etc. Much like in spam, only for other realms.
>*. Known bad URLs or domain names. Etc. Much like in spam, only for other realms.
>
>Detection -
>*. IDS approach (decent but not even close to cutting it),
>*. DNS monitoring approach (very cool, but is just one approach in a layered solution).
>*. Netflow approach (proven for years now, only one approach, however useful, which is growing more limited every day).
>
>Respond and quarantine -
>*. Walled garden approach (close off/limit suspicious or confirmed compromised computers until they clean themselves. Not successful in current solutions, shows promise).
>*. Try to fix the situation remotely (solve the vulnerabilities, etc. ahead of time or remove after the fact).
>
>There are several others, but these are the main ones describing the 10 or so products we are about to see (all of which are already available publicly as open source, privately developed tools or unsuccessful solutions due to lack of client awareness and interest).
>
>QoS, virtualization and half decent intelligence gathering will come next. Other solutions I will not waste breath speaking of right now, they will appear for public consumption once the effectiveness of the solutions above (or the better ones there) is done to dust.
>
>What's next?
>
>Decent, real decent, intelligence, and support response tools to mitigate what you find in conjunction with a response team trained to deal with thousands of real incidents rather than mark check-lists on a couple an hour to a couple a month. That's simply not being aware of what's happening in your network.
>Many of the CERTs and SOCs are very trained and high quality, they are not equipped or don't see what they need to react to nor in most cases are built to deal with this threat.
>
>What's never going to happen?
>
>With security done right, on a wide-scale, with a decent systems design, network, policy, monitoring and response - a lot can be done and 0days can also be avoided, even (and especially) with business concerns being put first.
>
>Gadi Evron,
>[EMAIL PROTECTED]
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

If Hitler was alive and a hacker, do you think your box would be working, Gadi?
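The intelligence-based detection the quoted message lists (known bad C&C IPs and domains matched against DNS monitoring and netflow data), as an added example that is not part of the original thread. Every indicator, host and log line below is constructed for illustration; the feed format and the `suspect_hosts` helper are assumptions, not any product's API.

```python
# Added example (not from the original post): a minimal intelligence-driven
# detector matching internal hosts' DNS queries and flow records against a
# known-bad C&C list. All indicators and log lines are constructed
# placeholders (RFC 2606 / RFC 5737 reserved names and ranges), not real IoCs.
import re

# Constructed intelligence feed: hypothetical C&C domains and IPs (placeholders).
BAD_DOMAINS = {"cnc.example.invalid", "update.example.invalid"}
BAD_IPS = {"192.0.2.10", "198.51.100.7"}

# Constructed BIND-style query log lines from the monitored resolver.
DNS_LOG = """\
24-Oct-2006 10:52:58.123 client 10.0.0.5#3456: query: cnc.example.invalid IN A +
24-Oct-2006 10:53:01.004 client 10.0.0.9#4444: query: www.example.com IN A +
24-Oct-2006 10:53:02.221 client 10.0.0.7#5555: query: mail.update.example.invalid IN A +
"""

# Constructed flow records exported as CSV: src_ip,dst_ip,dst_port,bytes
FLOW_LOG = """\
10.0.0.5,192.0.2.10,6667,1200
10.0.0.9,203.0.113.4,443,9800
10.0.0.12,198.51.100.7,8080,300
"""

DNS_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")


def domain_is_bad(name: str) -> bool:
    """True if name equals, or is a subdomain of, a listed C&C domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BAD_DOMAINS)


def suspect_hosts(dns_log: str = DNS_LOG, flow_log: str = FLOW_LOG) -> dict:
    """Map each internal host to the sorted indicators it was seen contacting."""
    hits: dict = {}
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and domain_is_bad(m.group(2)):
            hits.setdefault(m.group(1), set()).add(m.group(2))
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, port, _ = line.split(",")
        if dst in BAD_IPS:
            hits.setdefault(src, set()).add(f"{dst}:{port}")
    return {host: sorted(iocs) for host, iocs in hits.items()}


if __name__ == "__main__":
    for host, iocs in sorted(suspect_hosts().items()):
        print(f"{host}: {', '.join(iocs)}")  # candidates for the walled garden
```

The output is a candidate list for the "respond and quarantine" step, not a verdict: a resolver-only match (10.0.0.7 above) still needs the netflow or host-side confirmation the message says a layered solution requires.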