Re: [Full-disclosure] Vulnerability automation and Botnet solutions I expect to see this year
*. Gadi Intelligence (very limited)

On 10/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron [EMAIL PROTECTED] wrote:
> [full quote of the original post; see the original message below]
Re: [Full-disclosure] Vulnerability automation and Botnet solutions I expect to see this year
On 10/27/06, poo [EMAIL PROTECTED] wrote:
> *. Gadi Intelligence (very limited)

You are just jealous that he has a job in infosec, and you are a 3rd shift helpdesk technician.

I guess the official ratio of trolls to normal people has passed 1:1 on FD, sweet!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerability automation and Botnet solutions I expect to see this year
On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron [EMAIL PROTECTED] wrote:
> [full quote of the original post; see the original message below]
[Full-disclosure] Vulnerability automation and Botnet solutions I expect to see this year
So, what I am going to talk about... A tad bit of history on vulnerabilities and their use on the Internet, and then, what we are going to see on corporate, ISP and Internet security relating to botnets this coming year.

Vulnerabilities don't exist for the sake of vulnerabilities. They are used for something, they are a tool. Botnets are much the same, using vulnerabilities on the next layer.

This past year we have seen how disclosed vulnerabilities, patched vulnerabilities and 0days have been utilized by automated kits. An inter-linked system of websites which download malicious code (update the kits), try to infect millions of users from just a couple dozen main hubs, and react to the environment.

If a certain vulnerability is seen to be more successful on certain OS types or if one is found to not work, the kit will be fixed accordingly and distributed. Often immediately after a patch Tuesday, likely that same Friday evening.

This way, income can be maximized with the number of infections, data stolen and thus ROI. Both from the expected response time of the vendors as well as how many victims can be reached in that window.

One such kit is Webattacker, which has recently been getting more known in public circles.

Where we are

That does it, botnets are mainstream. People did not yet understand the idea that software vulnerabilities facilitate an attack (=are not the attack) and botnets facilitate much the same, only on a different level. I will discuss that further after what interests everybody.

Solutions in the coming year!

First, many products in the industry have been implemented successfully in the past, just as solutions of necessity, not products. Some were successful, some failed. Some (services) have been supplied to the rich and connected, some haven't.

Botnets are now main-stream, which means other lesser beings and corporations want these services. They want to be protected in a hostile world. They realize the Internet is not a safe place, and plan accordingly.

Services we will see more and more of:

*. Intelligence (very limited), showing IP addresses for botnet command and control (CC) servers, which your computers may be connecting to (i.e. compromised).
*. Intelligence (very limited), showing IP addresses that you control which show in spam (meaning compromised hosts) or show in other ways in botnet data being collected. Mostly, this is spam-oriented and the rest of the intelligence is barely noticeable as of yet.
*. Intelligence (very limited) on the millions on millions of credentials (for sites, credit cards, banks, eCommerce systems, etc.) and identities being stolen every single day by massive phishing man-in-the-middle trojan horses.
*. Intelligence (very limited), other black listing services.

In the past, a limited version of these services was provided, but very secretly, and at a very high cost.

Products:

Botnet products on the network can either detect internal problems (such as bots on the corporate or ISP network or the spreading of infections) or external problems (such as CC servers or attacks from the world). These can be based on behavior or intelligence.

Solutions, which we discussed in the past and are now going to manifest:

Intelligence-based (until now only supplied by select groups to select groups) -
*. Known bad IPs. Etc. Much like in spam, only for other realms.
*. Known bad URLs or domain names. Etc. Much like in spam, only for other realms.

Detection -
*. IDS approach (decent but not even close to cutting it),
*. DNS monitoring approach (very cool, but is just one approach in a layered solution).
*. Netflow approach (proven for years now, only one approach, however useful, which is growing more limited every day).

Respond and quarantine -
*. Walled garden approach (close off/limit suspicious or confirmed compromised computers until they clean themselves. Not successful in current solutions, shows promise).
*. Try to fix the situation remotely (solve the vulnerabilities, etc. ahead of time or remove after the fact).

There are several others, but these are the main ones describing the 10 or so products we are about to see (all of which are already available publicly as open source, privately developed tools or unsuccessful solutions due to lack of client awareness and interest).

QoS, virtualization and half decent intelligence gathering will come next. Other solutions I will not waste breath speaking of right now, they will appear for public consumption once the effectiveness of the solutions above (or the better ones there) is done to dust.

What's next?

Decent, real decent, intelligence, and support response tools to mitigate what you find in conjunction with a response team trained to deal with thousands of real incidents rather than mark check-lists on a couple an hour to a couple a month. That's simply not being aware of what's happening in your network. Many of the CERTs and SOCs are very trained and high quality, they are not equipped or
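As an added illustration (not code from the post or from any product it names), here is a small Python sketch of the layered approach the post describes: an intelligence feed of known bad CC IPs and domains, checked against a DNS monitoring log and netflow records, producing walled-garden candidates only when more than one layer agrees. All indicators, hosts and log records below are constructed placeholders in documentation address ranges.

```python
from collections import defaultdict

# Constructed intelligence feed: placeholder values, not real indicators.
BAD_CC_IPS = {"203.0.113.7", "198.51.100.23"}
BAD_DOMAINS = {"update.example-cc.invalid"}

# Constructed DNS monitoring log: (client_ip, queried_name, answer_ip)
DNS_LOG = [
    ("10.0.0.5", "www.example.org", "192.0.2.10"),
    ("10.0.0.8", "update.example-cc.invalid", "203.0.113.7"),
]
# Constructed netflow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 5400),
    ("10.0.0.8", "203.0.113.7", 6667, 320),
    ("10.0.0.9", "198.51.100.23", 80, 1200),
    ("10.0.0.9", "198.51.100.23", 80, 900),
]


def dns_hits(dns_log, bad_domains, bad_ips):
    """DNS monitoring layer: internal hosts that looked up a known CC name
    or received a known CC address as an answer."""
    hits = defaultdict(set)
    for client, name, answer in dns_log:
        if name in bad_domains or answer in bad_ips:
            hits[client].add(f"dns:{name}")
    return dict(hits)


def flow_hits(flows, bad_ips):
    """Netflow layer: internal hosts with outbound flows to a known CC address.
    Only the destination is checked, so an inbound scan from a CC range
    does not turn the scanned host into a 'victim'."""
    hits = defaultdict(set)
    for src, dst, port, _ in flows:
        if dst in bad_ips:
            hits[src].add(f"flow:{dst}:{port}")
    return dict(hits)


def quarantine_candidates(dns_log, flows, bad_domains, bad_ips, min_layers=2):
    """Merge the layers. A host becomes a walled-garden candidate only when at
    least min_layers independent layers agree, which limits false quarantines
    caused by a single stale feed entry."""
    evidence = defaultdict(set)
    for layer in (dns_hits(dns_log, bad_domains, bad_ips), flow_hits(flows, bad_ips)):
        for host, reasons in layer.items():
            evidence[host] |= reasons
    return {host: sorted(reasons) for host, reasons in evidence.items()
            if len({r.split(":", 1)[0] for r in reasons}) >= min_layers}
```

With the default of two agreeing layers only 10.0.0.8 is flagged; lowering min_layers to 1 also flags 10.0.0.9, which the flow layer alone saw talking to a listed address.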