Government Technology

Radware
The IT Security Challenge:
Moving from Vulnerable Code to Vulnerable Service

By Ron Meyran, Security Products Manager, Radware
September 2008

Introduction
The motivation of hackers has changed: from fame to financial gain. Financially motivated hackers seek unauthorized access to confidential information, including credit card numbers and patient records. Hackers offer a wide variety of "products", including a bots-for-hire service that can put organizations under siege, and trade in sensitive information such as credit cards, bank accounts, patient records and license keys. One can buy "fresh dump" credit card numbers with PIN starting at £10 each and up to £50 for a platinum card. The Estonia attack case highlights that network attacks are well organized, are carried out using other people's hosts, and are increasing significantly in complexity and impact. IT managers need tools to fight this type of organized crime.

From vulnerable code to vulnerable service
Traditional network security practices have focused on researching application software code to find flaws that could lead to a security breach and be exploited by hackers. These flaws are referred to as vulnerabilities. Software patches, anti-virus updates and Intrusion Prevention System signature updates are all about protecting vulnerable code.

To bypass existing security technologies, which focus on patching vulnerable code, hackers are switching from vulnerability-based attacks to "non-vulnerability-based attacks". These attacks do not exploit any code flaw, so patching cannot block them. They are executed against Internet-connected services and their users, go unnoticed by existing protection technologies, and can result in information theft, fraud and service disruption.

What are non-vulnerability threats?
Non-vulnerability-based threats exploit weaknesses in server applications that cannot be defined as vulnerabilities; they are attempts to misuse software that has no vulnerability. These attacks can be typified by a sequence of legitimate events, generally not associated with unusually large traffic volume. They are used to break authentication mechanisms, scan applications for hidden confidential files, and flood the service with legitimate application requests to create a denial of service, misusing server resources without exploiting any software vulnerability.

Examples of non-vulnerability threats
Brute force attacks: used to defeat an authentication scheme by running a sequence of login attempts until one succeeds. Each attempt is a legitimate application transaction; the actual threat lies in the systematic repetition of logins until a username and password are guessed.

Web application vulnerability scanning: scanning a web server for known vulnerabilities or detecting pages left over from maintenance. Hackers use this information to launch targeted attacks or to break in through maintenance back doors.

Service flooding: hackers are moving from simple packet-based DoS/DDoS floods to more sophisticated non-vulnerability application floods, including HTTP floods, SIP INVITE floods, etc. This type of attack consists of completely legitimate session-based requests directed at the victim server, exhausting its CPU resources.

The above are only a few examples of typical threats that rely on service misuse. Hackers use services through "legitimate" sessions, easily blending attack traffic with real user traffic, undetectable by standard security tools. The challenge is clear: how to differentiate legitimate traffic from attack traffic.

Fighting back: automatic real-time signatures
Detecting non-vulnerability threats requires an understanding of network applications. Behavioral analysis of network, server and client traffic allows baselines of normal application traffic patterns to be created. An expert network security system can then identify a non-vulnerability threat as an abnormal application traffic pattern and automatically generate a real-time signature to block the attack.

A few examples
Brute force attack: detected by understanding the normal frequency of server login replies. An increase in login error replies, within a range of error frequencies, indicates that a user is running a cracking tool.

An HTTP page flood: usually generated by users unwittingly recruited into a bot ring. It can be detected through an abnormal sequence of legitimate HTTP requests from certain users, without depending on the traffic rate.

For these cases no vulnerability-based signature exists. However, there is a "behavioral pattern" that characterizes the attack and can therefore be used to block it completely or, in some cases, mitigate it to avoid misuse of service resources. The pattern is valid only for the duration of the attack and can be represented by a real-time signature generated on the fly to block and report the attack.
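The brute-force case above, as an added example that is not part of the original article or of Radware's product: a small Python detector that learns the normal frequency of login error replies per client, flags a client whose error frequency deviates from that baseline, and emits a short-lived blocking signature. The log format, window size, threshold and signature fields are assumptions made for this illustration.

```python
# Added illustration (not Radware's code): learn a baseline of login error
# replies per client from normal traffic, flag clients whose error frequency
# deviates from it, and emit a temporary real-time signature. The log tuples,
# window size, thresholds and signature fields are constructed assumptions.
from collections import Counter
import statistics

# Constructed login replies: (time_seconds, client_ip, http_status)
# 401 = login error reply, 200 = successful login.
BASELINE_LOG = [
    (1, "10.0.0.5", 401), (2, "10.0.0.5", 200), (5, "10.0.0.7", 200),
    (30, "10.0.0.9", 401), (31, "10.0.0.9", 200), (70, "10.0.0.5", 200),
    (90, "10.0.0.7", 401), (95, "10.0.0.7", 200),
]
# Later window: 10.0.0.42 cycles credentials at two attempts per second,
# while 10.0.0.5 makes one ordinary typo and then logs in.
ATTACK_LOG = [(120 + i * 0.5, "10.0.0.42", 401) for i in range(40)]
ATTACK_LOG += [(125, "10.0.0.5", 401), (126, "10.0.0.5", 200)]

def error_counts(log, window_s=60):
    """Count login error replies per (client, time window)."""
    counts = Counter()
    for ts, client, status in log:
        if status == 401:
            counts[(client, int(ts // window_s))] += 1
    return counts

def learn_baseline(log, window_s=60):
    """Mean and population std-dev of per-client errors per window in normal traffic."""
    values = list(error_counts(log, window_s).values()) or [0]
    return statistics.mean(values), statistics.pstdev(values)

def detect(log, baseline, window_s=60, sigmas=3.0, floor=5):
    """Clients whose error frequency exceeds the learned baseline in any window.
    `floor` keeps a near-zero baseline from flagging a single mistyped password."""
    mean, stdev = baseline
    threshold = max(floor, mean + sigmas * stdev)
    hits = {client for (client, _), n in error_counts(log, window_s).items() if n > threshold}
    return sorted(hits)

def realtime_signature(client, ttl_s=300):
    """Blocking rule generated on the fly; it expires so it lives only as long as the attack."""
    return {"match": {"src_ip": client, "reply_status": 401},
            "action": "block", "ttl_s": ttl_s}

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for attacker in detect(ATTACK_LOG, baseline):
        print(realtime_signature(attacker))  # flags 10.0.0.42 only
```

The `floor` parameter is what keeps the ordinary user's one failed login in the attack window from being treated as an attack; tune it and `sigmas` against real baseline data before relying on the rule.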

Conclusion
Non-vulnerability threats go beyond the reach of standard security tools, which offer a framework only for protecting vulnerable software code.

An effective IPS must be able to detect and automatically repel a wide variety of attacks in real time without negatively impacting legitimate users. Because legitimate network traffic patterns change constantly, an effective IPS needs to adapt quickly to its surroundings without human intervention.

Behavior-driven real-time signature technology is key to accurately detecting and mitigating non-vulnerability threats: it learns normal user traffic patterns and alerts on and prevents abnormal ones.
http://en.wikipedia.org/wiki/Cyberattacks_on_Estonia_2007

For more information
Tel: 01344 401610

 
