I was at the Emagined Security booth at the SecureWorld Conference in Santa Clara, California yesterday when someone came up to me and asked me what I thought about persistent attacks. The person caught me off guard. But I started talking about them with him and then went back home and noticed a few recent news items, and suddenly my brain was ablaze with ideas about this subject.
Persistent attacks are attacks in which not only are certain machines targeted, but they are targeted over a span of time. In normal attacks an attacker who succeeds in “owning” a machine continues to own it until someone takes away this person’s ability to access and control it, usually by cleaning or possibly rebuilding it. The attacker then normally moves on and attacks other machines—the world of computing is, after all, a very target-rich environment. In persistent attacks, however, the attacker and/or malware continually comes right back and takes control of the targeted system each time after it has been cleaned or rebuilt. Consequently, there are machines out there that have been more or less continuously compromised for a period of a half year or more.
How can this be? Isn’t the computing world getting better at securing systems and, if necessary, responding to and recovering from successful attacks? The simple answer is “no.” SANS repeatedly tells us to at least patch the vulnerabilities that are most likely to be exploited. Cost-effective patch management technology is available. Software that eradicates most known viruses and worms is widely available. Incident response methodologies such as the PDCERF methodology that Dr. Tom Longstaff, David S. Brown and I created while we ran the Department of Energy’s Computer Incident Advisory Capability (CIAC) years ago tell us to find vulnerabilities in patched systems and fix them before putting compromised systems back into operation. But despite all these admonitions and the availability of suitable technology, vulnerabilities in systems still run rampant, making them ideal targets for persistent attacks. Consider, for example, the increasingly troublesome Adobe Reader and Flash Player vulnerabilities, which are being frequently exploited all over the Internet. A recent study shows that 75 percent of Firefox users are running older, vulnerable versions of these programs. What an ideal playground for persistent attackers!
The problem isn’t just vulnerabilities, either. Research by Trend Micro indicates that malware stays on infected systems month after month. Trend Micro researchers examined 100 million IP addresses that were malware-infected. Unbelievably, 80 percent of them were still infected after 30 days, and half of them were still infected after 10 months. The researchers attributed these results to the fact that today’s malware is so much more covert than in the past. The researchers are probably at least partially correct, but users’ lack of security-related knowledge and technical skills, such as the skills needed to detect malware and then clean a system afterwards, is also a major reason for the persistence of malware.
The fact that persistent attacks have become a trend also calls for an adjustment in the way an organization practices security. The threat factor associated with these attacks must be included in risk analyses. Targeted machines must be hardened way beyond the requirements of baseline security standards. And measures such as changing the IP addresses of targeted machines and either moving them to a different, more secure subnet or assigning their IP addresses to a secure VLAN are also becoming increasingly necessary. I fear that persistent attacks are here to stay, so doing something about them is not an option—it is a necessity.
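Knowing which machines are persistently targeted is the first step toward the risk analysis and extra hardening described above. The following is an added example, not code from the original post: it walks a constructed, hypothetical incident log (host, event, timestamp) and reports every host that was compromised again after a remediation, together with how many days the attacker took to come back.

```python
# Added example (not from the original post): flag hosts showing the
# persistent-attack pattern, i.e. compromised again after being cleaned.
from collections import defaultdict
from datetime import datetime

# Constructed, hypothetical incident log: (host, event, ISO-8601 time).
INCIDENT_LOG = [
    ("web-01", "compromised", "2009-03-02T10:15:00"),
    ("web-01", "remediated",  "2009-03-03T09:00:00"),
    ("web-01", "compromised", "2009-03-20T22:41:00"),
    ("web-01", "remediated",  "2009-03-21T08:30:00"),
    ("web-01", "compromised", "2009-05-11T03:05:00"),
    ("db-07",  "compromised", "2009-04-01T12:00:00"),
    ("db-07",  "remediated",  "2009-04-02T12:00:00"),
    ("lab-03", "compromised", "2009-04-10T12:00:00"),
    ("lab-03", "compromised", "2009-04-12T12:00:00"),  # never cleaned: not a return
]


def find_persistent_hosts(records):
    """Return {host: [days from each remediation to the next compromise]}.

    Only hosts re-compromised after at least one remediation appear, so
    the result is the list of machines that warrant the extra hardening
    and risk-analysis weight discussed in the post.
    """
    by_host = defaultdict(list)
    for host, event, ts in records:
        by_host[host].append((datetime.fromisoformat(ts), event))

    persistent = {}
    for host, events in by_host.items():
        events.sort()              # chronological order per host
        last_cleaned = None        # time of the most recent remediation
        gaps = []
        for ts, event in events:
            if event == "remediated":
                last_cleaned = ts
            elif event == "compromised" and last_cleaned is not None:
                gaps.append((ts - last_cleaned).days)  # the attacker came back
                last_cleaned = None                    # await the next clean-up
        if gaps:
            persistent[host] = gaps
    return persistent


if __name__ == "__main__":
    for host, gaps in find_persistent_hosts(INCIDENT_LOG).items():
        print(f"{host}: re-compromised {len(gaps)}x, days after clean-up: {gaps}")
```

A host that is compromised twice without an intervening clean-up (lab-03 in the sample) is an ongoing infection rather than a return, so it is deliberately not counted here.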