
Signature-Based Defenses Weak at Best

I’ve been to a bunch of cybersecurity conferences in the past month or two. Their target audiences and attendees were mixed: everything from the Department of Defense and the FBI to generic IT and ethical hackers. I keep hearing the same discussions and the same theories about signature this and string that. I keep trying to explain to these groups of professionals and people within the industry that signatures just do not protect us against targeted attacks.

As an illustration, I recently gave a presentation that used the Adobe printf vulnerability announced clear back in November 2008. I simply uploaded the PDF to virustotal.com in front of the crowd, and they were amazed at how many current antivirus engines did not detect it as malware. Needless to say, I had the room’s attention from there on out.

Everyone, including the product vendors, seems so focused on coming up with reactive signatures that they’re missing the key point. By the time signatures are created for the masses and deployed, it is FAR too late. For the organizations that are specifically targeted, the damage is already done: the vulnerabilities have been announced, exploits have been developed, and critical data has been compromised by the time the signature serves its intended purpose. The good thing is that signatures are way ahead of the patches from vendors, but that’s a whole other blog post.

The immediate question I get from people is, “So what do you suggest we do differently?” My typical answer is Defense-in-Depth: put multiple layers of defense between your organization and those that target you. For most people out there, that means doing more than putting up perimeter protection. Yes, it means doing more than implementing a firewall. Even with the best walls of defense, you should still have something that monitors file integrity on your systems (i.e., something that tells you when your system has been compromised). The probability that your systems will be compromised at some point is high, so wouldn’t you like to know when that occurs, as close to immediately as possible? I would.

Vendors are starting to catch on to this whole idea of behavioral heuristics as it applies to security technology. They are trying to create rating algorithms, deem sources and destinations green or red, blah blah blah. While I think we as a community are definitely on the path to becoming more proactive rather than reactive, I’m not sure how fast we can create technology that can predict something as unpredictable as human behavior on the Internet.

As an example, Sourcefire was in our office yesterday showing us their RNA product. It’s definitely cool to create baselines and alert on deviations from those “normal” activities. I also like the idea of only alerting me on things that systems are truly vulnerable to, and/or adjusting the severity of alerts based on the real potential impact. As I said, I think we are moving in the right direction here; just don’t depend on signature-based defenses only. If you do, it won’t be long before you’re calling my company to do forensic investigations instead of penetration testing :)
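The file-integrity monitoring recommended above and the baseline-then-alert-on-change approach described here rest on the same mechanism. The following is an added example of mine, not code from the post or from any vendor: it baselines the content hashes and permission bits of a directory tree, then reports what was added, removed or modified, using a constructed scratch tree rather than a real system.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of the file contents (a real tool would read large files in chunks)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root to its content hash and permission bits.
    Store the result off-host or signed: an attacker who can write to the system
    could otherwise rewrite the baseline along with the files."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.stat().st_mode & 0o7777
            baseline[p.relative_to(root).as_posix()] = {"sha256": hash_file(p), "mode": mode}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Deviations from the baseline: new, missing and changed files.
    A permission-only change (e.g. a setuid bit appearing) also counts as modified."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, then alter it and compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"constructed original binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)
        # Simulated post-compromise state: a replaced binary, a new file in a
        # location that should rarely change, and a deleted file.
        (root / "bin" / "sshd").write_bytes(b"constructed replaced binary")
        (root / "etc" / "ld.so.preload").write_text("/constructed/path.so\n")
        (root / "etc" / "motd").unlink()
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

The unchanged passwd file produces no alert, which is the point of a baseline: it flags deviation from the known-good state rather than matching a signature of known-bad content.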

Categories: Attack Trends
  1. June 24th, 2009 at 16:39 | #1

    I think I’ve seen this somewhere before… but it’s not bad at all

  2. August 14th, 2009 at 14:14 | #2

    Signature-based defenses are just a baseline defense and should not be relied on. Attackers can fool anti-virus wares/firewalls by various encoding signatures.
