Tuesday, February 26, 2013

Crunchy on the Outside, Tender on the Insider

Palo Alto Networks, the very successful "next-generation firewall" vendor, just published its 10th edition of "The Application Usage and Threat Report". Its findings point to a threat landscape moving from outside the firewall to inside.

[Our findings imply] that perimeter security efforts are “crunchy on the outside” effectively stopping some of the threats. Shifting the focus to internal applications, the findings show that security is “tender on the inside”, with 97% of the vulnerability exploit logs found in only 10 applications (out of 1,395 found). Nine of these applications are considered high-value assets; they are internal or infrastructure related applications that are integral to many business functions. This data indicates that the strategy of attacking critical resources from inside the network continues to become the rule and not the exception, and will force enterprises to monitor their internal traffic for threats in addition to the perimeter.

...attackers will ... heavily modify and customize their communications not only to confuse traditional security, but also for more functional purposes. Malware will regularly modify peer-to-peer protocols in order to create their own resilient command-and-control communications. For example, the Zero Access botnet (and its rootkit) is one of the most popular pieces of malware in the wild, and likewise was the leading malware observed in our data. This particular malware uses customized peer-to-peer traffic as well as other customized UDP and TCP traffic for communicating with its command and control infrastructure. This traffic is critically important to the reliability and survivability of the botnet in the wild. The malware, having delivered its payload, is sacrificed and the botnet survives to execute the next phase of the attack.

...However while this traffic works perfectly well from the attacker’s point of view, it does not match any known applications, and was thus classified as being custom or unknown traffic ... The analysis clearly shows that customized or modified traffic is highly correlated with threats. This indicates that proactively controlling or blocking “unknown” traffic could easily provide a powerful and untapped strategy for controlling modern threats.
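The "unknown traffic" control the report recommends boils down to identifying applications by their payload rather than their port, and treating whatever matches no signature as a policy object of its own. The following is an added illustration, not the report's method and not Palo Alto's App-ID engine: a handful of simplified signatures (HTTP request line, TLS ClientHello, a parseable DNS query, an SSH banner), a classifier that labels everything else `unknown-tcp` or `unknown-udp`, and a policy that blocks unknown flows unless their destination is on an allow list of in-house services. All flows, ports and payloads below are constructed for the example; the `custom_p2p` flow is a stand-in for custom peer-to-peer traffic of the kind the report describes, not a real sample. The allow list is the caveat a practitioner will hit immediately: legitimate in-house protocols also show up as unknown, so the exceptions have to be inventoried before the block rule goes live.

```python
"""Classify flows by first-payload signature and control whatever matches nothing.

Added example: simplified stand-ins for an application-identification engine,
with constructed flows. Not the report's code and not a real App-ID implementation.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes the client sends on the flow


def _is_http(f: Flow) -> bool:
    # Request line: METHOD SP target SP HTTP/1.x CRLF
    return f.proto == "tcp" and re.match(
        rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", f.payload) is not None


def _is_tls_client_hello(f: Flow) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    p = f.payload
    return (f.proto == "tcp" and len(p) >= 6
            and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03 and p[5] == 0x01)


def _is_dns_query(f: Flow) -> bool:
    # Header: ID, flags (QR bit must be 0 for a query), QDCOUNT == 1 (simplification),
    # then a QNAME of <=63-byte labels ending in a 0 byte, followed by QTYPE and QCLASS.
    p = f.payload
    if f.proto != "udp" or len(p) < 17 or p[2] & 0x80:
        return False
    if int.from_bytes(p[4:6], "big") != 1:
        return False
    i = 12
    while i < len(p):
        n = p[i]
        if n == 0:
            return len(p) >= i + 5
        if n > 63:
            return False
        i += 1 + n
    return False


def _is_ssh(f: Flow) -> bool:
    return f.proto == "tcp" and f.payload.startswith((b"SSH-2.0-", b"SSH-1.99-"))


# Order matters only in that the first match wins.
SIGNATURES = [
    ("web-browsing", _is_http),
    ("ssl", _is_tls_client_hello),
    ("dns", _is_dns_query),
    ("ssh", _is_ssh),
]


def classify(flow: Flow) -> str:
    """Return the matched application name, or unknown-<proto> if nothing matched."""
    for name, match in SIGNATURES:
        if match(flow):
            return name
    return f"unknown-{flow.proto}"


def decide(flow: Flow, allowed_custom=frozenset()) -> str:
    """Policy: known applications pass; unknown traffic is blocked unless its
    (proto, dst_port) is an allow-listed in-house service."""
    app = classify(flow)
    if not app.startswith("unknown-"):
        return "allow"
    if (flow.proto, flow.dst_port) in allowed_custom:
        return "allow"
    return "block"


# Constructed sample flows (hypothetical; nothing here is captured traffic).
SAMPLE_FLOWS = {
    "http": Flow("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "tls": Flow("tcp", 443, b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32),
    "dns": Flow("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                           b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # Stand-in for custom peer-to-peer traffic: random-looking bytes, arbitrary port.
    "custom_p2p": Flow("udp", 36123, b"\x9a\x47\x1c\xe2\x08\x11\x73\xbb\x5d\xf0\x21\x6c\x04\x8e\x3a\x77"),
    # Non-HTTP bytes on port 80: port-based filtering would wave this through.
    "not_http_on_80": Flow("tcp", 80, b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    # Hypothetical in-house admin protocol that must be allow-listed, not blocked.
    "inhouse": Flow("tcp", 8443, b"\x00\x10ACME-ADMIN\x00"),
}


def run_samples(allowed_custom=frozenset({("tcp", 8443)})) -> dict:
    """Map each sample flow name to (application, verdict)."""
    return {name: (classify(f), decide(f, allowed_custom)) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (app, verdict) in run_samples().items():
        print(f"{name:16s} {app:14s} {verdict}")
```

Two things the output makes concrete: the flow on port 80 with a non-HTTP payload is `unknown-tcp` and blocked, because classification is by content, while the in-house service on 8443 is equally `unknown-tcp` and passes only because it was allow-listed. In production the allow list is built from the unknown-traffic logs over a baseline period, and every entry that survives is a custom application someone in the organization can name.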

For large organizations concerned with Advanced Persistent Threats (APTs), especially those launched by malevolent nation-states, internal network monitoring appears to be a must-do.
