(Security) Intelligence is Power

Published on June 6, 2013

In the last year or so, we’ve seen significant growth in attacks on web servers, as opposed to the more traditional attacks on individual users. The instigators of these attacks use the higher levels of available bandwidth and processor power to unleash particularly effective DDoS attacks against banks and other financial institutions.

But with the widely reported success of watering-hole malware distribution schemes, there has been an explosion of exploits targeting webservers that redirect user requests to deliver a malware payload. These are some of the most effective malware distribution efforts the net has seen, mostly due to their sheer volume and the seeming randomness of the attacks.

By far, the most widespread of these attacks is the Apache Darkleech exploit. Apache is the most popular web server in use today, and along with open source variants Nginx and Lightppd are the targets for the exploit called linux Cdorked. Cdorked redirects users under specified circumstances to compromised landing pages, where the Blackhole Exploit Kit is surreptitiously installed. These attacks are stealthy, complex and utilize several known/unknown vulnerabilities.

But the most important thing to know at this point, is that even after months of study, nobody knows for certain how Cdorked works. The attack vector is unknown – original claims that it utilized a vulnerability in cpanel or PDF turned out to be either false or only partially true as web servers without either were compromised. Security professionals have known about this attack in the wild since at least April, and still don’t have a good idea of how to prevent infection. Update and patch, they tell you, but you might still be hit.

This is an extreme example of the nightmare scenario. The same problem has been with us for years. Essentially, anti-malware efforts have been entirely reactive – recognize the attack, reverse-engineer it to understand what it does, patch the vulnerability and write a signature to prevent the attack in the future. We’ve been confronted with an impossible dilemma – we could stop the known attacks, but had no method for even recognizing a new, unknown attack until the damage was well and truly done. What has long been needed was a way to detect suspicious activity on the network in real time, regardless of the credentials or privileges in use.

The key lesson here is the rapidly increasing sophistication of these attackers. They are no longer the hackers and script-kiddies that used to represent so much of the threat to enterprise networks, data and customers. The very idea that we’ve been closely observing a major attack against broad swaths of internet infrastructure for months and still don’t know what it is they’re doing, ought to serve as a wakeup call. A properly architected security infrastructure includes the basic tools for prevention of known attacks, but absolutely MUST include a Security Intelligence layer that can integrate all the disparate data sources about users, network devices, databases, applications, activities and transactions to provide fast, effective analysis of that data. As advanced targeted attacks become more sophisticated, traditional information security tools become less effective for preventing new attacks and the more critical it is to deploy real intelligence to detect and stop them before they inflict major damage.

By definition, a successful attack will be an attack you are unaware of. If your security architecture does not include capabilities that allow for detecting the behaviors, activities and transactions associated with an attack, you will lose money, data, customers and credibility. Securonix is offering the most comprehensive security analytics platform available today and your team can try it, hands on, with your user and network data, for free. Let us show you how you can mitigate these risks as well as fraud, insider theft, data theft, IP theft, access risks and high privileged accounts monitoring to upgrade your security operations from the SOC to a SIC (Security Intelligence Center).