Criminal use of malware is in the middle of an evolutionary curve. Their capabilities, target platforms and creative uses are about to enter a period of rapid change and deeper, enhanced infection vectors. Organizations without the capability to identify anomalies in their environment via monitoring tools and honeypot technologies will simply become the most compromised victims in the long term.
L. Brent Huston, @lbhuston, CEO and Security Evangelist, MicroSolved, Inc.
Secure software and smart security practices, such as the ones listed below, are the keys to protecting yourself and your system from cyber theft and from becoming a zombie computer in a bot network.
As malware tools continue to evolve, so do the defense systems against them. Firewall, antivirus, and anti-malware software applications hold a prominent place in every personal and organizational computer system or network. And yet it has been acknowledged by the cybersecurity industry that these defense systems only catch about 25% of all malware attacks.[60]
A passive defense aimed at preventing compromise by malicious code is not enough. Active defense techniques are beginning to evolve: confusing and frustrating the attacker, and counterattacking by exploiting the attacker’s own vulnerabilities.
Research on counterattacking, also known as aggressive self-defense, active defense, or strike-back, has taken place for many years. The counterattacks range from passive approaches to full remote exploitation, and popular tools to gain information about attackers include honeypots and honeynets.[61] Honeypots and honeynets are traps set to detect, deflect, or corrupt malware attacks on individual computers or networks.[62]
Many antivirus firms and other research organizations have run large honeynets to collect malware and attack signatures.[63] These organizations research and implement counterattacks to deceive, crash, exploit, or simply gather information on attackers.
One such organization, MicroSolved, Inc. (www.microsolved.com), provides a product, HoneyPoint, which fools attackers into believing that they are attacking defenseless applications, while in reality they are triggering sensors that catch them “in the act.” By doing the things attackers do, such as scanning ports, connecting to services, and probing for vulnerabilities, they give away their presence and tactics.[64]
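The decoy principle described above, that no legitimate client has any reason to touch a decoy service, is what makes honeypot events so easy to triage. The following is an added illustration, not HoneyPoint's or MicroSolved's code: it reads a constructed sensor log (timestamp, source address, decoy port, any bytes the client sent) and rates each source by whether it merely touched one decoy, swept several decoy ports within a short window, or sent probe data to a decoy.

```python
"""Triage of decoy-service contacts. Every contact is suspect; the
behaviour (scan, probe, or lone touch) decides how loudly to alert."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sensor log, not real captures. Assumed line format:
# "<ISO timestamp> <source IP> <decoy port> <bytes sent, may be empty>"
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z 203.0.113.5 22 ",
    "2024-05-01T10:00:02Z 203.0.113.5 23 ",
    "2024-05-01T10:00:02Z 203.0.113.5 80 ",
    "2024-05-01T10:00:03Z 203.0.113.5 445 ",
    "2024-05-01T10:05:00Z 198.51.100.7 80 GET /wp-login.php HTTP/1.1",
    "2024-05-01T10:07:30Z 192.0.2.9 3306 ",
]

def parse_event(line):
    """Split one sensor line into a dict; the payload may be absent."""
    parts = line.rstrip("\n").split(" ", 3)
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    payload = parts[3] if len(parts) > 3 else ""
    return {"ts": ts, "src": parts[1], "port": int(parts[2]), "payload": payload}

def triage(lines, scan_ports=3, window=timedelta(seconds=60)):
    """Return {source: alert}. 'high' for a port sweep or for data sent to a
    decoy (an exploitation probe), 'medium' for a single unexplained touch."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports = sorted({e["port"] for e in evs})
        payloads = [e["payload"] for e in evs if e["payload"]]
        # Sliding window: distinct decoy ports touched within `window` of any event
        scan = any(
            len({e["port"] for e in evs[i:] if e["ts"] - first["ts"] <= window}) >= scan_ports
            for i, first in enumerate(evs)
        )
        if payloads:
            severity, reason = "high", "sent data to decoy: " + payloads[0]
        elif scan:
            severity, reason = "high", f"touched {len(ports)} decoy ports within {window.seconds}s"
        else:
            severity, reason = "medium", "contacted a decoy service"
        alerts[src] = {"severity": severity, "ports": ports, "reason": reason}
    return alerts
```

Because a decoy carries no real traffic, even the "medium" touch is worth a ticket; the tiers only order the queue.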
There has even been a suggestion to use software agents to scout networks and seek and destroy botnets.[65] Agents are defined as programs that autonomously acquire, manipulate, distribute, and maintain information on behalf of cybersecurity forces.[66]
Although there is some legal controversy regarding the use of active defenses, they are the most effective deterrent to date. Once commercially sold botnets become easily detectable and ineffective, their market value will decrease, and so will the desire of third parties to buy and use them.
[60] Ollmann, Gunter. “How Criminals Build Botnets for Profit.” Central Ohio InfoSec Summit, Columbus, OH, 2011.
[61] Weeks, Matthew. “Counterattack: Turning the Tables on Exploitation Attempts from Tools like Metasploit.” Black Hat™, Crystal City, 2011.
[62] Ibid.
[63] Ibid.
[64] MicroSolved, Inc., www.microsolved.com.
[65] Dembskey, Evan, and Elmarie Biermann. “Towards an Intelligent Software Agent System as Defense against Botnets.” Proceedings of the 6th International Conference on Information Warfare and Security, The George Washington University, Washington, DC, USA, 17–18 March 2011. Reading, UK: Academic Publishing International Limited, 2011. 299–307.
[66] Ibid.