Posted by: Greg Ness | September 19, 2007

“Where’s Waldo” Goes Polymorphic

Rumors regarding the death of security innovation have been greatly exaggerated.  

The arms race between hackers and security pros over the protection of highly sensitive servers just got more interesting.  Overtaxed network security appliances, which rely on voluminous and ever-growing static libraries of signatures to detect malicious traffic, now face the specter of polymorphic attacks.  Just when security experts were lamenting a dearth of innovation in security, the hackers show up teaching old signatures new tricks.


For those unfamiliar with how most traditional intrusion detection/protection solutions work, think of them as a geek version of Where’s Waldo (a popular children’s book/game where kids race to spot Waldo in various crowds and places) played with packets racing through networks in milliseconds.  Waldo is distinctive enough to spot on his own, but when he mixes with various crowds throughout history he can get downright hard to find.


In the same way that we use our eyes to spot the Waldo pattern of clothes and accessories, highly specialized and powerful network security appliances use exploit signatures (recognizable patterns of packets) to detect and block known malicious traffic, protecting data assets from attack.


If exploits all looked alike (like Waldo, for example) the signature libraries could be very small and easy to manage.  Then powerful processors churning through volumes of packets could spot and block attacks in microseconds.


Yet it’s never been that simple.   For starters, there are thousands of hackers and tens of thousands of distinct exploit signatures; tens of thousands of Waldos.  Unfortunately for signature-based security solutions, the larger the database of exploit signatures, the more processing power required to vet out each individual signature.  And the libraries keep growing.  So the specter of more exploits combined with more traffic has exponential growth implications.


Yet there is another problem. Signatures have never been highly reliable.  For some security types the act of tuning (turning various signatures on and off) these powerful appliances to reduce the incidence of false alarms (while potentially missing genuine attacks) has been downright painful.  While larger companies with well-funded departments and highly trained staff have learned to live with the frustrations of signature tuning, smaller firms have been less satisfied with their efficacy.  As a result, signatures have not been without controversy in the security press.


Beyond the accuracy problem, anyone who has deployed a signature-based intrusion protection system has to be quietly wondering where the tipping point is: how many exploits and mutations of exploits can an installed device handle before it slows to a crawl?  Will security pros eventually have to turn off some signatures (let a few Waldos through) in order to focus on more threatening Waldos?


The clever marketers at these companies have responded to the processing ceiling posed by growing signature libraries by introducing “high fidelity” signature bundles, which are a smaller subset of signatures.  Conclusion: vendors with signature-based solutions are walking away from some signatures deemed less trustworthy in an effort to address accuracy and performance challenges.


The New Polymorphic Helter Skelter

“When I get to the bottom
I go back to the top of the slide
Where I stop and turn
and I go for a ride.”

Paul McCartney – Helter Skelter


Now there is a new and even more ominous twist to the intrusion detection game.  Hackers are now disguising their attacks in order to evade the known signatures once relied upon to locate them in the crowd of fast-moving network packets.  Imagine how difficult it can get to identify Waldo if he changed clothes or hair color or added a few pounds.  These devices were never intended to do anything more than identify the known pattern of an exploit signature.  When that pattern changes (Waldo dons a disguise) all bets are off.


The unbearable irony for the well-heeled vendors who generated billions in market capitalization for signature-based security solutions: just when pundits were claiming the death of innovation in security, the hacker community figured out how signatures could be modified so as to avoid detection. These disguised signature attacks are sometimes called polymorphic largely because they can be modified (or even modify themselves in traffic) in ways that hide them from intrusion detection appliances.


As you might surmise, static-signature based security systems have very little protection against these polymorphic attacks.  As a result, over the past few weeks they have generated substantial operational pain for data centers and created new additions to the worm lexicon, including Nirbot, Delbot, Rinbot and Vanbot.  Many of these polymorphic exploits are not really new; they are older known attacks that have merely been modified to evade mainstream security appliances using signatures for detection.


So what are security vendors and professionals to do?  The business of tracking, compiling and growing vast libraries of exploit signatures has run its course.  Signatures may still catch the inexperienced hacker in training out for the equivalent of a Sunday drive, but they’re messy, operationally intensive and of declining usefulness.  Vendors need to focus on application-aware and protocol-aware technologies capable of identifying attacks by their actions and not just their suspicious appearances.  This will require older solutions to re-architect or acquire technologies that allow them to analyze the context of an action, not simply its similarity to a previous attack.

Bottom line: Speed, accuracy and protocol/application understanding will become increasingly important for successful security strategies.  Today’s static solutions will need to shift from sifting among millions of possible polymorphic exploit permutations (to determine guilt or innocence in milliseconds) to a more flexible and sophisticated focus on the underlying application vulnerabilities and the much smaller set of actions taken against those vulnerabilities.
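The contrast drawn above, between matching the appearance of a known exploit and recognizing the action taken against a vulnerability, can be made concrete in a few lines. The following is an added example, not code from the post or from any vendor it discusses. It assumes a constructed toy protocol (a request line plus one "Name:" header) and a hypothetical server bug in which a Name value longer than 64 bytes overruns a fixed buffer; all sample messages are constructed. A static exploit signature catches only the one byte pattern it was written for, while a protocol-aware rule that checks the field length the way the server would catches every variant of the same overrun, including fillers the signature author never saw.

```python
import re

# Constructed toy protocol: "GET <path>\r\nName: <value>\r\n\r\n".
# Hypothetical bug (constructed for illustration, not a real product):
# the server copies the Name value into a 64-byte buffer unchecked.
MAX_NAME_LEN = 64

# 1) Exploit-signature detection. The signature encodes the exact bytes one
#    known copy of the attack happened to contain: 100 'A' characters.
EXPLOIT_SIGNATURE = re.compile(rb"Name: A{100}")


def signature_match(message: bytes) -> bool:
    """True if the static exploit signature occurs anywhere in the message."""
    return EXPLOIT_SIGNATURE.search(message) is not None


# 2) Vulnerability-based (protocol-aware) detection. Parse the header as the
#    server would and flag the *condition* that triggers the bug, no matter
#    which bytes the sender used to fill the field.
HEADER_RE = re.compile(rb"^Name: (?P<value>[^\r\n]*)\r\n", re.MULTILINE)


def parse_name(message: bytes):
    """Return the raw Name header value, or None if the header is absent."""
    m = HEADER_RE.search(message)
    return m.group("value") if m else None


def vulnerability_match(message: bytes) -> bool:
    """True if the Name value exceeds the buffer the (hypothetical) server uses."""
    name = parse_name(message)
    return name is not None and len(name) > MAX_NAME_LEN


# Constructed sample traffic, labelled (message, is_attack).
BENIGN = b"GET /index\r\nName: alice\r\n\r\n"
LONG_BENIGN = b"GET /index\r\nName: " + b"A" * MAX_NAME_LEN + b"\r\n\r\n"  # exactly at the limit
ORIGINAL_ATTACK = b"GET /index\r\nName: " + b"A" * 100 + b"\r\n\r\n"        # what the signature was written from
MUTATED_ATTACK = b"GET /index\r\nName: " + b"B" * 100 + b"\r\n\r\n"         # same overrun, different filler
MUTATED_ATTACK_2 = b"GET /index\r\nName: " + b"Zz" * 50 + b"\r\n\r\n"       # same overrun, mixed filler

SAMPLES = [
    (BENIGN, False),
    (LONG_BENIGN, False),
    (ORIGINAL_ATTACK, True),
    (MUTATED_ATTACK, True),
    (MUTATED_ATTACK_2, True),
]


def evaluate(detector, samples):
    """Return (true_positives, false_negatives, false_positives) for a detector."""
    tp = fn = fp = 0
    for message, is_attack in samples:
        flagged = detector(message)
        if is_attack and flagged:
            tp += 1
        elif is_attack:
            fn += 1
        elif flagged:
            fp += 1
    return tp, fn, fp


if __name__ == "__main__":
    for name, detector in (("signature", signature_match), ("vulnerability", vulnerability_match)):
        tp, fn, fp = evaluate(detector, SAMPLES)
        print(f"{name:13s} caught={tp} missed={fn} false_alarms={fp}")
```

Run as is, the signature rule catches one of the three overrun attempts and misses the two disguised ones, while the length rule catches all three and still passes the 64-byte benign value. Keeping the signature approach current would mean adding one more pattern for every filler an attacker chooses, which is exactly the library growth the post describes; the protocol-aware rule stays a single check because it encodes the vulnerable condition rather than any one exploit's appearance.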

