Top Layer Networks, Inc. Protecting IT Infrastructures Against Zero-day Network Attacks with Intrusion Prevention System Technology
This document is intended for Information Security and Information Technology professionals interested in understanding Zero-day Attacks, the various protection schemes available today and how Top Layer Network’s Intrusion Prevention System solutions provide the best mechanisms for protection from these types of attacks.
May 2005
© 2004 Top Layer Networks, Inc. All rights reserved.
Page 1
Table of Contents
EXECUTIVE SUMMARY ... 3
INTRODUCTION ... 3
WHAT IS A ZERO-DAY EXPLOIT? ... 4
THE CHALLENGES IN PROTECTING FROM ZERO-DAY ATTACKS ... 6
REACTIVE: SIGNATURES AND ZERO-DAY ATTACKS ... 7
PROACTIVE: RIGHT APPROACH TO PROTECTING FROM ZERO-DAY ATTACKS ... 7
  PROTECTION THROUGH ENFORCEMENT OF ACCEPTABLE USAGE ... 7
  PROTECTION THROUGH ENFORCEMENT OF RESOURCE CONSUMPTION POLICIES ... 8
  PROTECTION THROUGH ALLOWED SERVICES POLICIES (ACCESS PROTECTION) ... 8
CONCLUSIONS ... 9
Executive Summary
The network security landscape is dynamic, with new remotely exploitable vulnerabilities constantly being discovered and exploited. According to SearchSecurity.com, the growth rate of system and software vulnerabilities tripled from 2001 to 2003 to 60 per month, and new viruses popped up at a rate of 10 to 15 a month. IT organizations struggle to patch systems quickly before significant damage or theft of assets takes place. Network protection solutions, such as Network Intrusion Prevention Systems (IPS), are necessary to improve protection for vulnerable systems until patches are properly installed across the entire infrastructure. Updating signatures in a few IPS devices to detect and block exploits is a more efficient way to protect servers until all systems can eventually be patched. However, Zero-day exploits present an even bigger challenge, where:
• Even with consistent patching of servers, vulnerabilities are exploited before a patch may exist
• IPS that rely primarily on signatures as their protection mechanism suffer the same problem, since a signature may not be available before the vulnerability is exploited
• Historically, even the fastest vendor response time for patch and signature development is too slow to prevent significant IT loss
A new approach is necessary, one that includes more proactive protection from these damaging exploits, known as Zero-day exploits. Top Layer has developed unique protection capabilities as a primary line of defense against Zero-day exploits. This paper discusses Top Layer’s innovative protection mechanisms for defending against Zero-day exploits. In addition, the paper covers how signature-based protection, while an important component of an IPS, is not well suited as a primary mechanism for defending against Zero-day exploits.
Introduction
According to the latest CSI/FBI report on Computer Crime and Security, the average economic loss due to cyber crime per respondent was approximately $526,000. This is because today’s IT infrastructures are vulnerable to attack by almost anyone with a computer, an Internet connection, and a modicum of skill. It is increasingly critical to protect against the work of individuals and groups that create and/or use malicious exploits (or malware) and that release hastily built worms, Trojans, and the like, such as the Sasser worm. In the past, the damage many of these have done has often been consumption of network bandwidth, loss or theft of some files, and the time IT administrators spend isolating and patching vulnerable systems. Invariably, software and security vendors have released patches to prevent further exploitation of system and application holes.
More recently, there has been an increasing spread of attacks with an economically damaging purpose. Critical infrastructure and businesses with significant financial resources are experiencing a high rate of severe attacks. Financial services, healthcare, and power and energy were among the sectors hardest hit by severe events in 2004. According to the 2004 CSI/FBI Computer Crime and Security Survey conducted in June 2004, among respondents alone, it was estimated that U.S. businesses lost over $140M due to cyber threats.
Figure 1. Losses as Described by CSI/FBI from June 2004 report on Computer Crime and Security
With an increasingly interconnected and mobile workplace, malware can spread and infect critical assets at a higher frequency. As resources grow and attacks occur more often, it becomes challenging to keep up with patches for vulnerabilities when they are finally released. In addition, a growing class of attacks, termed “Zero-day exploits”, targets a previously unknown, and therefore unprotected, vulnerability. As these exploits grow in complexity and scale, relying on traditional firewall security, virus updates, or software patches is an inadequate solution to the Zero-day problem.
What is a Zero-day Exploit?
A Zero-day exploit occurs when an exploit for a vulnerability is created before, or on the same day as, the public learns about the vulnerability. IT organizations are constantly fighting the battle of keeping systems patched and updated. As software and hardware vendors learn about new vulnerabilities, either from 3rd-party researchers, customer feedback or internal testing, they create software updates, patches, service packs and security updates to mend the security holes. By creating a virus or worm that takes advantage of a vulnerability that a vendor may not yet be aware of, and for which there is not currently a patch available, a malicious attacker can wreak maximum damage in a short amount of time (See Figure 3). In Figure 1, we show the three areas of concern for IT professionals as they focus on securing their infrastructures:
• Undesired Access: Blocking access and enforcing usage policies based on legitimate users and allowed applications. Examples include enforcing access to specific email servers or blocking P2P traffic.
• Malicious Content: Bad programs or “malware” developed to install, delete or manipulate files on internal resources and/or exploit vulnerabilities in network and server applications and/or operating systems. Examples include malicious email attachments and worms.
• Rate-Based Attacks (Resource Consuming): Attacks, such as Distributed Denial of Service (DDoS) attacks, that employ large rates of transactions for the purpose of exceeding the capacity of network, server and/or application resources. For example, a spoofed user may try to access the same web page a thousand times in a second. This may tax network devices, such as a firewall or load balancer, server capabilities that must process network packets, or applications that must process the request. The end result is that legitimate users are prevented from accessing the web content.
Zero-day attacks can fall under attacks that contain malicious content, rate-based attacks such as DDoS attacks, or both (a.k.a. a hybrid attack). In addition, blocking right of entry through specification of appropriate user or resource access can help limit the spread of Zero-day attacks.
[Figure 2: A Zero-Day Attack Can Be Harder To Defend Against When Malicious Content Is Intermingled With Rate-Based Attacks. Diagram of “Zero” Day Attacks overlapping the three areas Undesired Access, Malicious Content and Rate-Based Attacks.]
A growing trend is the combination of an application exploit intermingled with a DDoS attack or with high rates of illegitimate traffic. This type of hybrid attack is effective in taxing resources on a security device, such as an IPS, to the point that it is unable to properly inspect and block every bad packet. This increases the chance of malicious traffic penetrating an infrastructure. A well-known example is the SQL Slammer worm that targeted Microsoft SQL Servers. A known vulnerability in Microsoft SQL Server systems was targeted by a hybrid worm that combined a DDoS attack with the automated propagation techniques used by worms such as Code Red.
The Challenges in Protecting from Zero-day Attacks
Many vendors improperly dub exploits of known security vulnerabilities as Zero-day exploits. Oftentimes the vendor and key technology providers are aware of a vulnerability weeks or even months before an exploit is created or before the vulnerability is disclosed publicly (See Figure 3). In this scenario, “Zero-day” is used to mean prior to a vendor producing a patch or detection mechanism, not the day the exploit was first known to exist. Unfortunately, it also happens all too often that the first time a vendor or the rest of the world becomes aware of a vulnerability is when doing a forensic investigation to find out how a system was broken into, or when analyzing a virus that is already spreading. Whether the vendors knew about the vulnerability a year ago or found out about it this morning, if the exploit code exists when the vulnerability is made public, it is a potential Zero-day exploit that can threaten critical assets immediately.
Even when a patch is created and advertised, there can be an extended period while the patch is being tested and deployed on every system. During this timeframe, systems are vulnerable to being exploited. Worse yet, most incidents of attack accelerate after an announcement or release of a patch (See Figure 3). According to Gartner Research, the percentage of vulnerabilities that are exploited after a vulnerability notification is posted will double from 15% in 2003 to 30% (0.7 probability).
[Figure 3. The Vulnerability/Patch/Attack Race. “Bad Guys” timeline: Reverse Engineer Exploit Code, Vulnerability Scan, Scriptable Exploit, Mass Attack. “Good Guys” timeline: Patch Released, Notice Patch, Test Patch, Evaluate Patch, Develop/Document New Image, Push New Image, Last System (Re)Patched. Days between patch and exploit: Nimda 331, SQL Slammer 180, Welchia/Nachi 151, Blaster 25.]
Source: Gartner 2004, John Pescatore, “Tomorrow’s Software Does Not Need to Be Vulnerable”
Reactive: Signatures and Zero-day Attacks
Once a new vulnerability in software has been identified, the race is on for vendors to develop and publish a patch to stop that vulnerability from being exploited. Thus far, this race has been unable to prevent several rapidly propagating viruses and worms from wreaking havoc on networks.
IDS-based Intrusion Prevention Systems are built on a foundation of signature matching. An IDS-based IPS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IPS looks for a specific attack that has already been documented. Like a virus detection system, a purely IDS-based IPS is only as good as the database of attack signatures against which it compares packets. While signature matching is an important part of a multi-layered defense, vendors that rely mainly on signatures for protection, while able to guard against known attacks, use a skewed definition of Zero-day exploit when claiming the ability to guard against them. In fact, the fastest worms now spread more quickly than security companies (including IDS-based IPS companies) can respond by creating new signatures. In addition, as signature databases grow, an IDS-based IPS can quickly get bogged down searching for a specific signature match. In this case it is critical to investigate IPS solutions not just with special-purpose architectures, but ones that scale beyond their current capabilities and have “room to grow”.
Proactive: Right Approach to Protecting from Zero-day Attacks
Industry experts agree that the best strategy for protecting against exploits is to follow good security policies and employ a multi-layered approach to security. By installing and keeping your anti-virus software up to date, blocking file attachments to emails that may be harmful, and keeping your system patched against the vulnerabilities you are already aware of, you can secure your system or network against the majority of threats. However, the best protection against both known attacks and Zero-day exploits is through Intrusion Prevention Systems that employ integrated layers of protection. An integrated approach combines blocking undesired access, filtering out malicious content and limiting inappropriate rates of network and application traffic in order to provide the most comprehensive levels of protection. Top Layer Networks Attack Mitigator™ IPS 5500 solutions provide these protection capabilities against known threats and Zero-day exploits through three significant mechanisms in addition to signature matching.
Protection through Enforcement of Acceptable Usage
Many attacks target protocols such as HTTP, DNS, and FTP. Certain programming errors (such as unchecked buffers), which can be exploited by attackers, provide the opportunity to compromise or damage a system. These attacks exploit loose programming practices that exist in applications and systems. The enforcement of acceptable protocol behavior ensures that the data flowing through the network adheres to the expected policies of the applications running in your environment. In addition, Top Layer’s IPS can also enforce proper usage based on Internet protocol standards.
Here is a simple example: The HTTP 1.0/1.1 protocol allows hostnames of any length, so an RFC-checker would not bother checking this field. Top Layer’s pragmatic Application Usage Enforcement knows that DNS does not allow hostnames greater than 256 characters, so the Top Layer IPS 5500 can be configured to block any HTTP request that contains a hostname field greater than 256 characters. With checks like these, the IPS 5500 can actually block unknown exploits (commonly called Zero-day attacks) that might attack a still unknown vulnerability in a web server that cannot handle hostname fields of arbitrary length.
Protection through Enforcement of Resource Consumption Policies
Some hybrid attacks send large volumes of seemingly legitimate requests that consume bandwidth in the hope of creating a Denial of Service condition. During this period of increased load, a malicious user may try to inject some packets with a Zero-day exploit in order to compromise resources. In addition, a DDoS attack may be the consequence of a worm that has taken control of an internal resource. The IPS 5500 offers an additional protection mechanism to limit the impact of the resource attack, in addition to existing mechanisms for blocking the malicious content. In order to limit high-volume network and application-based attacks, application-specific connection thresholds can be set to limit resource consumption beyond maximum expected usage levels. Once a threshold is exceeded, the IPS operates in a suspicious mode for a period of time and does not restrict traffic immediately, while still looking for any exploits. This allows for the normal spike in traffic that sometimes occurs. If rates continue to the point where an internal resource is being unduly taxed, the traffic is then considered “malicious” and the number of connections is limited until the traffic returns to normal levels.
For a small period afterwards, traffic is still categorized as “suspicious”, and if rates stay normal, traffic is finally restored to the “normal” category. All “normal” connections are able to go through without delay, but suspicious connections are proxied and, if deemed malicious over time, are discarded. Since threats like Nimda, Code Red, and Blaster basically chose random destination network addresses, they initiated many new connections to systems, which is highly anomalous behavior. While Top Layer’s Acceptable Application Usage checks would block these types of threats, Top Layer’s rate-based checks would provide additional protection by limiting the spread of such threats and limiting the ability of an infected system to cause or locally launch a DDoS attack.
Protection through Allowed Services Policies (Access Protection)
Another effective strategy for blocking the propagation or effectiveness of Zero-day exploits is to block any dialogue with resources that should not be accessed by the compromised resource. Example: If a mobile employee gets his/her laptop infected with the MyDoom virus and then connects that laptop to the corporate network, the infected system would act like an email server and start sending infectious email messages. However, by defining the list of authorized email servers that can host email services, a policy can be configured to stop all further propagation of these messages. This capability can severely limit the scope of the attack and protect a large subset of resources that would normally be compromised or overloaded.
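The three mechanisms just described (the Host-length usage check, the normal/suspicious/malicious connection-rate states, and the authorized-mail-server policy) condensed into one added example; this is illustrative code, not the IPS 5500’s own implementation, and the threshold, grace period and server address are constructed values.

```python
import re

# Constructed policy values, assumed for this example (not product defaults).
MAX_HOSTNAME_LEN = 256                    # DNS does not allow longer names
AUTHORIZED_MAIL_SERVERS = {"10.0.0.25"}   # only these hosts may originate SMTP
CONN_RATE_THRESHOLD = 50                  # new connections/second considered excessive
GRACE_SECONDS = 3.0                       # how long a rate condition must persist


def check_http_host(request: bytes) -> str:
    """Acceptable-usage check: block an HTTP request whose Host header is longer
    than any DNS hostname can be, regardless of what the web server would accept."""
    m = re.search(rb"^Host:[ \t]*([^\r\n]*)", request, re.MULTILINE | re.IGNORECASE)
    if m is None:
        return "allow"          # HTTP/1.0 may omit Host; nothing abnormal to judge
    host = m.group(1).strip().rsplit(b":", 1)[0]   # drop an optional :port
    return "block" if len(host) > MAX_HOSTNAME_LEN else "allow"


def check_allowed_service(src_ip: str, dst_port: int) -> str:
    """Allowed-services policy: an internal host that is not an authorized mail
    server has no business talking SMTP (the infected-laptop scenario above)."""
    if dst_port == 25 and src_ip not in AUTHORIZED_MAIL_SERVERS:
        return "block"
    return "allow"


class RateMonitor:
    """Resource-consumption policy as a three-state machine per protected resource:
    normal -> forward, suspicious -> proxy (still inspected), malicious -> limit."""
    ACTION = {"normal": "forward", "suspicious": "proxy", "malicious": "limit"}

    def __init__(self, threshold=CONN_RATE_THRESHOLD, grace=GRACE_SECONDS):
        self.threshold, self.grace = threshold, grace
        self.state = "normal"
        self.over_prev = False      # was the previous sample above threshold?
        self.flip_at = 0.0          # time the rate last crossed the threshold

    def observe(self, conn_per_sec: int, now: float) -> str:
        over = conn_per_sec > self.threshold
        if over != self.over_prev:  # a crossing restarts the grace clock
            self.flip_at = now
        self.over_prev = over
        sustained = now - self.flip_at >= self.grace
        if self.state == "normal" and over:
            self.state = "suspicious"       # spike: watch it, do not restrict yet
        elif self.state == "suspicious" and sustained:
            self.state = "malicious" if over else "normal"
        elif self.state == "malicious" and not over:
            self.state = "suspicious"       # back under threshold: keep watching
        return self.ACTION[self.state]


def demo():
    # Constructed sample: (time in seconds, new connections per second) for one server.
    samples = [(0, 10), (1, 120), (2, 120), (4, 120), (5, 10), (6, 10), (8, 10)]
    mon = RateMonitor()
    return [mon.observe(rate, t) for t, rate in samples]


if __name__ == "__main__":
    print(demo())   # forward, proxy, proxy, limit, proxy, proxy, forward
```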
Conclusions
A primary goal of a Network Intrusion Prevention System is to proactively and selectively stop “bad” traffic while maintaining system availability and integrity for “good” traffic. A comprehensive Intrusion Prevention solution must build on a foundation of basic protection, such as that provided by a firewall, but must also understand proper application usage and behaviors in your environment to be effective. While signatures are a needed component in providing overall protection, an IPS must employ other, more powerful proactive protection mechanisms to effectively stop Zero-day exploits. Top Layer’s IPS 5500 proactive protection architecture is the right solution for defending IT infrastructures from dangerous Zero-day exploits that could have significant economic business impact. Top Layer’s experience in acceptable application usage analysis and rate-based protection has resulted in the creation of multiple defense solutions, which include:
• Protection through Enforcement of Acceptable Application Usage
• Protection through Enforcement of Resource Consumption Policies
• Protection through Allowed Services Policies (Access Protection)
These powerful proactive protection mechanisms are further fortified by the IPS 5500 performance architecture, which leverages Top Layer’s years of experience providing high-speed network security products to Global 2000 organizations. Top Layer has the most experience in in-line Intrusion Prevention, with customer deployments worldwide. As the Internet continues to control key aspects of our everyday lives, it is essential that enterprises deploy the right solutions, such as Top Layer’s Intrusion Prevention Systems, in order to protect this global network – and themselves. Only through such approaches will the next generation of Internet computing be secure.
Only IPS to Ever Receive Double NSS approval for Rate And Content Based Protection
Top Layer Networks, Inc.
2400 Computer Drive • Westborough, MA 01581 USA • 508.870.1300 • Fax 508.870.9797 www.TopLayer.com
05-05 © 2005 Top Layer Networks, Inc. All Rights Reserved. Attack Mitigator, DCFD, FlowMirror, and IDS Balancer are trademarks of Top Layer. AppSafe, AppSwitch, SecureWatch, Top Layer, Top Layer Networks, TopFire, TopFlow, TopPath, TopView, and “perfecting the art of network security” are registered trademarks of Top Layer. Unless otherwise indicated, Top Layer trademarks are registered in the United States and may or may not be registered in other countries. All other company and product names may be trademarks of the respective companies with which they are associated. Top Layer trademarks are registered in the U.S. Patent and Trademark Office.