SoFunction
Updated on 2025-04-13

Four latest trends in hacker attack methods

Since 1988, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University in the United States has tracked intruder activity. CERT/CC has identified the following trends in recent intruder attack methods.

Trend 1: Automation of attack process and rapid update of attack tools

Attack tools are becoming ever more automated, and all four stages of an automated attack have changed.

1. Scanning for potential victims. Widespread scanning has been observed since 1997. New scanning tools use more advanced techniques and are faster and more capable than before.

2. Compromising vulnerable systems. Previously, exploitation of vulnerable systems followed a separate large-scale scan. Now attack tools build the exploitation step into the scan itself, which greatly speeds up compromise.

3. Propagating the attack. Before 2000, attack tools required a person to launch each further stage of the attack. Now attack tools launch new attack cycles on their own: worms such as Code Red and Nimda spread around the world within 18 hours.

4. Coordinated management of attack tools. Since 1999, with the emergence of distributed attack tools, attackers have been able to control large numbers of tools spread across the Internet, and can now launch distributed denial-of-service (DDoS) attacks far more effectively. This coordination rides on widely used protocols such as IRC (Internet Relay Chat) and IM (instant messaging).

Trend 2: Attack tools are becoming more sophisticated

Authors of attack tools use more advanced techniques than before. The signatures of attack tools are increasingly hard to recover through analysis, and increasingly hard to detect with signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics of today's attack tools are anti-detection features, dynamic behavior, and modularity.

1. Anti-detection. Attackers use techniques that conceal the nature of their tools, which makes it harder and more time-consuming for security experts to analyze a new attack.

2. Dynamic behavior. Earlier attack tools carried out an attack in a single, predetermined sequence of steps. Today's automated tools can vary their behavior in several ways: random selection, predefined decision paths, or direct control by the intruder.

3. Modularity. Where earlier tools implemented a single attack, new tools can be changed quickly by upgrading or replacing individual modules, and they run on an ever wider range of platforms. Many tools, for example, use standard protocols such as IRC and HTTP to carry data and commands, which makes it even harder to distinguish attack traffic from normal network traffic.

Trend 3: Vulnerabilities are discovered faster

The number of vulnerabilities reported to CERT/CC each year is growing roughly exponentially: CERT/CC published 1,090 vulnerabilities in 2000, 2,437 in 2001 and 4,129 in 2002, which is more than ten new vulnerabilities every day. Administrators understandably struggle to keep up with patching, and intruders often find and exploit these vulnerabilities before vendors release patches. As vulnerability-discovery tools become more automated, the time left for users to patch keeps shrinking. Buffer-overflow vulnerabilities in particular are both highly damaging and ubiquitous, and are the greatest threat to computer security; in surveys by CERT and other international security organizations, this class of vulnerability has the most serious consequences for servers.

Trend 4: Penetration of firewalls

We often rely on firewalls to provide the primary security boundary. But the situation is:

* Some technologies already bypass typical firewall configurations, for example IPP (Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning), both of which run over HTTP on a port most firewalls allow.

* Some protocols that advertise themselves as "firewall-friendly" are in fact designed to pass through typical firewall configurations.

* "Mobile code" such as ActiveX controls, Java applets and JavaScript makes it harder to protect vulnerable systems and to discover malicious software.

In addition, as the number of computers on the Internet grows, they become strongly interdependent. Once some computers are compromised, they can serve as a base and springboard for further attacks. Attacks on network infrastructure such as DNS and routers are becoming increasingly serious security threats.

Adopt active defense measures against the next generation of cyberattacks

The Code Red worm infected more than 250,000 computer systems in the first nine hours of its spread across the Internet. The cost of the infection grew rapidly, at about $200 million a day, with total losses eventually estimated at $2.6 billion. The rapid spread of Code Red, Code Red II, Nimda and the "Cover Letter" worm (the Chinese name for Klez) shows the serious limitations of existing network defenses. Most intrusion detection systems on the market are simplistic and cannot adequately defend against emerging, unknown threats, commonly known as "zero-day attacks".

Hackers' "Window of Opportunity"

Most current intrusion detection systems are limited because they rely on signatures to decide whether an attack is taking place. They monitor for specific attack patterns using identification data stored in a database, much as antivirus software checks for known viruses. This means they can only detect the specific attacks they have been programmed to recognize. Because zero-day attacks are new and not yet widely known, they slip past these systems until new signatures have been developed, installed and configured. In fact, only a slight modification of a known attack is needed for these systems to miss it, which gives intruders an easy way to evade signature-based defenses.

The period between the launch of a new attack and the availability of new signatures is a dangerous "window of opportunity" during which many networks will be breached. Many fast-spreading intrusion tools are designed and developed to exploit exactly this window, when networks are most vulnerable. The following figure, produced by CERT, illustrates the typical life cycle of a cyberattack and why most security products are effectively useless during this period: the peak of the curve comes shortly after the first wave of the attack, which is when most security products finally begin to provide protection, whereas zero-day attacks are the focus of the most experienced hackers in the earliest stages.
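The two paragraphs above make a concrete, testable claim: a signature written for one attack misses a trivially modified variant of it. The following Python script is an added example, not code from the original article or from CERT, that shows the effect on the worm pair the article itself names. The request shapes follow the publicly documented Code Red probe against the IIS `.ida` ISAPI filter (a long run of `N` characters followed by `%u`-encoded bytes) and the Code Red II variant, which changed the padding to `X`; the padding length and the `%u` fragment here are illustrative and the request lines are constructed, not captured traffic. The rule names (`matches_signature`, `matches_generic`) are my own.

```python
import re

# Constructed sample HTTP request lines (not captured traffic). The shape follows the
# publicly documented Code Red (N padding) and Code Red II (X padding) probes against
# the IIS .ida filter; padding length and the %u fragment are illustrative.
SAMPLES = {
    "code_red":    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "code_red_ii": "GET /default.ida?" + "X" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "benign":      "GET /index.html HTTP/1.0",
    "long_benign": "GET /search?q=" + "a" * 300 + " HTTP/1.0",
}

# Rule 1: the kind of literal signature a vendor would ship the day Code Red appeared.
# It keys on the exact bytes of the first sample, including the N padding.
SIGNATURE = "/default.ida?NNNNNNNN"


def matches_signature(request_line: str) -> bool:
    """Exact-substring match, as a naive signature-based IDS would do."""
    return SIGNATURE in request_line


# Rule 2: a generic rule for the underlying defect rather than one worm's bytes:
# any request to a .ida resource whose query string is overlong or carries
# %uXXXX-encoded byte sequences (typical of the overflow payload).
IDA_QUERY = re.compile(r"^GET\s+/[^\s?]*\.ida\?(\S*)", re.IGNORECASE)
UNICODE_BYTES = re.compile(r"(%u[0-9a-f]{4}){2,}", re.IGNORECASE)


def matches_generic(request_line: str, max_query_len: int = 200) -> bool:
    """Flag .ida requests by structure (query length / encoded bytes), not by exact bytes."""
    m = IDA_QUERY.match(request_line)
    if not m:
        return False
    query = m.group(1)
    return len(query) > max_query_len or bool(UNICODE_BYTES.search(query))


def classify(request_line: str) -> dict:
    """Return the verdict of both rules for one request line."""
    return {
        "signature": matches_signature(request_line),
        "generic": matches_generic(request_line),
    }


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:12s} {classify(line)}")
```

Running the script shows the "window of opportunity" in miniature: the literal signature catches the original Code Red request but not Code Red II, which differs only in its padding byte, while the structural rule catches both and still ignores a long but harmless query to a different resource. The caveat is that the generic rule needs a threshold tuned to the real application (`max_query_len` here is an assumed value), which is exactly the work an exact-byte signature lets a vendor skip.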

At the same time, these fast-moving attacks now exploit security vulnerabilities in widely used software to cause broad, distributed damage. With just a few lines of code, an attacker can write a worm that penetrates a network, copies itself through shared accounts, and then starts attacking the networks of partners and users. In this way, during the time it took vendors to develop signatures and distribute them to users, the Nimda worm spread to more than 100,000 sites in the United States alone. Such distribution mechanisms allowed zero-day attacks to sweep across 2.3 million and 40 million computers respectively without much human intervention. Some of these attacks even lay the groundwork for future breaches by installing a backdoor that lets adversaries, hackers and other unauthorized users access an organization's critical data and network resources.