[nsp-sec] Mid 2008 - State of the net?

jose nazario jose at arbor.net
Mon Jun 9 14:40:32 EDT 2008


[sending here at the request/suggestion of a list member]

It's 6 months into 2008 and I'm reviewing progress on my goals. One of my
major goals for 2008 was to work on, and assist with, scaling up the "good
guys". 2007 was the busiest year most of us had and we kept up very
inefficiently. 2008 is even busier and we're struggling to keep up. We're
missing a lot of stuff, a lot of things are falling through the cracks.

We as a community cannot continue like this if we hope to protect our
networks or our constituents.

At the recent IMPACT event I did a lot of thinking and discussing with folks
about what is needed at this point to bring things to the next level, where
we need it to be. Things that aren't a problem that once were include:

- data collection
  we have honeypots coming out our ears, we're sharing samples etc. people
  are actively engaged in new honey* tools (e.g. Honeyclients) to identify
  problems faster. Information is a commodity.

- data distribution
  we have private channels and most of the people who can contribute are
  participating. 

- collaboration
  this is one area where lists like this make a difference

What's missing then?

If we take a step back and see the problem as three-fold it becomes clearer:

    discover | prevent | cure

When you look at it like that, the roles of these tools that we have
developed - honeypots, sample trading networks, sandboxes, mailing lists -
all become more clear. It also highlights where we are lacking.

Discovery
We're missing more than I can name. We're missing huge changes in the botnet
landscape, we're missing infection vectors, and we're missing groups and
activities galore. Part of this is due to ineffective problem delegation.
Joe Stewart and the rest of the great team at SecureWorks have been tracking
spam botnets very well; Damballa has been chasing them, too; ASERT here at
Arbor is tracking a bunch of DDoS networks; Shadowserver is tracking a bunch
of botnets. But we're missing whole swaths of other content.

We're missing attacks against clients and the low hanging fruit of the web -
RFI and the more banal SQL injection attacks - all the time. This
increasingly has repercussions even outside of the massive Chinese-related
SQL injection flood lately.

Prevention
We're not doing well at outreach and delegation to the right people. We need
to make sure that we have recruited all of the right people to the community
to address this. CERTs, registrars, and private research teams etc.

We're doing a lousy job of helping admins and site admins (e.g. of hosting
facilities) to *safely* get back on their feet. After the SQL attacks, sites
that get popped just restore content and get popped again. What can we do to
help them fix the problems to prevent this from happening again? "Death by a
thousand duck bites" is how we often describe it internally.

We need to also help the right teams get authority to cease activities. How
many of us have watched, completely exasperated, when a CERT cannot get a
registrar to kill a domain name that's being used for nothing but malice? We
need to reach out to the right teams in both national and international
organizations to get the right teams the authority. We need to bring them
into the community. We need to build positive, trustworthy relationships.

Cure
Finally, we need to look at helping LEOs deal with the people behind the
attacks. We're getting more and more prosecutions but the rate they're being
brought is anemic. This will always be the case because of the nature of
criminal investigations and prosecutions.

What can we do to fix this? How can we prevent new folks from simply filling
the void when a "top dog" has been removed?
If I sound frustrated it's because I am. This is exhausting work, we're all
suffering burnout, and in this battle of attrition we're headed towards
losses all around.

What can we do to really fix the problems? The current ad-hoc approach
simply does not scale.


-------------------------------------------------------------
jose nazario, ph.d.  <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------