The massive U.S. and Korean Internet attacks on government and financial websites this month demonstrated that hackers may be using old techniques to attack networks, but they are becoming much more sophisticated in how they execute those attacks.
The ongoing attacks appear to combine a relatively old-fashioned SYN-flood distributed denial-of-service (DDoS) attack with malware built on old worms such as MyDoom, a top malware threat in 2004.
"Don't assume that because something has been solved or patched – or because something isn't getting a lot of notoriety anymore – that criminals will not leverage it in some new and unique way," said Marie Hattar, vice president of network systems and security solutions for Cisco Systems. "A lot of old attacks are being reinvented in new ways."
In fact, according to Cisco's new Midyear Security Report, criminals are emulating legitimate businesses in how they orchestrate attacks on networks.
"It's phenomenal how they are leveraging very sophisticated business processes in the criminal world," Hattar said. "They are collaborating with each other."
For instance, the owner of one botnet might agree to propagate malware for another botnet owner. Some "bot-masters" advertise the services of their botnets on websites and forums frequented by online criminals.
"Bot-masters are being more professional," Hattar said. "Instead of big mass-volume attacks, they're often doing targeted attacks so that we don't see them as easily. They're stealing information, stealing contacts, getting data, crippling an enterprise."
Some criminals are using search engine optimization (SEO) concepts, something most people in the online media world are well aware of, to trick search engines into ranking websites loaded with malware higher in search results. Someone searching for information on topics ranging from network switches to the latest summer movie can be tricked into clicking on malicious sites that show up in a Google search. Hattar called this new trend "spamdexing."
Insiders pose network security threats
Another growing threat to network security is the insider, whether malicious or inadvertent. And with the economy still mired in a slump, many highly skilled people are out of work, making the problem even worse.
"We interviewed a bot-master who said the reason he does this is because he was let go," Hattar said. "And he used his knowledge as an advantage to create these botnets that he could sell."
"More and more businesses are thinking of bringing in short-term employees and contractors," she said. "But then they expose them to the network and there's no way to ensure that these guys don't turn around after they exit the company and make a directed attack at the network."
Defending against network security threats
Defending against a botnet can be difficult, especially as criminals get better at masking their attacks. One basic first step is to capture and store traffic so that you can understand what is coming into and going out of your website or your network, according to Joe Habib, director of global services at network management vendor WildPackets Inc.
"The simplest case would be if typically your website might be just 5K and is optimized to load really fast on someone's machine," Habib said. "Look for requests where people are requesting far more data than that. You know what your site or the service you are providing is normally doing. Look out for things that are outside that normal range. If normally your website gets 50 an hour and now it's getting 1,000 hits, or if normally your users are all geographically local and then all of a sudden you get this spurt from overseas, those are key indicators."
Habib said there is no silver bullet technology out there to protect from increasingly sophisticated criminals. Monitoring and baselining, combined with an intrusion detection system, is a good start.
"We become aware through the security community of what sites are bot-masters," Hattar said. "We have the capability in our firewall to monitor when a machine tries to go to that site. If we find that a certain machine is trying to communicate to a location that is known as a bot-master, we can flag that and provide it to the IT professional. But there are many bot-masters who are unknown. It is really tough."
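As an added illustration, not code from the story or from WildPackets or Cisco, the following Python applies both defensive checks described above: Habib's baselining of request volume, transfer size and client geography, and Hattar's flagging of hosts that contact known bot controllers. The log format, baseline numbers, blocklist entries and host names are all constructed assumptions.

```python
from collections import Counter
# Constructed sample access log (hypothetical format: timestamp, client IP,
# client country, bytes served). Not real traffic from the attacks in the story.
ACCESS_LOG = """\
2009-07-08T10:00:05 192.0.2.10 US 5120
2009-07-08T10:07:12 192.0.2.11 US 5120
2009-07-08T10:15:40 192.0.2.12 US 4980
2009-07-08T11:00:01 198.51.100.7 KR 5120
2009-07-08T11:00:02 198.51.100.7 KR 5120
2009-07-08T11:00:02 198.51.100.8 KR 262144
2009-07-08T11:00:03 198.51.100.9 KR 5120
2009-07-08T11:00:03 198.51.100.9 KR 5120
"""
# Baseline learned from normal operation (constructed values): a ~5K page,
# a few hits per hour, all from the local geography.
BASELINE = {"hits_per_hour": 3, "page_bytes": 5120, "local_countries": {"US"}}

def parse_access_log(text):
    """Split each log line into (hour bucket, ip, country, bytes)."""
    records = []
    for line in text.splitlines():
        ts, ip, country, size = line.split()
        records.append((ts[:13], ip, country, int(size)))
    return records

def baseline_anomalies(records, baseline, rate_factor=1.5, size_factor=10.0):
    """Flag the deviations Habib lists: hourly volume far above baseline, transfers
    much larger than the page, clients outside the usual geography."""
    findings = []
    per_hour = Counter(hour for hour, _, _, _ in records)
    for hour, hits in sorted(per_hour.items()):
        if hits > baseline["hits_per_hour"] * rate_factor:
            findings.append(("volume", hour, hits))
    for _, ip, _, size in records:
        if size > baseline["page_bytes"] * size_factor:
            findings.append(("oversized", ip, size))
    foreign = {(ip, c) for _, ip, c, _ in records if c not in baseline["local_countries"]}
    findings.extend(("geo", ip, c) for ip, c in sorted(foreign))
    return findings

# Constructed blocklist standing in for community-reported bot controllers,
# plus constructed outbound connection records (internal host, destination).
KNOWN_BAD = {"bad-c2.example", "controller.invalid"}
OUTBOUND = [("ws-17", "updates.example"), ("ws-17", "bad-c2.example"), ("ws-42", "controller.invalid")]

def flag_known_destinations(outbound, blocklist):
    """Egress check in the spirit of Hattar's firewall rule: internal hosts reaching listed controllers."""
    return sorted({(host, dst) for host, dst in outbound if dst in blocklist})
```

The volume check only fires for the 11:00 hour, where five hits exceed the baseline of three by the configured factor, while the 10:00 hour stays quiet; unknown controllers, as Hattar notes, would still pass the egress check.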
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor