ISTR X – Attacks and bot networks
The Internet attack threat landscape has definitely changed. Long gone are the days when it was easy for bot network owners and script kiddies to run their favorite publicly available exploit for the vulnerability of the week. They could take control of as many computers as they bothered to take the time to attack. Really, the flurry of remotely available network-based vulnerabilities and their corresponding attacks that exploded in the first few years of the twenty-first century were culminations of the type of attack that was exploited by the Morris Worm, back in 1988. Microsoft Windows was the ideal target: coded for commercial purposes, security was still in its infancy and it was ripe for the harvest.
Today, perimeter security technologies, such as firewalls, are a part of the standard vocabulary of your average computer user. Microsoft even packaged one with their operating system and enabled it by default, quickly making opportunistic attacks targeting network-based services a thing of the past. In reality though, the flurry of network-based attacks in the early 2000s was an anomaly. The high number of attacks was often fueled by a lack of secure coding practices and the widespread adoption of new operating system offerings. Users insisted that something be done to address the issues. I am surprised it took so long for vendors like Microsoft to deal with the problems; however, once the firewall was implemented and enabled in the operating system by default, things started to calm down a bit.
Don’t get me wrong—there are still plenty of vulnerabilities to be taken advantage of out there—they just take a bit more care and effort for attackers to exploit successfully. Widespread network-based attacks are being replaced by more targeted, Web-based, Web browser attacks. Web browser attacks often require successful social engineering, such as convincing a user to follow a link in an email or instant message, or by compromising a popular Web server to carry out the attack with success. This takes us full circle. Prior to the rise in popularity of Microsoft Windows, attackers often had to put time and effort into social engineering to set up their attacks. Now, we see that process repeating itself once again.
Evidence of this transition is obvious in the data. The number of bot-infected computers actively attempting to propagate through network-exploitable vulnerabilities is a perfect illustration of this. We have seen the bot-infected computer population become increasingly consistent, as it begins to normalize to the carrying capacity of the environment. Basically, these bot nets are living off the remainder of computer users that haven’t been able to update their current or non-supported operating systems and who don’t (or, can’t) run Windows Update regularly. As older computers continue to be updated with more modern, up-to-date operating systems that include default firewalls, this number will continue to drop.
So, what does this mean for users and organizations alike? It means that targeted attacks will be on the rise. Home users should be much more cautious of following links in unsolicited emails and instant messages. Not only would this protect from phishing attempts, but also potentially avoid attacks targeting Web browsers. Organizations are going to have to rely on education; that is, the education of their employees on safe Internet usage (including being cautious about following Web links in emails and instant messages) is absolutely essential to maintain secure networks. This is particularly challenging for large organizations because people need to communicate and share their ideas, which potentially allows attackers to gain access to information that may help them break into the organization’s networks. However, implementing a few policies, such as required encryption on all communications, will go a long way toward navigating today’s threat landscape.
Download a copy of the latest Internet Security Threat Report here.