Web application attacks now make up an ever-increasing proportion of all IT system intrusions and have to be detected at the application layer of the protocol stack.
So says Paul Henry, vice-president of Secure Computing, who was touring Australia and New Zealand earlier this month. Intrusion detectors that rely on packet filtering at lower levels, looking for the “signature” of a virus or worm, will miss these application attacks, he says.
The danger of application-level attacks is becoming more widely recognised, with several firms moving into the market. These include Citrix, which acquired application-layer firewall vendor Teros in 2005, and Microsoft, which, similarly, bought Whale Communications last year.
Henry’s company, by virtue of its 2005 acquisition of Cyberguard, also has Layer 7 filtering products in its armoury.
A well-known example of a web application attack is SQL injection, where the attack vector is a spurious SQL command containing special characters, such as punctuation symbols, which lower-level firewalls don’t recognise as dangerous.
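The point Henry makes about punctuation is easiest to see in code. The following is an added illustration, not code from the article or from Secure Computing: a constructed SQLite user table, a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and a deliberately naive byte-pattern check standing in for a lower-layer signature filter. The signature list, table contents and the hostile input are all constructed for the example.

```python
import sqlite3

# Constructed stand-in for a lower-layer "signature" filter: it only knows
# fixed byte patterns of known malware and has no notion of SQL grammar.
KNOWN_SIGNATURES = [b"MZ\x90\x00", b"<script>evil"]  # constructed values


def packet_signature_filter(payload: bytes) -> bool:
    """Return True if the payload matches a known signature (i.e. is blocked)."""
    return any(sig in payload for sig in KNOWN_SIGNATURES)


def make_db():
    """Build a constructed in-memory user store for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a1"), ("bob", "b2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name: str):
    # The statement is assembled by string concatenation, so quote
    # characters in the input become part of the SQL itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name: str):
    # The driver binds the value separately from the statement text, so
    # punctuation in the input can never change the query's structure.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups against a benign and a hostile input."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: the quote ends the string literal and an
    # always-true comparison is appended, which is only meaningful once
    # the bytes are interpreted as SQL at the application layer.
    hostile = "x' OR '1'='1"
    return {
        "signature_filter_blocks_hostile": packet_signature_filter(hostile.encode()),
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterised_benign": lookup_parameterised(conn, benign),
        "parameterised_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature filter never fires because nothing in the request resembles a known malware pattern; only the component that understands SQL (the parameterised query, or an application-layer filter parsing the request) can tell that the input has changed the meaning of the statement.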
Nor does the release of application-level exploits mean signature-filtering is dead. It is still valuable, but only as a second layer of defence, says Henry.
He also warned of rapid growth in the number of exploits — the Computer Emergency Response Team estimates 30% per year and IBM 40% — as well as a rise in “zero-day” exploits, where potential targets get no warning.
“There has [also] been a shift in the research community away from open disclosure of discovered vulnerabilities,” says Henry. The discoverer of a vulnerability in a piece of software used to tell the vendor first, so allowing a patch to be developed and deployed before the discoverer told the world.
“Now they’re going out to the world first. The rules of engagement have changed.”
He cites security researcher HD Moore and his Metasploit project, which since last October has dedicated each month to a certain kind of vulnerability (the month of kernel bugs; of Apple bugs; of browser bugs, for example), releasing a new exploit of that kind on each day of the month.
Worryingly, as the number of victims grows, fewer of the new victims are internet novices. Experienced users’ systems are now being penetrated in increasing numbers, says Henry.
CipherTrust, another Secure Computing acquisition, is mapping an increasing number of botnets, with as many as 400,000 computers being newly compromised daily, he says. These are then used to distribute spam as well as viruses.
With spam, filtering by searching words and phrases in suspicious emails is notoriously unreliable, but as much as 80% of spam can be identified simply by the address, he says. Rather than depending on reports of intercepted spam, and lists of supposed spamming sites, CipherTrust’s reputation-scoring of addresses also looks to behaviour. For example, it’s a safe bet that an address sending out hundreds of emails but receiving none is a likely spam source.
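The behavioural rule Henry describes (many messages sent, none received) can be expressed as a small scoring routine. The following is an added example and is not CipherTrust's scoring system; the log format, the send threshold and the outbound-ratio cut-off are all assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Assumed thresholds (not CipherTrust's figures): "hundreds of emails"
# is approximated by 100 sends, and an address whose traffic is more than
# 90% outbound is treated as suspicious.
SEND_THRESHOLD = 100
OUTBOUND_RATIO_CUTOFF = 0.9


def make_sample_log():
    """Constructed mail-gateway log: one 'DIRECTION<TAB>address' line per message."""
    lines = []
    lines += ["OUT\tblast@throwaway.test"] * 250          # sends only
    lines += ["OUT\tbob@corp.test"] * 40 + ["IN\tbob@corp.test"] * 55
    lines += ["OUT\tnews@list.test"] * 120 + ["IN\tnews@list.test"] * 5
    lines += ["IN\tquiet@corp.test"] * 3                   # receives only
    return lines


def parse_log(lines):
    """Tally messages sent and received per address."""
    counts = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, address = line.split("\t", 1)
        address = address.strip().lower()
        if direction == "OUT":
            counts[address]["sent"] += 1
        elif direction == "IN":
            counts[address]["received"] += 1
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return counts


def behaviour_score(sent, received):
    """Return (label, outbound_ratio) for one address from its send/receive counts."""
    total = sent + received
    ratio = sent / total if total else 0.0
    if sent >= SEND_THRESHOLD and received == 0:
        return "likely-spam-source", ratio
    if sent >= SEND_THRESHOLD and ratio > OUTBOUND_RATIO_CUTOFF:
        return "suspicious", ratio
    return "normal", ratio


def score_addresses(lines):
    """Map each address in the log to its behavioural label and ratio."""
    return {addr: behaviour_score(c["sent"], c["received"])
            for addr, c in parse_log(lines).items()}


if __name__ == "__main__":
    for addr, (label, ratio) in sorted(score_addresses(make_sample_log()).items()):
        print(f"{addr:24} {label:20} outbound={ratio:.2f}")
```

Note that a legitimate mailing list (`news@list.test` in the constructed data) also scores as suspicious, since it sends far more than it receives; a deployable system would combine this signal with others, such as reports of intercepted spam and list data, rather than acting on the send/receive ratio alone.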