Financial institutions rely heavily on web access for performing transactions and for giving users access to their accounts. Hackers' motivation has changed: the "old" motivation of gaining fame has given way to financially motivated hackers offering their services for hire. Cybercrime activities including phishing, spam, information theft and extortion now fuel the creativity of hackers, raising the detection challenge beyond what standard network security tools can handle. By Ron Meyran, May 2008
Hackers, having discovered that they can make money from cyber attacks, have built and taken control of the next generation of botnets, creating bots-for-hire. The Storm worm, first seen on the Internet in January 2007, has infected more than 11 million computers, making it the most powerful bots-for-hire operation to date. Other botnets, such as Nugache, are also established, and botnets now compete to offer the best deal: lower prices and more features. Organized crime has taken advantage of the bot-for-hire model to carry out criminal activities including fraud through phishing, information theft, spam and extortion.
These newer botnets use victim computers to spread the bot code. In many cases the bots are controlled through a dedicated command-and-control channel such as IRC, which keeps the bot herder hidden. Once the bot is installed on the victim's computer, the bot herder activates it to generate spam, launch phishing attacks, run HTTP page floods and brute force attacks, install keyloggers, and use other methods that disclose sensitive and private information to remote servers. More advanced, decentralized control channels such as P2P can then be deployed, making the bot herder harder to defeat because there is no single server that can be shut down to terminate the botnet's activity. These channels may also be encrypted.
New threats in the marketplace
Online transactions in the financial services industry continue to grow rapidly. Financial companies rely more and more on electronic transaction processing with their customers, which in turn increases business-to-business activity. The financial industry collects and stores increasing volumes of sensitive information from customers, partners and employees. This makes the industry an attractive target for hackers and criminal organizations who continue to develop new attacks that can put the financial market under siege.
According to IDC's Key Forecast Assumptions for the Worldwide Threat Management Security Appliance Market, 2007–2011, "Hackers and others continue to find ways to misuse other people's software. Initially this was done by exploiting a vulnerability but they are now finding ways to just misappropriate software without a vulnerability."
The major threat to the financial industry is now the non-vulnerability threat, which serves the goals of criminal organizations and hackers well. Non-vulnerability threats are developed, spread and employed by hackers on behalf of cyber criminals, offering attacks crafted for financial gain. Standard network security tools cannot detect these threats because they do not rely on vulnerabilities: every network transaction is legitimate on its own, and in many cases traffic volume remains normal.
What are non-vulnerability threats
Non-vulnerability threats aim to exploit weaknesses in the service application that cannot necessarily be defined as a vulnerability, that is, as a software design or implementation flaw. They are typified by a sequence of "legitimate" events used to break authentication mechanisms or to scan the application for existing vulnerabilities, usually followed by successful exploitation, and can end with the attacker taking control of the application's operations on the server. More sophisticated application attacks of this non-vulnerability-based type include well-chosen, repeated sets of legitimate application requests that misuse server CPU and memory resources, creating a full or partial denial of service condition in the application.
Examples of non-vulnerability threats
- Phishing – CSI states that "financial fraud overtook virus attacks as the source of the greatest financial losses." This is well demonstrated by the increasing volume of phishing campaigns. Fraudulent sites have become a global phenomenon and a major threat to financial service companies. These sites use social engineering to infect users with non-vulnerability based malware (such as Trojans and keyloggers), or to steal users' credentials by asking users to enter them while they believe they are on a genuine site. Phishing is about identity theft, and since phishing campaigns target the users of financial service companies rather than their servers, it further raises the detection challenge: in many cases the fraud is detected only after the campaign has already run.
- Brute force attacks – the hacker runs a sequence of login attempts to defeat an authentication scheme. Each login attempt is a legitimate application transaction; the actual threat lies in the systematic use of the login process until a username and password are successfully guessed. The risk is clear: once a username and password are obtained, the path to information theft, service manipulation or even shutdown is very short.
- Web vulnerability scanning – hackers run application-level scans to find services known to be vulnerable, or actual vulnerabilities, so that they can later be exploited. The scanners, automated or manual, do not send an exploit to the server but a more legitimate-looking request that merely reveals whether the vulnerability exists, and as such do not trigger a signature-based IPS. In most cases the server is not vulnerable and responds with an error message.
- Service flooding – hackers have been moving from simple packet-based DoS/DDoS floods to more sophisticated non-vulnerability application floods such as HTTP page floods. This attack consists of a completely legitimate, session-based set of HTTP requests sent to the victim web server. The requests are usually chosen to consume significant amounts of the server's processing resources, creating a denial of service condition without necessarily showing up as a high-rate HTTP attack: the attack can be low volume and still exhaust server resources. It is usually launched from hosts recruited into a botnet.
The above are only a few examples of typical threats that rely on service misuse. Hackers use services through "legitimate" sessions, easily blending attack traffic with real user traffic. The challenge is clear: how does one differentiate between legitimate and attack traffic?
Rising to the detection challenge
Non-vulnerability service threats are extremely malicious precisely because they look like legitimate application transactions and are generally not associated with unusually large traffic volumes. This lets hackers blend in with entirely legitimate communications and comply with all application rules, so that in terms of traffic thresholds or known attack signatures they pass under the radar of existing network security protection.
This is well emphasized by Gartner discussing emerging threats in the recent IPS Magic Quadrant review for 2008. Gartner states that "the nature of the most damaging attacks on businesses has changed. Financially motivated attacks don't simply go after unpatched PCs and servers; they increasingly are using targeted malware that requires more than simple, signature-based detection."
The detection challenge is further raised by widespread botnets. Bots use the hosts of legitimate users to launch application-level attacks including application scanning, brute-force attacks and application session-based flooding. The attack sources are real users' hosts. Blocking those hosts' access to an application may deny access to legitimate users of the application, and if the hosts sit behind NAT or proxy servers, to a whole range of users.
Beyond standard IPS security: network resilience
The most critical aspect of handling emerging threats is: how fast can your network respond to and recover from new, unknown attacks? The main concern of CSOs is how to design, build and maintain a resilient network infrastructure while retaining the availability of the enterprise's mission-critical applications. Resilience is also about the human factor: how do you stop an attack that starts now and for which you have no signature? Does your security team have the expertise to detect and mitigate newly discovered attacks in a very short time?
The reality is that Hollywood is writing a script, but we don't know what it is about. CSOs cannot rely on standard network security measures; they need automated real-time signature creation to effectively mitigate emerging threats and maintain network resilience. Automation of protection measures is required because security budgets are limited and new investments target compliance, which does not assure network resilience.
Beyond standard IPS security: the need for real-time signatures
First-generation IPS devices match patterns (or "signatures") of known vulnerability exploits against incoming network traffic and block traffic deemed undesirable. However, a significant part of today's and tomorrow's threats are non-vulnerability-based and cannot be addressed by static signature-based IPS devices.
Standard signature-based IPSs also offer a rate-based mechanism for mitigating high-volume attacks and unknown zero-day attacks. This mechanism is prone to false positives (high-volume legitimate user access flagged as an attack) and false negatives (attacks that run below the detection threshold), and it requires manual configuration and tuning as network traffic patterns evolve.
Non-vulnerability threats cannot be mitigated using signature- or rate-based technology alone. In most cases static signatures cannot be created in advance because no application or OS vulnerability is being exploited. Rate limiting is also ineffective: the volume of a non-vulnerability attack stays below detection thresholds.
This raises the need for automatic real-time attack signature creation to effectively mitigate these threats.
Fighting back: automatic real-time signatures
Detecting non-vulnerability threats requires an understanding of the network applications. Behavioral analysis of network-, server- and client-side traffic allows baselines of normal application traffic patterns to be built. An expert network security system can then identify a non-vulnerability threat as an abnormal application traffic pattern.
A few examples: a brute force attack can be detected by knowing the normal frequency of server login replies; an increase in login error replies, within a certain range of error frequencies, indicates that a user is running a cracking tool. An HTTP page flood, usually generated by users unwittingly recruited into a botnet, can be detected through an abnormal sequence of legitimate HTTP requests from certain users, without depending on traffic rate, since, as mentioned, these attacks can be low rate.
For these cases a vulnerability-based signature does not exist. However, there is a "behavioral pattern" that characterizes the attack and can be used either to block it completely or (sometimes) to mitigate it and avoid misuse of service resources. This pattern is valid only for the duration of the attack, and can be represented by a real-time signature generated on the fly to block and report the attack.
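The two detections sketched above (login error frequency for a brute force attack, abnormal request sequence for a low-rate HTTP page flood, the same threats described in the examples list earlier) and the short-lived real-time signature derived from them, worked through in Python as an added example. This is not code from the article or from any product it describes. The log record formats, the 60-second window, the mean-plus-three-standard-deviations rule with an evidence floor of five failures, the unseen-transition ratio and the 120-second signature grace period are all assumptions chosen for illustration, and every log line is constructed.

```python
# Added example: behavioral baselines for two non-vulnerability threats and the
# short-lived real-time signature derived from a detection. All logs below are
# constructed; formats, windows and thresholds are assumptions, not the article's.
from collections import Counter, defaultdict
import statistics

# Constructed authentication log: (t_seconds, source_ip, username, result).
NORMAL_AUTH = [
    (2, "10.0.0.5", "alice", "OK"), (30, "10.0.0.5", "alice", "OK"),
    (5, "10.0.0.6", "bob", "FAIL"), (9, "10.0.0.6", "bob", "OK"),
    (12, "10.0.0.7", "carol", "OK"), (20, "10.0.0.8", "dave", "FAIL"),
    (25, "10.0.0.8", "dave", "FAIL"), (31, "10.0.0.8", "dave", "OK"),
]
# Live traffic: one real user mistypes once; 198.51.100.9 walks a user list at
# one attempt per five seconds, which no rate limit would notice.
LIVE_AUTH = [(64, "10.0.0.6", "bob", "FAIL"), (70, "10.0.0.6", "bob", "OK")] + [
    (60 + 5 * i, "198.51.100.9", u, "FAIL") for i, u in enumerate(
        ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])
]

def failures_per_source(events, window=60):
    """Login failures per (source, time-window index)."""
    counts = Counter()
    for t, src, _user, result in events:
        if result == "FAIL":
            counts[(src, t // window)] += 1
    return counts

def login_baseline(events, window=60):
    """Mean and population std-dev of failures per source and window over normal
    traffic; sources that never failed contribute a zero sample."""
    fails = failures_per_source(events, window)
    samples = [fails.get(k, 0) for k in {(s, t // window) for t, s, _u, _r in events}]
    return statistics.mean(samples), statistics.pstdev(samples)

def detect_brute_force(events, baseline, window=60, k=3.0, min_failures=5):
    """Flag (source, window) pairs far above the baseline failure count.
    min_failures is an evidence floor so that a near-zero baseline does not
    turn a single typo into an alert."""
    mean, sd = baseline
    threshold = max(mean + k * sd, min_failures)
    return {key: n for key, n in failures_per_source(events, window).items()
            if n >= threshold}

def walk(t0, src, sid, paths, step):
    """Constructed session: one request every `step` seconds along `paths`."""
    return [(t0 + step * i, src, sid, p) for i, p in enumerate(paths)]

# Constructed access log: (t_seconds, source_ip, session_id, path).
NORMAL_HTTP = (walk(1, "10.0.0.5", "s1", ["/", "/login", "/account", "/statements", "/logout"], 4)
               + walk(2, "10.0.0.7", "s2", ["/", "/login", "/account", "/transfer", "/logout"], 7))
# s3: real user who flips back to /account once (a transition the baseline never
# saw). s4: bot fetching the expensive /statements page every ten seconds, no login.
LIVE_HTTP = (walk(61, "10.0.0.6", "s3", ["/", "/login", "/account", "/statements",
                                         "/account", "/statements", "/logout"], 4)
             + walk(60, "203.0.113.4", "s4", ["/statements"] * 6, 10))

def sessions(events):
    """Requests grouped by session id, in time order: {sid: [(t, src, path)]}."""
    by_session = defaultdict(list)
    for t, src, sid, path in sorted(events):
        by_session[sid].append((t, src, path))
    return by_session

def transition_baseline(events):
    """Set of (previous_path, path) transitions observed in normal sessions."""
    seen = set()
    for reqs in sessions(events).values():
        paths = [p for _t, _s, p in reqs]
        seen.update(zip(paths, paths[1:]))
    return seen

def detect_page_flood(events, seen, min_requests=5, max_unseen_ratio=0.5):
    """Flag sessions whose request sequence mostly consists of transitions absent
    from the baseline; request rate is deliberately ignored.
    Returns {sid: (source_ip, dominant_path, last_seen_t)}."""
    flagged = {}
    for sid, reqs in sessions(events).items():
        if len(reqs) < min_requests:
            continue
        paths = [p for _t, _s, p in reqs]
        pairs = list(zip(paths, paths[1:]))
        if sum(pair not in seen for pair in pairs) / len(pairs) > max_unseen_ratio:
            flagged[sid] = (reqs[0][1], Counter(paths).most_common(1)[0][0], reqs[-1][0])
    return flagged

def build_signatures(flagged, grace=120):
    """One real-time signature per flagged session: {source, path, expires_at}."""
    return [{"source": src, "path": path, "expires_at": last_t + grace}
            for src, path, last_t in flagged.values()]

def signature_blocks(signatures, event, grace=120):
    """True if a live signature matches the request. A match extends the
    signature's life, so it lapses by itself once the attack traffic stops."""
    t, src, _sid, path = event
    for sig in signatures:
        if t <= sig["expires_at"] and (src, path) == (sig["source"], sig["path"]):
            sig["expires_at"] = t + grace
            return True
    return False
```

Two design points worth noting. The brute force baseline is built from very few samples, so the evidence floor matters more than the standard deviation: without it a baseline of nearly zero failures would flag the single mistyped password. The page-flood signature is keyed on source and path rather than on source alone, so other users behind the same NAT or proxy keep access to the rest of the application for the signature's life and only lose the one page being hammered; this is the trade-off behind the concern about blocking shared source addresses. Letting the signature lapse on its own once matching traffic stops is what makes it valid only for the duration of the attack.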
Financial institutions that cannot mitigate targeted non-vulnerability-based threats are at risk of financial loss, disclosure of their users' sensitive information, service quality degradation, complete denial of service and loss of reputation. At larger scale this may cost the entire financial industry its credibility. In March 2008, a highly publicized breach at Hannaford Bros. Co., a supermarket chain on the US east coast, emphasized the risk to exposed financial organizations: 4.2 million account numbers were stolen. Hannaford had been found compliant with PCI DSS, the security standard required by the payment card industry, but this case shows that compliance does not guarantee security.
An effective IPS must be able to detect and automatically repel a wide variety of attacks in real time, without negatively impacting legitimate users. Because legitimate network traffic patterns change constantly, an effective IPS needs to adapt quickly to its surroundings without human intervention. Behavior-driven real-time signature technology is the key to accurately detecting and mitigating non-vulnerability threats: it learns normal user traffic patterns and then alerts on and prevents abnormal ones.
The detection mechanisms used by the IPS must be capable of distinguishing between normal and abnormal behavior, even though the differences between them may be subtle. If the IPS misidentifies traffic, it must incorporate a self-correcting mechanism to minimize false positives.
Furthermore, the system must be able to select the optimal response method to stop the attack with minimal human intervention. These responses must be dynamically self-tuned according to changing conditions and the evolution of the attack's characteristics.