The security
industry is full of pernicious problems with no easy solutions. Take spam, for
example. The current best defense is filtering out the obvious spam messages.
Yet, the countermeasure is not a solution: As anti-spam technology gets better,
spammers merely churn out more spam and achieve the same results. Not satisfied with
the status quo, a team of academic researchers focused
on collecting data on the business ecosystem that funds spam and
searched for weak links. While blocking domain names will not generally work,
they did find a strategy that could have a high payoff: Targeting the small
number of banks that process spammers transactions and getting them to cut off
their clients.
“The cost to
the payment processor to set up a new banking relationship is high both in
capital costs … and in time,” says Stefan Savage, a professor of
computer science and engineering at the University of California, San Diego,
and one of the authors of the paper discussing the experiment. “So we find
that everything else changes all the time, the banks are pretty stable. That is
the place where you get at what ultimately drives this.”
In the security
industry, where demand for products and technology are as often driven by
hyperbole as by data, analyzing a security problem with a mind toward results
is a rare thing. Savage is quick to point out that it will be difficult to get
international banks to jettison clients who may operate in a country where
spamming is not illegal, but it could be possible for policy makers to make
spammers lives much more difficult.
Yet, defenders need
to start analyzing attack data more often to find better ways to achieve
results, he says.
“The general
idea of building defenses with a mind toward who the hell your adversary is, is
a really great one that doesn’t seem to get done a lot,” Savage says.
“It’s as though we ask our generals to plan warfighting against an unknown
country. No one does that. We plan for the wars that we may fight.”
At the SOURCE
Boston conference, security consultant Daniel Guido did just that. Using data
from 2009 and 2010 and analyzing the popular exploit kits available in those
periods, Guido found that only exploits for 27 of the approximately 8,000
vulnerabilities found during those two years made it into the kits. Turning on
data-execution protection (DEP) would stop 14 of the 19 memory corruption
vulnerabilities, while barring Java from running in the Internet zone would
prevent 11 of the 15 kits from executing Java exploits.
By tackling other
security problems in a similar data-driven way, defenders can make better
choices about how to defend against attacks, he says. Rather than focus on the
severity of the vulnerabilities as a metric against which to prioritize
patching and defenses, defenders should analyze attacks to discover weaknesses
in attackers’ methods.
“Attackers are
better at certain things than they are at others — they have capabilities that
they exercise and they prefer certain tactics, they prefer certain
techniques,” he says. “If we can inform our defenses to focus on
those capabilities, those tactics, and those techniques, then we can make much
more effective defenses than just going from top to bottom and patching
vulnerabilities from zero to 8,000 every year.”
Microsoft’s Active
Response for Security (MARS) program, which is responsible for taking down both
the Rustock botnet and the Waledac botnet, is another example of a proactive
approach that focuses on results.
Some of the UCSD
researchers also brought the approach to predicting which vulnerabilities will
be exploited. Just by throwing data from the fields in a vulnerability report
form into a machine learning equation, the group found a high correlation
between length of the report — more detailed information led to a greater
likelihood of exploitation — and a negative correlation with age of the
report. In the end, the group could predict whether a vulnerability would be
exploited about 80 percent of the time.
At the USENIX Annual Technical Conference later this month, Savage
will make a call for more empirical research into cybercrime.
“Let’s look at
the whole value chain … and what it takes to make this value chain
profitable,” Savage says. “Without looking at the enterprise, and why
it’s happening and what the elements are, it is pretty hard to invest in the
right thing.”