Fending Off a Vicious Attack - Page 2
It only takes a few minutes before alerts start ringing out on the Operations consoles. Servers across the network suddenly stop responding, then go dark completely. Latching on to multiple infected outside email servers whose address books reference the company, the worm's infected packets stream in.
Once inside, the worm's first thread starts looking for other machines on the network to infect. The internal targets are easy prey. While the company had invested heavily in perimeter defenses, the internal soft center was left wide open. Production servers, test servers — all are rapidly compromised.
The second thread rifles through the company's stored messages. It is late at night so emails that users hadn't yet accessed had been piling up. All sensitive information inside those messages will soon find itself out in public by first light.
The guys in Operations stand by helplessly while the worm burrows through their network. As CPU and disk usage in each of the mail servers maxes out, the worm prepares for its finale. After compromising each server and sending all its data out onto the Internet, a self-destruct command within the worm activates, deleting all stored information and mutilating each infected machine as thoroughly as if it had been hit by a grenade.
While the attack just described is hypothetical, it could easily be real — all too real. The Slammer worm, for instance, could have been much worse with just a little extra code added to it. As worms go it was a relatively benign beast: it propagated and clogged networks, but carried no destructive payload. We may not be so lucky next time.
Attacks that exploit common technologies, such as web and email servers, won't be stopped by firewalls: the ports those services listen on have to be open for the business to function, so the exploit rides in on traffic the firewall is configured to allow. How can a company react to this class of attack?
Monitor, monitor, and monitor. If Operations only finds out about an attack when an email server crashes, it is too late. Use real-time monitoring tools that analyze data from intrusion detection systems (IDS) and firewalls as it arrives, so that the first probes give warning of a new attack before it has spread.
Secondly, protect your core assets. Consider adjusting your processes (for example, how quickly a patch is applied) according to the threat a vulnerability poses to each system, and make sure that core machines are always at the highest practical level of protection. That way the damage inflicted by an attack that gets through (and some attacks always will) is greatly reduced.
Also remember to isolate infected systems. If the infection is coming from the Internet rather than from an internal server, decide in advance at what point to cut the connection to prevent further damage to the organization.
And don't throw out your firewall. It is still useful; it is simply not the be-all and end-all of a secured network. Enable operators to shut down outbound or internal traffic on common ports if that is what it takes to contain an outbreak.
Another thing to think about is correlating and suppressing alarms. When a massive worm like the one described above appears, the operations team can be swamped with thousands of similar alerts. Real-time correlation and security event management systems link similar events and escalate them as a few 'master' alerts. This reduces information overload during a crisis and points clearly to the root cause of the attack. Any organization with more than five to 10 firewalls and IDS sensors should consider a security event correlation solution.
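As an added example (it is not part of the article and not OpenService's product code), the following Python sketch shows what such correlation does to a constructed flood of IDS and firewall alerts: events are grouped by source address inside a five-minute window, a group that reaches five events is replaced by one master alert naming the sensors, signatures and distinct targets involved, and a source that fans out to ten or more hosts is escalated as probable worm propagation. The log format, the correlation key, the thresholds, the severity rule and all addresses are assumptions chosen for illustration; the sample lines are constructed, not captured data.

```python
"""Toy security-event correlator: collapses a flood of similar IDS and
firewall alerts into a few "master" alerts.  Added example, not code from
the article or from OpenService; log format, window, threshold, severity
rule and sample data are all assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    sensor: str      # assumed sensor types: "ids" or "fw"
    src: str
    dst: str
    signature: str   # free-text alert name as emitted by the sensor


@dataclass
class MasterAlert:
    src: str
    count: int
    first_seen: datetime
    last_seen: datetime
    sensors: set
    signatures: set
    targets: set
    severity: str


def parse_line(line: str) -> Event:
    """Parse the assumed format '<ISO-8601 ts> <sensor> <src> -> <dst> <signature...>'."""
    ts, sensor, src, _arrow, dst, *sig = line.split()
    return Event(datetime.fromisoformat(ts), sensor, src, dst, " ".join(sig))


def summarise(evs: list) -> MasterAlert:
    """Fold one source's burst of events into a single master alert.
    Assumed severity rule: one source touching ten or more distinct hosts
    inside the window looks like worm propagation, so escalate it."""
    targets = {e.dst for e in evs}
    return MasterAlert(
        src=evs[0].src, count=len(evs),
        first_seen=evs[0].ts, last_seen=evs[-1].ts,
        sensors={e.sensor for e in evs},
        signatures={e.signature for e in evs},
        targets=targets,
        severity="critical" if len(targets) >= 10 else "high",
    )


def correlate(events, window=timedelta(minutes=5), threshold=5):
    """Group events by source inside a time window.  A group that reaches
    `threshold` events becomes one MasterAlert and its members are
    suppressed; smaller groups pass through so isolated alerts are not
    lost.  Returns (masters, passthrough)."""
    events = sorted(events, key=lambda e: e.ts)
    groups: dict = {}          # src -> events in the currently open window
    masters, passthrough = [], []

    def flush(key):
        evs = groups.pop(key)
        (masters.append(summarise(evs)) if len(evs) >= threshold
         else passthrough.extend(evs))

    for ev in events:
        bucket = groups.get(ev.src)
        if bucket and ev.ts - bucket[0].ts > window:
            flush(ev.src)      # window expired: close the old group first
        groups.setdefault(ev.src, []).append(ev)
    for key in list(groups):   # end of input: close whatever is still open
        flush(key)
    return masters, passthrough


def render(m: MasterAlert) -> str:
    """One console line per master alert, in place of hundreds of raw ones."""
    return (f"[{m.severity.upper()}] {m.src} generated {m.count} alerts on "
            f"{len(m.sensors)} sensor type(s) against {len(m.targets)} hosts "
            f"between {m.first_seen:%H:%M:%S} and {m.last_seen:%H:%M:%S}: "
            + "; ".join(sorted(m.signatures)))


def sample_lines() -> list:
    """Constructed sample log lines (not real data) in the assumed format."""
    base = datetime(2003, 2, 1, 2, 0, 0)
    lines = []
    for i in range(12):        # IDS sees one host probing twelve neighbours
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} ids 10.0.0.5 -> 10.0.1.{i + 1} worm propagation probe")
    for i in range(6):         # the firewall sees the same host blocked elsewhere
        t = base + timedelta(seconds=3 + 7 * i)
        lines.append(f"{t.isoformat()} fw 10.0.0.5 -> 10.0.2.{i + 1} deny tcp/445")
    # one unrelated alert from another host: must survive suppression
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} ids 10.0.0.77 -> 10.0.3.9 failed admin login")
    for i in range(2):         # two stragglers half an hour later open a new window
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t.isoformat()} fw 10.0.0.5 -> 10.0.2.{50 + i} deny tcp/445")
    return lines


def run_demo():
    events = [parse_line(line) for line in sample_lines()]
    masters, passthrough = correlate(events)
    return events, masters, passthrough


if __name__ == "__main__":
    events, masters, passthrough = run_demo()
    print(f"{len(events)} raw alerts -> {len(masters)} master alert(s), "
          f"{len(passthrough)} passed through")
    for m in masters:
        print(render(m))
```

On the constructed input, 21 raw alerts become one critical master alert for the scanning host plus three individual alerts that did not meet the threshold. Keying on the source address alone is the simplest rule that ties the IDS and firewall views of the same infected machine together; a production system would add richer keys (signature family, destination port, subnet) and tune the window and threshold to the site's normal alert rate.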
Phil Hollows is vice president of product marketing for OpenService, Inc. OpenService provides network security event management solutions designed to anticipate potential security breaches and proactively ensure network availability.
Feature courtesy of eSecurityPlanet.