News Security Monitoring
What The IPS Saw
Analysis of HP TippingPoint intrusion prevention system alerts from the past five years reveals how attackers pump out exploits in wake of patches, and how old threats never die
Researchers have drilled down into billions of alerts from intrusion prevention system (IPS) worldwide in an effort to get better picture of the anatomy of today's attacks.
The preliminary findings shed light on spikes in attacks, as well as the source of the types of attacks plaguing organizations. HP researchers Sathya Chandran Sundaramurthy and Sandeep Bhatt of HP Labs, and Marc Eisenbarth of HP TippingPoint, analyzed more than 35 billion alerts issued by its TippingPoint IPS devices between 2007 and 2012 at more than 1,000 of its customer sites around the world, and plan to present their findings at a big data conference next month called BADGERS'12 in Raleigh, N.C.
More Security Insights
White PapersMore >>
One thing they found: those old-school attacks like SQL Slammer are alive and well. The HP researchers saw the IPSes triggered alerts for the near-decade old Slammer worm more than one hundred times as much as any other threat. "In fact, Slammer accounts for almost 2% of all alerts raised by 6,000 filters over the 5 year period," the researchers wrote in their paper.
More than half of its customers had a Slammer infection, followed by Nimda (46 percent); Back Orifice (31.4 percent); Storm (8.29 percent); and Code Red (2.29 percent). Slammer, which was first discovered in 2003, was spotted in HP's data set in January of 2009, and hasn't been seen since mid-February of this year, the report says. The alerts for the worm hit a high of 42 million on February 15, 2011.
"There have been reports ... that Slammer activity, which always exists in the background, dipped significantly between March 1 and April 12, 2011. This is consistent with our findings; it is likely that, in response to the February 15 spike, administrators initially took measures to weed out Slammer infections," the researchers said. "Many people have noted that Slammer persists on the Internet as a sort of background radiation and our results are consistent with this, except for a specific high volume denial-of-service attack using the Slammer payload targeting just one customer. While it is certainly possible that the target was a vulnerable instance of Microsoft SQL Server, it is also quite possible that the intended victim was a piece of security or networking equipment in hopes that it could not keep up with the attack volume."
Bob Walder, chief research officer for NSSLabs, says the phenomenon of old-school malware re-emerging is a good reality-check. "The frequency and volume of probes from machines infected by 10-year old malicious code is a constant source of amazement, and a reminder that some of these machines may never be disinfected, at least not until they simply die of old age," says Bob Walder, chief research officer for NSSLabs. "It is also a salutary reminder that when choosing a security product like an IPS it is important to verify that the vendor does not age out older signatures too aggressively in order to improve performance of the product. SQL Slammer is showing no signs of dying out, and even old chestnuts like the LAND attack can reemerge as programmers forget lessons learned years ago. If any IPS vendor tries to tell you that old vulnerability signatures don't matter, it is time to run far, run fast."
When Microsoft on October 12, 2010, issued a patch for its Extended OpenType fonts flaw, the IPSes detected a massive increase in exploit attempts. (TippingPoint had a filter to detect exploits of the flaws back in 2006). "We believe that attackers became aware of this vulnerability and started hosting malicious websites that contain EOT fonts crafted and embedded in a way that would compromise Windows client machines," the researchers wrote. "Even though the filter just detects the download of EOT font over the network (which could be benign), the fact that the download increased after a patch disclosure is suspicious."
NSSLabs' Walder says exploit spikes are inevitable after vulnerabilities get disclosed. "Many of these will be successful as security practitioners struggle to keep up with patching vulnerable software deployed on their network, or are unable to do so due to vulnerabilities being disclosed without first giving the software vendors time to formulate a fix," Walder says.
Take the recent Java exploit exposed last month, which quickly was added to the BlackHole crimeware kit and the open-source Metasploit penetration testing tool. "Within days, it [the exploit] became a major threat to Internet users," he says.
[Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit. See New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs.]
That's where IPSes with timely signatures can come in handy as a stopgap measure prior the release and application of a patch. "When purchasing an IPS, it is very important to focus on the signature-writing capabilities of the vendor, whether or not they have a history of producing timely and accurate updates, and whether their signatures are vulnerability- or exploit-focused," he says.
[UPDATE]: Rapid7's Moore says he'd like to see more analysis of the initial IPS data from HP. "I would love to see a deeper dive into this data with more clear-cut examples of the pre-disclosure and post-disclosure periods. The report includes a lot of great data to chew on, but I don't believe they make a compelling case for post-patch exploitation increases today," he says.
The researchers say they plan to continue their analysis, according to the report.
Moore says the publication of HP's analysis of the data was intriguing. "The most surprising thing about this report was the fact it was released at all. It is amazing that 1,000 of TippingPoint's customers agreed to provide their IPS alert data for this analysis," he says.
HP's research paper is available here for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.