F5 Friday: Is Your Infosec Motto ‘Compone Accomoda Supera’?

That’s “Improvise. Adapt. Overcome.” and it should be if it isn’t. The right tools can help you live up to that motto.

If you Google “Zeus Trojan” you’ll find a wealth of information. Unfortunately all that wealth appears to be draining into the bank accounts of miscreants leveraging the tenacious trojan to steal funds from organizations. Despite attempts by just about everyone to detect and prevent this nasty piece of software from infecting data centers around the world, it continues to mutate and wreak havoc across the globe.

September 28, 2010: Fake LinkedIn e-mails lead to Zeus Trojan
October 20, 2010: Attackers Improve Zeus Trojan to Beat Security
November 5, 2010: Zeus Trojan defeats Microsoft security tool

It’s not just Zeus that’s a problem, though it is certainly gaining notoriety and will likely be remembered as one of the more vile trojans of the decade. It, like many other attacks, succeeds because it continues to evolve – to evade detection by getting smarter and more adept at acting like real users and thus confusing the heck out of infrastructure and solutions designed to stop it.

The Georgia Tech Information Security Center (GTISC) last week released its Emerging Cyber Threats Report, which offers insight into the malicious tactics it expects to be prevalent in 2011. The report, based on GTISC research and collaboration with security industry experts, covers the increasing sophistication of botnets, mobile attacks and related cybersecurity issues.

Mustaque Ahamad, director of the GTISC, said botnet creators are succeeding in covering up botnet attacks by causing distractions to mask primary attacks. Typical botnet detection efforts focus more on larger scale attacks, creating a cover of sorts for smaller, more targeted malicious attacks, which makes them more difficult to track.

Attackers getting creative, thwarting botnet detection, research finds

Before you throw up your hands in despair, there is hope. Creators of these viruses and botnets aren’t perfect and neither are their digital minions.

PROTOCOL CORRECTNESS != LOGICAL CORRECTNESS

What makes Zeus in particular so difficult to detect is that it makes completely valid requests. These requests are no different than those that would be made by a user: there’s no anomalies at the network or application protocol layers nor does the data appear odd or incorrect in any way. The requests are valid and thus almost every intermediate piece of infrastructure sees the requests but allows them to pass, undetected, to the applications it is targeting.

The good news is that’s only technical correctness. The logical correctness of those requests – the path through the application – is not accurate nor does it mirror the actual behavior of a user when interacting with the application. Web applications are, for the most part, comprised of steps that make up a business process. Order entry, for example, requires that items are selected first, and then the user is guided through a series of steps that gathers the information necessary to “checkout” or “submit” that data. Users do not, for the most part, remember the URIs that represent those steps in the process – they navigate to them using a series of buttons or navigation aids contained in the page. They follow a specific application flow that closely models the business process.

Trojans like Zeus, however, are not users and are not aware of that process. Requests generated by such trojans do not necessarily follow the process and instead make requests that if they were to be plotted on a flow diagram would fall outside the normal patterns of access by a real user. They’re basically using an attack vector known as “forceful browsing.” And forceful browsing can be detected and even prevented if you take the time to leverage the tools at your disposal.

APPLICATION AWARENESS REQUIRED

This is the demesne of the web application firewall, where application awareness is a critical component to successfully detecting and preventing requests from botnets like Zeus from successfully completing. An intermediate web application firewall like BIG-IP Application Security Manager (ASM) can track the flow of requests through an application and enforce certain navigational paths and stop forceful browsing-based attacks like Zeus.

Some of these paths are obvious: you can’t get to /checkout.do before you’ve visited /login.do. Some may be more subtle, and require capturing real user sessions as those users legitimately navigate the application to discern how customers and users will move through the application. Application developers may already have such application flow charts as they will have worked with business stakeholders to understand how to build the application in the first place. This may give rise to the idea of having developers put in place such controls and indeed such hard-coded controls will aid in preventing forceful browsing but will result in more rigid applications that cause challenges when attempting to integrate, upgrade, or modify in the future and cost more in the long term to maintain. Leveraging an external enforcement solution in a strategic point of control within the data center architecture affords the organization with agility and the ability to respond quickly to other attacks or modifications in behavior of existing trojans/bot nets.

A web application firewall like BIG-IP ASM provides an externalized, agile means by which such security policies can be implemented and rapidly adjusted to meet the challenge of new or modified attack vectors without incurring risk while developers modify and/or update application code.

NOT A PANACEA

It should be noted that neither the implementation of application flow control policies in an intermediary or in the application itself is a complete solution to the problem of trojans like Zeus. Miscreants are forever modifying, updating, and learning how to circumvent security measures designed to stop their evil plans and thus information security professionals must remain ever vigilant in their efforts to prevent the successful exploitation of corporate resources by such malware.

The use of a web application firewall is a more agile, cost-effective solution precisely because of the rapid rate of change occurring in the malware “industry”, as it were. Web application firewall policies can be modified nearly on-demand to address newly discovered techniques and behaviors leveraged by miscreants. In-application solutions, however, require constant coding, testing, and redeployment to keep pace with the rapid evolution of malware and while they can certainly be as effective in practice as a web application firewall they are not as agile a solution and can inadvertently introduce errors or new vulnerabilities that can be exploited.