Criminals don't follow the rules

If you are a criminal and trying to steal things then breaking the law in other ways is unlikely to concern you. To me such a statement seems obvious, but apparently it isn’t – and I’m not just talking about cyber-criminals here.

The classic example in the physical world is the bank robber, who not only breaks the law by robbing the bank but also commits firearms offenses by being a felon in possession of one, violent crimes up to and including murder, traffic offenses in the getaway car and so on. The robber doesn’t care whether, as a result of running a red light, he causes a major traffic accident (as long as he's not in it) – indeed he may actually like that because it slows down the pursuit.

A moment’s thought shows that the same applies to the cyber-criminal hoping to steal money using your electronic banking credentials. Just as the bank robber neutralizes the guards, the malware that infects your computer disables your anti-virus. And like the way the robber ignores traffic rules, the malware is not going to necessarily bother about using the nameservers, web proxy, configured default protocols etc., that have been set up to make your job as the defender easier. Moreover it certainly isn’t going to be concerned about obeying protocol conventions to call home and get the data back to the criminals. For example, it will pretend to be posting an image to google or yahoo but will actually not use a google IP address (or upload a real jpeg).

The problem here is that a lot of security tools work like traffic lights. They slow down and inspect the law-abiding genuine data flows but don’t do anything about the outlaw ones that, in one way or another, ignore or circumvent them.

The only way to stop them is the cyber equivalent of the roadblock that inspects every vehicle trying to go past and which is placed in such a way that all traffic has to go through it. In computer networking the only device in that position in the overwhelming majority of organizations is the Internet connected firewall.

Tools that don't see every packet inbound and outbound can only stop malware that doesn’t make the simplest efforts to evade detection. Engineering around any type of protocol specific inspection, directory service, or other resources used by normal traffic is relatively trivial. In fact, in much the same way that the bank’s CCTV system shows the bank-robber’s masked face to investigators after they have fled with the cash, these systems might warn you that a particular computer is infected but they don’t do much about stopping the malware on the computer from calling home. They just make the criminal have to be marginally aware of the usual countermeasures – a bit like how the CCTV means the robber has to wear a disguise.

In the physical world the people that really care about security (e.g. the military) have adopted a policy of ensuring that everything going in and out of a secure location goes through a checkpoint and it is scanned (metal detector, ID check etc.) as it passes through. In theory, organizations have the same policy for the Internet when they place a firewall on the border of their network. In practice, these firewalls work more like the border between the US and Mexico: they are very restrictive on things coming in, but make only cursory checks of anything leaving, if at all. As anyone who has sat at the San Ysidro crossing for hours coming back from Baja knows, full scanning (deep inspection) leads to large increases in latency for legitimate traffic. The result is that, in most cases, organizations elect to skip it for most outgoing traffic and almost all incoming traffic that is related to an outgoing request.

The key insight behind ThreatSTOP is realizing that on the Internet, unlike in the physical world, traffic cannot lie about where it is going to (or coming from for TCP packets). We use a variety of sources and methods to figure out what actual IP addresses malware tries to go TO. This makes it possible for the firewall to block on the IP address. Firewalls are designed to do this very quickly for lots of source and destination pairs. The result is that good traffic is not slowed down.

ThreatSTOP allows your existing firewall to do the job you bought it for, for all traffic, not just the Internet equivalent of the door-to-door salesperson (spammer), gang attire wearing tagger (Website defacement) or opportunistic petty criminal.

With ThreatSTOP it doesn't matter what the criminal malware does while it tries to call home from your network, it gets stopped (and the attempt logged) as soon as it tries to leave.

The malware can:

  • fake its protocol and port
  • run roughshod over or sneak around your web proxies, DNS and Active Directory (including any outsourced ones)
  • it can obfuscate urls and encrypt content
  • or try a dozen other tricks

but no matter what it has to use a REAL, non encapsulated, routable IP to actually communicate with its masters and "gang".

If it tries to contact an IP address that we know is an active C&C host it is stopped at the firewall, the internal IP is logged, and there's no way around our block.

Share this: