- Posted by Plurilock
- On September 15, 2011
Although humans are always at the origin of cyber attacks, the level of direct human involvement in network attacks has decreased considerably over the last decade, and automation now plays a central role in the deployment of most attack sessions. In a recent study conducted by Imperva’s Application Defense Center, several websites were monitored over a period of six months and 10 million attacks were observed. Automation played a significant role in these attacks, with an average of 27 automated attacks per hour (about 2 attacks per minute) and a peak of 25,000 attacks per hour against the targeted systems. The main outcome of the study is confirmation of the prevalence of automation in today’s cyber attacks.
Today’s automated attacks may originate from a group of compromised machines operated remotely and in a coordinated fashion by a single individual or a small group of hackers. Such a group of compromised machines is referred to as a botnet (a network of bots), and the hacker operating the network is known as the botmaster. Studies of some botnets have yielded counts of more than 100,000 members and over 1 million bot-infected hosts. Botnets are used to search for and exploit vulnerable online hosts and applications, distribute malware, conduct distributed denial of service (DDoS) attacks, disseminate mass spam, manipulate search engine results through click fraud, perform brute-force password cracking via distributed computing, and carry out other forms of cybercrime.
Because of the seriousness of the threat, several botnet detection and analysis tools have been released to the market. Unfortunately, the existing products are severely limited by the fact that they are only good at detecting existing or known botnet technologies, such as the Waledac, Zeus, and Storm botnets, whose signatures have already been exposed. However, there are many custom botnet exploits or variations of existing botnets (unknown to the security industry) which are currently being used unnoticed by hackers around the world.
Custom botnets are not the only type of automated attack that flies under the radar of existing intrusion or botnet detection products. There are several automated exploits traditionally used by individual hackers to remotely control a victim host, maintain access, and remain stealthy, which have proven elusive and difficult to detect with existing products, which are largely signature-based.
A common characteristic of automated attack code is the need to interact intermittently with the hacker, either to provide access to or transfer valuable information from a compromised host, or to use the compromised host as a stepping stone for further attacks. Such interactions are quite often initiated automatically by the compromised host through rogue outgoing connections, which are made possible because most firewalls allow unrestricted outbound connections.
Detecting malicious automated outbound connections is challenging because of their stealthiness and the fact that they are quite often buried among countless outbound connections initiated by legitimate automated programs such as operating system daemons and scheduled software updates.
By monitoring user behavioural biometrics, such as mouse and keystroke dynamics, Plurilock is pioneering a new approach to automated attack session detection that covers a large swath of automated exploits. The upcoming BioTracker v3.0 (to be released by the end of October) will make use of advanced artificial intelligence (AI) to quickly detect automated attack sessions. While detecting automated attack sessions using behavioural biometrics may seem counterintuitive at first, because of the inherent lack of human traces in the execution of such attacks, it is precisely this apparent contradiction that is the main tenet of our detection strategy: an outbound connection that occurs with no accompanying human activity is itself a signal.
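The core idea above, correlating outbound connections with the presence or absence of human input, can be shown with a simple presence check. This is an added illustration, not Plurilock's BioTracker code: it uses constructed connection and input-event logs, an assumed allowlist of system daemons, and a fixed 30-second look-back window, and it flags connections that no recent mouse or keystroke event can account for.

```python
"""Added example (not BioTracker's implementation): flag outbound
connections that start while no human input is present on the host."""
from datetime import datetime, timedelta

# Constructed sample data: outbound connections observed on an endpoint,
# as (timestamp, originating process, destination).
CONNECTIONS = [
    ("2011-09-15 09:00:05", "firefox.exe", "93.184.216.34:443"),
    ("2011-09-15 09:00:30", "wuauclt.exe", "13.107.4.50:80"),
    ("2011-09-15 03:12:10", "svchost.exe", "198.51.100.23:6667"),
    ("2011-09-15 03:12:40", "svchost.exe", "198.51.100.23:6667"),
    ("2011-09-15 09:00:50", "svchost.exe", "203.0.113.9:8080"),
]

# Constructed sample data: timestamps of mouse/keyboard events on the host.
HUMAN_EVENTS = ["2011-09-15 08:59:50", "2011-09-15 09:00:02", "2011-09-15 09:00:45"]

# Assumed allowlist: daemons expected to connect without a user present
# (scheduled updaters and the like), kept out of the results to cut noise.
KNOWN_AUTOMATED = {"wuauclt.exe"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def human_present(ts, events, window=timedelta(seconds=30)):
    """True if any mouse/keystroke event falls within `window` before ts."""
    t = _parse(ts)
    return any(t - window <= _parse(e) <= t for e in events)

def flag_unattended(connections, events, allowlist=KNOWN_AUTOMATED):
    """Return connections opened with no recent human input by a process
    that is not on the allowlist. 'No human present' is evidence of
    automation, not proof; it is a triage signal for further review."""
    flagged = []
    for ts, proc, dst in connections:
        if proc in allowlist:
            continue
        if not human_present(ts, events):
            flagged.append((ts, proc, dst))
    return flagged

if __name__ == "__main__":
    for hit in flag_unattended(CONNECTIONS, HUMAN_EVENTS):
        print("unattended outbound:", hit)
```

The two 03:12 connections to port 6667 are flagged because no input event precedes them, while the 09:00:50 connection passes the presence check even though it is suspicious; a real product, as the post notes, looks at the dynamics of the input rather than its mere presence.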
The threat of automated attacks is real and serious. Corporations and institutions have a responsibility to ensure that their computers have not been compromised, by deploying the proper tools. Failure to do so means not only that they are no longer in control of their networks, but also that hackers can use the compromised machines as stepping stones to anonymously attack other organizations, which can open the door to expensive lawsuits and other related problems. For any organization looking to avoid the pitfalls of a major security breach, now is the time to start understanding how security intelligence software like BioTracker can help strengthen your network security.