This week, I had a phone conversation with Josh Corman about botnets. Corman is the host protection architect for Internet Security Systems, Inc. (ISS), with more than eight years of experience in security and networking software. What was refreshing was Corman's out-of-the-box thinking on the distributed networks currently being used by online criminals. Of the most popular of these networks, he said "Storm did a lot of things right; in some ironic sort of way, you could argue that Storm is itself a blueprint for fighting (botnets)."
But Corman's most incisive comments are reserved for the security community itself. We know that botnets as a platform for launching attacks are here to stay. Where they go next--say, toward launching a "digital Pearl Harbor"--remains debatable and, after talking with Corman, perhaps misses the point. Storm and other botnets have shown themselves to be agile and adaptable; so, too, must the security community become agile and adaptable, says Corman. "It's our turn to evolve."
Corman's praise for botnets is strictly a matter of context. "Storm is really pulling together some of the best discrete technologies in the underground and leveraging them for maximum value. I think that is a blueprint for what we need to do in the security industry." He's arguing that security vendors and practitioners need to take some of the best defense technologies currently in use and begin "an elegant collaboration among them." In particular, Corman says "we need to focus on the success of paying attention to the social element."
"First and foremost, the beauty and elegance of Storm has been its ability to do social engineering. That has been the bait or the success factor which sets (Storm) apart. Its resilience comes from its decentralized nature. Its continued success is the continuation to adapt and evolve." Corman chooses to see all this as a positive, rather than a negative. "I think there are a lot of lessons to be learned from Storm on how to fight it."
Future of security
Corman says the future is clear. "Storm has really paved the way for more of this stuff to continue. So I'd like to see more of us get more strategic about how to tackle these new forms of threat. The nature of the threat has evolved, and now it's our turn to evolve as well." He went on to say "I think what's interesting is not Storm as a chunk of code, but the template laid out by Storm...this newer generation shows a strategy for persistent and pervasive and decentralized botnets."
"So as a technology, I think (botnets) can be used for a number of issues. We're currently studying and tracing the economically driven use from the current owners. But a lot of the research that I've done and the colleagues that I speak with are talking about how this technology could be used in other ways in the future."
The three Ps
Corman frequently talks about the "three Ps" of cyber security issues. "For the first 20 years, we were dealing with the first 'P' of prestige, but there's two more: it's profit, politics." Prestige could be seen in the use of viruses; virus writers only wanted to see their creation heralded in the media. There was no remuneration for virus writing. With botnets, there's money to be made.
"What we see with Storm is a very impressive arsenal. It's a very elegant solution. There's no particular part of Storm that's incredibly innovative. It's really the ability to hold together the right pieces of technology in a very effective way. But Storm has largely been driven for that second P, which is the profit." He cites Storm's use of MP3 files for pump-and-dump spam as an example.
It's the political use that bothers Corman the most, because distributed botnets can be used to do any number of things. "You can launch a fairly devastating level of DDoS attacks...(some of) these DDoS attacks currently exceed the best anti-DDoS technologies in the industry. We really lack the technologies to defend against a large scale DDoS or the kind that could be perpetrated by these numbers on infected systems."
"Digital Pearl Harbor isn't trying to be a scare tactic. It's just that Storm has become somewhat of a sleeping giant, where the methodologies involved in Storm are allowing large numbers of systems to be roped together and being delivered common purposes. Currently most of those purposes are fairly a nuisance rather than a major, serious threat." But all that could change.
"When you take pennies from millions of people, no one says 'ouch!'" Corman says one of the reasons Storm has succeeded is "it's never really taken out a very large, high-profile enterprise, or it hasn't launched large scale DDoS attacks on a SCADA system for example. But as we've seen in unrelated events recently, down in New Orleans there were some power grids taken down by a hacking team."
Corman hastens to add that those examples were done without Storm. "I see no evidence to connect the two. But the botnet known as Storm, which is being leased and rented, could be used for large-scale DDoS attacks on Fortune 50 companies, on e-commerce sites with probable success. We just don't have the anti-DDoS technologies in place to be able to counter the kind of throughput you could get out of that many nodes."
Should the security community change the way it thinks about botnets, or are they basically the same threat as viruses were 20 years ago? TalkBack to me.