Polymorphic Attacks Reshape Security Landscape

A review of network security threats shows growth in attacks that use DDoS and other methods as smokescreens for data breaches and extortion.

December 17, 2015

7 Min Read
Light Reading logo in a gray background | Light Reading

The growth of polymorphic attacks, which change over time or use one kind of attack to mask another, is forcing the telecom industry to reshape its view of cyber security to be broader in scope and based more on network intelligence and behavior patterns.

The move away from traditional solutions such as firewalls and signature-based detection is one part of the strategic shift among managed security services providers and their vendors. The shift is an to attempt to try to keep up with innovation by the bad guys, who are constantly looking for new exploits. In this first of three articles on evolving network security strategies, we'll look at the threats themselves and how they are changing, according to experts on the front lines of protection.

One definite trend is the growth in polymorphic attacks, which either combine a so-called volumetric attack involving high volumes of traffic such as distributed denial of service (DDoS) attacks with a data breach, or morph over time from one type of attack to another. For example, a DDoS can be used to distract attention away from another type of data breach.

Read the latest on issues around network security in our security section
right here on Light Reading.

"We are seeing a dramatic increase in the number of polymorphic types of attacks," Dave Ostertag, Verizon Enterprise Solutions 's global investigations manager, said in November in a panel at Light Reading's Carrier Network Security Strategies event. In many cases, the same players are involved as in earlier attacks -- Eastern European crime syndicates, for example -- but their motivations have changed, he said. (See Verizon: Cyber Attacks Hit New Targets in New Ways.)

"They are now involved in nation-state geopolitical attacks," Ostertag said. "We see the US put sanctions on Russia, and then we see those same players that were financially motivated attacking with a disruptive attack, either a traditional DDoS attack or going after those servers that are critical to doing business with a data grab to post on the Internet for embarrassment purposes."

At the same time, however, some of the data originally grabbed in polymorphic breaches of the past is now being used for financial gain. Ostertag cites the Anthem Inc. breach, which affected medical data held by the insurance company that was stolen originally for embarrassment purposes. A year down the road, and the information is being used for financial gain.

Next page: Shifting motivation requires new responses Increasingly, DDoS attacks are related to extortion attempts, said Michael Sabbota, senior consulting engineer at Arbor Networks , a security systems vendor. They become part of "advanced direct campaigns to distract and overwhelm direct response teams." Sometimes the distraction masks a data breach or other activity that is the real goal of the attack.

What this means for service providers is that the high packet-per-second attacks themselves are changing and can threaten specific parts of the network, not just the broader pipe, Sabbota noted. "You have to understand that line cards and other things can be overwhelmed," and that can be enough for a successful extortion attempt.

Polymorphic attacks aren't new -- they've been around for a long time, noted Tim Rains, chief security advisor for the Enterprise Cybersecurity Group at Microsoft Corp. (Nasdaq: MSFT), but they are growing in number and becoming more sophisticated.

"Once a system gets infected with a professionally managed threat they will update that threat 1,200 times a day to avoid detection by anti-malware software," Rains said. "That is one area where I see innovation -- more and more obfuscating attacks. They obfuscate so anti-virus and anti-malware won't be able to detect the attack on the disc and the only way to find it is in memory."

So even as malware infection rates in general have come down over the last year, there is still the ability for the bad guys to penetrate a network's defenses and do a lot of damage before being detected. According to Verizon's DBIR, the average attack isn't discovered until 288 days after it has infiltrated a network, and during that time, a lot of data can be captured and a lot of damage done.

Even with the focus on stopping polymorphic attacks, however, the continued growth of volumetric attacks means these can't be ignored, noted Pat Barnes, product line manager for Mobile Service Provider Security at Juniper Networks Inc. (NYSE: JNPR).

"Volumetric attacks are just too easy. They are just too good. It's bread and butter for the bad guys," he said. "Application layer attacks are a little bit more sophisticated, a little harder. But as bad guys continue to innovate on the application layer, they aren't going to give up on volumetric, and for service providers, those have the biggest impact."

Barnes also pointed out that service providers themselves and their data are increasingly direct targets of the cyber attackers. UK-based TalkTalk was the victim of an embarrassing DDoS as a smokescreen attack during which a lot of customer data including credit card numbers was stolen. In addition to facing extortion attempts from the attackers, Talk Talk lost customers as well. (See TalkTalk Plummets on Security Woes.)

Next Page: Mobile app vulnerability

There are some who believe mobile smartphones represent a new threat vector, but while that has played out in places such as China, where cyber criminals have infected mobile apps in both the Apple iTunes store and Google Play, there is not yet evidence of a broader threat generally, said Ostertag.

In Verizon's Data Breach Investigations Report, issued annually, there were no data breaches reported using mobile phones, and Verizon Wireless itself reported .03% of data breaches involved mobile phones, he said. (See Verizon Offers Industry-Specific Security Advice.)

That doesn't mean it isn't a concern for the future, especially as the Internet of Things rolls out. Sid Harshavat, principal telecom architect at Symantec Corp. (Nasdaq: SYMC), said mobile apps are being used to embed both fraudulent services such as premium SMSs, and potentially as part of an ecosystem for broader attacks.

Microsoft's Rains noted that there were almost 1,400 vulnerabilities noted in Android apps alone, as part of Google Play, causing the annual National Institute of Standards and Technology (NIST) database of software vulnerabilities to go up sharply in 2015.

"There are thousands and thousands of apps with SSL [secure socket layer] validation vulnerabilities in them," Rains said. "I don't think those are the source of data breaches, but I do think man-in-the-middle attacks with applications that fail to do SSL validation is real. From the data we have, that is probably the most noteworthy thing."

That's especially a concern for apps that are specifically designed to protect data such as banking transactions, he added.

Smartphones also represent a way in for the bad guys in that they often exist within an enterprise, on the internal WiFi network, and may bypass perimeter security altogether.

In Brazil, Harshavat said, a social networking app that had been widely downloaded was set up to wait for commands from a third party to divert traffic to set up a DDoS attack. Cyber criminals are getting cleverer with how they set up points of entry into a network, he said.

At the same time all of this is happening, Ostertag notes, enterprise customers, in particular, are turning to network operators to ask for more help in making sure attacks are stopped outside their perimeter, in the network and in detecting and shutting down attacks when they do happen. In part two of this series, we'll look at some of the strategies for doing that, from companies such as AT&T, Verizon and Level 3 Communications.

— Carol Wilson, Editor-at-Large, Light Reading

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like