Heartbleed Impact: Community Health Systems BreachRob Kraus on Solutionary's Latest Threat Report
The Heartbleed bug, of course, was the big news in the second quarter of 2014, and Solutionary's security engineering research team invested time, testing exactly how prospective attackers could exploit the vulnerability.
In some ways, says Kraus, SERT's director of research, the Heartbleed bug - despite the massive media attention - was actually under-appreciated for its full potential.
"Some organizations are still working on their maturity models, and they don't understand the threat," Kraus says. "The people who are on the ground, testing the Heartbleed vulnerability and writing proof of concept code and exploiting it ... [their perception] is certainly different than what the general public understands, as well as even security practitioners who ... don't necessarily understand the impact of Heartbleed."
Yet, malware continues to steal the headlines. And among the latest findings: 59 percent of malware captured was hosted in the U.S. - a 12 percent jump since the end of 2013. And the top 10 internet service providers represent the source of 52 percent of the malware identified in Q2.
In an interview about Solutionary's latest threat intelligence report, Kraus discusses:
- The Heartbleed impact;
- Latest malware trends;
- The need for threat intelligence and risk analysis prior to selecting security products;
- Threat trends to watch in the months ahead.
Kraus is the director of research for the Solutionary engineering research team. He is a Certified Information Systems Security Professional (CISSP), specializing in vulnerability research, malware analysis, threat intelligence, Web application security assessments, external and internal penetration testing, and social engineering. He previously was a manager within Solutionary's security consulting services group.
Solutionary, an NTT Group security company, is the next generation managed security services provider (MSSP). Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data.
Quarterly Threat Intelligence Report
TOM FIELD: Looking at the Quarterly Threat Intelligence report, it's bigger than the reports typically are. Does that mean that it is also better?
ROB KRAUS: As we go through an evolution of putting out these reports -- we've been putting them out for a couple of years now -- we have a very technical team of folks within the Solutionary Security Engineering Research Team, and although they are technical, they also have a really good eye for what's valuable intelligence for distributing to the security community, as well as other folks who may be reading the report. With that maturity, we continue to develop the report, make it better, add new features, and over time things get better. Specifically for this report, it's a bit longer with topics around Heartbleed, and we have some follow-up information from some of our previous malware analysis. Additionally, [there is] some content we added about types of vulnerabilities and attack vectors as well.
FIELD: Was the Heartbleed vulnerability over-hyped or under-appreciated in the market?
KRAUS: I don't know if I would use the word over-hyped. It was very interesting to see how many organizations realized that this was a legitimate vulnerability and the potential for leveraging that with publicly available exploit code. I don't think it was over-hyped in the aspect of, "this is something small and people are talking too much about it." It was definitely worth the amount of media, press and attention that it received over the long-term.
Under-appreciated, I think in some cases. Some organizations are still working on their maturity models, and they don't necessarily understand the threat. I was on an airplane, sitting next to someone who asked me what I do for a living, and I told them I'm a security practitioner and we do a lot of research. [She asked if I knew] about that Heartbleed thing, that flaw in SSL? That goes to say: There is a clear misunderstanding of what people think. The people who are on the ground testing the Heartbleed vulnerability, writing proof of concept code and exploiting it are certainly different then what the general public understands. As well, even security practitioners and organizations who may not necessarily have in-depth knowledge of security that may be fulfilling a security role don't necessarily understand the impact of Heartbleed.
During the week that Heartbleed was released, we had a lot of education sessions for our clients to help them understand what the vulnerability was, how it potentially impacted their organizations and what they should look at from a business perspective. One thing I do want to point out is, we did have a lot of great media coverage that week, but how many people actually took action on it? Through our global threat intelligence report that came out earlier this year, we identified some pretty scary statistics about patch and vulnerability management. Specifically, we showed that organizations were showing that it took approximately 180 to 190 days to address a medium-level vulnerability within their organization. That is a quite a significant amount of time, and when Heartbleed first came out, it was actually flagged as a medium-level vulnerability. I've got to think to myself that there is going to be significant lag time before this problem is totally gone. That's one of the things from the under-appreciated side, this is really going to test organizations on how efficient they can be with their vulnerability life cycle management in addressing threats such as these.
FIELD: Where is malware coming from, and what are you seeing for strains of malware in the wild?
KRAUS: We're still seeing that the United States is a major contributor to where malware is derived from, captured or hosted in general. When you think of the overall picture of the world, and the populace amongst different countries around, it makes sense that the United States is at the top of the list. We do everything, culturally, [such as] different social media services. We're very much about sharing information as quickly as we can. Because the United States is so well-connected, and so many people subscribe to those different services, it's a breeding ground to move malware around this type of environment.
But we are seeing increases from around the world as well. Some of the analysis that we're looking at shows upticks in different countries, such as France, the Virgin Islands and Ireland. The U.S. has not necessarily cornered the market on it. There are certainly other countries who are up and coming, and that fluctuates over time. There are clearly some trends that will continue, but as malicious attackers are out there looking for different ways to deliver malware and infect hosts, they are going to be looking for deeper, darker corners of the web to leverage some of that space as well.
Additionally, we've seen an increase in different ISPs and hosting providers in general that are being utilized to host malware. In the last report, we talked about services such as Amazon or GoDaddy that have different types of hosting capabilities. It's a playground for malicious attackers to get out there and put software up on servers and host websites without too much trouble. They do it for the same reason that businesses use it. It's fast and efficient to set up a web server when you're going through another hosting provider, but unfortunately the bad guys know that. [With] Amazon we saw a significant increase from 16 to 41 percent, which is quite a big jump. Obviously the malicious actors are out there using these services to throw up sites that are hosting malware leading to additional drive-by downloads or command and control servers. But at the same time, GoDaddy had dropped to position number nine on our list of the top 10. They went from 14 to two percent. We can't speculate why they dropped. We don't know if they had implemented additional controls. Maybe they read our report and said, "Hey we've got to do something about this," but that would be pretty optimistic of me. This is just like the stock market, things fluctuate every day depending on the goals of the attackers.
FIELD: Can you talk about the changing threat landscape?
KRAUS: That's always an interesting discussion because it's really hard for us to tell on a day-to-day basis how much things change. Think about it this way: I have some cousins that I don't see every day, but when I see them every couple of months I realize how much they've grown and matured. I look at malware and the security industry the same way. If you look at it from the micro-focus of what's happening every day, there are certainly notable events. But you don't see what's happening on the threat landscape unless you take a step back and look over time.
We did a lot of that comparison in our Global Threat Intelligence Report earlier this year. We've compared some of the things we had seen last year to what we saw this year, and a lot of it showed consistency. There were some things that were notably different. For instance, malware exploit kits are still making a significant drive in their capabilities. When we compared this year's results with last year's results, we had identified that the exploit kit developers had actually gone back and pruned a bunch of older exploits they had for older vulnerabilities to make their kits more relevant today. You can tell that there is certainly a maturity in the development of the capabilities of the kits themselves, but also in how they're going to market with their kits.
When we look at the threat landscape, sometimes we have to focus on the micro, and sometimes we have to take a step back and look at the bigger picture. Sometimes those pictures don't always paint themselves until you have some historical data.
As far as the threat landscape evolving, I can tell you that we have definitely seen an uptick in niche providers of malware detection capabilities and more specifically in the area of specialized network detection capabilities. People are understanding that malware is a big deal. Additionally, there are significant strides in threat intelligence as well.
Organizations are starting to understand that threat intelligence is not just a feed that gives IP reputation data, but it's more about the collective of all different sorts of intelligence that comprise an overall threat intelligence basis. Organizations are starting to realize that the generic feeds that tell you the daily digest you get to your desktop provides value. These are the things that are going on in your vertical, or around the world in general. But we're finding a lot of organizations have a significant desire to learn about what people are saying about them specifically. I predict that we're going to see a lot more targeted threat intelligence offerings out there.
FIELD: Where should organizations be investing their time, resources and money in the next quarter?
KRAUS: Where should organizations invest their time and money is one question that I probably hear several times a week. I speak with a lot of C-level executives who are concerned about their environment. They want to make sure that they're protected, but often I get the very product-specific questions, which is interesting to me because there are a ton of great products out there that we could put into our environment to protect us against different types of threats.
So specifically, if you look at malware products, there are a ton of products out there. If you look at DDoS, there has been a ton of providers who have come out over the last couple of years who provide mitigation capabilities. The first thing I ask whenever I'm asked is, "What is making you believe that you need a DDoS product? What is making you believe that you need a malware analysis product on your network today? What is justifying those as the priority?" Quite often the answers I get back is, "I was talking with some of my peers and they said that XYZ product was great and highly recommend it."
What is disturbing to me is that there is not any risk analysis actually performed to justify that. Years ago there was a report that came out indicating that 10 percent of the IT security budget should be dedicated toward security. A follow-up report came out saying that most organizations use about three percent. We're dealing with a very small amount of money to help secure our entire enterprise. What have you done to determine that is your biggest risk? If you think your biggest risk is a DDoS attack, and you spend all your money on that without doing a qualified risk assessment, you may be spending that money ill-informed. What if you do a risk assessment and your risk tells you DDoS is a significant concern, but you have a much greater loss potential in addressing malware threats? That's why it's important to have those types of assessments up front. It's hard to say, on an organization by organization basis, where the best place to invest time and money is unless they have a risk assessment that tells you what your greatest loss potential is, which will help you identify how to mitigate those.
There are a lot of things coming up. My team will be at some of the major industry conferences, and there's likely to be a lot of new vulnerabilities that are released as part of those. A lot of web-innovation and new research always comes out with those conferences every year. One of the constants that I expect to see over the next quarter is the rise of malware. Recently, with the FBI and some other organizations taking down the Blackhole exploit, there's been a significant drop-off. However, some of the research that we see has us identifying other exploit kits that are stepping in to fill in their shoes. Some of those different exploit kits are likely going to step up and take over where Blackhole left off. They are going to fil that gap pretty quickly. My question is, what is the end game? What is the next step? It's going to be pretty interesting to see it unfold over the next couple of years.