Early Warning Security Event Systems

Years ago, early warning systems for security events used to be a proprietary service available to a vendor’s customers only, or even worse, to the vendors themselves. But with more vendors realizing the marketing potential behind viral marketing, and the need for more transparency on the state of Internet attacks, nowadays such EWS’s are either publicly available at a vendor’s site, or accessible due to the emerging CERT-ization and aggregation of honeypot data on a coutry level courtesy of the local CERTs themselves. And such is the case with ARAKIS :

an early warning system operated by CERT Polska. ARAKIS aggregates and correlates data from various sources, including honeypots, darknets, firewalls and antivirus systems in order to detect new threats. The dashboard provides a snapshot of activity on the Internet based on data gathered from a selected group of sensors.

PING sweeps dominate the local threatscape? As always, nobody likes shooting into the dark unless of course they really have to. Several more publicly available early warning systems for security events worth considering are :

ATLAS: Active Threat Level Analysis System
CipherTrust’s Real-Time PC Zombie Statistics
WatchGuard’s Real-Time Spam Outbreak Monitor
ProjectHoneypot’s Spam Harvesting Statistics

as well as several malware outbreaks related early warning systems:

Trend Micro’s Virus Map
F-Secure’s World Map

PandaSoftware’s Virus Map

McAfee’s Virus Map

As far as any other non IT security incident on a worldwide scale is concerned, the Global Map of Security and Terrorist Events, maps the “big picture”.

The syndication of such publicly available data into a central dashboard is nothing new, but with so many CERTs in Europe the next big milestone to be achived should be to first integrate the data between themselves, share with vendors and vice versa, and then communicate the big picture for industry insiders and outsiders to see. An effort which could really undermine the commercial EW systems, ones whose business model is getting outdated with every day.

The FBI’s recent “Operation Bot Roast” not only reminds me of the Wardriving Police who will wardrive and leave you flyers that you’re vulnerable, but also that when proactive measures cannot take place post-event ones dominate – “Dude, you’re malware-infected and sending spam and phishing emails to yourself!” – not exactly what pragmatic is all about :

OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers.

One thing I’ve learnt about end users, either educate and evaluate the results, or directly enforce practices leaving them with no other option but to stay secure by default. Most importantly, with major U.S based ISPs sending out spam, thus having the largest proportion of infected customers are publicly known. So instead of giving out anti virus tips, cooperate with ISPs on the concept of filtering outgoing spam messages, and DDoS attacks.

With malicious economies of scale, that is botnet masters automating the entire process of exploiting unpatched PCs, using old-school social engineering attacks taking advantages of opened up “event windows”, packing and crypting their malware to exploit the flows in the current signatures-based detection hype – is such an initiative really worth it? Time will show, but what could follow are fake FBI emails telling everyone that they’re infected, a little something about the operation itself, and how visiting a certain malware embedded web site will disinfect your PC the way we’ve seen it happen before.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *