
Twenty-Four Seven Security


The Danger of Low and Slow Attacks: Mike Rothman Explains


What follows is my Q&A with Mike Rothman. Many of you will remember Mike Rothman as a very popular columnist and podcaster for ebizQ, among other places, and Mike has now moved on to become Senior Vice President of Security Strategy for eIQ Networks. In this podcast, we discuss Mike's move, then dive into detail on 'low and slow' attacks -- how to recognize them, and how to stop them -- and then I ask Mike what types of attacks we can expect in the year ahead.

Listen to or download the 9:42 minute podcast below:



Can you just give me a quick rundown of your past few months and how you came to join eIQ Networks?

Sure, Pete. I mean, it was really kind of an interesting process, because I was pretty fortunate in that I wasn't really looking for a job, right.

I was doing some work with you guys at ebizQ. I obviously had a successful public speaking and consulting and analyst/research business. But it turned out to be an interesting opportunity at eIQ Networks. It was really driven by the president, a guy named Jim Geary, who I had previously founded a company with back in the late 90s.

So we had been looking to do something together for a long time, and when he got the opportunity to do eIQ, it made sense for me to think about doing it as well. It was something that just felt right from the standpoint of interesting market segments, security and compliance management, a great team, and an interesting opportunity and market from that perspective. So it was just one of those things where a lot of things had to go right for me to decide to make the jump, and it turned out that they did.

So now, what exactly are the characteristics of low and slow attacks and how can they be detected?

That's actually an interesting thing that we've detected over at eIQ Networks. And what we do, just for a little bit of background, is we have a security and compliance management platform that really gathers and aggregates a lot of the traditional security information, and network information, and configuration information, and performance information that's happening out there in a technology infrastructure, aggregated into our -- I'll call it a correlation machine.

And we really look for interesting relationships and look for potential attack scenarios, as well as really correlate a lot of that information to try to pinpoint specific attacks. And one of the things that we have really detected is what I'll call a low and slow attack, which is an attack that, from the get go, is designed to be evasive. So back in the history of kind of Internet crime, it used to be that the attacks were much more about brute force. They were about trying to knock a network down, doing denial of service, and really trying to create havoc from that standpoint.

But now that the objective of many of these attacks is much more about crime than it is about actually trying to knock down a network, the attackers are trying to remain undetected. They're trying to steal information over and over again, so it makes a lot more sense for them to adopt a much more patient type of structure to compromise a network. So what I mean by that is they'll take over a server and then they'll wait, right.

They'll compromise a device and then they'll wait for maybe a week, maybe two weeks, until everything seems to be back to normal, and then they'll do it again and get a little bit deeper into the network, and then a little bit deeper, and a little bit deeper. And this whole attack may take months, but in most cases the attacker will remain undetected, and for them that's a much more important thing than kind of the quick easy hit. So that's kind of a low and slow attack.

And in order to detect those, you have to be able to maintain a long history of what's happening in your environment and not disregard a lot of that data. So a lot of the existing security management products out there actually just look at two or three days' worth of data, and if somebody kind of attacks one of these, or uses one of these low and slow type of attack vectors, that is not going to be detected by the security products. So what we do at eIQ is we actually gather 90 days' worth of traffic in our correlation machine and use that to really try to detect not just low and slow attacks but pretty much every other attack that's out there as well.

That's interesting. Now, how can you tell if your company is a prime target for one of these attacks, and what exactly is one of the best ways to prevent them?

Well, I would actually say that every company is a target for pretty much every attack, right. A lot of the attackers, Pete, they're working on the lowest hanging fruit principle, right, which is: there are literally millions and millions of places to attack, and they're going to focus on the places where they have the highest likelihood of being successful, and obviously with some kind of economic benefit to them for perpetrating that attack.

So folks that have a lot of Internet facing activities -- so if you do customer service, or if you have an order system that you host yourself, or if you do logistics management -- you're obviously a target for pretty much all of these attacks. So let's use an example like Hannaford Brothers, which was -- that was a big PCI oriented attack, but it really targeted all their stores and targeted their point of sale systems.

But that was a typical kind of attack in that, again, these guys laid low, and then they started compromising these devices and stealing the point-of-sale data before it got encrypted to send back to the processing plant. So from that standpoint, again, I think that everybody is a target for these kinds of attacks, and the way to prevent them is, again, to really have an idea about what's happening in your infrastructure, and just looking at IDS logs, or IPS logs, or firewall logs, that's not really enough.

What you have to do is also look for other indications of an attack, right. So not only do you have to have the data from your log system that says, hey, you know, something funky may be happening because my IPS fired and my firewall fired for any number of different reasons, or you got some router ACL types of log events.

But then you want to check for other corroborating evidence of what may be happening out there, so that could be a configuration change. So again, going back to the example of Hannaford Brothers, if you were monitoring the configurations on those servers that were hosting the point-of-sale application, you would have seen a different configuration, you would have seen a new executable loaded onto that machine, and known something was kind of funky.

Then, if you were actually looking at the network flow data, for example, you would have detected that there was kind of strange traffic from that server back to a place outside of the network, which is uncharacteristic of what you would see. So if you're paying attention -- again, I had this whole thing back when I was a columnist for you guys, I kind of used this whole idea of "react faster," right, especially to application oriented types of attacks.

You're never going to get out ahead of that threat, but by doing it in a savvy fashion, actually looking at what's happening in your infrastructure and looking for anomalies, you can detect that these attacks are happening and then, again, try to react faster before you have a catastrophe on your hands.

So people can find you at EIQ Networks then?

Yeah, you bet, EIQNetworks.com, that's where we're at. Right now, and anonymously, I'm still blogging at securityinsight.com as well, on my hobby site. But as we talked about before, Pete, you know, having a day job, I have to spend most of my time focused on the eIQ Networks thing.

Now, to take a step a little bit back, and back to your ebizQ role, as you were our main security brain here: besides low and slow attacks, what other types of attacks do companies need to be worried about in this upcoming year?

Interestingly enough, Pete, listen, there are always going to be kind of new attacks du jour, right. There are a whole bunch of new, different SOA-based attacks. There are a whole bunch of different web oriented attacks, and you know what, the only thing I know in 2009 is that we're going to have more of those attacks. And I don't know what they are yet. But the thing I think a lot of customers need to be really focused on is how they can do their activities and really operate their security infrastructure more effectively and more efficiently. And that gets back to automation.

That's one of the things at eIQ that we really hammer on, which is: there are going to be new attacks, which means you have to bring in new devices, and those new devices take new people to actually manage. And then you get into the math problem, right. So over the next couple of years you're going to bring a couple more products in, and each one of those products requires a couple more people. Guess what? That math looks pretty ugly when we're in an economic situation that says not only can you not add people, in many cases you may have to contract, and certainly work a lot more effectively.

So automation, to me, in 2009 from a security standpoint, automation is really kind of the key word, because you can't do it all yourself, you can't wade through all the crap that's happening out there, all the attacks that are really being perpetrated against your organization. So what organizations -- what successful organizations are going to need to do is strategically automate what they're doing much more effectively than they're doing today.
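Editor's note: the detection idea Mike describes above (an IPS alert, then a configuration change on the same host, then an outbound flow to an unfamiliar destination, spread over weeks, and only visible if you retain enough history) is worth seeing in code. What follows is an added illustration written for this page; it is not eIQ's product or any code from the interview. The event log is constructed, the host names and the IP addresses (from the documentation ranges) are made up, and the three-stage rule and the `KNOWN_DESTINATIONS` baseline are my own simplifying assumptions. It runs the same correlation every day with a given retention window and shows that a 3-day or 14-day window never sees the whole chain, while a 90-day window flags both compromised hosts.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int          # days since the start of the constructed log
    host: str
    kind: str         # "ips_alert" | "config_change" | "outbound_flow"
    detail: str = ""  # new executable name, or flow destination


# Assumed baseline: external destinations the POS servers legitimately talk to.
KNOWN_DESTINATIONS = {"198.51.100.10"}  # e.g. the card processor (constructed)

# Constructed sample events, not from any real environment. The attacker
# compromises pos-srv-01, waits two weeks, drops a binary, waits two more
# weeks, then exfiltrates; then repeats the pattern deeper in on pos-srv-02.
EVENTS = [
    Event(0, "pos-srv-01", "ips_alert", "suspicious inbound"),
    Event(1, "pos-srv-01", "outbound_flow", "198.51.100.10"),  # normal processor traffic
    Event(5, "pos-srv-04", "ips_alert", "port scan"),          # alert with no follow-up
    Event(14, "pos-srv-01", "config_change", "new executable svchost32.exe"),
    Event(20, "pos-srv-03", "config_change", "patch applied"),  # benign change, no alert
    Event(28, "pos-srv-01", "outbound_flow", "203.0.113.77"),   # destination never seen before
    Event(42, "pos-srv-02", "ips_alert", "lateral SMB auth"),
    Event(56, "pos-srv-02", "config_change", "new executable svchost32.exe"),
    Event(70, "pos-srv-02", "outbound_flow", "203.0.113.77"),
]

# The corroborating chain Mike describes, in the order the stages must occur.
STAGES = ("ips_alert", "config_change", "outbound_flow")


def staged_hosts(events, now_day, retention_days, known_dst):
    """Hosts whose retained events (as of now_day) contain all STAGES in order.

    Only events within the last retention_days are considered, which is what
    a product with a short look-back window effectively does. Flows to a
    known destination are treated as normal and ignored.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.day):
        if not (now_day - retention_days <= ev.day <= now_day):
            continue  # outside the retention window: the product has forgotten it
        if ev.kind == "outbound_flow" and ev.detail in known_dst:
            continue  # expected traffic, not an anomaly
        by_host[ev.host].append(ev)

    flagged = set()
    for host, evs in by_host.items():
        next_stage = 0
        for ev in evs:
            if ev.kind == STAGES[next_stage]:
                next_stage += 1
                if next_stage == len(STAGES):
                    flagged.add(host)
                    break
    return flagged


def campaign_hosts(events, retention_days, known_dst=KNOWN_DESTINATIONS):
    """Run the correlation once per day over the whole log and union the results.

    This models a product that re-evaluates daily but only ever sees the last
    retention_days of data; the union is everything it would ever have flagged.
    """
    last_day = max(ev.day for ev in events)
    found = set()
    for day in range(last_day + 1):
        found |= staged_hosts(events, day, retention_days, known_dst)
    return found


if __name__ == "__main__":
    for window in (3, 14, 90):
        print(f"{window:>2}-day retention flags: {sorted(campaign_hosts(EVENTS, window))}")
```

With this data the 3-day and 14-day windows flag nothing, because no two stages of the chain ever fall inside the same window, while the 90-day window flags both pos-srv-01 (on day 28) and pos-srv-02 (on day 70); the lone IPS alert on pos-srv-04 and the benign change on pos-srv-03 are not flagged in any window. The ordering requirement and the known-destination baseline are what keep the rule from firing on every patch or every routine connection; in a real deployment both would need tuning, and the retention window is a cost/coverage trade-off rather than a fixed number.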


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
