Threat Landscape Shifts

I have watched the vulnerability exploitation window shrink over the years, from about a year in the ’90s, to three months around 2000, and more recently to just under 30 days.  This window is the amount of time it takes an attacker to develop working, weaponized exploit code and run it in the wild.  These figures are for vulnerabilities reported privately to the vendor; they do not cover the zero-day case, where a “researcher” discovers a vulnerability and publicly discloses the details before a fix exists, or simply starts exploiting it.

Fortinet, a network security and unified threat management (UTM) vendor, reports in its January 2011 Threat Landscape report that 61% of the new vulnerabilities disclosed in January were exploited in the wild.  During a typical month, Fortinet says, that exploitation rate falls between 30% and 40%.  Half of the new critical-rated vulnerabilities were targeted; these are the flaws that give an attacker arbitrary code execution on the target machine.

To pull this acceleration off, attackers have been reverse engineering the patches that vendors release: they identify the differences between the patched and unpatched files, focus their research on the code that changed, since that is where the fixed vulnerability lives, and develop their exploit code from there.  (Source: SecurityWeek)
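To make the patch-diffing workflow concrete, here is an added example (mine, not SecurityWeek's and not any vendor's tooling) that performs the same comparison at source level in Python: split each version of a file into functions, report which functions changed, and pull out only the lines the patch added. The file contents, the function names and the missing bounds check are all constructed for the illustration. Real patch diffing is done on compiled binaries with tools that match functions across builds, but the principle is identical: the diff points straight at the code the vendor thought was worth fixing.

```python
import difflib
import re

# Constructed sample: an "unpatched" and a "patched" version of one source file.
# Neither is real vendor code; the bug (unchecked memcpy into a fixed buffer)
# and the fix are illustrative only.
UNPATCHED = """\
int parse_header(const char *p) {
    return p[0] << 8 | p[1];
}

int parse_record(const unsigned char *input, size_t len) {
    unsigned char buf[64];
    memcpy(buf, input, len);
    return process(buf, len);
}

void log_event(const char *msg) {
    puts(msg);
}
"""

PATCHED = """\
int parse_header(const char *p) {
    return p[0] << 8 | p[1];
}

int parse_record(const unsigned char *input, size_t len) {
    unsigned char buf[64];
    if (len > sizeof(buf))
        return -1;
    memcpy(buf, input, len);
    return process(buf, len);
}

void log_event(const char *msg) {
    puts(msg);
}
"""

# Matches a C-style function header at the start of a line: return type, name,
# parameter list, opening brace.  Adequate for flat, formatted code like the
# sample; it is not a C parser.
FUNC_RE = re.compile(r'^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^)]*\)\s*\{', re.MULTILINE)


def split_functions(source: str) -> dict:
    """Map each function name to its full definition (header through closing brace)."""
    funcs = {}
    for m in FUNC_RE.finditer(source):
        depth = 0
        end = m.end() - 1          # index of the opening brace
        for end in range(m.end() - 1, len(source)):
            if source[end] == '{':
                depth += 1
            elif source[end] == '}':
                depth -= 1
                if depth == 0:     # matching close brace found
                    break
        funcs[m.group(1)] = source[m.start():end + 1]
    return funcs


def changed_functions(old_src: str, new_src: str) -> list:
    """Names of functions that were added, removed or modified by the patch."""
    old, new = split_functions(old_src), split_functions(new_src)
    return sorted(n for n in set(old) | set(new) if old.get(n) != new.get(n))


def function_diff(old_src: str, new_src: str, name: str) -> str:
    """Unified diff of a single function, so analysis focuses only on what changed."""
    old = split_functions(old_src).get(name, "")
    new = split_functions(new_src).get(name, "")
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile=f"unpatched/{name}", tofile=f"patched/{name}"))


def added_lines(old_src: str, new_src: str, name: str) -> list:
    """Only the lines the patch introduced; a new check usually names the bug."""
    return [line[1:].strip()
            for line in function_diff(old_src, new_src, name).splitlines()
            if line.startswith('+') and not line.startswith('+++')]


if __name__ == "__main__":
    for name in changed_functions(UNPATCHED, PATCHED):
        print(function_diff(UNPATCHED, PATCHED, name))
```

Run stand-alone, the script prints a diff of `parse_record` alone; the two added lines (`if (len > sizeof(buf))` / `return -1;`) tell the attacker both where the overflow is and what input reaches it, which is why the time from patch release to working exploit keeps shrinking.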

InformationWeek is reporting that distributed denial of service (DDoS) attacks, the bane of all online services, have broken the 100 Gbps barrier, growing in bandwidth by 102% over the past year and by 1000% since 2005.  The finding comes from an infrastructure security report released on Tuesday by Arbor Networks, which surveyed 111 IP network operators from around the world and found that the volume and severity of attacks continue to increase.

The attacks appear to be driven by the spread of botnet malware agents that allow an attacker to use compromised computers to launch coordinated and focused attacks.  This has led to rapidly escalating DDoS attack size, frequency, and sophistication.  “Adding to the challenges facing operators is the increasing number of attack vectors, including applications and services, not to mention the proliferation of mobile devices” according to Roland Dobbins, a solutions architect at Arbor Networks.

Dealing with DDoS has been a major challenge for businesses of all sizes.  Mitigation products have been aimed at ISPs and the very largest enterprises, but adoption has been low because of cost.  ISPs generally can’t justify the expense without some return on investment, and protection against a threat that may or may not materialize is a tough sell as a value-added service and a hard thing to justify in the boardroom.