(2007-02-19) In defense of the rabbit

In a world where putting up a brave fight is the most honorable defense, the rabbit is often seen as a coward as it runs from any danger. But people seem to miss the important skill here: detection. Running away does nothing if you're already caught. The rabbit is already almost out of sight when you see it, since it sees you first! Now, I'm not much of a biologist, so let's take this discussion into the realm of IT Security.

Let's see now, what weapons, or let's call them "controls", do we have at our disposal? We can detect, deter, prevent/mitigate and of course we must recover from whatever happens. Still, I believe the "detect" part is the hardest and most underestimated part of it all. If you cannot detect, nothing else matters. The most hardened safe can only buy you time. If you don't know they're trying to break into it, it doesn't matter at all. How do you guarantee detection then? Well, call me a defeatist, but I don't think you can. You can do much to detect intrusion, but in my opinion it's the hardest part of security. Most of the time they have not "almost succeeded" in breaking down your firewalls. Most of the time they're not even trying, but you have to tirelessly watch out for attacks every single moment. It doesn't matter that all you see in the firewall log is simple "door rattling" attacks. The next thing that hits you might get through. Paranoid yet? Good! Let's move on.

As soon as they've managed to get into your system, the really skilled crackers will try to conceal themselves. The rebirth of the root kit lends them a powerful tool that helps them remain unseen. A really simple explanation of a root kit is "camouflage" for your intrusion tools. Just tell the root kit which files and processes it should conceal, and all normal tools will fail to report them to you. A particularly bad thing is the "Blue Pill" kind of root kit, which, last time I checked, had yet to leave the prototype stage. It (ab)uses the new virtualization functions on AMD's and Intel's newest CPUs. The jury is still out on how effective and "undetectable" those root kits are, but let's at least agree on the fact that they make it very hard to detect malware. So detection is even more crucial, since you might not see what happens after you've been infected.

One particularly sad story is about an unnamed company that detected a successful worm attack and reinstalled all their servers, using every trick in the book to keep the infection from getting a second chance. They forgot about the printers, and sure enough, this particular worm knew how to infect the printers' on-board software and then attacked the servers again before they could be properly hardened and patched. The whole reinstall had been in vain, as the infection was back before the cleaning was done.

I believe that we have to tackle the problem of detection in a better way. But I sure have no solution to provide. An IDS solution is more likely to give you excessive "false positives" or "false negatives" than to tell you only when you really have a problem. It takes lots of work to calibrate the detection. And as Mr Schneier says, "Security is a process, not a product". Your security work is NEVER done. There's always another crisis looming somewhere.

In short: I admire the rabbit. Not because it runs away, but rather because it's so good at detecting threats and handling them, whether they turn out to be false alarms or real attackers.

Tags: Detection, Bruce Schneier
Posted: 2010-06-17 by Erik Zalitis
Changed: 2010-06-17 by Erik Zalitis