It’s All About the Information
"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!"
- "Cosmo", From the movie "Sneakers" (1992)
The last part of the quote above always seems to play in my head during the course of an average day in information security. It really is all about information in many different aspects. One aspect I would like to highlight is collecting information about those who are attacking you. Specific information potentially useful to those defending networks and systems could be:
- The Software Itself - Perhaps the most useful information you can have, understanding what the malicious software (a.k.a. "malware") does is critical in being able to detect, prevent and remove it from your systems.
- The Users - Understanding how and why the end-user is using the software can provide some useful information (admittedly not as useful as analyzing the software itself). Malware can give an attacker a host of features. Knowing which ones are using it for denial of service attacks, and which groups are stealing bank data can help aid detection and forensics analysis (on both the system and the network).
- The Programmer - Probably the least useful to those defending networks on an everyday basis. Most authors of malware are most-likely motivated by profit, and create software to sell on the black market. Sometimes interesting things can be found in the software itself, indicating potentially where the software was created and providing hints as to the author's skill level.
I'd like to highlight some of the above information in this article (and an upcoming podcast) as it relates to botnets and malware. There is an endless supply of malware designed to perform a wide-array of "evil biddings". There is an entire economy behind botnets, including outsourcing, marketing and shady business schemes. All of this activity is happening on our networks today, leading to service disruptions from distributed denial of service (DDoS) attacks to theft of banking information.
Tenable has produced several configuration audits and updates to enterprise products, such as the Log Correlation Engine (LCE) and Passive Vulnerability Scanner (PVS), to help detect this activity in your environment. Nessus ProfessionalFeed customers can download the configuration auditing files that detect malware from the Tenable Support Portal Virus Detection Policies page (requires a Tenable Support Portal Login). For more detailed information on how Nessus is able to detect viruses, refer to the article Auditing Infected Systems for Viruses and Trojans with Nessus.