Monday, January 20, 2014

Moving up the Stack

Over the past decade, attackers have moved deeper into the packet. As network defenses, controls, and detection techniques have improved, attackers have had to "move up the stack" to avoid detection and maintain persistence. A decade ago, attackers would often use dedicated resources on known malicious networks to communicate with their malicious code. Malicious IP blacklists were common then and were widely used to detect malicious activity, so it was often possible to detect malicious activity using only the data available at layer 4 of the OSI model.

Over the years, attackers were forced to move away from dedicated resources to more dynamic resources. This was due in part to dynamic resources becoming easier and cheaper to use, as well as to efforts by law enforcement, telecoms, and others to shut down dedicated resources. Because of this transition, attackers had to change the way they operate and communicate with their malicious code. Domain names and URL patterns, both of which are found only in the data available at layer 7 of the OSI model, became the preferred means for malicious communication. Moving up the stack allows attackers to change where their malicious code communicates easily and at a moment's notice. This new paradigm requires layer 7 data to detect intrusions -- layer 4 data is no longer sufficient.

Attackers have already made the move up the stack. On the enterprise side, we need to make sure we have the tools to move up the stack with them. Layer 7 enriched metadata gives us a solid foundation for the network forensics we need in order to detect and respond to intrusions in a timely manner.
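As an added example (not part of the original post), the following Python script runs a layer 4 IP blacklist and layer 7 domain and URL-pattern indicators over a few constructed HTTP flow records; every address, hostname and pattern in it is made up for illustration, and the record format assumes a sensor that adds the Host header and URI to each flow.

```python
"""Layer 4 (IP blacklist) vs. layer 7 (domain / URL pattern) detection.

All indicators and records below are constructed for this example; they do
not describe real infrastructure.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed layer 4 indicator: a "dedicated" malicious netblock.
IP_BLACKLIST = [ip_network("203.0.113.0/24")]

# Constructed layer 7 indicators: a domain and a URL pattern that travel with
# the malware no matter which address it is hosted on.
DOMAIN_INDICATORS = {"update-check.example"}
URL_PATTERNS = [re.compile(r"^/gate\.php\?id=[0-9a-f]{8}$")]

# Constructed records: flow tuple plus the layer 7 fields (Host, URI) that a
# proxy or HTTP-aware sensor would enrich each flow with.  Note that the last
# two records share a destination address (shared hosting), so blacklisting
# that address would also flag the benign request.
RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "host": "old-c2.example", "uri": "/"},
    {"src": "10.0.0.6", "dst": "198.51.100.20", "host": "update-check.example", "uri": "/news"},
    {"src": "10.0.0.7", "dst": "198.51.100.21", "host": "cdn.example", "uri": "/gate.php?id=deadbeef"},
    {"src": "10.0.0.8", "dst": "198.51.100.21", "host": "cdn.example", "uri": "/index.html"},
]


def layer4_hits(records):
    """Layer 4 only: match the destination address against the IP blacklist."""
    return [r for r in records
            if any(ip_address(r["dst"]) in net for net in IP_BLACKLIST)]


def layer7_hits(records):
    """Layer 7: match the Host header and URI, independent of the address."""
    return [r for r in records
            if r["host"] in DOMAIN_INDICATORS
            or any(p.search(r["uri"]) for p in URL_PATTERNS)]


def missed_by_layer4(records):
    """Records that only the layer 7 enriched data detects."""
    seen = {id(r) for r in layer4_hits(records)}
    return [r for r in layer7_hits(records) if id(r) not in seen]


if __name__ == "__main__":
    for r in missed_by_layer4(RECORDS):
        print(f"layer 4 miss: {r['src']} -> {r['dst']} {r['host']}{r['uri']}")
```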
