The (Campus) Empire Strikes Back
- By Fred Archibald
Adding to the slew of data security issues already plaguing college
and university campuses is an onslaught of stealth malware and
botnet attacks. What's a beleaguered network manager to do? Here,
from UC-Berkeley's own network pro, a cache of helpful advice.
WHEN IT COMES TO ANTI-MALWARE protection,
today's university IT departments have their
work cut out for them. Network managers must
walk the fine line between enabling a highly collaborative,
non-restrictive environment, and ensuring
the confidentiality, integrity, and availability of data and
computing resources. This is no easy task, especially if we
survey the state of the academic network, the current
threat landscape, and common user practices. Intrusions
can lead to huge productivity losses, strains on already
tight budgets, and blemishes on hard-earned reputations.
However, with good old-fashioned ingenuity and the right
tools in place, universities can succeed at malware detection
and prevention to improve network security.
STATE OF THE ACADEMIC NETWORK:
Balancing Integrity, Mobility, and Resources
Networks have steadily advanced in their capabilities, their
uses, and their misuses as well, with academic networks
often providing a glimpse into the future. Preventing security
incidents in this advanced network environment presents
challenges for universities, which have unique tenets to
uphold. IT security professionals within higher ed are under
incredible pressure to remain one step ahead of the
next destructive incident, while preserving the integrity
of university resources and data, and protecting the
privacy of users.
Securing open academic networks. By its
very nature, the academic network is a uniquely collaborative,
open network environment; within education
we refrain from imposing too many restrictions,
so as to best support unbridled academic
research and discovery. Fast-flowing networks and
ready access to high-end computing infrastructures
are critical for students, faculty, and staff, if they are
to succeed in their pursuits.
Another unique characteristic of academic networks:
While the university owns the network infrastructure, individuals
frequently own the endpoint devices such as laptops
and smart phones. This creates very real challenges
to maintain a desired level of security within the infrastructure.
Given the broad range of platforms and applications
in use among students, faculty, staff, and guests, there are
few commonalities that can be leveraged in implementing
new security controls. And taking into account the sheer
volume and variety of users and devices accessing university
resources, plus the reality that IT has limited visibility
into those endpoints, means that deploying and provisioning
(let alone enforcing) any new agent-based security
controls are difficult at best.
Many users, especially students, are suspicious of any
software additions that might slow down or restrict the
usability of their devices. Even if they agree to install the
security software, ensuring that installations are done correctly
and in a timely manner is yet another issue altogether.
For example, many security solutions today-- including
popular antivirus software products-- assume machines
are "clean" prior to installation. Because of this, they may
not function properly when installed on machines that are
already compromised in some way. They also may inadvertently
allow infected machines to access network resources.
In fact, by unloading drivers or stopping signature updates,
today's malware and spyware now actively prevent the
proper installation of security software and/or disable it,
even though users believe they have successfully completed
installation. And the roadblocks to installing agentbased
security controls constitute only a fraction of the
client support issues that consume a large percentage of
limited IT resources.
Impact of mobility on security. With the rapid adoption
of mobile devices, most universities support some type
of wireless network access on their campuses, largely
because users gain tremendous productivity advantages
with ubiquitous access to applications and resources. Yet, in
addition to accessing university resources via secure campus
wireless networks, mobile users also leverage home
broadband, public hotspots, and other campus networks
that expose them to a wide range of cybercrime exploits. In
addition, the advent of the wireless network has put up new
roadblocks to IT troubleshooting and problem-solving. Just
a few years ago, IT could trace problems through wires to
particular devices within university buildings. Now, new and
advanced technologies are needed to identify misconfigured
or compromised devices outside campus walls. So,
the increased mobility afforded by wireless networks also
increases the risk of contracting a targeted malware infection
which, in turn, affects network stability and availability as
well as consumes greater IT resources to identify and
resolve potential problems.
Compliance and higher education. In addition to
maintaining secure networks, universities also must abide
by recent legislation around compliance initiatives. Along
with the general concern about a university's machines
being compromised or prey to malware infections, there
are implications with regard to compliance, as well: Compromised
resources can mean the potential for compliance
violations. If the institution is being audited, or if the
network is compromised and data are leaked, there could
be consequences in the media or otherwise that could be
severely damaging to a user or the university.
Doing more with the same. Adding to the challenges
mentioned above, is the ongoing strain on resources: Anyone
reading this article knows that IT resources within academia
often are stretched to a breaking point. (Network managers,
in particular, are continuously asked to do more within
existing budgets and resources.) Clearly, managing and maintaining campus resources for thousands of users is a
challenge in and of itself for limited IT departments. On top
of this, infiltration, when it occurs, diverts IT resources to
combat the problem and mitigate or repair damaged equipment.
Certainly, monitoring network activity and conducting
routine network anomaly detection helps IT identify suspicious
behavior and thus eliminate some threats. Yet, the
sheer volume of information is overwhelming, the nature of
threats is evolving, and there is always more analysis that
can be performed.
They're in the Money. From data mining, espionage, and
identity theft, to stock pump-and-dump scams and cyberterrorism
targeting government infrastructures, 'bot herders' (as bot hackers
are known) leverage stolen computer power and unauthorized
access to their fullest. Botnets are rented out, bought and sold,
leveraged for particular projects, and otherwise utilized to generate
recurring revenue streams.
CURRENT THREAT LANDSCAPE:
Stealth Malware and
the Lurking Botnet Pandemic
Simply put, the malicious software or "malware" threat has
evolved substantially in recent years. Originally, viruses,
worms, and spyware were characterized as single-vector
threats; they set out to attack a sole vulnerability. They were
fast and propagated randomly, victim machines were infected
(but not remotely controlled), and hackers were motivated
largely by fame. Signature-based solutions were effective
in curtailing this type of activity for the most part.
Today's biggest security threats, however, are dynamic,
multivector or blended threats that either combine
weapons (worm, virus, spyware) to attack one vulnerability,
utilize one weapon to target multiple vulnerabilities, or any
combination thereof. For example, a directory harvesting
attack could provide e-mail addresses, allowing attackers to
send malware-laden e-mails that can infiltrate specific
machines and then download further malware payloads.
Modern stealth malware evades traditional security
controls through a variety of sophisticated schemes
including disguise, mutation, and self-propagation.
What's more, malware is now designed to move from one
vector to another to exploit new vulnerabilities when former
targets have been safeguarded. And operating systems
have become more robust, making the application
layer an attractive hunting ground for hackers.
Stealth malware is designed to covertly infiltrate or
damage a computer system without the owner's consent
or knowledge, and with the objective of controlling the victim's
device to generate a profit. Once hackers gain control
over a computer, they can execute any number of
elaborate moneymaking plots. The compromised machines,
known as "zombies" or "bots," are typically tied together
by the thousands to create a complex, high-availability
"botnet" capable of nearly any demise.
From data mining, espionage, and identity theft, to stock
pump-and-dump scams and cyberterrorism targeting government
infrastructures, "bot herders" (as bot hackers are
known) leverage stolen computer power and unauthorized
access to their fullest. Botnets are rented out, bought and
sold, leveraged for particular projects, and otherwise utilized
to generate recurring revenue streams.
In fact, botnets have changed the business of malware.
Yesterday's attacks were crude attempts to derail business-as-usual, where hackers had little to gain other than some
short-lived notoriety and a sense of conquest. Today's targeted
attacks carry out criminal objectives with surgical precision.
The spread of malware is driven by economic gain,
and with each success the malware economy grows.
Not surprisingly, botnets now feed an entire black market
economy run by organized crime rings that have little
to lose and much to gain. So lucrative is the business
model that experts estimate one quarter of the approximate
600 million web-enabled computers worldwide have
been compromised by botnet malware.
Antivirus software, behavior-anomaly detection devices,
and firewalls can strengthen security but have proven
inadequate in protecting users from targeted stealth malware
and botnet infiltration. In truth, because botnets and
stealth malware in general are very difficult to detect,
many end users may not realize their systems have been
Social Engineering Scams. The popularity of
eCommerce, social networking, and user-hosted content-rich
entertainment sites such as YouTube all
contribute to a collective curiosity, trust, and naiveté among
users, which in turn fuels social engineering vulnerabilities.
USER PRACTICES: Sabotaging the System
Open environments and stealth malware contribute to the
security challenges within today's universities, but user
practices are part of the picture, too. The importance of
user education and awareness cannot be stressed enough
when it comes to network security. Without proper training,
users may help facilitate malware infiltration. In particular,
lack of backup practices and "social engineering"
scams (a type of intrusion used for data gathering that
often involves tricking or conning users into divulging
information or breaking standard security protocol) can
sabotage IT's efforts to protect data and resources.
Social engineering preys on curiosity. Because
social engineering scams are dependent upon human intervention,
I include them here. Social engineering could be
thought of as both a security threat and a destructive user
practice. These scams prey upon user trust, curiosity, compassion,
and greed, and often are part of a blended or multivector
attack. Through social engineering, hackers may gain
access to accounts and passwords, which then can be
used to infiltrate computers to establish a botnet.
Defending against social engineering is exceptionally
difficult because IT must rely upon smart user practices.
Network managers can warn against the latest "gimmes"
or gimmicks, but it's nearly impossible to catch them all before they have proliferated across the university. The
popularity of eCommerce, social networking, and user-hosted
content-rich entertainment sites such as YouTube all contribute to a collective curiosity,
trust, and naiveté among users which, in turn, fuels
social engineering vulnerabilities.
Without backup, data losses are huge. Backup
practices are another challenge for university IT departments.
When an intrusion is detected, it's often too late to
protect the user from data loss, identity theft, remote control
of a device, and other illicit activities. In most cases, the user
has not recently backed up his or her information, or is inbetween
backup cycles, resulting in huge data losses. Then
too, if malware is detected on a machine, standard practices
usually call for a complete rebuild, which can take
days. Users also expect that their machines will be reconstructed
exactly as they were, which isn't always possible.
Faced with these consequences, many users will attempt to
work around the malware or simply ignore it, leaving a back
door open on the network which allows perpetrators to
bypass any and all security measures to access data and
resources. Bottom line: In addition to user productivity loss,
IT resources are heavily consumed to mitigate risks and
Foiling Cybercriminals. Targeted anti-malware,
anti-botnet protection will help detect and stop today's
sophisticated stealth malware attacks; emerging
technologies go so far as to combine on-premise
anti-botnet security with global botnet discovery and
analysis, to deliver a comprehensive solution.
STARTING POINT: Ingenuity and Prevention
When we consider the state of the net, the threat landscape,
and unsystematic user practices, it's easy to feel
like maintaining security across an academic network is a
losing battle. However, by thinking outside the box and
focusing on prevention, university IT departments can
protect data and resources and stay ahead of today's
Creativity is key in preserving the delicate balance
between academic freedom and network control. IT must
continually look for ways to keep the users and their data
safe while also allowing them to be as productive as possible.
Because productivity loss represents the greatest
impact of malware intrusion, universities should focus their
efforts on prevention. Targeted anti-malware, anti-botnet
protection will help detect and stop today's sophisticated
stealth malware attacks; emerging technologies go so far as
to combine on-premise anti-botnet security with global botnet
discovery and analysis, to deliver a comprehensive solution.
When evaluating anti-malware, anti-botnet solutions to
complement existing security controls, there are several
requirements network managers should keep in mind; these
reflect the unique characteristics of the academic network:
Network-based solutions ease IT/user burdens.
Network-based rather than agent-based solutions provide
several benefits for academic network security. First, they
can be deployed, provisioned, and maintained without
involving or relying on end users, thereby eliminating most
client support issues. Second, they provide centralized
management and monitoring capabilities. Both of these
benefits help reduce strain on IT personnel. Third, they support
and account for the growing wireless, mobile, and
remote user communities. Network-based solutions have
proven effective in other areas of the IT infrastructure as
well. For example, Aruba Networks and Cisco Systems provide network-
based wireless networking solutions with centralized
management and easy deployment across the network.
Accurate, automated containment/quarantining.
Automation is another critical component for university IT
security. Frankly, network managers should begin to automate
as many monitoring and containment policies as feasible.
Automated containment and quarantining together
constitute an effective preventive measure that, once fully
vetted, requires little IT resources. Automated forensics (as
opposed to manual forensics tools) such as Wireshark and NetScout are a particularly important weapon, what with the current
strains of stealth malware; using forensics, network managers
can identify the activities conducted by malware,
once it enters the system. For example, if a computer has
been botted, forensics can provide information about which
command and control (C&C) server it is calling back to,
what protocols are being used, what activities are being
conducted, etc. Additionally, automated forensics and monitoring
tools such as virtual-machine (VM) replay technologies
can be used to correlate information from multiple platforms
and systems into something that's useful, filtering out
false alerts and false positives, and freeing IT from manually
surveying activity across the network. This comprehensive
information helps identify future or related malware by
characteristics other than signature.
Ease of use and manageability. Overall, universities
need solutions that are easy to deploy and manage.
Many solutions on the market today are tedious to install,
or else they require dedicated, trained technicians to
implement and manage them. Yet, as we all know, these
resources are not always available within university IT
budgets. Solutions that are simple and seamless to implement
lessen IT overhead while securing the network.
Increasingly, and for just this reason, security vendors are
adopting the appliance form factor rather than software
solutions. Other techniques include unified threat management
(UTM) devices that provide all-in-one capabilities
to simplify management and maintenance over time.
Raising network security awareness. Universities
also must focus on building user awareness regarding
network security, and they need to clearly define usage
guidelines and best practices. There are many communication
vehicles available to universities to get the message
out: From mandatory security policy training for new
students, to ongoing security forums and kiosks, e-mail
blasts, website alerts, campus newsletters, eLetters, and
more, universities must continually engage students in
the importance of network security and user policies.
Don't Forget the Forensics. Automated forensics is a
particularly important tool in the war against current strains of
stealth malware. Using forensics, network managers can identify
the activities conducted by malware once it enters the system.
University of California-Berkeley
In late 2005, the Electrical Engineering and Computer Sciences
(EECS) department within UC-Berkeley launched an
initiative to investigate potential network access control
(NAC) solutions to unify endpoint security, user and system
authentication, and network security enforcement. We had
been treating the wireless network as less secure than the
local area network (LAN), and with the trend toward mobility
plus increasing concern about stealth malware and botnet
threats, we knew our approach had to change. We wanted
to bring the two networks to equal footing and NAC
seemed to be the best option.
The EECS computing infrastructure supports approximately
4,000 undergraduates, graduates, faculty, and
staff, leveraging an effective wireless network in addition
to the departmental LAN. While the EECS network is
somewhat autonomous from the larger university, EECS
does monitor and receive reports on wireless devices that
appear on its wireless network yet are also part of the
greater campus community. Containment of these
devices, however, is not within our jurisdiction.
Network overlay vs. client-based solution. The
EECS IT department and the director of IT for EECS, along
with some faculty members, evaluated several options and
settled on a solution that comprised a network-based NAC
appliance and a required NAC client component. The initial
solution the IT team selected worked fairly well; however,
it was client-based and there were faculty and graduate
student concerns about the client: It quickly became clear
that installing and deploying clients on a wide variety of
platforms was not going to work. The management overhead
also appeared to be substantial and complex. In the
end, the solution was rejected and we began to think outside
We then became aware of the Botwall solution from
FireEye, and abandoned the NAC initiative
in favor of targeted protection against stealth malware
and botnets for our wireless network. The IT department
elected to implement a network overlay solution that
would be complementary to our existing IT security infrastructure,
without the complex overhead and burden of
client installation and maintenance. While the discovery of
this new solution may sound simple, it was the creativity of
the entire IT department, coupled with important feedback
from our users, that led us in a new direction: evaluating
current threats, key objectives, and existing resources in a
new light. We came to realize that today's threats and
attacks are executed with such extreme precision, that
more rigorous and meticulous countermeasures would be
necessary. We soon found that an overlay solution would
allow network managers to a) take full advantage of capabilities
within the wireless infrastructure, and b) leverage all
the hooks in place to help track and contain devices. The
FireEye protection would help us achieve greater security
for this infrastructure while providing more automated
analysis of malware and botnet activity.
The solution included three chief components:
The FireEye Botwall 4000 Series appliances provided
network-based anti-malware/anti-botnet protection by utilizing
advanced virtual machine analysis of mirrored network
traffic. These appliances block, in real time, known malware
and previously unknown botnet malware that are autodiscovered
using the FireEye virtual machine analysis technology.
Next, the GigaVue-MP data access switch from
Gigamon Systems provided critical
network-traffic data aggregation and replication. The
GigaVue-MP replicates traffic from SPAN ports (of border
routers, for example) to extend simultaneous support for
multiple network monitoring tools such as security analysis
at the network edge. Cisco Airespace Wireless LAN Controllers
were implemented to securely communicate with
access points, to support systemwide wireless LAN applications.
In summary, the UC-Berkeley deployment uses
FireEye's Botwall appliances to analyze data mirrored from
the Gigamon switches and Cisco Airespace controllers, to
guard against malware infection on the wireless network.
Effective Countermeasures. The UC-Berkeley
deployment, for one, uses FireEye's Botwall
appliances to analyze data mirrored from Gigamon switches and Cisco Airespace controllers, in
order to guard against malware infection on the wireless network.
IN A NUTSHELL...
Network security professionals within higher education face
unique challenges in supporting academic freedom while
protecting constituents, resources, and data. However, the
threats we're seeing are global and the stakes are mounting.
Universities have the ability to counter stealth malware
attacks with equal force, but we must be vigilant in pursuing
advanced technologies designed to outpace the continued
evolution of threats. To protect against the latest, zero-day
malware requires stronger security than is typically afforded
by up-to-date antivirus signatures, the latest patches, or
other host-based agents! Universities need targeted anti-malware,
anti-botnet solutions that detect and protect
against proactive criminal malware activities and rogue traffic,
as well as effectively stopping intrusion-- even with
machines that may already be infected when they attempt to
access the network. With accurate identification of infected
machines, network administrators can automate quarantine
measures and eliminate unnecessary restrictions of clean
student and guest machines. By combining anti-malware
solutions with existing security controls, any college or university
can create a coordinated and multilayered approach
that guards against today's most sinister threats, and provides
protection at all entry points including the internet
gateway, messaging gateway, endpoint clients, endpoint
servers, and the network. The time to launch your selfassessment,
evaluation, and solution search is now.