« NAC deployments under scrutiny... | Main | It's Patch Tuesday again.... »

November 09, 2007

Can we detect sleeper cell bots?

Think of a botnet as a terrorist sleeper cell. A terrorist sleeper cell consists of a group of terrorists that blend themselves into the society without attracting the attention of organizations such as the FBI. When they get commands to strike, they go blow up planes, disrupt power plants, detonate dirty bombs, etc. Similarly, a botnet sleeper cell sneaks silently into computers; stays inactivated and undetected, until the botnet owner issues orders to attack. These orders can be anything including sending spam, performing a DDoS attack, or recruiting more bots.

Terrorist sleeper cells can lead directly to the loss of life as well as great physical and physiological damage, while botnet sleeper cells could cripple network infrastructure and inflict economic losses, or worse. Early this summer, Estonia was pounded by a DDoS. This displayed a tremendous amount of coordination and the destructive power of sleeper cell bots. Today, Storm worm is becoming more powerful by the day, and can easily overpower the world’s top supercomputers. Terrorism prevails when both types of sleeper cells work together. With the rumors of Al Qaeda announcing Cyber Warfare starting this Sunday, and with availability of electronic Jihad 2.0, we have yet to see the impact, but might soon.

Detection of both types of sleeper cells can be done using behavior profiling. In both cases the steps are to understand normal behavior, look for suspicious triggers, narrow down the watch-list, and continue to observe the suspect more closely until the suspect is proven to be guilty or innocent. On the other hand, there are important differences that make detecting terrorist sleeper cells a harder problem than detecting sleeper cell bots.

Total surveillance is the first key component of sleeper cell detection. It is possible to have all the hosts under total surveillance in an enterprise (Nevis does it), however, it is hard to watch every person in a nation 24/7 (even though it is attempted). The FBI has a watch-list and as of today there are about half a million people in there. Watching half a million computers is much easier than watching half a million people. (Perhaps the half a million people are best watched by primarily watching their computers.)

Characterization of behavior is the second key component of sleeper cell detection. The more characteristics you look for, the better the detection mechanism gets. Instead of going after every Muslim-like name (such as mine, but that is another and ongoing story), adding more information such as background, religion, bank and phone records, degree, age, sex, etc. would make the profile stronger and hence less false alarms. But the list of possible characteristics to include is nearly endless. On the other hand, while a few of us use computers in a diverse way, the huge majority do so in ways that are far easier to characterize than a person, even a mundane blog-writing cubical worker.

Correlation across suspected bots is more fruitful than correlation across suspected terrorists. The detection of a single bot in the botnet sleeper cell can often result in the capture of the entire botnet. However, the capture of a single terrorist may not necessarily lead to the capture of the entire terrorist network (even with waterboarding).

The impact of false alarms varies in both cases. False positives in terrorist sleeper cell detection can have a wide range of damage from a cop showing up at your doorstep to a person ending up in Guantanamo. False positives in sleeper cell bot detection can range from a guest user being cut-off from a network for a few minutes to extra work for a sys-admin, or even taking down a large chunk of the network and damaging the enterprise financially. Arguably, false negatives in the case of terrorists are worse than they are in the case of bots; even a single terrorist can lead to substantial loss of life.

While the fundamental theory behind detecting sleeper cells remains the same, the FBI’s job is much more difficult than mine. So, I’ll keep my job as well as cube life which the FBI secretly classifies as: D8DBQFHM6/RERAJ9O7woT0QB7xmpMACbBxfq4pLMkwyUxbOMFglno1gA4ÇGÊPœ/td^ÖÐÚÒÅ%iõÜ/'NO7*‰o{¶ˆ0öp%‑ÎUPuŠ4'ÅÞ©(8¹

//Khushboo Shah, Ph.D.

Posted at 03:00 PM in Malware Detection and Containment |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83452000469e200e54f7e9d058833

Listed below are links to weblogs that reference Can we detect sleeper cell bots?:

Comments

Khushboo Shah

Granted that 11/11 came and went and there was no Cyber Jihad. But I believe in taking these types of security threats seriously, especially after what we have seen in Estonia. With the bot (even IRC ones) integrated with the code to disable AVs and recognizing VMWare and honeypot, it is hard to imagine pure host-based solution to defend against bots. With more and more sophisticated botnets, the detection approach also has to get more sophisticated. If you put bot detector at a switch, monitor all the hosts, even if you can’t get a complete botnet, you can protect an enterprise from a segment of botnet.

Posted by: Khushboo Shah | November 12, 2007 at 01:57 PM

Khushboo Shah

Dana,
Thanks for the question. Storm is a constantly evolving threat, which is what makes it so difficult to protect against. I don’t think there are any network-based solutions out there today that adequately protects against Storm. There are some host-based solutions but they can be easily tampered. In my opinion, a network-based product with the capability of monitoring, profiling, and correlating, with a bit of work, can detect and prevent Storm worm. Ultimately, Storm worm is a blended threat and we need nothing but a blended solution.

Posted by: Khushboo Shah | November 12, 2007 at 01:56 PM

SixTen Research

The threats from Al Qaeda and the cyber jihad seem to be extremely exaggerated and intended only for FUD by Debka. There has, no doubt, been a considerable increase in the number of web defacements by vandals from Turkey, Saudi Arabia and Iran amongst other Islamic nations in the last couple of years. But it is doubtful if they currently have sufficient expertise to create stealthy botnets to launch massive DDoSes.

I am not sure as to how much of the botnet traffic can be analyzed at the network level to build behavior profiles and detect anomalous behavior. The days of IRC botnets are nearly over. We are already seeing botnets that use https for command and control. The right place to do this is in the hosts.

One may no longer have the luxury of taking down an entire botnet by detecting a single bot any more. Many believe that the Storm botnet has already been split up and segmented. Detecting a single bot may only result in the take down of a single segment causing minimal damage to the distributed botnet itself.

Posted by: SixTen Research | November 12, 2007 at 10:38 AM

Dana Hendrickson

Khushboo, can you briefly describe any currently available techniques and tools that can detect and disable the Storm Worm within an organization?

Posted by: Dana Hendrickson | November 12, 2007 at 08:10 AM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.