Mitigating Malware

What is a computer worm?

Is a worm a virus? No. A worm is not a virus, although, like a virus, it can severely disrupt IT operations and cause data loss. The difference is in how it spreads: a virus attaches itself to a host file or program and needs a user to run or share that file, whereas a worm is a standalone program that, once it has infected one vulnerable machine, self-replicates and spreads to other devices on the network without any user action. That autonomy is what makes a worm outbreak move faster and spread further than a virus infection: nobody has to open anything.

Worms self-replicate automatically. They spread over the network by abusing whatever lets one machine reach another: an unpatched network service, or file-sharing and automatic file-sending and receiving features that have been enabled, intentionally or not, on networked computers. Once a worm has infected a computer, it runs in the device's memory (some worms never write themselves to disk at all) and from there scans for and infects other reachable machines.

Steps of a Worm Attack

A worm attack has three stages:

Stage 1: Enabling vulnerability. The worm gets onto a vulnerable machine by exploiting a flaw or misconfiguration in a network-exposed service, and installs itself there.

Stage 2: Automatic replication. Once installed, the worm scans for other reachable hosts with the same weakness and copies itself to them, with no human involvement on either side.

Stage 3: Payload delivery. In the last stage the worm runs whatever payload it carries. Often this is what gives the attacker further access to the targeted system, such as a backdoor or remote-control agent; it can equally be data destruction, encryption, or enrolling the host in a botnet.

Mitigating Worms

Worms are more network-based than viruses, so worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm attack can be divided into four phases: containment, inoculation, quarantine, and treatment.

1. Containment

The first step in mitigating a worm attack is to move swiftly to contain the spread of the worm and determine which machines are infected, and whether the remaining devices are patched or unpatched. The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and to prevent currently infected hosts from targeting and infecting other systems. Containment is done with outgoing and incoming ACLs (Access Control Lists) on routers and firewalls at control points within the network, typically blocking the port or protocol the worm uses to propagate while leaving essential traffic alone.

2. Inoculation

The inoculation phase runs in parallel with or after the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch (or the vulnerable service is disabled where no patch exists yet), further depriving the worm of available targets.

3. Quarantine

The quarantine phase involves tracking and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.

4. Treatment

The treatment phase involves actively disinfecting infected systems. This can include terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm exploited. In more severe cases, or wherever the worm's payload leaves doubt about what else was changed, the system should be rebuilt from a known-good image to remove the worm and its by-products.
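To make the containment and quarantine phases concrete, here is an added example (not code from the original page) that builds a containment ACL in code, evaluates traffic against it with the first-match and implicit-deny semantics a router applies, and renders the same rules as a Cisco IOS extended ACL. The worm's propagation port (TCP 445), the infected hosts, the patch server and the internal range are all assumptions constructed for the example; the ACL name WORM-CONTAIN is made up.

```python
"""Containment ACL for a worm outbreak: first-match rules, implicit deny,
and the same rules rendered as a Cisco IOS extended ACL.

Added example, not from the original page. Everything below is constructed
for illustration: the worm is assumed to propagate over TCP port 445, and
the infected hosts, patch server and internal range are made-up addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

WORM_PORT = 445                                  # assumed propagation port
INFECTED = {"10.1.1.20", "10.1.1.21"}            # hosts found during containment
PATCH_SERVER = "10.9.9.10"                       # where inoculation pulls patches from
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None means any port / any protocol


def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(addr + "/32")


def containment_acl() -> List[Rule]:
    """Build the ordered rule list applied at a network control point."""
    rules: List[Rule] = []
    # Quarantine: known-infected hosts may not originate any traffic at all.
    for h in sorted(INFECTED):
        rules.append(Rule("deny", host(h), ANY))
    # Inoculation must keep working: clean hosts may still reach the patch server.
    rules.append(Rule("permit", INTERNAL, host(PATCH_SERVER)))
    # Containment: nobody crosses the control point on the worm's port.
    rules.append(Rule("deny", ANY, ANY, WORM_PORT))
    # Normal business continues. Without this line the implicit deny at the
    # end of every ACL would drop all remaining traffic.
    rules.append(Rule("permit", ANY, ANY))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def ios_addr(net: ipaddress.IPv4Network) -> str:
    """IOS address syntax: 'host A.B.C.D', 'any', or 'network wildcard-mask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def to_ios(rules: List[Rule], name: str = "WORM-CONTAIN") -> List[str]:
    """Render the rules as a named extended ACL (port rules are TCP here by assumption)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        if r.dport is None:
            lines.append(f" {r.action} ip {ios_addr(r.src)} {ios_addr(r.dst)}")
        else:
            lines.append(f" {r.action} tcp {ios_addr(r.src)} {ios_addr(r.dst)} eq {r.dport}")
    return lines


if __name__ == "__main__":
    acl = containment_acl()
    print("\n".join(to_ios(acl)))
    for flow in [("10.1.1.20", "10.2.2.2", 80),      # infected host, any traffic
                 ("10.1.1.50", "10.2.2.2", 445),     # clean host on the worm port
                 ("10.1.1.50", "10.9.9.10", 443),    # clean host fetching patches
                 ("10.1.1.50", "10.2.2.2", 80)]:     # ordinary traffic
        print(flow, "->", evaluate(acl, *flow))
```

Rule order is the whole point: the quarantine denies sit first so an infected host cannot even reach the patch server, the patch-server permit sits before the worm-port deny so inoculation keeps working, and the final permit is what keeps the business running. Drop that last line and the implicit deny silently turns containment into a self-inflicted outage.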

Mitigating Reconnaissance Attacks

Reconnaissance attacks are typically the precursor to other attacks designed to gain unauthorized access to a network or disrupt network functionality. You can detect when a reconnaissance attack is under way from preconfigured alarms on a firewall or intrusion detection system. These alarms are triggered when a specific parameter exceeds a threshold, such as the number of Internet Control Message Protocol (ICMP) echo requests per second arriving from one source, or the number of distinct ports a single host tries to connect to within a short window.

Reconnaissance attacks can be mitigated in several ways, including the following:

• Implementing authentication to ensure proper access.

• Using encryption so that whatever a packet sniffer captures is unreadable.

• Using anti-sniffer tools to detect hosts running in promiscuous mode.

• Implementing a switched infrastructure, so a sniffer on one port does not see other hosts' traffic.

• Using a firewall and an Intrusion Prevention System (IPS) to block scans and the probes that precede them.
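The alarm logic described above, as an added example that is not part of the original post: two threshold detectors run over firewall-style log lines, one for ICMP echo requests per source per second and one for a port scan (many distinct destination ports from one source inside a short window). The log line format, the thresholds, and the sample lines are all constructed for the example and do not correspond to any particular product.

```python
"""Reconnaissance detection over firewall-style log lines: an ICMP-rate alarm
and a port-scan alarm.

Added example, not from the original page. The log format, the thresholds and
the log lines themselves are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

ICMP_PER_SEC = 20        # assumed alarm threshold: echo requests per source per second
SCAN_PORTS = 15          # assumed: distinct destination ports from one source ...
SCAN_WINDOW = 5.0        # ... within this many seconds

# Constructed format: "<iso-timestamp> src=<ip> dst=<ip> proto=<icmp|tcp> [type=<n>] [dport=<n>]"
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?$"
)


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line.strip())
    if not m:
        return None                       # unknown line: skip rather than crash
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (alarm, source, count) tuples for sources that trip a threshold."""
    icmp = defaultdict(int)       # (src, whole second) -> echo requests seen
    attempts = defaultdict(list)  # src -> [(timestamp, dport)] for TCP connection attempts
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["proto"] == "icmp" and ev["type"] == "8":       # ICMP echo request
            icmp[(ev["src"], ev["ts"].replace(microsecond=0))] += 1
        elif ev["proto"] == "tcp" and ev["dport"] is not None:
            attempts[ev["src"]].append((ev["ts"], int(ev["dport"])))

    alarms = []
    for (src, _second), n in icmp.items():
        if n > ICMP_PER_SEC:
            alarms.append(("icmp_sweep", src, n))
    for src, events in attempts.items():
        events.sort()
        # Slide a window from each attempt forward and count distinct ports in it.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                alarms.append(("port_scan", src, len(ports)))
                break                                        # one alarm per source
    return alarms


def sample_log() -> List[str]:
    """Constructed log lines: one ICMP sweep, one port scan, and benign traffic."""
    lines = []
    for i in range(25):   # 25 echo requests from one source inside one second
        lines.append(f"2024-05-01T10:00:00.{i:02d}0000 src=203.0.113.5 dst=10.0.0.{i + 1} proto=icmp type=8")
    for p in range(20):   # SYNs to 20 different ports on one host within a second
        lines.append(f"2024-05-01T10:00:01.{p * 5:02d}0000 src=198.51.100.9 dst=10.0.0.7 proto=tcp dport={p + 1}")
    lines.append("2024-05-01T10:00:03.000000 src=10.0.0.9 dst=10.0.0.7 proto=icmp type=8")   # a single ping
    lines.append("2024-05-01T10:00:03.500000 src=10.0.0.9 dst=10.0.0.7 proto=tcp dport=22")  # one SSH connection
    return lines


if __name__ == "__main__":
    for alarm in detect(sample_log()):
        print(alarm)
```

The thresholds are the part you tune: a monitoring host that pings every server every second will trip a too-low ICMP threshold, and a slow scanner that spreads its probes over minutes will slip under a short window, which is why real detectors keep both a per-second and a per-hour view.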

Mitigating Access Attacks

Several techniques are available for mitigating access attacks, including strong password security, the principle of minimum trust (grant each user and system only the access it actually needs), cryptography, and applying operating system and application patches. A surprising number of access attacks are carried out through simple password guessing or brute-force dictionary attacks against passwords.

To defend against this, create and enforce a firm authentication policy that includes:

• Use strong passwords.

• Disable accounts after a specified number of unsuccessful logins have occurred.

• Use encryption for remote access to a network and for routing protocol traffic to reduce the possibility of man-in-the-middle attacks.

• Educate employees about social engineering risks and develop strategies for validating identities over the phone, via email, or in person.

• Require multifactor authentication (MFA), which has become increasingly common, so that a guessed password alone is not enough to log in.
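The "disable accounts after N unsuccessful logins" item above, worked through as an added example (not code from the original page): a lockout policy with a sliding failure window and a timed unlock, run against a constructed dictionary attack. The limits (5 failures in 10 minutes, 15-minute lockout), the account names and the timestamps are assumptions for the example.

```python
"""Account lockout after repeated failed logins, with a sliding failure window
and a timed unlock.

Added example, not from the original page. The thresholds and the simulated
login attempts are constructed for the example; a real deployment would feed
this from the authentication log or identity provider.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                       # assumed policy values
FAILURE_WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> when the lock expires

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record(self, account: str, password_ok: bool, now: datetime) -> str:
        """Apply the policy to one login attempt and return the outcome:
        'locked' (refused without checking the password), 'accepted',
        'rejected', or 'lockout_triggered' (this failure hit the limit)."""
        if self.is_locked(account, now):
            return "locked"          # a correct guess during lockout still fails
        if password_ok:
            self.failures[account].clear()
            return "accepted"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()         # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return "lockout_triggered"
        return "rejected"


def simulate_dictionary_attack():
    """Constructed scenario: an attacker guesses 'alice' passwords once per second,
    then the real user tries her correct password during and after the lockout."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    outcomes = [policy.record("alice", False, t0 + timedelta(seconds=i)) for i in range(8)]
    outcomes.append(policy.record("alice", True, t0 + timedelta(minutes=5)))   # real user, still locked
    outcomes.append(policy.record("alice", True, t0 + timedelta(minutes=20)))  # lock expired
    return outcomes


def simulate_slow_guessing():
    """Constructed scenario: six failures 11 minutes apart never accumulate five
    inside the 10-minute window, so 'bob' is never locked and a later success
    is accepted."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    outcomes = [policy.record("bob", False, t0 + timedelta(minutes=11 * i)) for i in range(6)]
    outcomes.append(policy.record("bob", True, t0 + timedelta(minutes=70)))
    return outcomes


if __name__ == "__main__":
    for n, outcome in enumerate(simulate_dictionary_attack(), 1):
        print(f"attempt {n}: {outcome}")
```

Two caveats a practitioner will want: the second scenario shows that a patient attacker can stay under any per-window limit, so lockout needs to be paired with MFA and with rate limiting by source address; and lockout itself is a denial-of-service lever (anyone who knows a username can lock its owner out), which is why the lock is timed rather than permanent and why an alert, not just a lock, should fire.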

Mitigating DoS Attacks

• One of the first signs of a Denial-of-Service (DoS) attack is a surge of user complaints about unavailable resources or degraded network performance.

• A network utilization graph showing unusual activity, such as a sudden sustained spike with no business reason behind it, could indicate a DoS attack.

• Network utilization monitoring should always be running so that an attack is noticed as early as possible; monitoring does not reduce the number of attacks, but it shortens the time before mitigation starts.

• Historically, many DoS attacks were sourced from spoofed addresses. Cisco routers and switches support many antispoofing technologies, such as port security, Dynamic Host Configuration Protocol (DHCP) snooping, IP Source Guard, Dynamic ARP (Address Resolution Protocol) Inspection, and access control lists (ACLs).

Analysis

The first step of any mitigation strategy is understanding when you are the target of a DoS attack. Analyzing incoming traffic and determining whether or not it is legitimate is the first step in keeping your service available and responsive. Scalable cloud service providers are great (and may even absorb a DoS attack transparently), which is fantastic until you receive an enormous bill for bandwidth or resource overuse. Making sure your cloud provider makes scaling decisions based only on legitimate traffic is the best way to ensure your company is not spending unnecessary budget because of an attack. Early detection of an attack dramatically increases the efficacy of any mitigation strategy.
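The "unusual activity on the utilization graph" idea, turned into code as an added example (not from the original post): each new utilization sample is compared with a baseline learned from the most recent normal samples, and flagged when it exceeds the mean by more than a few standard deviations. The constants, the sample series (Mbps per interval) and the design choice of not feeding flagged samples back into the baseline are all the example's own assumptions.

```python
"""Detecting a DoS flood from a network-utilization time series by comparing
each sample with a baseline learned from recent normal samples.

Added example, not from the original page. The utilization samples (Mbps per
interval) and the tuning constants are constructed for the example.
"""
import statistics
from typing import List

BASELINE = 60        # assumed: number of recent normal samples that define "normal"
K = 4.0              # assumed: standard deviations above the mean that count as abnormal
FLOOR = 50.0         # assumed: minimum Mbps above the mean, so a flat baseline with
                     # near-zero deviation does not alarm on trivial changes


def detect_utilization_anomalies(samples: List[float], baseline=BASELINE, k=K, floor=FLOOR) -> List[int]:
    """Return the indices of samples that exceed the learned baseline.

    Anomalous samples are not fed back into the baseline: a sustained flood must
    not become the new "normal" and silence the alarm after a few intervals.
    Nothing is flagged until `baseline` normal samples have been seen."""
    normal: List[float] = []
    anomalies: List[int] = []
    for i, x in enumerate(samples):
        if len(normal) >= baseline:
            window = normal[-baseline:]
            mean = statistics.fmean(window)
            std = statistics.pstdev(window)
            threshold = mean + max(k * std, floor)
            if x > threshold:
                anomalies.append(i)
                continue
        normal.append(x)
    return anomalies


def sample_utilization() -> List[float]:
    """Constructed series: 60 intervals of ordinary traffic around 100 Mbps,
    five intervals of flood, then a return to normal."""
    return [95.0, 100.0, 105.0, 100.0] * 15 + [400.0, 800.0, 900.0, 900.0, 850.0] + [100.0] * 3


if __name__ == "__main__":
    series = sample_utilization()
    for i in detect_utilization_anomalies(series):
        print(f"interval {i}: {series[i]:.0f} Mbps exceeds baseline")
```

The warm-up period is the obvious blind spot (the detector is silent until it has seen enough normal traffic), and the baseline should be learned per time-of-day in production, since Monday 09:00 and Sunday 03:00 have very different "normal" levels. The same threshold is what you would hand to a cloud autoscaler as the point at which to stop scaling up and start filtering instead.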

Allowing and Denying Specific IPs

The simplest defense against a DoS attack is allowing only legitimate IP addresses or blocking ones from known attackers. For instance, if the application is meant to be used only by employees of a specific company, a firewall or ACL rule (in hardware or software) could be created to drop any traffic not from that company's address ranges. The limitation is that source addresses can be spoofed and legitimate users may sit behind changing addresses, so allow and deny lists are a first filter rather than a complete defense.

Rate Limiting

Rate limiting caps the amount of traffic (packets, connections or requests per unit of time) that is accepted from a given source or on a given interface; anything above the cap is dropped or queued. It can be applied at the hardware level, where switches and routers usually have rate-limiting (policing) capabilities per interface or per Network Interface Controller (NIC), or at the software level in the operating system, a reverse proxy, or the application itself. Limiting per source keeps one abusive client from starving everyone else, while limiting per interface protects the host behind the NIC from being overwhelmed at all.
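Putting the last two sections together, here is an added example (not code from the original page) of the decision made at the edge for each incoming request: a deny list is checked first, then an allow list, then a per-source token bucket that enforces a sustained rate with a bounded burst. The networks, the rate (10 requests per second, burst of 20) and the request stream are constructed for the example.

```python
"""Allow/deny lists plus per-source token-bucket rate limiting in front of a
service, decided per request.

Added example, not from the original page. The networks, rate, burst size and
the request stream below are constructed for the example.
"""
import ipaddress
from typing import Dict, List


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, up to `burst`."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    def __init__(self, allow_nets: List[str], deny_nets: List[str], rate: float, burst: int):
        self.allow = [ipaddress.ip_network(n) for n in allow_nets]   # empty list = allow all
        self.deny = [ipaddress.ip_network(n) for n in deny_nets]
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}

    def decide(self, src: str, now: float) -> str:
        ip = ipaddress.ip_address(src)
        if any(ip in n for n in self.deny):
            return "deny:blocklist"                # known attacker, cheapest check first
        if self.allow and not any(ip in n for n in self.allow):
            return "deny:not-allowlisted"          # service is for known networks only
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return "accept" if bucket.allow(now) else "drop:rate-limited"


def run_stream(filt: EdgeFilter, requests: List[tuple]) -> Dict[str, int]:
    """Tally decisions for a list of (source_ip, timestamp) requests."""
    counts: Dict[str, int] = {}
    for src, ts in requests:
        verdict = filt.decide(src, ts)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def sample_requests() -> List[tuple]:
    """Constructed stream: a burst of 50 from an allowed client at t=0, 15 more
    one second later, plus one request each from a blocked and an unknown source."""
    return ([("192.0.2.7", 0.0)] * 50 + [("192.0.2.7", 1.0)] * 15
            + [("198.51.100.3", 0.5), ("203.0.113.1", 0.5)])


if __name__ == "__main__":
    edge = EdgeFilter(["10.0.0.0/8", "192.0.2.0/24"], ["198.51.100.0/24"], rate=10.0, burst=20)
    print(run_stream(edge, sample_requests()))
```

Two things to keep in mind before copying this pattern: per-source buckets do nothing against a flood from spoofed source addresses (every packet looks like a new client), which is exactly why the antispoofing controls above matter; and the `buckets` dictionary grows with every new source, so a real implementation evicts idle buckets or lets the router's policer handle the interface-wide cap while the application only limits per client.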
