Another hack attack hits the headlines

Big deal. This stuff happens every day now right?  Wrong. Not on this scale it doesn’t. The Kneber Bot has penetrated 75,000 systems, 2,500 companies across in 196 countries.  This is not a straightforward Trojan – a simple smash and grab. This one’s a game changer. 

Systems compromised by this botnet provide the attackers with not only user credentials and confidential information, but remote access inside the compromised network.  Just some of the data stolen includes:

  • 68,000 corporate log-in credentials
  • Access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials
  • 2,000 SSL certificate files
  • Dossier-level data sets on individuals, including complete dumps of entire identities from victims’ machines.

Penetration of this scale and amongst such an esteemed group of public and private organizations – Merck & Co, Cardinal Health, 10 US Government Agencies – makes it is clear that no-one is untouchable to an ambitious,  determined and organized group of hackers. But what’s most startling is the lack of visibility about this particular bot.

Firstly we don’t yet know where it came from. Fingers have been pointed at China but there appears to be very little hard evidence. Next, we don’t actually know the extent of the damage. This apparently, is still being assessed, and affected companies notified. Moreover it isn’t clear to what extent the attack has been contained.

What we do know is that it started in late 2008 in Germany. But that in itself begs another unanswered question. How can an attack using a spyware freely available in the Internet penetrate 75 000 systems Worldwide – and still go unnoticed for more than a year?

What is becoming ever more clear is that conventional malware and signature based detection systems are fast becoming inadequate for addressing the increasing sophistication of cyber attacks like the Kneber Bot.

So how can companies improve their visibility and protect themselves against these increasingly sophisticated attacks going forward? Well, regardless of the sophistication of the attack all computers natively generate electronic fingerprints. For every event that takes place in a computer or a network or a security system, or applications, databases or OS etc. a small record of that event is kept, it’s called a log. 

This is your electronic fingerprint. Just like a fingerprint, properly managed logs enable us to carry out forensics, and get us the visibility required to know exactly what happened, who did what, how the attack originated, how it spread, where are the attackers, what has been compromised.

So could the key to solving and preventing IT crime lie in properly managed logs? Could it be that log management could be of some use?

Yes, certainly. But the trouble is that with the explosion of corporate systems the number of logs has exploded to a difficult-to-manage number and few companies are truly geared up to manage them all – meaning that things inevitably slip through the net. Only companies using the most sophisticated log management systems such as LogLogic’s Open Log Management Platform which – with our new Quad-core hardware can monitor up to 250,000 records per second – can really hope to identify and act upon these new subtle, sophisticated and well-disguised attacks on their infrastructure.

The hackers’ game has moved on. We all need to be prepared to respond to this.