Government Technology
Virtualization and DNS Monitoring: Strategies for Catching Cyber-Criminals
November 7, 2008

Hackers are getting more sophisticated, and the threat posed by a network breach and its potential for damage is graver than ever before. Attacks against networks and theft of sensitive information used to be the playground of a relatively few technically savvy pranksters. Now they have evolved into a highly lucrative and robust business model.

The current threat model is largely driven by social engineering, in which victims are tricked into clicking a link and filling in sensitive personal information, or into downloading software that infects their computer with a program controlled by a remote hacker.

Some studies show that more than 10 million Americans were victimized by identity theft in the space of a year, with estimated losses exceeding $50 billion, Steven M. Martinez, deputy assistant director of the FBI, noted in testimony before Congress. That was in 2004. That number is undoubtedly higher today.

So you're a government security manager charged with maintaining the security of your agency's or department's network and preserving the integrity and privacy of the large amount of sensitive data sent over it. What methods do you use to stay ahead in the high-stakes "arms race" between malware attacks and network defense? Domain Name System (DNS) traffic monitoring? Virtualization?

What use can these two technologies be in protecting against and detecting malware? And how can law enforcement use DNS traffic monitoring to get proactive about shutting down cyber-criminals' botnet infrastructure?

Viruses running in virtual environments are not new. Antivirus software companies currently use virtualization to test malware behavior. And according to Tom Liston, a senior security consultant with Intelguardians, virtual machines are designed for general computing and are not necessarily built with security in mind.

In the fall of 2005, the U.S. Department of Homeland Security hired Intelguardians to find out if malware could detect it was running in a virtual machine and escape to execute arbitrary code on the host machine. As a result of that research, Intelguardians discovered that between 5 percent and 10 percent of viruses in the wild can detect virtual machines, and this number is increasing, Liston said.

That's bad, Liston said, because malware that detects it is running on a virtual machine can change its behavior. Based on what it detects, it could be programmed to do something different from what it would do had it gone undetected.

Liston said Intelguardians' research from 2007 found that malware could escape the containment of a guest virtual machine and execute arbitrary code on the host computer. The researchers also found the malware could move from one guest to another. Liston said he hasn't seen this in the wild yet, giving researchers a little time to harden virtual machines against such capabilities.

Mitigating Malware on Virtual Machines

Liston said IT personnel charged with computer security should not trust that guest virtual machines will remain isolated from their hosts. Consequently he advised them to isolate virtualization test machines from production systems and to harden virtual machines against detection by the malware running inside them.

DNS Monitoring: Law Enforcement's Early Warning

The Internet allows criminals to operate stealthily and from anywhere. Botnets, networks of computers hijacked to do a criminal's bidding without their owners' knowledge, remain a viable way to perpetrate computer crime, current data show. And a single computer is usually a member of several botnets, David Dagon, a security researcher with Georgia Tech, noted. Two of the uses of these networks are to send spam and to perpetrate click fraud. As a result, advertisers are transitioning to measuring an ad's effectiveness by the transaction volume generated by clicks, instead of merely measuring click-through rates, Dagon noted.
