13 December, 2006

Save the Users - or - Help Me Help You - CI4

Crazy Idea #4 - Potential new revenue stream for ISPs.

About 6 to 10 years ago (I can't remember exactly when, but suppose it was about the time of Code Red or Nimda) I was staring at a pile of papers on my desk. They were a dump of that month's syslog and were about 6 inches high. The log for the previous month was in my hand and was only two pages long.

We had set up a pretty useful system for tracking down people that were trying to hack into our company. Our Internet-facing Cisco router served as the first layer of defense. There was an ACL that watched incoming traffic and dumped all but a few ports. For HTML we got fancy and looked for some rudimentary "signatures" (about 40-50 of them) that caught things like unicode attacks and a few other items. Next in line was a SNORT box. They would log these events, then forward them to a DMZ syslog box behind the firewall. We also forwarded our Check Point firewall (which was the next line of defense after SNORT) logs to that box.

I had some greps cron'ed to run periodically and forward their results to our SMTP server using a little mail script I wrote (HELO, MAIL TO, MAIL FROM, DATA, egrep, EHLO). We had some Network General Sniffers that alarmed for certain specific types of traffic (mostly stuff that looked like scans) and forwarded an email to the same address. The system worked really well and had for several years. We would have about two or three false alarms a week and just a few real ones a year. We even managed to track a few of them down and got involved with the authorities in the country they were in. (Two convictions, one promotion [he worked for us in another country and was trying to fix things].)

It all changed overnight.

Pretty much everybody reading this blog is a security professional that went through this (or possibly a controls engineer that I suspect is about to go through it; remember the 8 to 10 year lag).

It started with the large-scale automated scans. Usually some idiot that had gotten hold of SATAN, SAINT or an early ping sweep utility and didn't know how to use it right (honestly, these started several years before). They were irritating, but you could filter them in your greps. Early versions of Nessus, and the various versions of Nmap and hping, were more irritating because they were harder to filter and the ACL would miss chunks of them.

Then the worms ate into our brain.

Within a month or two, those of us who had set up automated detection mechanisms were buried under an indecipherable morass of logs. Since then we as an industry have gotten a lot better at designing filters and managing the information chaos. Through a combination of layers, good design, luck and major initiatives by IT vendors we have somehow reached an acceptable equilibrium with the worms (at least for now), but the root problem has never really been solved.

Staring at that pile of paper I had an idea. The only people who could fix this were the users, and the only organizations that could help them were the ISPs. The ISPs could help their users and make money at it at the same time.

I had dropped this idea for almost three years because ISPs started to give away AV for free, but recent events have revived it for me.

It is pretty simple really. The ISP (or someone hired by them) watches for suspect traffic from their address ranges. If they see hints of it, they watch that address more closely. If it is verified that the machine is acting improperly, they use their systems to tie the address to a user and then to an email address. They all have the data, just in different formats: it might be RADIUS, MAC registrations, mail logins, cable modem registrations or just access logs.

They then send an email to the user informing them that there is probably a security problem on one of their systems. If they go to this web site (linked in the email) and follow the instructions, it can be cleaned for free. For a simple fee of $5 a month (added to their existing bill) they can be added to the premium security service that will help maintain their system in a clean state. For $10 a month they can be added to the platinum service, which includes additional services and advanced protections.

Think of it. It is targeted marketing to someone who definitely has a need: probably someone who is ignorant of the product and industry but has been barraged with mainstream news panic stories, so is primed to react.

The first objection I usually hear is "why would they open the mail? They'll think it's spam."

Hello!!! They are infected by a trojan or worm, so they obviously don't have that great a brain-email-spam-phishing filter to begin with. Plus the carriers never need to ask for credit cards or other information. They build trust with a well-developed mail and a clearly branded site. If they want to be careful, they can verify any orders out of band. Any info security people I plugged this with years ago looked at it with a paranoid eye.

The user doesn't.

They are link lemmings.

Besides, for problem accounts it is certainly possible to send an actual snail mail.

Next objection - Exploratory Cost

It would be somewhat different for every ISP, but most of the time the start-up system would be very easy and inexpensive. You need some kind of honeypot or IDS to catch the bad traffic; chances are it already exists. You need to write a simple app to verify which traffic is actually bad, an app to link addresses to users, a site with a web-based AV and spyware scan (honestly, just use the company whose product is already being given away for free), and an email app. If it makes money with the start-up design, then expand it to meet the needs/demand. Most ISPs already have these pieces; they just need to develop the offering. At the very least it would defer some of the AV costs; at the most it would be a tidy profit center in the long run.
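The pipeline sketched above (watch the address range, verify that a host is really misbehaving, tie the address to a subscriber, then draft the notice) and the start-up pieces just listed, as an added example. This is not code from the post or from any ISP; the alert line format, the RADIUS-style session rows, the "five distinct targets in five minutes" verification rule, the addresses and the sender/site names are all constructed for the example. The verification step deliberately ignores single hits, and the account lookup is keyed on the alert time as well as the address, because a dynamically assigned address can belong to a different subscriber an hour later.

```python
"""Added example (not the post's or any ISP's code): IDS alerts -> verified suspect
sources -> subscriber account via session records -> drafted notification.
Every format, threshold, address and name below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed one-line IDS alerts (an assumed format, not Snort's own):
# "<ISO time> <signature> <src_ip> -> <dst_ip>:<dst_port>"
ALERTS = """\
2006-12-13T03:14:07 SMB-445-PROBE 203.0.113.10 -> 198.51.100.1:445
2006-12-13T03:14:08 SMB-445-PROBE 203.0.113.10 -> 198.51.100.2:445
2006-12-13T03:14:08 SMB-445-PROBE 203.0.113.10 -> 198.51.100.3:445
2006-12-13T03:14:09 SMB-445-PROBE 203.0.113.10 -> 198.51.100.4:445
2006-12-13T03:14:09 SMB-445-PROBE 203.0.113.10 -> 198.51.100.5:445
2006-12-13T03:20:00 SMB-445-PROBE 203.0.113.77 -> 198.51.100.9:445
2006-12-13T09:00:00 HTTP-UNICODE-TRAVERSAL 203.0.113.10 -> 198.51.100.1:80
""".splitlines()

# Constructed RADIUS-style accounting rows: account, ip, session start, stop (None = active).
# Note that 203.0.113.10 is handed to two different subscribers on the same day.
SESSIONS = [
    ("alice@example.net", "203.0.113.10", "2006-12-12T22:00:00", "2006-12-13T06:00:00"),
    ("bob@example.net",   "203.0.113.10", "2006-12-13T08:30:00", None),
    ("carol@example.net", "203.0.113.77", "2006-12-13T00:00:00", None),
]

MIN_DISTINCT_TARGETS = 5       # assumed rule: same signature to >= 5 distinct hosts...
WINDOW = timedelta(minutes=5)  # ...inside this window looks like propagation, not a one-off

def parse_alert(line):
    ts, sig, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "sig": sig, "src": src,
            "dst": dst_ip, "port": int(dst_port)}

def verify_suspects(lines):
    """Return {(src_ip, signature): (first_seen, sorted targets)} for sources that
    meet the propagation rule; a lone alert is treated as a possible false alarm."""
    by_source = defaultdict(list)
    for alert in map(parse_alert, lines):
        by_source[(alert["src"], alert["sig"])].append(alert)
    verified = {}
    for key, alerts in by_source.items():
        alerts.sort(key=lambda a: a["ts"])
        for i, first in enumerate(alerts):
            # distinct destination hosts hit within WINDOW of this alert
            targets = {a["dst"] for a in alerts[i:] if a["ts"] - first["ts"] <= WINDOW}
            if len(targets) >= MIN_DISTINCT_TARGETS:
                verified[key] = (first["ts"], sorted(targets))
                break
    return verified

def account_for(ip, when):
    """Which account held `ip` at `when`? Addresses are reused, so the lookup is
    keyed on the alert time, not just the address."""
    t = datetime.fromisoformat(when) if isinstance(when, str) else when
    for account, sess_ip, start, stop in SESSIONS:
        if sess_ip != ip:
            continue
        started = datetime.fromisoformat(start) <= t
        not_ended = stop is None or t < datetime.fromisoformat(stop)
        if started and not_ended:
            return account
    return None  # no session covered that moment: do not guess a subscriber

def draft_notice(account, src_ip, signature, first_seen, targets):
    """Build the notification (returned, not sent). It states only what the ISP
    already knows, asks for no credentials, and points at a branded site."""
    msg = EmailMessage()
    msg["From"] = "security@isp.example"  # constructed sender
    msg["To"] = account
    msg["Subject"] = f"Possible security problem on your connection ({src_ip})"
    msg.set_content(
        f"Starting {first_seen:%Y-%m-%d %H:%M}, a computer on your connection contacted "
        f"{len(targets)} other systems in a pattern our sensors flag as '{signature}'.\n"
        "This usually means a worm or trojan is running on it.\n"
        "A free clean-up tool and instructions are at https://security.isp.example/clean "
        "(constructed URL). We will never ask for your password by email.\n"
    )
    return msg

def build_notices(lines):
    """End to end: verified suspects -> account lookup -> drafted notices."""
    notices = []
    for (src_ip, sig), (first_seen, targets) in verify_suspects(lines).items():
        account = account_for(src_ip, first_seen)
        if account is not None:
            notices.append(draft_notice(account, src_ip, sig, first_seen, targets))
    return notices

if __name__ == "__main__":
    for notice in build_notices(ALERTS):
        print(notice.as_string())
```

Run as a script it prints one drafted notice, addressed to alice: the 03:14 burst from 203.0.113.10 hits five distinct hosts and is verified, while the single probe from 203.0.113.77 and the single 09:00 HTTP alert are left alone. Had the 09:00 alert been part of a verified burst, the time-keyed lookup would have attributed it to bob, not alice, which is the point of keeping the session timestamps in the join.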

Next objection - Why not do it for free?

Because it doesn't have to be free. Oh, the ISPs should still offer the free AV items, but if a user isn't savvy enough to use it then they might like a premium service that takes the brain work out of it. A simple agent (uh oh, I said the A word) to make sure that the AV and anti-spyware apps are up to date and working well could do. For the premium service they might throw in shredding apps, child filters, a weekly security popup tip (that can be turned off, of course), utilities (semi-optimized) and/or periodic human verification. Pick and choose the mix to compete with the other guys. Obviously the free AV approach isn't working that well any more.

Next objection - Invasion of privacy!!!

First, they are already watching this traffic for troubleshooting and incident response anyway, so at the most this will bring it to the user's attention (which is arguably a laudable goal in itself). Second, it is entirely possible to set this up using only a honeypot that has no other uses and doesn't originate connections. If they don't come to you, then you don't look at their traffic. There would still be plenty of opportunities.

The ISPs make more money, the users have more secure systems, and the rest of us have a slightly improved security environment, at least until the next gen of the battle. Everyone wins but the illegal spammers and worms.

Just another crazy idea.

1 comment:

Joel Esler said...

Nice article. Yes, I remember the good old days.

BTW -- Snort is not all in uppercase. Only the logo is in capitals.