Getting the word out on Blaster and Slammer
Recent events underscore the value of early warning systems' response to cyber attacks. For example, it was an early warning system that alerted customers in July to the RPC DCOM Windows vulnerability and the patch from Microsoft. By continuing to monitor global attack activity, early warning systems were able to issue additional alerts as activity levels rose. (For example, an intrusion-detection signature that protected against this kind of attack was released.) The vulnerability eventually resulted in the Blaster worm, which began spreading in earnest on August 11. In between the vulnerability announcement and the worm, the threat increased daily as the new tools to exploit the vulnerability were publicly disclosed, as we saw above.
In January, it was an early warning system that first picked up the fast-moving Slammer worm, which doubled its infection rate every 8.5 seconds in its early stages and wreaked an estimated $1 billion in lost productivity. Automatic analysis of sensor-generated data identified Slammer as a global threat. Customers were notified of the threat and were advised to block traffic on the targeted port. Additional alerts were issued when further analysis pinpointed the threat as a worm, when the vulnerability that Slammer targeted was identified, and when patches that eliminated the vulnerability were available.
A federal case
The private sector isn't alone in taking a closer look at early warning systems. The federal government has been active in this area as well. For example, the U.S. Department of Defense's Computer Emergency Response Team (DOD-CERT) now uses Symantec's early warning system to provide real-time threat and vulnerability intelligence reports that complement its internal early warning capabilities and provide a view of global security vulnerabilities and threat activity. The agency receives custom intelligence updates from the system, which aggregates attack data from 20,000 partners, including multiple vendors' intrusion detection and firewall products, in more than 180 countries. The system provides the DOD-CERT with early warning notification from the industry's largest vulnerability database tracking more than 18,000 product versions from more than 2,200 vendors. The DOD-CERT receives actionable threat and vulnerability alerts via email.
The U.S. Department of Homeland Security, meanwhile, is setting up an early warning system for Internet security alerts. The Global Early Warning Information System (or GEWIS) is intended to act as a kind of central hub that monitors sensitive areas of the Internet and alerts Department of Homeland Security officials to suspicious activity. For example, officials said it could be used to help the department monitor unusual numbers of domain name lookups and requests to authenticate digital certificates as possible precursors to an electronic attack.
Defending against today and tomorrow's numerous and rapidly moving security threats requires new, proactive technologies. Maintaining the status quo is no longer an option. By providing early warning of cyber attacks, and countermeasures to prevent attacks before they occur, early warning systems are destined to play a key role in ensuring that enterprises and the government stay ahead of those threats.