Recently, I did some interesting research with a worm outbreak emulator that I wrote. I was wondering:
How much time do you have to stop a self-replicating worm, once it enters your network, before it gets out of hand?
As you can imagine, there are many ways for a worm to get into an enterprise's network. It could penetrate through the firewall, and even past an IPS (Intrusion Prevention System), unless these devices are explicitly instructed to stop the traffic types the worm uses to spread, or are configured with the exact signature of the worm or its exploit.
It is bad enough that those security solutions are by definition always out-of-date (relative to a zero-day worm, for example). The bigger problem for many enterprises is that there often is no clear demarcation line between 'our' network and the outside anymore.
People come and go with their mobile devices, wireless access points are proliferating, links to extranets and business partners need to be opened... it all contributes to a battle which does not only take place on one front anymore, but on multiple fronts, or even in our own backyard. These days, a worm can pop up at any time, from anywhere in the network, it seems.
So, once this happens, what can you do? Well, you need to find the worm outbreak, and stop it as quickly as possible, of course. Clearly, as long as the worm is only on a very small number of machines, let's say three or fewer, and you can manage to stop its spread right there and then, you can say that you have successfully defended your network against a major worm outbreak.
Now, to get back to my experiments with the worm outbreak emulator: How much time do you have before the outbreak gets out of hand, and the network is brought down in an ever increasing avalanche of torrential worm traffic?
The answer very much depends on your network, of course, and the particular worm. But let's assume a relatively small network, which contains some 100 vulnerable hosts. 'Vulnerable' here means that those 100 machines could possibly be infected by the worm. There might be many more machines in the network, which do not run the software or OS that can be exploited by the worm.
Let's also assume that we have a worm that issues around 500 scans per second looking for new victims. Furthermore, we assume the worm uses a random scanning strategy, in which the IP addresses to scan are literally chosen by a random number generator; this strategy is very commonly used by worms. And finally, let us assume that the outbreak starts from a single machine, for example someone's infected laptop.
Using all these numbers, we find through the emulator, but also through some pretty straightforward math, that on average (!) the worm will scan for around 20 seconds before it has infected its first victim. Now, with two machines scanning, the next machine is infected around 10 seconds later, followed by the third machine some 5 seconds after that.
So, within 30 to 35 seconds, on average the worm will be on about three machines in your network. The speed rapidly picks up from there, with the maximum infection rate reached when about half the vulnerable machines are infected. After that, while the overall worm-generated traffic in your network continues to increase, the infection rate (newly infected machines per second) is actually dropping again, since there are fewer vulnerable, not-yet-infected machines left to find.
Obviously, you need to stop the worm in 30 seconds or less. Clearly, a manual approach will not be effective. You need to detect the worm's presence in your network within seconds, automatically, and then have the capability to stop the worm or isolate the infected machine. For this to work, an automatic solution is paramount. And this, of course, is exactly what we at Esphion are working on.
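The "pretty straightforward math" behind those numbers can be written down in a few lines. The added example below is not the emulator from this post and not Esphion code; it is a minimal model of random scanning built from the post's parameters (100 vulnerable hosts, 500 scans per second per infected host, one initial victim). One assumption is not stated in the post and is mine: the worm picks targets uniformly from a 2^20-address range (a /12), which is the size that makes the expected first hit land at about 20 seconds. With I hosts infected and R still vulnerable, each scan finds a fresh victim with probability R/N, so the wait for the next infection is geometric with mean N/R scans, spread over I * 500 scans per second. The example computes the expected time of every infection, draws random outbreaks to show how widely individual runs scatter around that average, and locates the point of maximum infection rate.

```python
import math
import random

# Parameters taken from the post.
SCAN_RATE = 500        # scans per second issued by each infected host
VULNERABLE = 100       # hosts the worm is able to infect
# Assumption (not in the post): targets are drawn uniformly from a 2**20-address
# range (a /12). This size reproduces the post's ~20 s wait for the first victim.
ADDRESS_SPACE = 2 ** 20


def expected_infection_times(vulnerable=VULNERABLE, scan_rate=SCAN_RATE,
                             address_space=ADDRESS_SPACE):
    """Expected time (seconds after the outbreak starts) of each infection.

    times[0] is patient zero at t = 0, times[n] the n-th additional victim.
    While `infected` hosts are infected and `remaining` are still vulnerable,
    a scan hits a fresh victim with probability remaining / address_space, so
    on average address_space / remaining scans are needed, and the infected
    hosts together issue infected * scan_rate scans per second.
    """
    times = [0.0]
    t = 0.0
    for infected in range(1, vulnerable):
        remaining = vulnerable - infected
        t += (address_space / remaining) / (infected * scan_rate)
        times.append(t)
    return times


def simulate_outbreak(vulnerable=VULNERABLE, scan_rate=SCAN_RATE,
                      address_space=ADDRESS_SPACE, seed=None):
    """One random outbreak.

    Same model as expected_infection_times, but the number of scans before
    each new infection is drawn from the geometric distribution instead of
    being replaced by its mean, so single runs scatter around the average.
    """
    rng = random.Random(seed)
    times = [0.0]
    t = 0.0
    for infected in range(1, vulnerable):
        remaining = vulnerable - infected
        p = remaining / address_space
        # Inverse-transform sample of Geometric(p): scans until the first hit.
        u = 1.0 - rng.random()                       # u in (0, 1], log(u) finite
        scans = max(1, math.ceil(math.log(u) / math.log1p(-p)))
        t += scans / (infected * scan_rate)
        times.append(t)
    return times


def infected_at_peak_rate(times):
    """Number of infected hosts at the moment new infections arrive fastest.

    The wait before times[count] is spent with `count` hosts scanning, so the
    shortest such wait marks the peak infection rate. In the expected model the
    wait is proportional to 1 / (count * (VULNERABLE - count)), which is
    smallest at half the vulnerable population.
    """
    best_gap, best_count = None, None
    for count in range(1, len(times)):
        gap = times[count] - times[count - 1]
        if best_gap is None or gap < best_gap:
            best_gap, best_count = gap, count
    return best_count


if __name__ == "__main__":
    expected = expected_infection_times()
    print("expected: 1st victim %.1f s, 2nd %.1f s, 3rd %.1f s"
          % (expected[1], expected[2], expected[3]))
    print("expected: all %d hosts infected after %.1f s" % (VULNERABLE, expected[-1]))
    print("peak infection rate with %d hosts infected" % infected_at_peak_rate(expected))
    for seed in range(5):
        run = simulate_outbreak(seed=seed)
        print("run %d: three machines infected after %.1f s, peak at %d infected"
              % (seed, run[2], infected_at_peak_rate(run)))
```

The expected-time output reproduces the post's budget: the third machine is infected roughly 32 seconds in. The simulated runs are the reason for the "(!)" after "on average" above: the wait for the first hit has a standard deviation about as large as its mean, so a single outbreak can reach three machines in well under 10 seconds or take over a minute, and a detection threshold has to be set against the fast runs, not the average.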
Juergen Brendel
CTO
www.esphion.com