It’s time for defensive worms

Sometimes your best defense is infectious...

[Image: worms; credit Thejaswi (CC BY-SA 2.0)]

We’re entering a new age of cybersecurity, where worms will be just as critical for defense as they are for offense. This is going to surprise many people in the security industry, who for many years have thought of worms as only a malicious tool.

To provide some historical context: for the past 10+ years, the security community and government have been obsessed with botnets and “Advanced Persistent Threats.” Most defensive tools and strategies, as well as cyber laws, regulations and policies, are built around those threats. But the truth is that worms are the real basis of many of the most advanced actors on the stage. After all, what were Stuxnet, Flame and Duqu but worms at heart? Top-line nation-state tools are capable of self-replication, because autonomous operation is the key to any cyber espionage effort that has to gain persistence on an air-gapped network no operator can reach interactively.

Although worms are not always front and center in policy discussions, the worm model has been behind many – if not most – of the sophisticated attacks we’ve seen in the past decade. And worms were here before that too: from 1989 to 2001 they were the dominant threat on the Internet, culminating in a massive security push from Microsoft that delayed Vista by six months. Then, for a few years, worms became much rarer, although they never disappeared. In our mindshare they were largely replaced by botnets and phishing, which carry a very different technical risk profile.

However, worms have always been and always will be key to offense. In the next few years, the frequency of advanced multi-platform worms launched by nation-states and other sophisticated threat actors is likely to increase substantially.

First, let’s take a look at why worms are so important. For offense, worms have always solved some key issues:

  1. No need to maintain command-and-control infrastructure, because spreading happens automatically and each infected host acts on its own
  2. Can be set to spread as fast as needed (to beat a defender’s response time) or to go low and slow
  3. Able to reach networks that are only connected intermittently (for example, an air-gapped network that is bridged occasionally by a laptop or removable media)

It is these attributes of worms which make them a necessary tool in the arsenal of any offensive team. And their importance will only grow over time, as defenses continue to improve and more nation-states enter the cyber war game, but without the unlimited resources of bigger players like the US and China.

Why a worm boom is coming

If we look at the trend lines, we can see that smaller players are getting into the cyberwar game. They really don’t have a choice. Every country needs to be doing cyber-espionage and developing cyber deterrence capabilities. By our standards, Russia is a small, but skilled, cyber player – it is no accident they, like North Korea, chose a worm for their latest attacks.

Few countries have the resources to replicate the Five Eyes QUANTUM infrastructure, which requires a massive up-front investment. A worm is therefore a better fit for their strategic equation, because it does not require complex infrastructure, the purchase or control of routers, supply-chain attacks, or control over the global telecommunications system. For this reason, we can expect to see rapid growth in the number of sophisticated worms built by smaller nation states.

Running parallel to this development is another one: security technology is getting better. And the more it evolves and the better defenses are at catching intrusions, the more worms you’re going to have because they operate faster than defenses ever can.

Right now, exploits rarely get caught when they are used by professional teams. But modern defenses may be changing that. Microsoft has published its catch of an A-grade team it calls PLATINUM, and Kaspersky has also been excellent at catching A-grade teams (see its research on the Equation Group, for example).

The security industry has addressed the problem of traditional worms in many ways. In particular, we’ve built scanners which traverse an IP range (Qualys and Nessus, for example), and gateways which inspect traffic as it flows through them. But IPv6 and IPsec make both of those things much harder: the IPv6 address space is far too large to sweep exhaustively, and IPsec-encrypted traffic is opaque to an inspecting gateway. This makes a particular kind of worm much more valuable: one which sits on endpoints and tries to infect the machines that connect to it, since it never has to “scan” IPv6 space at all.

Soon, exploits are going to start getting caught, which means they will be created and used very differently from the last 10 years. Worms are the attacker’s answer to the race of getting something done before getting caught by endpoint defenses and advanced analytics.

Using defensive worms

In the past, companies such as HP have built scanners which used exploits to penetrate machines in order to patch them. This intuitive approach solved a lot of issues with traditional vulnerability management, at the cost of a higher risk of breaking things as you fired exploits at your own infrastructure. But if you’re willing to bear that risk (of occasional crashes), there are huge advantages to using exploits instead of simply looking at banners or at which patches are installed: a successful exploit proves the machine is vulnerable rather than inferring it. The advantages are even greater if you can transform that technology from a scanner into a controlled worm. Any scanner is built around the concept of a largely flat network, reachable from a single location. But that is also, by definition, a defenseless network. Compartmentalization is the name of the game for any network that wants to be secure.

It is for this reason that we can project where the next generation of defensive tools will fit: controlled worms that patch systems (known as nematodes in the technical literature). Many systems on corporate networks are unmanaged, or only turned on occasionally, and traditional scanners struggle with both. Nematodes treat such systems exactly as your attacker would treat them, because if a machine was vulnerable to your worm, it was also vulnerable to someone else’s.

This approach would offer considerable advantages to defensive teams: worms can run constant scan-and-patch operations at machine speed across even large and diverse networks, without an operator or a central server driving them. That would free up the defensive team to focus on more pressing issues, such as hunting for anomalous activity and covert data exfiltration, and it would offer considerable cost savings to the company. Worms could even be used to detect breaches early or to target and disable malware. The opportunities are endless, and because of this the market will almost certainly follow.
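As an added example, not code from the article or from any product it mentions, here is a small Python simulation of the three properties the offense list above attributes to worms (no central control, a tunable spread rate, reach into intermittently connected networks) and of the scanner-versus-nematode contrast drawn in this section. The hosts, links and link schedules are constructed; the “patch” step is a bookkeeping flag, not an exploit. The scanner is a single-pass walk from one vantage point, while the nematode is a per-host local rule with the controls a defender would insist on: a scope allow-list, a hop (generation) limit, an expiry tick acting as a kill switch, a per-tick rate, and an audit log.

```python
"""Constructed toy simulation (added example, not code from the article):
a one-pass vulnerability scanner versus a scope-limited patching worm
("nematode"). Host names, links and link schedules are all made up here.

Hosts are strings; the network is a list of links, some of which are only
up during certain ticks (a dual-homed laptop that is docked briefly, a VPN
that comes up at night). That is the case the article says scanners miss.
"""
from collections import deque

# (host_a, host_b, up_ticks); up_ticks=None means the link is always up.
LINKS = [
    ("scanner", "hr-1", None),
    ("hr-1", "hr-2", None),
    ("hr-1", "hr-4", None),
    ("hr-2", "hr-3", None),
    ("hr-3", "eng-1", {4}),          # laptop bridges HR and ENG at tick 4 only
    ("eng-1", "eng-2", None),
    ("eng-2", "eng-3", None),
    ("eng-3", "partner-1", None),    # third-party network, normally out of scope
    ("partner-1", "partner-2", None),
]
VULNERABLE = {"hr-1", "hr-2", "hr-3", "hr-4",
              "eng-1", "eng-2", "eng-3", "partner-1", "partner-2"}


def in_scope(host, allowed_prefixes):
    """Hard scope limit: the worm never touches a host outside these prefixes."""
    return any(host.startswith(p) for p in allowed_prefixes)


def neighbours(host, tick):
    """Hosts linked to `host` that are actually reachable at this tick."""
    out = []
    for a, b, up in LINKS:
        if up is not None and tick not in up:
            continue
        if a == host:
            out.append(b)
        elif b == host:
            out.append(a)
    return out


def scanner_sweep(origin, allowed, tick=0):
    """Classic scanner: one vantage point, one pass, only what it routes to now."""
    seen, queue = {origin}, deque([origin])
    while queue:
        host = queue.popleft()
        for n in neighbours(host, tick):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return {h for h in seen if h in VULNERABLE and in_scope(h, allowed)}


def nematode_run(origin, allowed, max_ticks, max_hops, rate_per_tick=1):
    """Controlled worm: every patched host acts locally on each tick, no C2.

    Controls: `allowed` (scope), `max_ticks` (expiry / kill switch),
    `max_hops` (generation limit), `rate_per_tick` (fast or low-and-slow).
    Returns (patched hosts, audit log of (tick, from, to, action)).
    """
    patched = {origin: 0}               # host -> generation that patched it
    vulnerable = set(VULNERABLE)
    log = []
    for tick in range(max_ticks):       # nothing happens after the expiry tick
        new = {}
        for host, hops in patched.items():
            if hops >= max_hops:        # this generation may not spread further
                continue
            budget = rate_per_tick
            for n in neighbours(host, tick):
                if budget == 0:
                    break
                if n not in vulnerable or n in new:
                    continue            # already patched, or claimed this tick
                if not in_scope(n, allowed):
                    log.append((tick, host, n, "refused-out-of-scope"))
                    continue
                new[n] = hops + 1
                budget -= 1
                log.append((tick, host, n, "patched"))
        patched.update(new)
        vulnerable -= set(new)
    return set(patched) - {origin}, log


if __name__ == "__main__":
    print("scanner :", sorted(scanner_sweep("scanner", ("hr-", "eng-"))))
    hosts, audit = nematode_run("scanner", ("hr-", "eng-"), max_ticks=10, max_hops=8)
    print("nematode:", sorted(hosts))
    for entry in audit:
        print("  ", entry)
```

Running it shows the scanner patching only the HR segment it can route to at tick 0, while the nematode also reaches the ENG segment once the laptop bridges it at tick 4, refuses the partner network because it is out of scope, and stops at the expiry tick or hop limit regardless of what remains vulnerable. Lowering `rate_per_tick` is the “low and slow” mode; raising it is the “beat the responder” mode.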

As attacks become more sophisticated, one of the best resources we have comes from the attacker’s own toolkit, and it’s time the industry began to embrace the defensive potential of worms. The same attributes which have served offensive teams so well over the years can also benefit defenders.

This article is published as part of the IDG Contributor Network.
