Persistently changing and evolving threats and threat agents are driving up risks and elevating the need for new security capabilities to counter new risks. These are largely related to a new breed of malicious software (malware) designed and distributed for criminal profit, state sponsored offensive activities (spying) or ideological offensive purposes (terrorism and sabotage). This software manifests itself as the most successful form of crime and “violence” on the Internet: identity theft, credit card and banking fraud, spamming, phishing, and denial of service attacks.
It is known that malware increasingly passes undetected through firewalls, intrusion detection systems (IDS) and anti-virus (AV) systems. In some cases, these controls are less than 30% effective against known (previously identified) malware; in virtually all cases, vendors now include “generic” signatures for heuristic analysis (guessing) as a safeguard against the (previously unidentified) threats they cannot keep up with.
From the early 1990s to the early 2000s, malware developers wrote viruses and worms that wreaked havoc by destroying data and systems, but it was more of a game. They claimed credit for bigger and more malicious infections and took pride in watching information technology (IT) managers scramble to stop the damage and fix systems, at huge expense. At that time, malware developers would share and publish exploit code. Now there is money to be made and strategic advantages to be gained through malware exploitation. Exploit code is shared less, and the best code is not shared at all; rather, it is guarded like an industrial secret. Prior to release, malware code is carefully and professionally tested against all known AV/IDS signatures using publicly available tools, and released into the wild in secret. Malware development and testing are more the work of highly educated and well-coordinated teams than of brilliant loners working from basements.
What is therefore needed is a real-time system for information and intelligence sharing, in order to identify threat agents and threatened assets on the Internet rather than to perpetuate the endless cycle of vulnerability patching and signature scanning.